Sync New Active Directory with Existing Office 365 Tenant

These are the high-level project tasks I put together for a customer with an existing Office 365 tenant who is building a "greenfield" (new) on-premises Active Directory forest/domain so that Office 365 users can be managed through Active Directory synchronization.

1. Connect to Office 365 with the customer's Office 365 global admin account. Open the Azure AD PowerShell module console and, from it, also import a remote PowerShell session to Exchange Online: the Get-User cmdlet used in step 2 is an Exchange Online cmdlet, not part of the Azure AD module, so the Azure AD console alone will not expose it.

2. From that console, export the user information from Office 365 with the command below. The exported columns (Name, DisplayName, FirstName, LastName, UserPrincipalName, WindowsEmailAddress and the address/phone attributes referenced in step 5) are used to create the on-premises Active Directory user objects that will later be matched to the corresponding O365 users.
Get-User | Export-Csv "C:\O365Export.csv" -NoTypeInformation

Before moving on, open the CSV and confirm that the Identity column holds a bare logon name and that the header row has no stray spaces; if your tenant returns a full canonical path in Identity, use the part of UserPrincipalName before the @ as the SamAccountName in step 5 instead.

3. In Active Directory Domains and Trusts, add UPN suffix(es) matching the email/sign-in domain(s) used in Office 365 (as needed). If a synced object carries a suffix that is not a verified domain in the tenant, Azure AD replaces it with the tenant's .onmicrosoft.com suffix, so the on-premises UPN has to match before the first sync.

4. Create OU(s) to hold the users that will be synchronized (as needed); step 11 restricts AAD Connect to those OUs.

5. From Windows PowerShell (with the ActiveDirectory module), create the on-premises users from the CSV produced in step 2. The command builds each UPN from the Identity column plus a UPN suffix added in step 3, places the object in the OU from step 4, and sets a single temporary password that never expires. Treat that password as a placeholder: every account has the same known value until step 6 is done, so keep that window short, and never leave the literal "Password" in place.
Import-Csv "C:\O365Export.csv" | ForEach-Object {
    # Suffix must be one added in Active Directory Domains and Trusts (step 3)
    $Domain = "@CompanyA.com"
    $UPN    = $_.Identity + $Domain
    # "Password" is a shared temporary value; users replace it in step 6
    New-ADUser -SamAccountName $_.Identity -UserPrincipalName $UPN -Name $_.Name -DisplayName $_.DisplayName `
        -GivenName $_.FirstName -Initials $_.Initials -Surname $_.LastName -Department $_.Department -Company $_.Company `
        -Fax $_.Fax -City $_.City -State $_.StateOrProvince -PostalCode $_.PostalCode -Title $_.Title `
        -EmailAddress $_.WindowsEmailAddress -Office $_.Office -OfficePhone $_.Phone -MobilePhone $_.MobilePhone `
        -StreetAddress $_.StreetAddress -Path "OU=Users,OU=Company A,DC=onpremdomain,DC=local" `
        -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) `
        -Enabled $True -PasswordNeverExpires $True -PassThru
}

6. After the user objects are created, have users log on to their newly domain-joined workstations with their Active Directory account and change the password to the one they currently use in Office 365. This matters because Express Settings (step 10) enables password hash synchronization: once AAD Connect runs, the on-premises password replaces the cloud password, and any user who skipped this step can no longer sign in to Office 365 with their old cloud password.

7. Download Azure Active Directory Connect (AAD Connect).

8. Create an AAD Connect service account in Active Directory and make it a member of the Enterprise Admins group. Express Settings uses these Enterprise Admin credentials only during setup, to create the separate connector account that actually reads the directory, so remove the account from Enterprise Admins (or disable it) once the install is verified rather than leaving a standing Enterprise Admin service account.

9. Prepare the member server that AAD Connect will be installed on:
  • Add the AAD Connect service account to the local Administrators group
  • Log in as the AAD Connect service account

10. Install AAD Connect (with Express Settings). Express Settings configures a single forest with password hash synchronization.
  • Provide the O365 global admin account
  • Provide the AAD Connect service account from step 8 (the Enterprise Admin credentials)
  • Use Express Settings
  • Clear "Start the synchronization process when configuration completes" (we will start it after filtering in step 11)
  • Reboot after install and verify that the "Microsoft Azure AD Sync" service has started
  • If the service doesn't start, check in Local Security Policy that the auto-created local "AAD_" account holds the "Log on as a service" right

11. Configure filtering with AAD Connect.
  • Configure it to sync only the accounts in the OU(s) created in step 4
  • Run a manual full sync once the filter is in place (on current builds: Start-ADSyncSyncCycle -PolicyType Initial from the ADSync module)

12. From the O365 Admin Center, enable Active Directory synchronization under Users > Active Users.

13. Check in Office 365 that the account status now reads "Synchronized with Active Directory" instead of "In cloud".
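As an added example (this is not code from the original post), here is a hardened version of steps 2, 3, 5 and 13 in one PowerShell script: it trims the CSV header row (the cause of the null 'Name' error discussed in the comments), takes each user's UPN from the export instead of building it from Identity plus a fixed domain, refuses suffixes the forest does not know, gives every account its own random one-time password instead of a shared "Password" that never expires, and reports sync state from PowerShell. The file path, OU, and the presence of the ActiveDirectory (RSAT) and MSOnline modules are assumptions.

```powershell
# Added example, not from the original post. Assumes: CSV exported with Get-User
# (step 2), ActiveDirectory module on the machine running this, MSOnline module
# for the final check. Path, OU and column names are placeholders/assumptions.
Import-Module ActiveDirectory

$CsvPath  = 'C:\O365Export.csv'                               # placeholder
$TargetOU = 'OU=Users,OU=Company A,DC=onpremdomain,DC=local'  # placeholder

# Step 2 follow-up: a trailing space or a UTF-8 BOM in the header row makes
# $_.Name resolve to $null, which is the "argument is null or empty" error on
# New-ADUser. Trim header names and cell values before anything else.
function Import-O365Export([string]$Path) {
    $raw = @(Import-Csv -Path $Path)
    if ($raw.Count -eq 0) { throw "No rows in $Path" }
    $headers = @($raw[0].PSObject.Properties.Name)
    foreach ($r in $raw) {
        $o = [ordered]@{}
        foreach ($h in $headers) {
            $clean = $h.Trim().TrimStart([char]0xFEFF)
            $o[$clean] = ([string]$r.$h).Trim()
        }
        [pscustomobject]$o
    }
}

# Step 5 replacement: one random password per account from a cryptographic RNG.
# The alphabet has exactly 64 symbols so "byte % 64" is unbiased; I, O, l, 0, 1
# are left out so the value can be read to a user without transcription errors.
function New-TempPassword([int]$Length = 16) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Steps 3 and 5: create users whose UPN suffix is registered in the forest.
function New-SyncedUsers([object[]]$Rows, [string]$OU) {
    $forest   = Get-ADForest
    $suffixes = @($forest.UPNSuffixes) + @($forest.Domains)
    # CSV column -> New-ADUser parameter; blank cells are omitted, not passed as "".
    $map = @{ FirstName = 'GivenName'; LastName = 'Surname'; Initials = 'Initials'
              Department = 'Department'; Company = 'Company'; Fax = 'Fax'; City = 'City'
              StateOrProvince = 'State'; PostalCode = 'PostalCode'; Title = 'Title'
              WindowsEmailAddress = 'EmailAddress'; Office = 'Office'; Phone = 'OfficePhone'
              MobilePhone = 'MobilePhone'; StreetAddress = 'StreetAddress'; DisplayName = 'DisplayName' }
    foreach ($u in $Rows) {
        $upn = $u.UserPrincipalName
        if (-not $upn -or $upn -notmatch '^[^@]+@[^@]+$') { Write-Warning "Skipping '$($u.Name)': no usable UPN"; continue }
        $prefix, $suffix = $upn -split '@', 2
        if ($suffixes -notcontains $suffix) { Write-Warning "Skipping ${upn}: '$suffix' is not a UPN suffix in this forest (step 3)"; continue }
        if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") { Write-Verbose "$upn already exists"; continue }
        $sam = $prefix -replace '[^A-Za-z0-9._-]', ''
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # pre-Windows 2000 logon name limit
        $pw = New-TempPassword
        $params = @{
            Name = $u.Name; SamAccountName = $sam; UserPrincipalName = $upn; Path = $OU
            AccountPassword = (ConvertTo-SecureString $pw -AsPlainText -Force)
            Enabled = $true; ChangePasswordAtLogon = $true
        }
        foreach ($col in $map.Keys) { if ($u.$col) { $params[$map[$col]] = $u.$col } }
        New-ADUser @params
        # Emit the one-time password for out-of-band delivery; it is replaced at first logon.
        [pscustomobject]@{ UserPrincipalName = $upn; SamAccountName = $sam; TempPassword = $pw }
    }
}

# Step 13 from PowerShell: once AAD Connect has matched an object, Azure AD
# stamps ImmutableId and LastDirSyncTime on it; anything still blank is "In cloud".
function Get-SyncState {
    Connect-MsolService    # prompts for the global admin account from step 1
    Get-MsolUser -All |
        Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, ImmutableId,
            @{ n = 'Synced'; e = { [bool]$_.ImmutableId } }
}

# Usage: run the first two lines after steps 3 and 4, the last one after step 12.
# $rows = Import-O365Export $CsvPath
# New-SyncedUsers -Rows $rows -OU $TargetOU | Export-Csv 'C:\TempPasswords.csv' -NoTypeInformation
# Get-SyncState | Where-Object { -not $_.Synced }
```

Two caveats. Password hash sync still replaces the cloud password at the first sync cycle, so step 6 (or the forced change at first logon used here) has to happen before synchronization is enabled in step 12; and the exported TempPasswords file is a credential store, so keep it under the same controls as any other credential and delete it once the one-time passwords have been used.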



5 thoughts on "Sync New Active Directory with Existing Office 365 Tenant"

  1. No matter how many times I run this (on 2016) I get an error: "Cannot validate argument on parameter 'Name'. The argument is null or empty." The Name field is present and populated in the .csv file.

    • I suppose your issue is when running the command in step #5?

      There aren’t any extra spaces in the header row of the CSV are there?

      The process was tested on Windows 2008 R2 and 2012 R2. May have to take some time to test with Windows 2016 to see if there are any changes that will be required.

  2. Pingback: Sync users from Office 365 for a new Active Directory Install – Mark's IT Blog
