Change of Source of Authority for users is now in public preview

Patrik Jonsson
October 08, 2025 ~3 min read 518 words
Tags: SOA, User migration

Microsoft has opened a long-awaited door: you can now switch a synced user's Source of Authority (SoA) from AD DS to Microsoft Entra ID without delete/recreate gymnastics. It's designed for "road-to-cloud" programs where you want to retire on-premises user management but keep identities, GUIDs, and access intact. This capability is Public Preview as of October 6, 2025.

Before doing this in production, make sure you have read Microsoft's documentation carefully.

What changed

You can flip a user from on-prem-managed to cloud-managed by setting a new per-user flag through Microsoft Graph: PATCH /beta/users/{id}/onPremisesSyncBehavior with the body { "isCloudManaged": true }.

Entra Connect/Cloud Sync will respect the switch: AD stops being the authority for that object, and the user becomes editable in the cloud as if it had been created there. No hard match/soft match shenanigans.

Why use it?

  • Shrink AD footprint: move user lifecycle to Entra ID and decommission AD-only processes for those users.

  • Unlock governance: use Entra ID Governance features (e.g., access reviews, lifecycle workflows) directly on those identities.

  • Keep hybrid access: with Cloud Kerberos Trust + passwordless (WHfB/FIDO2), users can still reach on-prem resources while being managed in the cloud.

How it works

  • Flip per-user isCloudManaged = true via Graph (beta).

  • Connect/Cloud Sync sets the connector state so changes from AD no longer flow to that user (blockOnPremisesSync on the Entra connector object).

  • Attribute flags reflect the state (e.g., onPremisesSyncEnabled goes null after transfer).

Prerequisites & supported scenarios

  • HR → Entra provisioning in place for the users you'll manage in the cloud (stop HR→AD for those users).

  • No on-prem Exchange for those users (migrate to EXO first; then dismantle hybrid bits like SCP, connectors, etc.).

  • Passwordless auth (Windows Hello for Business or FIDO2) and Cloud Kerberos Trust if users still need on-prem access post-transfer.

  • Minimum agent versions:

    • Entra Connect Sync ≥ 2.5.76.0
    • Cloud Sync Provisioning Agent ≥ 1.1.1370.0

  • Roles & permissions to automate:

    • Hybrid Identity Administrator to read/update SoA,
    • App permission User-OnPremisesSyncBehavior.ReadWrite.All for the Graph call.

Order matters: If you'll also flip group SoA, convert groups first, then users.

Planning checklist

  1. Stop AD as the middleman for the chosen users (halt HR→AD for them; scope HR→Entra for them instead). Wait a full sync cycle.
  2. Flip SoA for each user via Graph.
  3. Verify in the Entra admin center (user is now cloud-editable) and in Audit logs (activity: Change Source of Authority from AD to cloud).
  4. Keep Connect/Cloud Sync running if those identities still reference AD objects (groups/devices/contacts).

Rollback

If you must revert a user to AD-managed:

  • Clean up cloud references first (remove the user from SoA-transferred groups and access packages) to avoid conflicts once AD is authoritative again.

  • Update the user's sync behaviour:
    PATCH /beta/users/{id}/onPremisesSyncBehavior { "isCloudManaged": false }

  • Then let Connect/Cloud Sync run; until that run completes, the object remains editable in the cloud.

  • Audit logs show the activity Undo changes to Source of Authority from AD to cloud.
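The following PowerShell is an added example covering both the planning checklist (flip, then verify in Graph and in the audit log) and the rollback above; it is not code from the post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest against the beta endpoint) and a Connect-MgGraph session whose identity holds the User-OnPremisesSyncBehavior.ReadWrite.All permission the post lists, plus User.Read.All and AuditLog.Read.All for the checks. The function names, the sample UPN and the audit-log filter on activityDisplayName are this example's own assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the post or Microsoft). Assumes an existing Connect-MgGraph session
# with User-OnPremisesSyncBehavior.ReadWrite.All, User.Read.All and AuditLog.Read.All.

$GraphBeta = 'https://graph.microsoft.com/beta'

function Set-UserSourceOfAuthority {
    # Flip SoA for one user. -ToCloud $true is the AD -> Entra transfer; $false is the rollback.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserId,   # object id or UPN
        [bool] $ToCloud = $true
    )
    $uri = "$GraphBeta/users/$UserId/onPremisesSyncBehavior"

    # Read first: skipping a no-op PATCH keeps the audit trail meaningful.
    $before = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    if ($before.isCloudManaged -eq $ToCloud) {
        Write-Verbose "$UserId already has isCloudManaged=$ToCloud; nothing to do."
        return $before
    }
    if ($PSCmdlet.ShouldProcess($UserId, "Set isCloudManaged=$ToCloud")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isCloudManaged = $ToCloud } | Out-Null
    }
    Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
}

function Test-UserSourceOfAuthority {
    # Cross-check the flag against the user object. After a transfer the post says
    # onPremisesSyncEnabled goes null; after a rollback it returns to $true only once
    # Connect/Cloud Sync has completed a cycle, so Consistent stays $false until then.
    param([Parameter(Mandatory)] [string] $UserId)
    $behaviour = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "$GraphBeta/users/$UserId/onPremisesSyncBehavior"
    # Single quotes for the query: a double-quoted "$select" would be expanded as a variable.
    $user = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri ("$GraphBeta/users/$UserId" + '?$select=id,userPrincipalName,onPremisesSyncEnabled')
    [pscustomobject]@{
        UserPrincipalName     = $user.userPrincipalName
        IsCloudManaged        = $behaviour.isCloudManaged
        OnPremisesSyncEnabled = $user.onPremisesSyncEnabled
        Consistent            = ($behaviour.isCloudManaged -and $null -eq $user.onPremisesSyncEnabled) -or
                                (-not $behaviour.isCloudManaged -and $user.onPremisesSyncEnabled -eq $true)
    }
}

function Get-SoaAuditEvents {
    # Pull the audit entries the post names. Filtering on activityDisplayName is an
    # assumption about how they surface in directoryAudits.
    param(
        [ValidateSet('Change Source of Authority from AD to cloud',
                     'Undo changes to Source of Authority from AD to cloud')]
        [string] $Activity = 'Change Source of Authority from AD to cloud',
        [int] $Top = 25
    )
    $filter = [uri]::EscapeDataString("activityDisplayName eq '$Activity'")
    $uri = "$GraphBeta/auditLogs/directoryAudits?" + '$top=' + $Top + '&$filter=' + $filter
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
        Select-Object activityDateTime, result,
            @{ n = 'Target'; e = { $_.targetResources[0].userPrincipalName } },
            @{ n = 'Actor';  e = {
                if ($_.initiatedBy.user) { $_.initiatedBy.user.userPrincipalName }
                else { $_.initiatedBy.app.displayName } } }
}

# Usage (interactive; run after HR->AD has been halted for the user and one full sync cycle has passed).
# 'alice@contoso.example' is a placeholder UPN.
# Connect-MgGraph -Scopes 'User-OnPremisesSyncBehavior.ReadWrite.All','User.Read.All','AuditLog.Read.All'
# Set-UserSourceOfAuthority -UserId 'alice@contoso.example' -WhatIf     # dry run
# Set-UserSourceOfAuthority -UserId 'alice@contoso.example' -Verbose
# Test-UserSourceOfAuthority -UserId 'alice@contoso.example'
# Get-SoaAuditEvents | Format-Table
# Rollback (after removing the user from SoA-transferred groups/access packages):
# Set-UserSourceOfAuthority -UserId 'alice@contoso.example' -ToCloud $false
# Get-SoaAuditEvents -Activity 'Undo changes to Source of Authority from AD to cloud'
```

Run the -WhatIf form first against a pilot user: ShouldProcess lets you see the exact object and flag that would change without issuing the PATCH. Test-UserSourceOfAuthority deliberately reports Consistent = $false in the window between a rollback PATCH and the next completed sync run, which is the state the rollback section warns about.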
