ArnoldMIshaev-9439 asked:

Sync office 365 cloud users to new on-prem domain and configure SSO

Hi everybody,

We're facing the following scenario:

The company has only a 365 tenant, and now they are growing and need their own on-prem domain.
We don't want to create new users on-prem because then they would have different passwords for O365 and on-prem.

We would like to sync all users and groups from O365 to the on-prem domain, and then change the sync direction so that all users sync from on-prem to the O365 tenant via Azure AD Connect.

All this is for SSO purposes.

Is there any written official procedure to get this done peacefully and without downtime?

Thanks

Tags: azure-active-directory, azure-ad-connect, microsoft-365-apps-publishing-dev, azure-ad-single-sign-on

@ArnoldMIshaev-9439

Based on your description, this question is mainly related to AAD Connector configuration. So, I will remove the "office-exchange-server-administration" from this thread.

michev answered:

That's not possible via the native tools; synchronization is always from on-premises AD to Azure AD. Instead, you can export the set of users/groups via PowerShell and import them into AD. And yes, the passwords will not match, but there is no way for you to "read" password values in O365.


Thanks for your answer @michev

I'm planning to do the project this way:

1) Export all 365 users to CSV with all attributes
2) Import all users into the new domain with the following command:

    # $_ is the current CSV row; the parameter name is -StreetAddress
    Import-Csv "C:\O365users.csv" | ForEach-Object {
        $Domain = "@Company.com"
        $UPN = $_.Identity + $Domain
        New-ADUser -SamAccountName $_.Identity -UserPrincipalName $UPN `
            -Name $_.Name -DisplayName $_.DisplayName `
            -GivenName $_.FirstName -Initials $_.initials -Surname $_.LastName `
            -Department $_.Department -Company $_.Company -Fax $_.Fax `
            -City $_.City -State $_.StateOrProvince -PostalCode $_.PostalCode `
            -Title $_.Title -EmailAddress $_.WindowsEmailAddress `
            -Office $_.Office -OfficePhone $_.Phone -MobilePhone $_.MobilePhone `
            -StreetAddress $_.StreetAddress `
            -Path "OU=365-Users,DC=Company,DC=local" `
            -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) `
            -Enabled $True -PasswordNeverExpires $True -PassThru
    }

3) After that we plan to manually reset all users' passwords to their identical passwords in 365
4) Install AAD Connect on-prem with express settings
5) Configure filtering as needed
6) Run the initial sync

Because the SMTP, email and user name attributes will be identical, there is supposed to be a match between the on-prem synced users and the in-cloud users, and then it's supposed to match (or destroy) the 365 users and each user will be linked to his mailbox, right?

Do you think it would work?

I'd be glad to hear any professional opinion :)
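The bulk-import step above, written out as an added example that is not part of the original thread: it reads the exported CSV, creates each account in the target OU with its own random initial password (rather than one shared value), forces a change at first logon, and records the initial passwords in a file for distribution. The CSV column names (UserPrincipalName, DisplayName, GivenName, Surname, Mail), the file paths, the domain and the OU are assumptions.

```powershell
# Added example (not from the thread): bulk-create on-prem AD users from an
# exported Microsoft 365 CSV with a unique, randomly generated password per account.
# Assumed inputs: CSV columns UserPrincipalName, DisplayName, GivenName, Surname, Mail;
# target OU, domain suffix and file paths below.
Import-Module ActiveDirectory

$Csv    = 'C:\O365users.csv'                 # assumed export path
$Ou     = 'OU=365-Users,DC=Company,DC=local' # assumed target OU
$Domain = 'Company.com'                      # assumed on-prem UPN suffix
$Out    = 'C:\initial-passwords.csv'         # restrict ACL on this file; delete after rollout

function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$results = foreach ($u in Import-Csv $Csv) {
    $sam = ($u.UserPrincipalName -split '@')[0]
    $upn = "$sam@$Domain"

    # Idempotent: skip accounts that already exist so a re-run does not fail midway.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") {
        Write-Warning "$upn already exists, skipping"
        continue
    }

    $pw = New-RandomPassword
    $params = @{
        SamAccountName        = $sam
        UserPrincipalName     = $upn
        Name                  = $u.DisplayName
        DisplayName           = $u.DisplayName
        Path                  = $Ou
        AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true   # user replaces the initial value at first logon
    }
    # Only pass optional attributes that are actually populated in the export.
    $optional = @{ GivenName = $u.GivenName; Surname = $u.Surname; EmailAddress = $u.Mail }
    foreach ($k in $optional.Keys) {
        if (-not [string]::IsNullOrWhiteSpace($optional[$k])) { $params[$k] = $optional[$k] }
    }

    New-ADUser @params
    [pscustomobject]@{ UserPrincipalName = $upn; InitialPassword = $pw }
}

$results | Export-Csv -Path $Out -NoTypeInformation
Write-Host "Created $($results.Count) accounts; initial passwords written to $Out"
```

With Password Hash Sync enabled later, the password each user sets at first logon is what ends up in the tenant, so the shared-placeholder step and the manual reset step both disappear.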

It should work, more or less.

Keep in mind that if those users were previously synchronized from AD, the soft-match process will not trigger (it requires the ImmutableID to be null). If they were created directly in the cloud, the match should indeed happen automatically, due to the matching attributes. If they were synced, either clear the ImmutableID or use the hard-match method instead.
The other point is passwords: you cannot get a user's password. So you have to reset the value in O365 if you want to ensure a matching one. Obviously, you have to inform the users accordingly and distribute the new password.
And you probably shouldn't provision all accounts with the same password; someone might get opportunistic :)
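The hard-match method mentioned above, as an added example that is not part of the original thread: for each new on-prem account it computes the value Azure AD Connect will present as the source anchor (base64 of the objectGUID; the default ms-DS-ConsistencyGuid anchor is seeded from objectGUID on first sync) and writes it to the cloud user's OnPremisesImmutableId when that is still null, leaving alone anything that was already set by an earlier sync. It assumes the Microsoft.Graph PowerShell module, identical UPNs on-prem and in the cloud, and the OU below.

```powershell
# Added example (not from the thread): hard-match on-prem AD accounts to existing
# Microsoft 365 users by setting OnPremisesImmutableId = base64(objectGUID).
# Assumes Microsoft.Graph PowerShell, identical on-prem and cloud UPNs, and the OU below.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$Ou     = 'OU=365-Users,DC=Company,DC=local'   # assumed OU holding the imported users
$DryRun = $true                                # set to $false to apply changes

function ConvertTo-ImmutableId {
    # Azure AD Connect's default anchor, ms-DS-ConsistencyGuid, is seeded from
    # objectGUID on first sync, so base64(objectGUID) is the value to expect.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse mapping, useful to see which on-prem object a stale value points at.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'

foreach ($adUser in Get-ADUser -Filter * -SearchBase $Ou -Properties ObjectGUID, UserPrincipalName) {
    $expected = ConvertTo-ImmutableId $adUser.ObjectGUID
    $cloud = Get-MgUser -UserId $adUser.UserPrincipalName `
                        -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled `
                        -ErrorAction SilentlyContinue

    if (-not $cloud) {
        Write-Warning "$($adUser.UserPrincipalName): no cloud user with this UPN; the sync would create a new one"
        continue
    }
    if ($cloud.OnPremisesImmutableId -eq $expected) {
        Write-Host "$($cloud.UserPrincipalName): already hard-matched"
        continue
    }
    if ($cloud.OnPremisesImmutableId) {
        # Non-null and different: previously synced from another AD. Soft match will not
        # trigger here, and overwriting blindly can re-link the wrong object, so stop.
        $old = ConvertFrom-ImmutableId $cloud.OnPremisesImmutableId
        Write-Warning "$($cloud.UserPrincipalName): ImmutableId already set (source GUID $old); review before changing"
        continue
    }
    if ($DryRun) {
        Write-Host "[dry run] would set ImmutableId $expected on $($cloud.UserPrincipalName)"
    } else {
        Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expected
        Write-Host "$($cloud.UserPrincipalName): ImmutableId set to $expected"
    }
}
```

Run it once in dry-run mode and compare the warnings against the export before flipping $DryRun; an account that reports an existing, different ImmutableId is exactly the previously-synced case where the cloud value has to be cleared or corrected deliberately rather than matched by attributes.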

Thanks @michev

About the password point: after I create all users with the same password, I'll ask them to reset their password in local AD to the same password as in 365.

In this way the passwords will match and there is no need to reset them after all the tasks, right?

Could you see any downtime here?

michev replied:

You can simply enable Password Hash Sync, so the changed password is automatically synced to O365. Still, make sure each user gets a unique password, otherwise you might have to explain how someone got access to the CEO email :)

ArnoldMIshaev-9439 answered:

For sure :)
Security is always on top.

THX
