Converting existing cloud only Office 365 accounts to hybrid after the initial hybrid deployment

bp81 1 Reputation point
2022-02-16T19:48:11.057+00:00

I am taking over management of a partner company's Office 365 Tenant and on-premises AD domain. The previous admin had not set up a hybrid deployment, therefore the Windows workstation logons and Microsoft 365 account logons are not synchronized, causing end users to have to track two different account credentials, and also preventing the use of Seamless SSO.

I am setting them up for hybrid deployment with Azure AD Connect Sync. I have consulted Microsoft's documentation on how to do this for a pre-existing 365 Tenant and pre-existing on premise domain, and am comfortable with proceeding on that.

One of the quirks of this partner's setup is that the partner in question has one main office location, and then a small number of remote employees. The remote employees are not part of the on-premises Active Directory domain and are using local accounts on their Windows workstations. Over time we are setting up VPN infrastructure to support remote employees' workstations being managed by the on-premises AD domain, but that will happen later.

In the short term, I expect to have some employees synchronizing from the on-premises AD domain, and some that will be cloud-managed only with no corresponding on-premises AD domain account. What steps would be needed to migrate the cloud-only employees to on-premises sync/management in AD after the initial hybrid deployment for the non-remote employees is done, and we have the VPN infrastructure in place to join remote employee workstations to the on-premises domain?


2 answers

  1. Vasil Michev 105.8K Reputation points MVP
    2022-02-17T07:35:41.06+00:00

    As far as O365 is concerned, you can simply create an AD account for them and soft-match it against the Azure AD user object. This will allow you to centrally manage it, in the same fashion as all the other AD accounts. Unless you change authentication to any method that redirects the auth process to on-premises, they won't even notice a thing, and can continue using their cloud account to access O365 resources. That's of course not taking into account any needs for accessing on-premises resources.
    You can also consider Azure AD Join as an option for said users, as it will allow them to log in to Windows with their O365 credentials.

    1 person found this answer helpful.

  2. Siva-kumar-selvaraj 15,636 Reputation points
    2022-03-02T11:17:20.037+00:00

    @bp81 , Thanks for reaching out.

    Here are a few of the references that @Vasil Michev highlighted. I hope this was useful.

    Sync with existing users in Azure AD: When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName and proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match. So you could use either a soft or a hard match to convert existing cloud-only Office 365 accounts to hybrid.

    Reference : https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant

    You could use Azure AD Join so that cloud-managed users who don't have a corresponding on-premises AD domain account can experience SSO. Reference: https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan

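The matching procedure both answers describe, as an added example that is not part of either answer or of Microsoft's documentation: it prepares an on-premises AD account so that Azure AD Connect soft-matches it (same userPrincipalName and primary proxyAddresses) to the existing cloud-only user, and optionally stamps the cloud object with the base64-encoded objectGUID for a hard match on sourceAnchor. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules, a Connect install using the default sourceAnchor (objectGUID, or ms-DS-ConsistencyGuid populated from it), and placeholder names (`jdoe`, `contoso.com`) that you would replace.

```powershell
# Added example (not from the thread): link an existing cloud-only user to a new
# on-premises AD account so Azure AD Connect matches them instead of creating a duplicate.
# Assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed and that
# the session has rights to edit both directories. All names below are placeholders.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

$SamAccountName = 'jdoe'              # placeholder: on-prem account to create or link
$Upn            = 'jdoe@contoso.com'  # placeholder: must equal the cloud user's UPN
$PrimarySmtp    = 'jdoe@contoso.com'  # placeholder: cloud user's primary SMTP address

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Guard: refuse to re-point a cloud user that is already synced or already carries an
#    ImmutableId, since overwriting it silently re-homes the account on a different AD object.
$cloudUser = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled,ProxyAddresses
if ($cloudUser.OnPremisesSyncEnabled -or $cloudUser.OnPremisesImmutableId) {
    throw "$Upn is already linked to an on-premises object; investigate before re-matching."
}

# 2. Create (or reuse) the on-prem account with the same UPN and primary SMTP address.
#    These are the attributes a soft match compares, so they must agree exactly.
$adUser = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties mail,proxyAddresses,objectGUID
if (-not $adUser) {
    New-ADUser -Name 'Jane Doe' -SamAccountName $SamAccountName -UserPrincipalName $Upn `
        -EmailAddress $PrimarySmtp -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString 'Initial password')
    $adUser = Get-ADUser -Identity $SamAccountName -Properties mail,proxyAddresses,objectGUID
}
Set-ADUser -Identity $adUser -UserPrincipalName $Upn -EmailAddress $PrimarySmtp
if ($adUser.proxyAddresses -notcontains "SMTP:$PrimarySmtp") {
    Set-ADUser -Identity $adUser -Add @{ proxyAddresses = "SMTP:$PrimarySmtp" }
}

# 3. Optional hard match: write the AD objectGUID, encoded the way Azure AD Connect computes
#    its default sourceAnchor (base64 of the GUID's byte array), onto the cloud object.
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId

# 4. After the next sync cycle (Start-ADSyncSyncCycle -PolicyType Delta on the Connect
#    server), confirm the object is now mastered on-premises rather than duplicated.
$check = Get-MgUser -UserId $Upn -Property OnPremisesSyncEnabled,OnPremisesImmutableId
[pscustomobject]@{
    UserPrincipalName     = $Upn
    OnPremisesSyncEnabled = $check.OnPremisesSyncEnabled
    ImmutableIdMatches    = ($check.OnPremisesImmutableId -eq $immutableId)
}
```

If the soft match alone is wanted, as the first answer suggests, skip step 3; the UPN and primary SMTP address are then the only link, so any mismatch in either attribute produces a second, duplicate cloud user at the next sync instead of a merge. The guard in step 1 is the check worth keeping either way, because a wrongly set ImmutableId attaches an existing mailbox and licences to whichever AD object carries that GUID.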
