This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 54%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi everybody,
We're facing with next scenario:
Company have only 365 tenant and know they growing and need their own on-prem Domain.
we don't want to create new users on-prem cause then they would have different password for O365 and on-prem.
We would like to sync all users & groups from O365 to on-prem domain, and then change the sync way which all users will sync from on-prem to O365 tenant via AdSync
all this for SSO purpose.
is there any written official procedure to get it done peacefully and without downtime?
Thanks
Based on your description, this question is mainly related to AAD Connector configuration. So, I will remove the "office-exchange-server-administration" from this thread.
That's not possible via the native tools, synchronization is always from on-premises AD to Azure AD. Instead, you can export the set of users/groups via PowerShell and import them in AD. And yes, passwords will not match, but there is no way for you to "read" password values in O365.
thank for your answer @Vasil Michev
I'm planning to doing project in this way:
1) Export all 365 users to csv with all attributes
2) Import all users to new domain by next command:
Import-Csv "C:\O365users.csv" | ForEach-Object{ $Domain = "@mathieu.company .com"; $UPN = $.Identity+$Domain; New-ADUser -SamAccountName $.Identity -UserPrincipalName $UPN -Name $.Name -DisplayName $.DisplayName -GivenName $.FirstName -Initials $.initials -Surname $.LastName -Department $.Department -Company $.Company -Fax $.Fax -City $.City -State $.StateOrProvince -PostalCode $.PostalCode -Title $.Title -EmailAddress $.WindowsEmailAddress -Office $.Office -OfficePhone $.Phone -MobilePhone $.MobilePhone -StreeAddress $_.StreetAddress -Path "OU=365-Users,DC=Company,DC=local" -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) -Enabled $True -PasswordNeverExpires $True -PassThru }
3) after that we plan to manually reset all users password to their identically password in 365
4) installing AAD connect on-prem with express settings
5) Configuring filtering as needed
6) and running initial sync
cause smtp ,email and user names attributes will be identity there suppose to be match between on-prem synced users to in cloud users and then it's suppose to match or destroy to 365 users and each user will link to his mailbox right?
Do you think it would work?
I'll be glad to hear any profession opinion :)
It should work, more or less.
Keep in mind that if those users were previously synchronized from AD, the soft-match process will not trigger (it requires the ImmutableID to be null). If they were created directly in the cloud, the match should indeed happen automatically, due to the matching attributes. If they were synced, either clear the ImmutableID, or use the hard-match method instead.
The other point is passwords - you cannot get a user's password. So you have to reset the value in O365, if you want to ensure a matching one. Obviously, you have to inform the users accordingly and distribute the new password.
And you probably shouldn't provision all accounts with the same password, someone might get opportunistic :)
Thanks @Vasil Michev
about the password point - after i'll create all users with the same password i'll ask them to reset their password in local AD to the same password in 365
in this way the passwords will match and there is no need to reset them after all the tasks right?
could you see any downtime here?
You can simply enable Password Hash Sync, so the changed password is automatically synced to O365. Still, make sure each user gets a unique password, otherwise you might have to explain how someone got access to the CEO email :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 31%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Instead of resetting all passwords in local AD, can I use the Password write-back option in AAD connect if it's available?
for sure :)
security is on top always
THX