Sync an existing Office 365 tenant with local Active Directory
Posted On May 2, 2019
Recently we created an AAD tenant that has no on-premises AD domain counterpart. Now we are facing an issue where we want to be able to use the identities in this tenant to log in to some servers. It would appear that we would need to domain-join these servers, but we can't do this without AD. The question is, how can we continue to set up these servers?
So today we are going to install a new domain on-premises. The domain name itself isn't relevant for the sync with Azure AD / Office 365 (a forest called contoso.local syncs just fine). What matters is the UPN of the end users: AAD Connect matches on-premises users to existing cloud users by UPN and primary SMTP address, so every user's UPN suffix has to be a domain that is verified in the Azure AD tenant. First add those suffixes in the Active Directory Domains and Trusts console (right-click the root node, Properties, UPN Suffixes), then give each user a UPN that uses the verified suffix.
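The same UPN preparation done from PowerShell, as an added example that is not part of the original post. It assumes a forest named contoso.local, a tenant-verified domain contoso.com and a user jdoe; change those three values for your environment.

```powershell
# Added example, not the author's code. Assumed names: forest contoso.local,
# verified Azure AD domain contoso.com, user jdoe.
Import-Module ActiveDirectory

$Suffix = 'contoso.com'   # must be a verified domain in the Azure AD tenant
$Sam    = 'jdoe'

# 1. Register the public suffix on the forest if it is not already there
#    (the PowerShell equivalent of AD Domains and Trusts > UPN Suffixes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
}

# 2. Move the user onto the routable UPN so it equals the cloud sign-in name.
Set-ADUser -Identity $Sam -UserPrincipalName "$Sam@$Suffix"

# 3. Check that UPN and mail agree; AAD Connect soft-matches on UPN and
#    primary SMTP address, so a mismatch here produces a duplicate cloud user.
$u = Get-ADUser -Identity $Sam -Properties mail
if ($u.UserPrincipalName -ne $u.mail) {
    Write-Warning "UPN $($u.UserPrincipalName) differs from mail $($u.mail)"
}
$u | Select-Object SamAccountName, UserPrincipalName, mail
```

Run it as a user with Enterprise Admin rights for step 1 (forest-level change) and at least account-operator rights on the user for step 2.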
I will create a manual later on with the full AD Connect setup process.
Once the configuration is complete, and users with the same UPN/email address exist in both the on-premises AD and Azure AD/Office 365, there are several possible things that can happen when you start the initial sync. AAD Connect identifies each on-premises object by its sourceAnchor (by default the base64-encoded objectGUID; newer versions use mS-DS-ConsistencyGuid, which is seeded with the same GUID) and stores that value in Azure AD as the user's immutableId:
If a match is found based on immutableId, the two objects are simply linked. This is called a hard match.
If a match is not found based on immutableId, but a user with a matching UPN/email address and a blank immutableId is found, the user will have its immutableId stamped with the sourceAnchor value from on-premises AD, and the AD and AAD users become tied together. This is called a soft match.
If a match is not found based on immutableId, but a user with a matching UPN/email address is found with a different immutableId, a sync error is thrown. AAD Connect will not overwrite the existing immutableId or the user's UPN, because as far as it is concerned they are not the same object.
If a match is found based on immutableId, but the object types are different (e.g. an AD user matching an Azure AD contact), AAD Connect will throw an error and refuse to synchronize the objects. This won't happen in the wild unless someone has unintentionally (or intentionally) broken something.
Most of the time you will get a soft match. But what if there is a problem? Usually it is caused by a wrong or stale immutable ID on the Azure AD object, for example left behind by an earlier sync from a domain that no longer exists. (The error is shown in the Synchronization Service Manager and in the AD Connect logs.) There are two possible options to solve this problem.
Calculate and set immutable ID (Recommended)
This method is the safest way to make sure that AD Connect gets a proper hard match. We are going to connect to the on-premises AD, calculate the immutable ID from the user's objectGUID and set it on the matching user in Azure AD / Office 365. So first we load the Active Directory module.
Import-Module ActiveDirectory
Now let's grab the GUID of the user and create the ImmutableId.
Clear the immutable ID
The easy way is to clear the immutable ID in Azure AD / Office 365. This makes AD Connect think that the account has never been synchronized, so it will match it by UPN/email address (a soft match). However, I wouldn't recommend it: it only works if the UPN or primary SMTP address is identical on both sides, and if it isn't, the sync creates a duplicate cloud user instead of matching. But if you ever need to do it, here are the commands.
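Both options in one script, as an added example that is not part of the original post: it computes the immutable ID from the on-premises object exactly as AAD Connect does (recommended option), compares it with what Azure AD currently holds, stamps it when it differs, and shows the clearing command for the second option. It uses the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUser) and assumes the user jdoe with UPN jdoe@contoso.com. One caveat: Azure AD rejects changes to ImmutableId on an account that is currently in scope for directory synchronization, so the cloud user must be cloud-only (or moved out of the sync scope) before you run this.

```powershell
# Added example, not the author's code. Assumed names: user jdoe, UPN jdoe@contoso.com.
# Requires the ActiveDirectory and MSOnline modules and an Azure AD admin login.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$Sam = 'jdoe'
$Upn = 'jdoe@contoso.com'

# AAD Connect's sourceAnchor is the base64 form of the 16-byte GUID. Newer
# versions read mS-DS-ConsistencyGuid (seeded from objectGUID) and older ones
# objectGUID directly, so prefer the former when it is populated.
function Get-ExpectedImmutableId {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $bytes = if ($u.'mS-DS-ConsistencyGuid') {
        [byte[]]$u.'mS-DS-ConsistencyGuid'
    } else {
        $u.ObjectGUID.ToByteArray()
    }
    return [System.Convert]::ToBase64String($bytes)
}

$expected = Get-ExpectedImmutableId -SamAccountName $Sam
$cloud    = Get-MsolUser -UserPrincipalName $Upn

if ($cloud.ImmutableId -eq $expected) {
    Write-Host "ImmutableId already correct: $expected"
}
elseif ($cloud.ImmutableId) {
    # Option 1 (recommended): a stale value is what produces the sync error
    # described above; replace it so the next cycle hard-matches.
    Write-Host "Replacing stale ImmutableId $($cloud.ImmutableId) with $expected"
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $expected
}
else {
    # Blank ImmutableId would soft-match on UPN anyway; stamping it removes
    # the dependency on UPN/SMTP being identical on both sides.
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $expected
}

# Option 2 (not recommended): clear the ImmutableId so AAD Connect treats the
# account as never synced and falls back to a UPN/SMTP soft match.
# Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"

# Verify what Azure AD holds now.
Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, ImmutableId
```

After stamping or clearing the value, run a full synchronization cycle (Start-ADSyncSyncCycle -PolicyType Initial on the AAD Connect server) and check the Synchronization Service Manager for the user before assuming the match worked.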