Share via

Moving users across on-prem

Subham Thapa 20 Reputation points
2024-04-24T05:30:56.8633333+00:00

Please help!!!!

We have 3 on-prem domains abc.com.au 123.com and cab.com. They all sync back to single azure ad tenancy and gets assigned same domain for their email address (cab.com). I am trying to move selected users from the first 2 domain to the cab.com one.

I used ADMT tool to copy across the AD object and disabled the source object.

Once disabled moved the source object to a non-sync OU

Went into azure and changed the immutable id for the existing user to the new ID from user in target domain. It has picked up the on-prem attributes correctly in azure. However the groups has not updated (the new onprem object does not have any group), and the mailbox also seem to still seem to be connected to the old on prem account

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,631 questions
0 comments
Accepted answer
  1. Sandeep G-MSFT 16,696 Reputation points Microsoft Employee
    2024-04-25T08:20:04.1+00:00

    @Subham Thapa

    Thank you for posting this in Microsoft Q&A.

    As I understand you have done user migration from one forest to another forest. Now, everything is working in Entra ID and also in on-premises.

    You are facing some issues with groups memberships. New object which was created in forest doesn't have the group membership in on-premises as old object.

    I think when the object is moved from one domain in on-prem to another domain, group memberships are not carried along with the user.

    Usually with if you migrate users using ADMT tool it creates groups associated with the user being migrated accounts and maintains group membership in the target domain.

    If the user group membership is intact in on-premises then there will not be any problems with group membership.

    And if user is part of particular group in on-premises AD then Entra connect should sync the groups and membership without any issues provided groups are in Sync OU scope.

    If you are seeing user not being part of any group in Entra ID then you will have to check in on-preimses if the group is syncing using Entra ID.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jing Zhou 5,210 Reputation points Microsoft Vendor
    2024-04-25T03:16:43.7733333+00:00

    Hello,

     

    Thank you for posting in Q&A forum.

    To further check this issue, please kindly follow below steps:

    1.Check if there's anything wrong with the AAD sync.

    You could refer to below Microsoft Official Documentation:

    https://learn.microsoft.com/en-us/answers/questions/132908/forcing-sync-between-on-prem-ad-and-aad

    2.Check if the SPN ofr AD account is matched with the latest domain or not.

    3.Check if AAD configuration is configured well on Azure Portal .

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Best regards,

    Jill Zhou

    0 comments