convert synced to cloud

Les 31 Reputation points
2022-05-06T11:56:30.377+00:00

Has MS come up with a better way to convert synced users to cloud only? Surely this is the way everyone is going and MS wants everyone to go.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Siva-kumar-selvaraj 15,701 Reputation points
    2022-05-06T18:16:49.34+00:00

    Hello @Les ,

    Thanks for reaching out.

    Converting an individual user object from synced to cloud only is not supported as of today. However, our product team is working to support Source of Authority (SOA) conversion of individual users or subsets of users from on-prem to AAD in private preview by the end of the calendar year.

    Here is some background of Source of Authority (SOA) in hybrid environments for your reference:
    A common misconception about Source of Authority (SOA) in hybrid environments is that you can transfer the SoA of a single synchronized user from on-premises AD to Azure AD. It is incorrect to assume that by filtering out a synchronized user from AADConnect sync scope and then recovering the soft-deleted object, the object's SoA is transferred to Azure AD and Exchange Online, transforming it into a managed, commonly referred to as “Cloud Only” object.

    An object in these circumstances is displayed in the portal as "Cloud Only" because its "DirSyncEnabled" property is set to 'false' which means the object is disconnected from its on-premises source object and will no longer receive any updates from AADConnect server or Azure AD Connect Cloud Sync Agent.

    However, the user object still holds all the on-premises properties that were synchronized from on-premises AD, specifically all its Shadow attributes.

    The only supported way to transfer SoA from on-premises to the cloud is to completely disable "DirSync" on the tenant, which converts all the objects in the tenant into cloud only. *Note: We don't recommend disabling "DirSync" on the tenant as either a troubleshooting step or a temporary mitigation. "DirSync" should only be disabled in the directory if the customer wants to permanently disable it and has no plans to reenable it in the foreseeable future.*

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
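
The distinction drawn in the answer above (an object shown as "Cloud Only" that still holds values synchronized from on-premises AD) can be audited from an export of user objects. The following is an added example, not part of the original answer or Microsoft's own code; it assumes the records use Microsoft Graph user property names, that `onPremisesSyncEnabled` is the Graph counterpart of the "DirSyncEnabled" flag, and every sample value is constructed.

```python
import json

# Microsoft Graph user properties that directory synchronization populates.
ON_PREM_PROPS = (
    "onPremisesImmutableId",
    "onPremisesSecurityIdentifier",
    "onPremisesDistinguishedName",
    "onPremisesSamAccountName",
    "onPremisesDomainName",
    "onPremisesLastSyncDateTime",
)

def classify(user):
    """Return (state, residual_props) for one Graph-style user record."""
    residual = [p for p in ON_PREM_PROPS if user.get(p)]
    if user.get("onPremisesSyncEnabled") is True:
        return "synced", residual
    if residual:
        # Sync flag is off or null, yet on-premises values are still present:
        # the object is disconnected from its source, not natively cloud-managed.
        return "disconnected", residual
    return "cloud-native", residual

def audit(users):
    """Map userPrincipalName -> leftover on-premises properties (disconnected objects only)."""
    report = {}
    for user in users:
        state, residual = classify(user)
        if state == "disconnected":
            report[user["userPrincipalName"]] = residual
    return report

# Constructed sample export (hypothetical users, not real tenant data).
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": true,
  "onPremisesImmutableId": "Y29uc3RydWN0ZWQtYQ==", "onPremisesSamAccountName": "alice"},
 {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": null,
  "onPremisesImmutableId": "Y29uc3RydWN0ZWQtYg==",
  "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
  "onPremisesSamAccountName": "bob"},
 {"userPrincipalName": "carol@contoso.example", "onPremisesSyncEnabled": null,
  "onPremisesImmutableId": null, "onPremisesSamAccountName": null}
]""")

if __name__ == "__main__":
    for upn, props in audit(SAMPLE).items():
        print(f"{upn}: not synced, but still holds {', '.join(props)}")
```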
