MurphTech's First KB Article
Bringing Home Azure Users onto Local Active Directory
Achieve this by following the information below.
Quick Notes to Start:
A user that already exists in Azure AD can be matched to an account on the on-premises AD server. The user's domain name (UPN suffix) must first be added to the on-premises Active Directory.
Once the domain is added and allowed, create the Azure AD user in the local on-premises Active Directory before running a sync. The account details must be correct the first time, at creation.
The created user must have the same login domain (UPN suffix) as the Azure AD user. If this is set wrong at creation, the match will not work. You can set any password for the user; they will need to give you a password, or set one with you, after the process is complete.
Once the user is created, open the Attribute Editor and find the “proxyAddresses” attribute. In “proxyAddresses” you must add the user’s primary email address as well as an alternate. The primary address is entered with an upper-case prefix, SMTP:firstname.lastname@example.org. The secondary address is entered with a lower-case prefix; in most cases it is the onmicrosoft domain address, for example smtp:email@example.com.
Once this user has been created in the on-premises domain you can run a delta sync via PowerShell:
Start-ADSyncSyncCycle -PolicyType Delta
Users synced through this method should have regular access to a domain-joined PC for password maintenance. If they do not, they will have password issues, because by default passwords are not written back to the on-premises domain controllers.
To enable on-premises password writeback, the user must be licensed with Azure AD Premium P1 or P2. This is an extra license that is enabled on those specific users.
Resolution: Match the user on the AD and on the cloud
1. Make sure that AAD Connect is updated.
1.1 Go to the AAD Connect Version history and download the latest version (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history)
1.2 Run the downloaded version to proceed with the upgrade.
2. Upgrade the existing Windows PowerShell
2.1 Go to https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell?view=powershell-6 to get the latest version
3. Perform OU filtering – uncheck every OU that does not need to be synced with Office 365
4. Move the duplicate users to the non-synced OU. This will place those users in Deleted users in Office 365.
5. Sync the changes using PowerShell.
5.1 Run PowerShell as admin
5.2 Run Start-ADSyncSyncCycle -PolicyType Initial
*If the users appear in Deleted users, you can proceed with deleting the accounts in Office 365.
6. Make sure PowerShell has the AAD module so that objects can be managed through PowerShell. If the commands below have already been performed, proceed to step 7.
6.1 Install Microsoft Online Services Sign-in Assistant (https://go.microsoft.com/fwlink/p/?LinkId=286152)
6.2 Run PowerShell as admin
6.3 Run the Install-Module MSOnline command.
If prompted to install the NuGet provider, type Y and press ENTER.
If prompted to install the module from PSGallery, type Y and press ENTER.
7. Hard delete the users using PowerShell
7.1 Connect to Office 365
7.1.1 Run Connect-MsolService
7.1.2 Enter Global Admin credentials
7.2 View the deleted users: run Get-MsolUser -ReturnDeletedUsers
7.3 Remove the users from Deleted users: run Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force. Note that this hard-deletes every user currently in the recycle bin, not only the duplicates moved in step 4, so review the list from step 7.2 first.
7.4 Refresh the Office 365 Deleted users page and check that the change is reflected.
*Once deleted, perform the steps below to match the on-premises Object ID to the one in the cloud
8. Match Object ID – AD and Office 365
8.1 Open a command prompt on the AD server, run as admin.
8.2 Run ldifde -f export.txt -r "(Userprincipalname=*)" -l "objectGuid, userPrincipalName" . This command writes an output file export.txt containing the user principal name and the objectGUID (the Immutable ID) of every object that has a UPN.
The output contains an entry like this for each object (the objectGUID is exported base64-encoded, which is the form the ImmutableId expects):
dn: CN=2013,OU=DirSynced OU,DC=one,DC=domain,DC=com
changetype: add
objectGUID:: <base64 objectGUID, use as the ImmutableId>
userPrincipalName: User@domain.com
8.3 In PowerShell, run Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId AbcDefGhiJk=== (the ImmutableId is the base64 objectGUID value from the export)
*User@domain.com must be the email address IN THE CLOUD
8.4 Repeat 8.3 for every user that needs to be matched
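As an added example (not part of the original article), the following PowerShell script reads the export.txt produced in step 8.2 and performs step 8.3 for every record, so step 8.4 does not have to be done by hand. It assumes Connect-MsolService (step 7.1) has already been run, that the UPN in the export is the cloud UPN, and that export.txt is in the current folder; the -Apply switch is a hypothetical name chosen here.

```powershell
# Added example, not the article's own code. Without -Apply it only reports
# what it would change; with -Apply it runs Set-MsolUser for each record.
param(
    [string]$ExportFile = ".\export.txt",
    [switch]$Apply
)

# ldifde writes one record per object, separated by a blank line. Base64
# values (objectGUID) use a double colon, plain strings a single colon.
$records = (Get-Content $ExportFile -Raw) -split "(?:\r?\n){2,}"
$pairs = foreach ($rec in $records) {
    $upn  = [regex]::Match($rec, '(?m)^userPrincipalName: (.+)$').Groups[1].Value.Trim()
    $guid = [regex]::Match($rec, '(?m)^objectGUID:: (.+)$').Groups[1].Value.Trim()
    if (-not $upn -or -not $guid) { continue }

    # Sanity check: the ImmutableId is the base64 of the 16-byte objectGUID.
    # Anything else is a copy/paste or encoding error, so skip it.
    $bytes = [Convert]::FromBase64String($guid)
    if ($bytes.Length -ne 16) { Write-Warning "Skipping $($upn): bad objectGUID"; continue }

    [pscustomobject]@{ UserPrincipalName = $upn; ImmutableId = $guid }
}

foreach ($p in $pairs) {
    # Only match users that exist in the cloud under the same UPN (step 8.3
    # requires the cloud address), and skip users already matched.
    $cloud = Get-MsolUser -UserPrincipalName $p.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) { Write-Warning "No cloud user for $($p.UserPrincipalName)"; continue }
    if ($cloud.ImmutableId -eq $p.ImmutableId) {
        Write-Host "Already matched: $($p.UserPrincipalName)"
        continue
    }

    if ($Apply) {
        Set-MsolUser -UserPrincipalName $p.UserPrincipalName -ImmutableId $p.ImmutableId
        Write-Host "Set ImmutableId for $($p.UserPrincipalName)"
    } else {
        Write-Host "Would set $($p.UserPrincipalName) -> $($p.ImmutableId)"
    }
}
```

Run it once without -Apply and compare the reported UPNs against the cloud users from step 7.2 before running it again with -Apply.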
9. Move the users to the syncing OU.
10. Run Start-ADSyncSyncCycle -PolicyType Delta to sync the objects.
You will see the number of updates in the Synchronization Service Manager after a successful sync. Check the Office 365 admin center and you will see that the users’ status is now Synced with Active Directory.