On-Premises Windows Active Directory migration to Azure

Rehan Masood 1 Reputation point

Hello, Can someone explain the scenario below and what is the best way to approach this?

We have a strategy for moving On-Premises AD objects out of the regional OUs (Boston, Seattle, Detroit) and up to the corresponding top-level OUs. We need to determine the impact that will have on the GPOs; in other words, are there GPOs applying to (for example) the Boston Users OU that are NOT applied to the top-level Users OU? If we can work out a way to provide that analysis, that will help us develop a strategy for migrating those AD objects with minimal impact.

Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee

    Hello @Rehan Masood ,

    This question is specific to your environment and anyone on the forum may not have any insight into your Active Directory GPO linking and structure. However, I would still try to answer in the best way I can. Since you are talking about migration of the on-prem directory to Azure, I am assuming that you mean migrating users to Azure AD using Azure AD Connect.

    If you are restructuring the Active Directory hierarchy in the AD database, you would need to first get a list of GPOs that you have applied on those OUs and evaluate the settings within those GPOs. Every location may have its own requirements according to which they would have set up the group policies. Once you move from regional OUs to the top-level OU, I am assuming all the users would come under the same top-level OU and the same group policies would apply to the users once you have moved them. You may have to do some detailed security filtering and apply multiple GPOs on this OU so as to apply similar settings to the ones the users from the local OUs had applied. This is a complex procedure because the end-user experience will directly change if the same settings are not present in the new GPO. If you do not have similar GPO settings defined and applied on the local OUs (Boston, Seattle, Detroit) as mentioned by you, then there may be many new tickets opened within your servicedesk in a small amount of time. So the solution will be to approach this in a phased manner like below:

    • Start with one OU first, let's say the Boston OU.
    • Create a test user account in the OU to test the change in end-user experience caused by changing OUs.
    • Find all the GPOs applying on this OU. Get an RSOP (resultant set of policy) output for this test user.
    • See which settings are getting applied using the RSOP output.
    • Now go to the new OU where you would like to move this user.
    • Check which GPOs are currently linked by collecting the RSOP output again.
    • Also, if you want to compare two group policies, you can use the Security Compliance Toolkit.
    • You can import the GPOs that you want to compare and see the difference in settings.
    • You can check them against a baseline published by us. Read more here.
    • Note that the baselines in your organisation may be different from what we have published because every organisation has its own regulations.
    • Once you have matched the settings, you can apply the same settings and move this test user to the new top-level OU.
    • Reboot the client machine and have this user log on to the domain and check the end-user experience. This will tell you the differences.
    • You can then accordingly decide what kind of settings you would like to apply and define the same by editing the existing group policy applied on the top-level OU.
    • AD OU restructuring is a very complex procedure and you will need to evaluate all details carefully before proceeding with the same.

    If you are just doing this for syncing user objects to the cloud, then I do not think you would need to make any such change in the on-premises environment. You can just select the OUs from where you want to sync the objects using the domain filtering step while running the Azure AD Connect configuration wizard. Only the object types that you have selected within the AD Connect configuration will sync. You can set up Domain/OU filtering within the AD Connect configuration wizard as shown below. You can expand each domain and accordingly set the OUs for which you would like to sync the users. I would suggest you read through the article Determine identity requirements for your hybrid identity solution.


    In case you have users in the Boston OU who you do not want to sync to the cloud, because you are sure that they would never need access to any cloud apps or are vendors who may only ever need on-prem accounts in your organisation, then you can configure negative filtering to let the sync engine choose the users who get synced to the cloud using extension attributes. This would help you filter out the users you don't want to sync.

    I understand that this might be a long answer, but I would suggest you go through the articles I have linked as they contain a lot of information which will provide you guidance on how to approach the Azure AD sync architecture for syncing your local on-prem environment. In case you are still not sure, you can either open an advisory case with Microsoft or engage an Azure AD consultant who can help you with the same.

    Hope this helps. If the information provided in any of the posts is helpful, please do mark it as the answer or upvote it so that it is helpful to other members of the community searching for similar answers.

    Thank you.

    1 person found this answer helpful.
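The GPO comparison the question asks for, written as an added example that is not part of the thread: it uses the GroupPolicy module's Get-GPInheritance to list the GPOs effectively linked to each regional Users OU and to the top-level Users OU, and prints which ones would stop or start applying after the move. The OU distinguished names and the contoso.com domain are placeholders to adjust for your forest.

```powershell
# Added example: compare effectively linked GPOs between a regional OU and the
# top-level OU it will be moved to. Requires RSAT / the GroupPolicy module.
Import-Module GroupPolicy

function Compare-OuGpoLinks {
    param(
        [Parameter(Mandatory)] [string] $SourceOu,   # regional OU, e.g. Boston Users
        [Parameter(Mandatory)] [string] $TargetOu    # top-level Users OU
    )

    # InheritedGpoLinks holds every GPO linked at this OU or inherited from the
    # domain and ancestor OUs, i.e. what actually reaches objects in the OU.
    # Disabled links are ignored; they do not apply to anything.
    $src = (Get-GPInheritance -Target $SourceOu).InheritedGpoLinks | Where-Object Enabled
    $dst = (Get-GPInheritance -Target $TargetOu).InheritedGpoLinks | Where-Object Enabled

    $srcIds = @($src | ForEach-Object { $_.GpoId })
    $dstIds = @($dst | ForEach-Object { $_.GpoId })

    [pscustomobject]@{
        # Linked to the regional OU but not the top-level OU: lost after the move.
        OnlyOnSource = @($src | Where-Object { $dstIds -notcontains $_.GpoId } |
                         Select-Object DisplayName, GpoId, Enforced, Target)
        # Linked to the top-level OU but not the regional OU: newly applied after the move.
        OnlyOnTarget = @($dst | Where-Object { $srcIds -notcontains $_.GpoId } |
                         Select-Object DisplayName, GpoId, Enforced, Target)
    }
}

# Placeholder DNs (constructed); the regional OU names come from the question.
$domain = 'DC=contoso,DC=com'
foreach ($site in 'Boston', 'Seattle', 'Detroit') {
    $result = Compare-OuGpoLinks -SourceOu "OU=Users,OU=$site,$domain" `
                                 -TargetOu "OU=Users,$domain"
    Write-Host "=== $site Users -> top-level Users ==="
    Write-Host "GPOs that would STOP applying after the move:"
    $result.OnlyOnSource | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host "GPOs that would START applying after the move:"
    $result.OnlyOnTarget | Format-Table -AutoSize | Out-String | Write-Host
}
```

Link comparison does not account for security filtering or WMI filters on a GPO, so a GPO listed here may still not reach a given user; the RSOP check on a test user that the answer describes remains the final confirmation.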

  2. Rehan Masood 1 Reputation point

    Thank You very much @shashishailaj-