on-premises AD account merge with azure ad account

Question

Hi guys, need to get my head around this.
Lets say we have a company that today is only using cloud ids (Azure AD and an exchange online mailbox) and would like to set up an in-premises environment (domain controllers and Azure AD connect, Exchange server).

Is it possible to create new local accounts and have azure ad connect merge them with the azure AD account?
Is it as easy as matching the:

• userPrincipalName (adding correct domain suffix to local AD)
• proxyAddresses (verify that the emailaddresses are the same)
• sourceAnchor/immutableID (specified in the Azure AD Connect setup)

If the on-premises ad accounts have these correct attributes matching the azure AD accounts we are all good and Azure AD connect will find a match and everything is good?

Resetting a local AD password will be executed on the azure ad account (if we use password sync and it has performed a sync)

If we also configure an exchange hybrid lets say if we have an account that needs to be on-prem that will not be an issue?

Answer 1

It's simple,
just match the UPN and Proxy-Address

If your cloud only user has this setting: Marco.Schiavon@yourdomain.com as login account and you have additional email addresses like m.schiavon@yourdomain.com

Now you need to create the user on prem and match them trought the UPN .
When the sync occur the "identity source" will from cloud to on prem.

To do this, create an AD user that match the login/primary address of the cloud with your UPN.
In my example you will need an AD account like this:

UPN: Marco.Schiavon@yourdomain.com
Into AD Attribute Editor add the proxy address like this:
SMTP:Marco.Schiavon@yourdomain.com <<= SMTP UPPERCASE= Primary address
smtp:m.schiavon@yourdomain.com <<= SMTP lowercsase= aliases address

Marco.