Removing access to on-prem resources

I had an interesting request. We have a partner company that previously needed access to our network resources and domain email addresses. The need for network resources has gone away. They still require emails.

I decided the best answer was to convert them to cloud-only users. This would allow them to continue using their Office 365 email but strip away the on-premises access.

This is sort of an off-label operation. Microsoft has a recommended process, but it involves turning off AD sync for everyone. Making a global change that could break everyone is sort of a deal-breaker for me.

There is a workaround, though. The basic process involves stopping the sync for a specific OU in your on-prem AD, then restoring the user from the deleted accounts in Azure AD.

To migrate small batches of users:

  1. Place the user in a non-synced OU.
     a. You can see which OUs are synced by opening the connector on your DC.
     b. This will move the O365 account into deleted users.
  2. Perform a restore of the user.
     a. This will trigger a password reset.
  3. Remove the Office license, save, then re-add it.
  4. Disable or delete the on-prem account.

End result is that the user will be able to log in only to O365 with their temp password. Any emails will be restored with the mailbox.
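The four steps above as one PowerShell run, added here as an example rather than a script from the original post. It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules available and Connect-MsolService already done; the OU path and license SKU are placeholders you must replace.

```powershell
# Assumed values (not from the original post): replace with your own.
$Upn      = 'davidchew@contoso.com'          # user to convert to cloud-only
$NoSyncOu = 'OU=NoSync,DC=contoso,DC=com'    # OU excluded in the connector's sync filter
$SkuId    = 'contoso:ENTERPRISEPACK'         # license to remove and re-add (Get-MsolAccountSku lists yours)

# Step 1: move the on-prem account to the non-synced OU and push a delta sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $adUser) { throw "No on-prem account found for $Upn" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $NoSyncOu
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# The cloud object only lands in deleted users after the sync finishes, so poll for it.
$deleted = $null
for ($i = 0; $i -lt 20 -and -not $deleted; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue
}
if (-not $deleted) { throw "$Upn never appeared in deleted users; check the OU filter in the connector." }

# Step 2: restore the user from deleted users (the post notes this triggers a password reset).
Restore-MsolUser -UserPrincipalName $Upn

# Step 3: remove the license and add it back so the mailbox is re-provisioned.
Set-MsolUserLicense -UserPrincipalName $Upn -RemoveLicenses $SkuId
Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $SkuId

# Step 4: disable (rather than delete) the on-prem account so it can be reviewed before removal.
Disable-ADAccount -Identity $adUser.DistinguishedName

# Verification: a cloud-only object has no LastDirSyncTime. If one is still present, the
# object is still treated as directory-synced, which is the state behind the portal
# deletion error described below.
$cloud = Get-MsolUser -UserPrincipalName $Upn
[pscustomobject]@{
    UserPrincipalName = $Upn
    LastDirSyncTime   = $cloud.LastDirSyncTime
    ImmutableId       = $cloud.ImmutableId
    IsLicensed        = $cloud.IsLicensed
    OnPremEnabled     = (Get-ADUser -Identity $adUser.DistinguishedName).Enabled
}
```

Run it for one user first and confirm the mailbox and temp password work before batching, since a mistaken OU path simply moves the account without ever removing it from sync scope.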

NOTE: One issue I ran into with the converted accounts is that you can't delete the account from any of the regular portals. It will throw an error stating that the account needs to be deleted from your on-premises AD. Oddly enough, removing the account with the PowerShell command does not hit this error.

Example: Remove-MsolUser -UserPrincipalName "davidchew@contoso.com"