PS >cloudkreise

Remove on-premise attributes from (migrated) cloud-only accounts


A lot of companies are neither on-premises-only nor cloud-only but hybrid: Active Directory objects such as accounts, groups and devices are synchronized to Entra ID with Microsoft Entra Connect (formerly known as, and still installed as, Azure AD Connect).

If you want to migrate an account from hybrid to cloud-only, the typical process is to move the account out of scope for the Entra Connect sync. The object is soft-deleted with the next sync cycle and can then be restored from the Entra ID recycle bin as a cloud-only object. But if you look closer at the restored object, some of the on-premises attributes are still populated, for example the following:

  • onPremisesDomainName
  • onPremisesImmutableId
  • onPremisesSamAccountName
  • onPremisesSecurityIdentifier
  • onPremisesUserPrincipalName
  • onPremisesDistinguishedName
  • onPremisesLastSyncDateTime

Depending on your configuration it might be necessary to remove these attributes, for example because dynamic group membership rules evaluate them. If you try to clear them with the obvious tools (Update-MgUser, Set-EntraUser or a direct PATCH via the Graph API), you are greeted with the following error:

Microsoft's documentation says the following about these attributes:

The property is only populated for customers who are synchronising their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. Returned only on $select.

Older reports and community notes say that only Microsoft support can remove the values and that you need to open a ticket for it. But is that still the case?

No. As it turns out, it is possible to clear at least some of these attributes. Not with the PowerShell Graph SDK, the Entra PowerShell module or plain Graph API calls alone, but with the ADSyncTools module in combination with the PowerShell Graph SDK. Here is how:

# Install the PowerShell Graph SDK and the ADSyncTools module from the PowerShell Gallery into your user profile
Install-Module -Name Microsoft.Graph -Scope CurrentUser
Install-Module -Name ADSyncTools -Scope CurrentUser

# Connect to Entra ID via the Graph API; the ADSyncTools cmdlet below runs against this session
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Object IDs of the Entra ID users to clean up (placeholder values).
# You can look them up with Get-MgUser, e.g. (Get-MgUser -UserId user@contoso.com).Id
$userIds = @(
    "0cd55852-ffd3-0000-8348-1a342e39433a",
    "52a4bb38-9246-0000-b9de-7672e201ac16",
    "2b9ecffa-f09b-0000-b4f8-cb30d885a664",
    "add4f499-a5c2-0000-af90-ddd64a3822a2"
)

# JSON body that nulls the on-premises attributes you want to clear.
# Note: the here-string opener @' must be followed by a line break and the closing '@ must start its own line.
$jsonBody = @'
{
  "onPremisesImmutableId": null,
  "onPremisesSamAccountName": null,
  "onPremisesSecurityIdentifier": null,
  "onPremisesDistinguishedName": null,
  "onPremisesLastSyncDateTime": null,
  "onPremisesUserPrincipalName": null,
  "onPremisesDomainName": null
}
'@

# Clear the listed attributes for each user ID
foreach ($userId in $userIds) {
    Clear-ADSyncToolsOnPremisesAttribute -Identity $userId -BodyParameter $jsonBody
}

After execution the attributes are removed almost immediately when you query the accounts from PowerShell, and after a few minutes of cloud lag also in the Entra ID portal. Sadly, I was still not able to clear the following two attributes; it seems that if you need these two to be empty, you still have to open a support ticket:

  • onPremisesUserPrincipalName
  • onPremisesLastSyncDateTime
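To make the whole round trip checkable, here is an added example (my own code, not from the original post) that restores the soft-deleted object, refuses to proceed while Entra Connect still owns it, clears the attributes with the same ADSyncTools cmdlet, and reports which onPremises* values remain populated. The object ID, the helper name Get-OnPremAttributeState and the assumption that User.ReadWrite.All is enough to restore the user are placeholders/assumptions; Microsoft.Graph and ADSyncTools must already be installed.

```powershell
# Added example, not code from the original post.
# Assumes Microsoft.Graph and ADSyncTools are installed, and that $userId is the
# object ID of a user that already fell out of sync scope (placeholder value).
Connect-MgGraph -Scopes "User.ReadWrite.All"

$userId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

# The seven attributes discussed above
$onPremProps = @(
    'onPremisesImmutableId', 'onPremisesSamAccountName', 'onPremisesSecurityIdentifier',
    'onPremisesDistinguishedName', 'onPremisesLastSyncDateTime',
    'onPremisesUserPrincipalName', 'onPremisesDomainName'
)

# Helper (hypothetical name): returns the sync state and the names of the
# onPremises* attributes that are still populated on the user object.
function Get-OnPremAttributeState {
    param([Parameter(Mandatory)][string]$Id)
    $u = Get-MgUser -UserId $Id -Property (@('id', 'userPrincipalName', 'onPremisesSyncEnabled') + $onPremProps)
    $populated = foreach ($p in $onPremProps) {
        # PowerShell property access is case-insensitive, so the Graph names work directly
        if (-not [string]::IsNullOrEmpty("$($u.$p)")) { $p }
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        SyncEnabled       = $u.OnPremisesSyncEnabled
        Populated         = @($populated)
    }
}

# Step 1: the object was soft-deleted when it left sync scope; restore it from the recycle bin.
if (Get-MgDirectoryDeletedItem -DirectoryObjectId $userId -ErrorAction SilentlyContinue) {
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $userId | Out-Null
}

# Step 2: do not touch an object Entra Connect still manages; it has to leave sync scope first.
$before = Get-OnPremAttributeState -Id $userId
if ($before.SyncEnabled -eq $true) {
    throw "$($before.UserPrincipalName) is still synced (onPremisesSyncEnabled = true); move it out of scope first."
}
Write-Host "Before: $($before.Populated -join ', ')"

# Step 3: build the same null-body as above from the attribute list and clear via ADSyncTools
$jsonBody = "{`n" + (($onPremProps | ForEach-Object { "  `"$_`": null" }) -join ",`n") + "`n}"
Clear-ADSyncToolsOnPremisesAttribute -Identity $userId -BodyParameter $jsonBody

# Step 4: re-read the object; anything still listed here is what a support ticket has to remove
$after = Get-OnPremAttributeState -Id $userId
Write-Host "After:  $($after.Populated -join ', ')"
```

The sync-state gate in step 2 is the check worth keeping: while onPremisesSyncEnabled is true the object is still under Entra Connect control, and clearing cloud-side values on it is pointless at best. Running the helper before and after also gives you a per-account record of which attributes the cmdlet could not clear.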

I hope this information helps some people on their journey to cloud-only.