These are some high level projects tasks I put together based on an existing Office 365 tenant who is creating a “greenfield” (new) on premise Active Directory forest/domain for the purpose of being able to manage Office 365 users through the utilization of Active Directory synchronization.
1. Connect to Office 365 via Azure AD PowerShell Module with customer’s Office 365 global admin account.
2. From the Azure AD PowerShell console, collect user information from Office 365 using this command. The exported data will be used to create on premise Active Directory user objects that will be synchronized with the associated O365 users.
Get-User | Export-Csv "C:\O365Export.csv" -NoTypeInformation
3. Add UPN suffix(es) in Active Directory Domains and Trusts to match email domain(s) in Office 365 (as needed).
4. Create OU(s) for filtering of users (as needed).
5. From Windows PowerShell, create new Active Directory users from CSV file. Using this command with the CSV file created in step 2, AD users are added based on an UPN suffix, to a specific OU, and assigned a password that does not expire.
Import-Csv "C:\O365Export.csv" | ForEach-Object{ $Domain = "@CompanyA.com"; $UPN = $_.Identity+$Domain; New-ADUser -SamAccountName $_.Identity -UserPrincipalName $UPN -Name $_.Name -DisplayName $_.DisplayName -GivenName $_.FirstName -Initials $_.initials -Surname $_.LastName -Department $_.Department -Company $_.Company -Fax $_.Fax -City $_.City -State $_.StateOrProvince -PostalCode $_.PostalCode -Title $_.Title -EmailAddress $_.WindowsEmailAddress -Office $_.Office -OfficePhone $_.Phone -MobilePhone $_.MobilePhone -StreetAddress $_.StreetAddress -Path "OU=Users,OU=Company A,DC=onpremdomain,DC=local" -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) -Enabled $True -PasswordNeverExpires $True -PassThru }
6. After the user objects are created, have users log on to their newly domain joined workstations with their Active Directory account to change passwords to what they currently have set in Office 365.
7. Download Azure Active Directory Connect (AAD Connect).
8. Create AAD Connect service account (in Active Directory) and set as a member of the Enterprise Admins group.
9. Prepare member server to install AAD Connect on…
- Set AAD Connect service account as a member of the Local Administrators group
- Log in as AAD Connect service account
10. Install AAD Connect (with Express Settings).
- Provide O365 global admin account
- Provide AAD Connect service account
- Use Express Settings
- Do not enable start synchronization (we will start later)
- Reboot after install to verify “Microsoft Azure AD Sync” service has started
- If the service doesn’t start, make sure the “AAD_” auto created account is set to “log on as a service” in the “Local Security Policy”
11. Configure filtering with AAD Connect.
- Configure to sync accounts in previously created OU(s)
- Run manual sync per article
12. From O365 Admin Center, enable Active Directory synchronization via Users > Active Users.
13. Check Office 365 for account status of “Synchronized with Active Directory” instead of “In cloud“.
ODDYTEE 
No matter how many times I run this (on 2016) I get an error – ” Cannot validate argument on parameter ‘Name’. The argument is null or empty.” The Name field is present and populated in the .csv file
I suppose your issue is when running the command in step #5?
There aren’t any extra spaces in the header row of the CSV are there?
The process was tested on Windows 2008 R2 and 2012 R2. May have to take some time to test with Windows 2016 to see if there are any changes that will be required.
What is the attribute to use to import the exchangeguid as well
Will you elaborate?
Pingback: Sync users from Office 365 for a new Active Directory Install – Mark's IT Blog
What happens, when i will sync for example only 50 user from lcoal AD to Office 365 where i have 70 users?
Will the remaining 20 users deleted or will they stay as “Cloud-Only” users?
Can i test the sync with only one or two user if everything will work or will i delete all my Office 365 users?
Thank you very much.
The remaining users will remain as “cloud-only” users and will not be deleted.
Hi how should I modify line in second step to export a selection of users (from csv file for example) instead of all users?
Many Thanks
I know things have changed a bit with Office 365, but how does this affect the management of Mail Users? Will changing the source of the user then require you to use an on premise exchange server to manage those users and their mail properties? Even when you don’t have Exchange deployed in your new AD environment?
I hit my head against the wall on this one for a while for step #5 due to the invalid or null “name” field-
Edit the .csv file with notepad and remove the extra lines of commas that are at the bottom- then it runs like a champ
For those of you who also don’t read (like me)- ensure you change any of the commands in red to your environment’s data. If you aren’t sure of CN or OU data you can open adsiedit.msc -> open your AD users section-> right click an existing user and go to properties-> look for the distinguishedName and it will tell you anything you are missing
I keep getting this error message on step 5: New-ADuser : New-ADUser : Directory object not found
At line:1 char:110
+ … ty+$Domain; New-ADUser -SamAccountName $_.Identity -UserPrincipalName
What am I doing wrong?
From the provided command in the article, did you change the the items with red text to values specific to your environment?
Can a solution like this be applied in a situation where the Office 365 tenant is already being synced with a domain and then needs to be synced with a brand new domain? The first domain is the victim of Ransomware and we need to create a brand new domain and move the users over without a connection between the old domain and the new domain.
Not sure. Possibly.