Azure Sync - existing Azure Accounts and Local AD accounts

DW-Admin 1 Reputation point
2023-01-04T22:33:17.53+00:00

Hello and thanks in advance for any assistance.

So, I started at a company that had an existing on-prem AD environment and Azure (M365). The two were never synced and the previous IT users would just create separate accounts in each environment.

I'm looking for assistance in how to correctly proceed with Azure AD Sync.

The company has had many "smart end users" managing their AD over the past few years so the OUs and accounts are all over the place. Doing a lot of cleaning up.

In preparation for the sync I have added the domain.com suffix, imported aliases from M365 to local, and updated all the UPN to match the users email accounts.

  • Suggestions for additional preparation steps
  • What is the best way to link the user's on-prem account with their Azure account?
  • What issues/concerns should I be aware of before starting the sync?

I'm wanting this to be a smooth process with not a lot of clean up afterwards.

Thanks again for any advice!


1 answer

  1. Akshay-MSFT 17,901 Reputation points Microsoft Employee
    2023-01-05T06:14:01.86+00:00

    Hi @DW-Admin ,

    Thank you for posting your query on Microsoft Q&A. Please find below the answers to your queries, inline:

    • Suggestions for additional preparation steps: Kindly follow Prerequisites for Azure AD Connect and Admin role considerations for validating both on-prem and Azure.
    • What is the best way to link the user's on-prem account with their Azure account? Here are the things to take care of to sync with existing users in Azure AD.
    • What issues/concerns should I be aware of before starting the sync?
      1. Since all attributes in Azure AD are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you have only managed email addresses in Microsoft 365 and not kept them updated in on-premises AD DS, then you lose any values in Azure AD/Microsoft 365 not present in AD DS.
      2. If you use password sync, which is always used by express settings, then the password in Azure AD is overwritten with the password in on-premises AD. If your users are used to managing different passwords, then you need to inform them that they should use the on-premises password once you have installed Connect.
      3. For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard-match is not applicable since you can only update the sourceAnchor/immutableID (using PowerShell) on Users only. For groups that aren't mail-enabled, there is currently no support for soft-match or hard-match.

    Please do let me know if you have any further queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

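The pre-sync checks described in the question (UPN suffix matching the verified domain, aliases imported on-prem) and the matching concerns raised in the answer (on-prem values overwrite cloud values; users can be soft-matched on UPN/proxyAddresses or hard-matched by setting the sourceAnchor/ImmutableID) can be reconciled in one report before Azure AD Connect is installed. The script below is an added example, not code from the question, the answer or Microsoft. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module are installed, that the run-as account can read AD DS and holds the User.ReadWrite.All Graph scope, that `domain.com` is the verified tenant domain named in the question, and that Connect will use its default sourceAnchor (objectGUID, or ms-DS-ConsistencyGuid seeded from it). By default it only reports; `-WriteImmutableId` is an added switch that performs the hard match for cloud-only users whose UPN and primary SMTP already agree with on-prem.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users
# Added example (not from the original post): reconcile on-prem AD DS users with
# existing Entra ID (Azure AD) users before the first Azure AD Connect sync.
param(
    [string]$VerifiedDomain = 'domain.com',   # assumption: the routable UPN suffix
    [switch]$WriteImmutableId                 # off by default: report only
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Connect's default sourceAnchor is the on-prem objectGUID; in the cloud it is
# stored base64-encoded as onPremisesImmutableId (the "ImmutableID").
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Primary SMTP address from a proxyAddresses list ("SMTP:" is case-sensitive).
function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    ($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
        Select-Object -First 1) -replace '^SMTP:', ''
}

# 1. Enabled on-prem users with the attributes Connect will push to the cloud.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties UserPrincipalName, proxyAddresses, mail, ObjectGUID

# 2. Cloud users; cloud-only accounts have no OnPremisesImmutableId yet.
$cloudUsers = Get-MgUser -All -Property Id, UserPrincipalName, ProxyAddresses, OnPremisesImmutableId
$cloudByUpn = @{}
foreach ($u in $cloudUsers) { $cloudByUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }

$suffix = '@' + $VerifiedDomain
$report = foreach ($ad in $adUsers) {
    $upn    = $ad.UserPrincipalName
    $cloud  = $null
    $status = 'NoCloudMatch'

    # A non-routable suffix (e.g. corp.local) would sync as user@tenant.onmicrosoft.com.
    if (-not $upn -or -not $upn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
        $status = 'UpnSuffixNotRoutable'
    }
    elseif ($cloudByUpn.ContainsKey($upn.ToLowerInvariant())) {
        $cloud = $cloudByUpn[$upn.ToLowerInvariant()]
        if ($cloud.OnPremisesImmutableId) {
            $status = 'AlreadyLinked'
        }
        else {
            # Soft match keys on UPN/proxyAddresses; a hard match pins the link by
            # writing the base64 objectGUID into the cloud object before syncing.
            $status = 'SoftMatchCandidate'
            $onPremSmtp = Get-PrimarySmtp $ad.proxyAddresses
            $cloudSmtp  = Get-PrimarySmtp $cloud.ProxyAddresses
            if ($onPremSmtp -and $cloudSmtp -and $onPremSmtp -ne $cloudSmtp) {
                $status = 'PrimarySmtpMismatch'   # on-prem value would overwrite the cloud one
            }
            elseif ($WriteImmutableId) {
                Update-MgUser -UserId $cloud.Id `
                    -OnPremisesImmutableId (ConvertTo-ImmutableId $ad.ObjectGUID)
                $status = 'HardMatched'
            }
        }
    }

    [pscustomobject]@{
        SamAccountName = $ad.SamAccountName
        OnPremUpn      = $upn
        CloudUpn       = $cloud.UserPrincipalName
        ImmutableId    = ConvertTo-ImmutableId $ad.ObjectGUID
        Status         = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -Path .\presync-report.csv -NoTypeInformation
```

Work through the CSV before installing Connect: every `UpnSuffixNotRoutable` row needs its UPN changed on-prem, every `PrimarySmtpMismatch` row needs the on-prem proxyAddresses corrected (since, as the answer notes, the on-prem value wins), and `NoCloudMatch` rows will be created as new cloud users rather than linked. Run the script with `-WriteImmutableId` only after the report is clean, because the ImmutableID can only be set on cloud-only users and must be in place before the first sync cycle.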
