Convert Exchange 2010 hybrid to cloud users

Converting Exchange 2010 hybrid to cloud users

SUMMARY: Two separate companies, one server, one Active Directory, Exchange 2010, split hybrid migration, two Microsoft 365 tenants… Convert the lot to cloud users and decommission Exchange!
or…
Wishing I had just done a cutover migration in the first place!

If you’ve read my previous post Hybrid Migration Nightmare then you will already know the trials I had separating out our two organisations (sharing one server and Active Directory) into their own separate Microsoft 365 online tenants (leaving us with one physical server where the Exchange virtual server was syncing The-Charity’s OU with Azure ADSync, the Domain Controller virtual server was syncing The-College’s OU using another instance of Azure ADSync, and the Exchange server had a hybrid configuration which I had manually duplicated so it worked for both The-Charity and The-College over their respective Microsoft 365 tenants).

In the space in-between that post and this I have installed a new physical server for The-Charity and separated out the Active Directory but, to cut a long story short, both organisations are still on the old server as it is still acting as the ADSync and hybrid Exchange server for both organisations and I was regretting the decision to do a hybrid migration as opposed to a cutover migration in the first place as it had left our two organisations tied to this ageing server together without a satisfactory solution to a clean separation.

I decided the way forward for us was to convert all our users to cloud only, remove ADSync (as keeping the passwords in sync with the server wasn’t important to us anyway) and decommission the old Exchange server for good. These are the steps I took in case they help anyone else.

THE PLAN

1. The-College:

  • Disable ADSync for The-College (on Domain Controller)
  • Convert users to cloud only
  • Uninstall ADSync software (on Domain Controller)
  • Remove hybrid settings from The-College Microsoft 365 tenant
  • Recreate synced groups in The-College Microsoft 365 tenant (this was not part of the original plan. This part I found out later)
  • Remove synced groups using PowerShell and rename the newly created ones (again, not part of the original plan)

2. The-Charity:

  • Disable ADSync for The-Charity (on Exchange server)
  • Convert users to cloud only
  • Uninstall ADSync software (on Exchange server)
  • Remove hybrid settings from The-Charity Microsoft 365 tenant

3. Decommission:

  • Shut down the Exchange server for a few days (to test)
  • Delete The-Charity users from Active Directory on old server
  • Uninstall Exchange

TAMING POWERSHELL!

To do a lot of the above requires PowerShell and for it to be connected to the Microsoft 365 tenants. This can be tricky as it requires various modules to have been installed in PowerShell and can also require updates to server software. When I tried to connect PowerShell to Microsoft 365 (even though I had already previously used it to sync using ADSync!) I kept getting errors along the lines of ‘The specified module MSOnline was not loaded because no valid module was found in the blah blah blah BLAH’. The following steps solved it for me.

The specified module MSOnline was not loaded because no valid module was found in any module directory

1. Install the .NET Framework 3.5 from Microsoft (it is an optional Windows feature and is not present by default on newer servers).

2. Open PowerShell as an administrator and run the following commands in order to install the MSOnline module:

# Unrestricted also lets unsigned scripts downloaded from the internet run; RemoteSigned is
# enough to install modules from the PSGallery, and -Scope CurrentUser leaves the machine policy alone.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Register-PSRepository -Default   # registers the PSGallery repository if it is missing
Get-PSRepository                 # confirm PSGallery is listed before installing
Install-Module MSOnline

CONNECT POWERSHELL TO MICROSOFT 365 ONLINE

The following commands prompt for the administrator username and password for your Microsoft 365 tenant, store the credential in a variable, connect to the MSOnline service with it, and then open a remote PowerShell session to Exchange Online using the same credential:

$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $UserCredential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

Caveat: this credential-based flow only works for an account without MFA, and Microsoft has since deprecated both the MSOnline module and Basic-authentication remote PowerShell sessions to Exchange Online. On a current tenant the equivalent steps are done with Connect-ExchangeOnline from the ExchangeOnlineManagement module and the Microsoft Graph PowerShell module, which use modern authentication; the MSOnline commands below are the ones that worked at the time of writing.

You can test the connection was successful by running the following command:

Get-MsolDomain

Perform a final sync

The first command returns your tenant information (so you can see it’s connected). The second forces a final delta sync with Azure AD; it comes from the ADSync module that Azure AD Connect installs, so it must be run on the server where Azure AD Connect is installed (the Domain Controller for The-College, the Exchange server for The-Charity), not inside the remote Exchange session:

Get-MSOLCompanyInformation
Start-ADSyncSyncCycle -PolicyType Delta

SAY GOODBYE TO AZURE ADSYNC

You can check on the current directory sync status by running:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Then to turn off ADSync run the following command.

(WARNING: once directory sync is turned off you may have to wait up to 72 hours before you can turn it back on again, and the tenant starts converting every synced object to cloud-managed in the background, so proceed at your own risk):

Set-MsolDirSyncEnabled -EnableDirSync $false

At this point you can re-run the previous command to check it worked:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

CONVERT YOUR USERS TO THE CLOUD

Now that PowerShell is connected to MSOnline and ADSync has been disabled (check that DirectorySynchronizationEnabled reports False first), you can convert a single user to a cloud-only account by clearing their ImmutableId, or you can convert all users at once by clearing all their ImmutableIds. The ImmutableId is the value that ties the cloud object to its on-premises account; clearing it means a future Azure AD Connect install cannot hard-match the user back to the old directory.

Convert a single user to cloud only (replace the UPN with one of your users addresses):

Get-MsolUser -UserPrincipalName username@company.com | Set-MsolUser -ImmutableId $null

For the above code you need to replace the username@company.com with a UPN from your actual organisation. For example: Get-MsolUser -UserPrincipalName Porco.Rosso@The-College.co.uk | Set-MsolUser -ImmutableId $null

Or remove the ImmutableId of all users in one go (the -All switch is needed, because without it Get-MsolUser returns at most 500 users and the rest are silently skipped):

Get-MsolUser -All | Set-MsolUser -ImmutableId $null
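The following is an added example, not code from the original post, that wraps the conversion above in the checks a practitioner would want: it refuses to run while directory sync is still enabled, records every still-synced user (with their ImmutableId) to a CSV before anything is changed, clears the IDs, and then verifies that no synced user is left. It assumes Connect-MsolService has already been run against the tenant; $BackupPath is an assumed location.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has already run.
$BackupPath = "C:\Temp\synced-users-before-conversion.csv"   # assumed path

# 1. Refuse to proceed while directory synchronization is still enabled on the tenant.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw "Directory synchronization is still enabled; run Set-MsolDirSyncEnabled -EnableDirSync `$false and wait until it reports False."
}

# 2. Record every user that still carries an ImmutableId, i.e. is still tied to an on-premises object.
#    -All is required: without it Get-MsolUser returns at most 500 users.
$synced = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
if ($synced.Count -eq 0) {
    Write-Host "No synced users found; nothing to convert."
    return
}
$synced |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime |
    Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host ("{0} synced users recorded in {1}" -f $synced.Count, $BackupPath)

# 3. Clear the ImmutableId by ObjectId (safer than by UPN in case a UPN is renamed mid-run).
foreach ($u in $synced) {
    Set-MsolUser -ObjectId $u.ObjectId -ImmutableId $null
    Write-Host ("Converted {0}" -f $u.UserPrincipalName)
}

# 4. Verify: no user in the tenant should still have an ImmutableId.
$remaining = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
if ($remaining.Count -gt 0) {
    $remaining | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
    throw ("{0} users still have an ImmutableId" -f $remaining.Count)
}
Write-Host "All users are now cloud-only."
```

The CSV is the rollback record: if you ever need to re-establish sync, the saved ImmutableIds are what a hard match would need, so keep it somewhere access-controlled.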

GOODBYE HYBRID

Once all users have been converted to cloud users, and you have verified that your DNS is set up the way Microsoft recommends so that email is delivered to Microsoft 365 first rather than to your on-premises server (the MX record, the Autodiscover record and your SPF record should all point at Microsoft 365), there is no more need for the hybrid configuration. To remove it, log in to the Microsoft 365 tenant and go to Exchange Admin. Then under Mail Flow and Connectors delete the ‘Inbound from …..’ and the ‘Outbound to …..’ connectors. Then under Organisation and Organisation Sharing delete the ‘O365 to On-premises …..’ relationship. Check before deleting that no mail flow rule or transport rule still routes mail through those connectors, otherwise that mail will start to bounce.

Note: the ….. above will be an ID unique to your setup.

START AGAIN!

At this point I had converted all The-College users to cloud users (using the Domain Controller) and removed the hybrid configuration from their tenant. Now time to go back to the start and go through the whole process again for The-Charity (this time using the Exchange server).

I had to once again tame PowerShell (this time on the Exchange server), once again connect PowerShell to Microsoft 365 (this time to The-Charity’s 365 tenant), once again perform a final sync, once again disable AD Sync, once again convert all users to cloud users and then once again remove the hybrid configuration settings from the Microsoft 365 admin centre. Done!

TROUBLES WITH GROUPS

When I did this process with The-College tenant it converted all users to cloud users but it didn’t convert the synced groups. I had to remove the groups using PowerShell and then recreate the groups manually in Microsoft 365. To do this I connected to the tenant again with PowerShell and used the following command to list all the groups with their object IDs (add -All if you have more than the default page of results):

Get-MsolGroup

Then find, highlight and copy the ID for one of the groups to be deleted (it will be a long string of letters and numbers such as 46dbg0f9-b2fc-4e95-a6b7-4d8e8d2909e9) and then remove the group using the following command (replace the <group_ID> with the copied/pasted ID from above). Note the group’s membership before you delete it; Remove-MsolGroup does not prompt and the membership is gone with the group:

Remove-MsolGroup -ObjectId <group_ID>

For example: Remove-MsolGroup -ObjectId 46dbg0f9-b2fc-4e95-a6b7-4d8e8d2909e9

I then had to recreate the groups manually in the Microsoft 365 admin centre and assign all the relevant users again.
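As an added example (not the author’s method; they recreated the groups by hand in the admin centre), the same export-and-recreate job can be scripted so that the membership is captured before the synced groups are deleted and re-applied to new cloud-only groups. It assumes Connect-MsolService has already been run; the CSV path and the “(cloud)” suffix on the new names are assumptions, and the suffix is there so the new group can be created while the synced original still exists and renamed with Set-MsolGroup once the original is removed.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has already run.
$ExportPath = "C:\Temp\synced-groups-membership.csv"   # assumed path

# Groups that came from Azure AD Connect carry a LastDirSyncTime; -All avoids the default result limit.
$syncedGroups = @(Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime })

# 1. Capture every member of every synced group before anything is deleted.
$records = @(foreach ($g in $syncedGroups) {
    foreach ($m in (Get-MsolGroupMember -GroupObjectId $g.ObjectId -All)) {
        [pscustomobject]@{
            GroupName   = $g.DisplayName
            GroupType   = $g.GroupType
            GroupId     = $g.ObjectId
            MemberType  = $m.GroupMemberType   # User or Group
            MemberId    = $m.ObjectId
            MemberEmail = $m.EmailAddress
        }
    }
})
$records | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host ("{0} memberships across {1} synced groups saved to {2}" -f $records.Count, $syncedGroups.Count, $ExportPath)

# 2. Recreate each synced group as a cloud-only group with the same members.
foreach ($g in $syncedGroups) {
    # New-MsolGroup can only create security groups; distribution lists and mail-enabled
    # security groups have to be recreated with New-DistributionGroup in the Exchange Online session.
    if ($g.GroupType -ne "Security") {
        Write-Warning ("Skipping {0} ({1}): recreate it in Exchange Online" -f $g.DisplayName, $g.GroupType)
        continue
    }
    $params = @{ DisplayName = ("{0} (cloud)" -f $g.DisplayName) }   # assumed naming convention
    if ($g.Description) { $params.Description = $g.Description }
    $new = New-MsolGroup @params

    $members = @($records | Where-Object { $_.GroupId -eq $g.ObjectId })
    foreach ($m in $members) {
        Add-MsolGroupMember -GroupObjectId $new.ObjectId `
            -GroupMemberType $m.MemberType -GroupMemberObjectId $m.MemberId
    }
    Write-Host ("Created {0} ({1}) with {2} members" -f $new.DisplayName, $new.ObjectId, $members.Count)
}
```

Once the new groups are in place, the synced originals can be removed with Remove-MsolGroup as above and the new ones renamed with Set-MsolGroup -ObjectId <new_ID> -DisplayName <original name>. Any licence assignments, SharePoint permissions or conditional access policies that referenced the old group’s object ID still need to be re-pointed at the new group, because the object ID changes.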

It’s worth noting that I did not have this issue with The-Charity account. All synced groups became cloud groups as I had wanted. I’m assuming this is something to do with the way I had created the hybrid environments in the first place. For The-Charity I had created the hybrid environment the correct way (using the appropriate wizard/installer) whereas for The-College I had created the hybrid environment manually by adding in the relevant connectors and organisation rules myself.

AND RELAX…

And there we have it! All my hybrid migrated worries have dissipated and all users and groups from the two organisations are now just cloud users with no syncing. I have tested editing information (which I couldn’t do before when they were synced users) and I have also shut down the Exchange server and all seems to be working fine. The next step will be to decommission and uninstall Exchange but for now everything is separate and that part can wait…

I’m sure there are better ways to do this, and if anyone reads this then probably the best takeaway is to not get stuck in the position we got stuck in in the first place. But if by some remote chance there is anyone out there who has found themselves stuck in a situation where they have two organisations sharing one Active Directory and Exchange server, have somehow manually migrated them off into two separate hybrid migrations running on the same Exchange server while simultaneously syncing their respective organisations’ OUs using two instances of AD Sync running on different servers, and are now wishing they had simply migrated using a cutover method instead (and this seems unlikely as I could find NOBODY online who could help), then I hope this post at least offers some options. I’ll keep my fingers crossed for you!
