Office 365 – Linking Cloud Only Accounts to Sync’d AD Accounts

Recently I have been working with a customer who wanted to move key business services over to Office 365, so Exchange Online, SharePoint and OneDrive. The company had already created a tenant and was using it for Power BI. They had a number of user accounts created (Cloud only) that matched the company email address.  – This made the migration process a little more interesting as we had to match up the Active directory user accounts with the Azure AD account that were already being used within Office 365 so the user only had one username and the password that matched that of the one they use to log onto there local domain.

In order to make this work, we have to match up the users GuiD from Active Directory to the Immutable ID of that for the users created on Office 365 / Azure AD. – The following steps will explain how this is done.

Install Microsoft Online Services Signin Assistant and Azure AD powershell module, I recommend that you do this on a domain controller for making things simple (Link )

On the Domain Controller open a powershell window and run the command

Import-Module ActiveDirectory

Then run the command

Get-ADUser -Identity "Enter Local AD logon ID in these quotes"

Once you run the above command you should be able to see an output like this:-​​

Now copy the objectGUID from the output and open the website and paste the same on the textbox as shown in the image and click on convert, you shoud be getting the B64 value and copy the same. Make sure that there are no spaces when you paste the value in the text box. (Although, there are other ways to get the Base64 value from a GUID I recommend this approach as it is simple, you can get the same results from LDIFDE and Powershell)


Now run the command

 Import-Module MSOnline

Then run the command


you will see a prompt to enter credentials, enter the office 365 global admin credentials here.

Now before we proceed further make sure you get rid of the duplicate account from Office 365/Azure AD. (The one that has been Syncronised from AD) Make sure you remove it from the Deleted Users as well.


To remove the user from the deleted users container run the command:


 Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin -Force


This command would permanently remove the user, so make sure you remove the right account.


Once you remove the account run the command:

 Set-MsolUser -UserPrincipalName -ImmutableId QX00ApTUDEiiEm5kX0WP2w==

Here you need to enter the UPN /Signin address of office 365/azure AD against which you wish to perform a hard match and after the -immutableID flag enter the B64 value that you copied from

Once this is done run a delta sync and you will see the once Cloud Only account will now be Synced with that of the user in AD.