I'm dealing with a situation where I need to rename a display name for an account, but I found out that this account originates from an on-prem Active Directory that hasn't synced with Entra since 2018. The connector for syncing isn't even installed anymore, and the old domain is a total mess, used for some legacy servers that aren't even online. I'm looking for a way to convert this specific object to a cloud-only account without having to touch the ancient setup. I've come across suggestions that involve moving the user to an OU not in the sync scope, running a sync, and restoring the account in Entra, but that's off the table for me. Would just removing the immutableID do the trick?
2 Answers
You should also look into why that on-prem AD still exists. If it's tied to old legacy servers, that can get tricky. It might be best to handle the root cause instead of just converting the account.
To convert that object to a cloud account, here's a straightforward plan:
1. Move the user to an OU that isn’t included in the syncing scope.
2. Perform a Delta sync.
3. Restore the user in Entra ID.
4. Lastly, you’ll need to use PowerShell to remove the immutableID from the user you just restored. That should make it a cloud-only account!
Just a heads up, if the sync hasn't run in 7 years, that could really complicate things. Installing the connector again might cause more issues than it’s worth!
Absolutely! I wouldn't trust syncing again after such a long break. Sounds like dealing with a hornet's nest. Better to find a safer way around it!