Old Onprem was lost created new domain and onprem in Azure

Hi @Onpoint Data Techs,

Those users still have on-premises attributes (specifically onPremisesImmutableId) stamped on their Microsoft Entra ID objects. Because of this, Entra continues to treat them as directory-synchronized users, even though the original on-prem AD environment no longer exists.

This behavior is expected. As long as directory synchronization is enabled for the tenant, the onPremisesImmutableId attribute is protected and cannot be cleared via Graph Explorer, PowerShell, or the Entra portal.

Supported way to convert users to cloud-only

1. Disable directory synchronization

If the original on-prem AD is permanently gone, you must disable directory sync for the tenant.

Follow Microsoft guidance: https://learn.microsoft.com/microsoft-365/enterprise/turn-off-directory-synchronization

Once synchronization is disabled and the change completes, the OnPremisesSyncEnabled flag will become false for the users.

2. Clear the ImmutableId

After sync is fully disabled, you can clear the attribute using Microsoft Graph PowerShell:

Connect-MgGraph -Scopes "User.ReadWrite.All"

Update-MgUser -UserId ******@domain.com -OnPremisesImmutableId $null

After the onPremisesImmutableId value is removed, the account becomes a true cloud-only user.

If the attribute still cannot be cleared

Microsoft’s fallback approach is:

Delete the user from Entra ID

Permanently remove the account from the recycle bin

Recreate the account as a cloud-only user

Note that users cannot be converted individually while directory synchronization is enabled. The change must occur at the tenant level, unless Microsoft Support intervenes to manually clear the attribute.

Let us know if you need further assistance.

To convert previously synced users to cloud-only when the original on-premises AD is gone, the on-premises attributes that mark them as “synced” must be cleared in Microsoft Entra ID.

The supported approach is:

1. Turn off directory synchronization for the tenant (if any sync tool is still configured).
2. Convert the affected users to cloud-only and clear their on-premises attributes using either:
   • Microsoft Graph (beta) Update User API, or
   • The Clear-ADSyncToolsOnPremisesAttribute PowerShell cmdlet.

1. Clear on-premises attributes with Microsoft Graph

After users are cloud-only (sync disabled and objects converted), update the following attributes to remove the legacy sync markers:

• onPremisesDistinguishedName
• onPremisesDomainName
• onPremisesImmutableId
• onPremisesSamAccountName
• onPremisesSecurityIdentifier
• onPremisesUserPrincipalName

Use the Microsoft Graph Beta Update user API to set these attributes to null for each affected user. This is only allowed for:

• Native cloud-only users, or
• Previously synced users that have been converted to cloud-only after turning off synchronization.

Required role: User Administrator or Hybrid Identity Administrator. Required app permission: User.ReadWrite.All.

2. Clear on-premises attributes with PowerShell

Alternatively, use the Clear-ADSyncToolsOnPremisesAttribute cmdlet to clear these attributes for a specific user:

Clear-ADSyncToolsOnPremisesAttribute '******@contoso.com' -All

Or clear individual attributes, for example:

Clear-ADSyncToolsOnPremisesAttribute -Identity '12345678-90ab-cd12-3456-7890abcd1234' -onPremisesImmutableId

Once these on-premises attributes are cleared and no sync relationship exists, the account is treated as cloud-only in Microsoft Entra ID.

References:

• Clear on-premises attributes from migrated Microsoft Entra ID users