Azure AD Connect - Password Sync Cutover migration

JonVeev 46 Reputation points
2020-11-29T06:13:04.33+00:00

Hi All,

I am planning to migrate user mailboxes from Exchange 2016 to Office 365, and I have a few questions that I just cannot figure out the answers for. If anyone could please provide their expertise, I would be grateful.

1) I am planning to use Azure AD Connect for Password Synchronization and Password Writeback, but I am not sure whether to install Azure AD Connect before or after the migration.
2) Not all the users in my company have mailboxes so will that have any effect if I want to sync all users? I want users to use the self password reset tool to reset their own passwords.
3) If I install Azure AD Connect after the migration, can I allow users to use their current AD passwords after the initial migration for them to log in to Office 365 for the first time?

Thank you so much for your time and help!!

Exchange Server Management
Microsoft Entra ID

2 answers

  1. Vasil Michev 106.2K Reputation points MVP
    2020-11-29T08:27:15.717+00:00

    What kind of migration are you going to perform? AAD Connect is a requirement for most migration types, but if you are planning to do Cutover migration, it's actually required to not have it enabled, as the migration process uses a different method to provision user objects. So in that case you will run it after the migration is complete.

    The password sync process does not care whether the user has a mailbox or not. Once you enable PHS, every user in the scope of the sync process will be able to use his AD credentials to access Office 365.


  2. KyleXu-MSFT 26,261 Reputation points
    2020-11-30T02:37:49.3+00:00

    @JonVeev
    You need to change your domain from .local to .com first, because you must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere configuration in order for Microsoft 365 or Office 365 to run a cutover migration. A ".local" domain name isn't supported with trusted CA.

    For more detailed information, you can have a look at this article: Prepare for a cutover migration



