Some time ago I got the question if it was possible to start using AAD Connect while some of the users are already in Office 365 with a cloud account without losing their content and access. So this was a first that I had this question and found myself searching on the internet and found an article from Microsoft that this was possible. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-tenant
This article describes that you can start syncing an on-premises AD with Azure AD when you already have users in Azure AD. AAD Connect then tries to connect the on-premises user to the cloud user. There are two types of matching Microsoft does, Hard match and Soft match. A hard match is done on the “SourceAnchor/ImmutableId” in Azure AD, and a soft match is on the combination “UserPrincipalName” and “Proxyaddresses”, and then only the primary email address is used.
Since my customer used the onmicrosoft domain to create the accounts, my first thought was to update the Proxyaddressess and UserPrincipalName fields in Azure AD, but this gave me several errors. One of those errors was that the domain was a federated domain. So, I had to come up with another solution.
Adding the ImmutableId
Since the update of the UserPrincipalName did not work and the soft match was no option anymore, I had to make sure that AAD Connect does a hard match on these accounts. So after some digging, I found that the ImmutableId is a Base64 string of the AD property “ObjectGUID”. I did some double checks on accounts that were already in the sync and checked their ImmutableId and ObjectGUID converted to a Base64 string, and they matched.
The only thing now to do is calculate the ImmutableId and set this with the cloud user.
Calculating the ImmutableId
This script below will create the ImmutableId for the user provided
Updating the cloud user
Now that we have the immutable Id for the on-premises user we can update the cloud user. The script below will do that and uses the AzureAD module.
You can start using Office 365 before you are ready to synchronize your whole company to Azure AD. This gives you the ability to dip your toes into the cloud with some users before setting up the infrastructure needed to get all your users synchronized. Another scenario is when you have noticed that your users created an office 365 environment and started experimenting and sharing data and you need to formalize this environment without losing the data in this tenant.
In the need for help on this part check out my consultancy options