Here is the situation:
We use Azure AD Connect for our hybrid environment. We have a need to get rid of a lot of users on our on-prem AD environment but retain their users in the cloud. These are remote users that rarely touch our domain controller and we'd like them to be able to manage their own passwords. Before anyone suggests it, we don't want to implement password writeback with Azure AD Premium.
I've been trying to accomplish this using some instructions that somebody scraped together in 2016 and they look like this:
1. Delete the user in AD (or move them to an OU that doesn't sync to Azure AD)
2. Refresh the schema in Azure AD Connect
3. Force a delta sync
4. Restore the user from the deleted users category in the 365 Admin Center
5. Force another delta sync
The problem is that on the step 5 delta sync, we get the error "exported-change-not-reimported" on the delta import step of the cloud connector and the user gets deleted again.
Does anyone know how to do what I'm trying to accomplish? I can't seem to find a way to do it and google searching only turns up the process I just described (which doesn't work).
You will have to disable synchronization in your tenant and then move the on-premises users out of scope before re-enabling sync. Otherwise, if you move them out of scope with sync enabled, they'll be treated as a delete (which is what you're experiencing).
If your domain is federated, you may experience problems because the tenant settings will refer the users back to on-premises for authentication. In this case, password hash sync is probably the best solution for your tenant, or move your "unsynced" users to a different, unfederated domain in your tenant.

If you follow the link to "how to sync enabled on AD users only", that will effectively de-scope the users and you'll end up with deleted users again. Plus, any time you disable an on-premises account, they'll get deleted in the cloud (since they'll be descoped).
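The procedure in the answer above, written out as a script (an added example, not code from the thread or from Microsoft). It assumes it runs on the Azure AD Connect server with the MSOnline, ActiveDirectory and ADSync modules installed; the OU distinguished name and the UPN list are placeholders, and the OU is assumed to already be excluded from the connector's OU filtering.

```powershell
# Added example: disable tenant sync, move the users out of scope, re-enable sync.
# Placeholders (not from the thread): $unsyncedOU and $upns.
Import-Module MSOnline
Import-Module ActiveDirectory
Import-Module ADSync

$unsyncedOU = 'OU=NoSync,DC=example,DC=com'                     # placeholder: OU excluded from sync scope
$upns       = @('remote1@example.com', 'remote2@example.com')   # placeholder: users to make cloud-only

Connect-MsolService

# Stop the local scheduler first so no export runs while the objects are being moved.
Set-ADSyncScheduler -SyncCycleEnabled $false

# Turn off directory synchronization in the tenant. While sync is enabled, moving a user
# out of scope is exported as a delete, which is what the question describes.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# The tenant reports the change asynchronously; do not touch AD until it reads False.
do {
    Start-Sleep -Seconds 60
    $syncEnabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    Write-Host "DirectorySynchronizationEnabled = $syncEnabled"
} while ($syncEnabled)

# Now move each on-prem user into the OU that the connector does not sync.
foreach ($upn in $upns) {
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction Stop
    if ($null -eq $adUser) {
        Write-Warning "No on-prem account for $upn; skipping"
        continue
    }
    Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $unsyncedOU
    Write-Host "Moved $upn to $unsyncedOU"
}

# Re-enable tenant sync only after every target user is out of scope.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
Set-ADSyncScheduler -SyncCycleEnabled $true

# After a scope change, run a full (Initial) cycle so the connector re-evaluates
# membership rather than relying on a delta.
Start-ADSyncSyncCycle -PolicyType Initial
```

Microsoft's documentation notes that the tenant-side conversion to cloud-only can take a long time (up to 72 hours) to complete, so the wait loop may run for a while; check that no pending export still lists the moved users before the final sync cycle.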