Umer Qureshi

Reputation: 1766

On-Premises User Profile Update Using Microsoft Graph API

We have a screen in our application that is used to update Azure AD users through the Graph API. If users are created using the Azure Portal or the Graph API, I'm able to update the user profile using this screen.

But if the user is created/synced using AD Connect (e.g. in the case of O365 users), then while updating these users Microsoft Graph returns the following error:

Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration

I have the following queries:

  1. Is it possible to update a user through the Graph API that was created on-premises and synced to Azure AD?
  2. Is there any setting on the Azure portal or in AD Connect that allows such a user to be updated through the Graph API?
  3. Also, how do I tell the difference between a user created on-premises and one created in Azure AD through the Microsoft Graph API? Is there any attribute in the Microsoft.Graph.User class?

Upvotes: 0

Views: 3516

Answers (1)

Stephan

Reputation: 2590

To answer your questions:

  1. No, this isn't possible because of the way they are synced. If Microsoft allowed changes on both sides, it would have to implement some kind of duplicate change resolution system. So they just blocked changing properties, except for some cloud-only properties like licenses.
  2. No, there isn't, because of the above reason.
  3. Yes, there is, but it's kinda hacky.

To see if a Graph user was created through the sync, you should request the User.Read.All scope for your application and then make a request to the Get user endpoint with the select-all-properties query string ?$select=*.

The synced users should have the OnPremisesSamAccountName property, among others that don't appear on a non-synced user.

Once you have found out that the user is an on-premises user, your application could do an update straight to your AD with the System.DirectoryServices.AccountManagement API.

Upvotes: 1
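The check the answer describes (read the user with $select and look at the onPremises* properties), followed by the routing decision the question implies (send cloud-writable changes to Graph, everything else to the on-premises directory), as an added example that is not code from the question, the answer, or Microsoft. The Graph v1.0 users endpoint, the $select option and the onPremises* property names are real; the sample user objects, the CLOUD_WRITABLE set (the answer names only licenses as cloud-only; usageLocation is an assumption used for illustration) and the simulated PATCH that reproduces the quoted error are constructed for this example.

```python
"""Distinguish on-premises mastered (AD Connect-synced) Graph users from
cloud-only users and route profile updates accordingly.

Added example; not code from the original question or answer. Real parts:
the Graph v1.0 users endpoint, the $select query option, and the
onPremises* property names. Assumed: that usageLocation is writable on a
synced user (the answer names only licenses), the sample user objects, and
the simulated PATCH that mimics the error quoted in the question.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Real Graph user properties that are only populated for synced users.
ON_PREM_MARKERS = (
    "onPremisesSamAccountName",
    "onPremisesImmutableId",
    "onPremisesDistinguishedName",
    "onPremisesLastSyncDateTime",
)

# Assumption: properties still writable through Graph on a synced user.
CLOUD_WRITABLE = frozenset({"usageLocation"})

# Error text quoted in the question, returned by the simulated Graph below.
SYNC_ERROR = ("Unable to update the specified properties for on-premises "
              "mastered Directory Sync objects or objects currently undergoing migration")

# Constructed sample objects shaped like GET /users/{id}?$select=... responses.
SAMPLE_SYNCED_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "alice@contoso.example",
    "onPremisesSyncEnabled": True,
    "onPremisesSamAccountName": "alice",
    "onPremisesImmutableId": "EXAMPLE-IMMUTABLE-ID",
}
SAMPLE_CLOUD_USER = {
    "id": "00000000-0000-0000-0000-000000000002",
    "userPrincipalName": "bob@contoso.example",
    "onPremisesSyncEnabled": None,
    "onPremisesSamAccountName": None,
    "onPremisesImmutableId": None,
}


def build_user_query(user_id: str, properties: list[str]) -> str:
    """URL for GET /users/{id} selecting the given properties ("*" for all, as in the answer)."""
    query = urlencode({"$select": ",".join(properties)}, safe="$,*")
    return f"{GRAPH_BASE}/users/{user_id}?{query}"


def is_on_premises_mastered(user: dict[str, Any]) -> bool:
    """True when the directory object is mastered on-premises.

    onPremisesSyncEnabled is the explicit flag; the other onPremises* values
    are a fallback for callers that selected only some of them.
    """
    if user.get("onPremisesSyncEnabled") is True:
        return True
    return any(user.get(name) not in (None, "") for name in ON_PREM_MARKERS)


@dataclass
class UpdatePlan:
    target: str                      # "graph", "on-premises" or "split"
    graph_patch: dict[str, Any]      # body for PATCH /users/{id}
    on_prem_changes: dict[str, Any]  # attributes to write in AD (e.g. via System.DirectoryServices)


def plan_update(user: dict[str, Any], changes: dict[str, Any]) -> UpdatePlan:
    """Decide where each changed property must be written before calling Graph."""
    if not is_on_premises_mastered(user):
        return UpdatePlan("graph", dict(changes), {})
    graph_patch = {k: v for k, v in changes.items() if k in CLOUD_WRITABLE}
    on_prem = {k: v for k, v in changes.items() if k not in CLOUD_WRITABLE}
    if graph_patch and on_prem:
        target = "split"
    elif on_prem:
        target = "on-premises"
    else:
        target = "graph"
    return UpdatePlan(target, graph_patch, on_prem)


def simulated_graph_patch(user: dict[str, Any], body: dict[str, Any]) -> tuple[int, str]:
    """Offline stand-in for PATCH /users/{id}: reproduces the failure mode from the question."""
    if is_on_premises_mastered(user) and any(k not in CLOUD_WRITABLE for k in body):
        return 400, SYNC_ERROR
    return 204, ""


if __name__ == "__main__":
    print(build_user_query(SAMPLE_SYNCED_USER["id"], ["*"]))
    changes = {"jobTitle": "Engineer", "usageLocation": "US"}
    print("blind PATCH:", simulated_graph_patch(SAMPLE_SYNCED_USER, changes))
    plan = plan_update(SAMPLE_SYNCED_USER, changes)
    print("planned:", plan)
    print("PATCH of planned part:", simulated_graph_patch(SAMPLE_SYNCED_USER, plan.graph_patch))
```

Run stand-alone, the script first shows the blind PATCH of both properties failing with the quoted error, then the plan that sends only usageLocation to Graph and leaves jobTitle for the on-premises write. Selecting the onPremises* properties explicitly, rather than $select=*, keeps the response small once you know which ones you need.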
