Alumni & Office 365: Breaking the AADConnect link


I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn’t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I’d write it up as a blog post.

This solution allows an Office 365 account to automatically transition from “Synchronized” to “Cloud managed”. It was designed for a university where:

  • Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and
  • Alumni accounts should remain active in Office 365 but disabled on-prem – therefore we want to stop syncing them with AADConnect following graduation.

Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered – this just focuses on the change in management source.

It should also be noted that this solution has been in production for over a year.

Desired Outcome – Student

Student accounts are managed on-prem and synchronised to Office 365 by AADConnect. A separate PowerShell-based process (not pictured) detects the account and assigns the standard license type.


Desired Outcome – Alumni

Alumni on-prem accounts are disabled, however the Office 365 account is a lifelong account and remains enabled, with the last synchronized password and the Alumni license package. Once the account is cloud managed nothing further flows from on-prem: the on-prem disable does not propagate, and any password change or reset for an alumnus has to be done in Office 365.


Transition Process

Following the student's graduation the on-prem account is disabled and moved into a different OU (by the FIM Sync Service). This OU is outside AADConnect's scope, so AADConnect interprets the move as a Delete and exports a deletion of the Office 365 account.


As the Office 365 account is only soft deleted, and stays in the recycle bin for a grace period (30 days in Azure AD), we can promptly un-delete it, at the same time flagging it as "Alumni". When the account is restored it comes back as "Cloud managed" and not synchronized. The user cannot sign in between the delete and the restore, so the restore step should follow the AADConnect export closely.


Here are the PowerShell commands (MSOnline module) used in restoring the account and changing the license type. `$user` is one of the soft-deleted users returned by the first command:

# List the soft-deleted users; pick the graduate to restore (here by UPN)
$user = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.UserPrincipalName -eq $graduateUpn }

# Restore under the same UPN; -AutoReconcileProxyConflicts renames any proxy address that now clashes with another object
Restore-MsolUser -UserPrincipalName $user.UserPrincipalName -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName

# Flag the restored (now cloud managed) account as Alumni
Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department "Alumni"

# Assign the Alumni license package (licensing process not covered here)
Set-MsolUserLicense …


The solution also works fine for re-enrolment. If a student returns, their AD account is re-activated and moved back to the Student OU. This brings it back into the scope of AADConnect, which flags it as a synchronized account again. The join works because the Office 365 account kept its ImmutableID through the delete and restore: the ImmutableID is the base64 encoding of the AD account's objectGUID (the default AADConnect source anchor), so AADConnect matches it to the re-enabled AD account rather than creating a duplicate.
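The following is an added example, not the post's own script, that puts the transition steps above into one function and adds the checks a practitioner would want before and after the restore: that the account really is in the soft-deleted state, that it is restored under its original UPN, and that it still carries its ImmutableID so a re-enrolled student's AD account will join it. It assumes the MSOnline module with Connect-MsolService already run; the SKU name, the domain and the UPN are placeholders, and the `ConvertTo-ImmutableId` helper is mine, based on the ImmutableID being the base64 of the objectGUID bytes.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has been run.
$AlumniSkuId = 'contoso:ALUMNI_SKU'   # assumption: replace with the tenant's actual alumni AccountSkuId

function Restore-AlumniAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Only act on accounts that are actually in the soft-deleted (recycle bin) state.
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) {
        throw "$UserPrincipalName is not soft-deleted; nothing to restore"
    }

    # Restore under the same UPN. -AutoReconcileProxyConflicts renames any proxy
    # address that now clashes with another object instead of failing the restore.
    Restore-MsolUser -UserPrincipalName $deleted.UserPrincipalName `
        -AutoReconcileProxyConflicts -NewUserPrincipalName $deleted.UserPrincipalName

    # Tag the account and swap the license package (UsageLocation must already be set,
    # which it normally is on a previously licensed, previously synced account).
    Set-MsolUser -UserPrincipalName $UserPrincipalName -Department 'Alumni'
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AlumniSkuId

    # Post-restore check: the account must not be blocked and must keep its
    # ImmutableId, which is what lets AADConnect re-join it on re-enrolment.
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($u.BlockCredential) { Write-Warning "$UserPrincipalName has sign-in blocked" }
    if (-not $u.ImmutableId) { Write-Warning "$UserPrincipalName lost its ImmutableId; re-enrolment would create a duplicate" }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        ImmutableId       = $u.ImmutableId
        LastDirSyncTime   = $u.LastDirSyncTime   # inspect: cloud-managed accounts should show no recent sync
        Department        = $u.Department
        IsLicensed        = $u.IsLicensed
    }
}

# Expected ImmutableId for an on-prem objectGUID: base64 of the GUID's 16 bytes.
# Compare with the cloud account's ImmutableId before moving a returning student
# back into the Student OU, to be sure the join will hit the existing object.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Example run with constructed identifiers:
# $result = Restore-AlumniAccount -UserPrincipalName 'j.bloggs@students.example.edu'
# $expected = ConvertTo-ImmutableId -ObjectGuid (Get-ADUser 'j.bloggs').ObjectGUID
# if ($result.ImmutableId -ne $expected) { Write-Warning 'ImmutableId mismatch: AADConnect would not join this account' }
```

The ImmutableId comparison is the check that matters for re-enrolment: if someone has re-created the AD account rather than re-enabling the original, the objectGUID (and so the expected ImmutableId) will differ, and AADConnect will provision a second cloud user instead of joining the alumni one.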


Carol Wapshere

I’ve been working in the IT industry for rather a lot of years now, starting in sys admin then moving through project work and consultancy, eventually coming across MIIS 2003 in 2005 while working on an email migration project in London. After a few years in Switzerland I am now back in Australia, based in Canberra, working for UNIFY Solutions. I have been awarded the MVP for ILM/FIM every year since 2009.
