Pull Office 365 Users to Active Directory

Question

I am currently working with an existing Office 365 subscription that needs to have a new instance of Windows Server 2012 R2 in Azure manage the users through Active Directory. The server 2012 VM is brand new and has nothing set up. I understand that when going the opposite way and creating a new 365 account you can simply use the DirSync tool and push your AD users to the 365 cloud.

I have not been able to get any support from MS on this, so I am wondering if anyone has any suggestions on how to get users from the cloud to AD so that I can eventually set up a SSO situation for server users.

`"needs to have a new instance of Windows Server 2012 R2 in Azure manage the users through Active Directory"` - why? Are you going to be utilizing AD and those accounts elsewhere going forward and you've never had AD before? Just curious since you only stated "manage the users" without mentioning other needs for having AD. — TheCleaner, Nov 12 '14 at 22:26
yes. the current setup involves a "server" for user accounts and then the 365 accounts. now that there will be actual servers (ie, not a desktop running vista) its time to set up a domain, and SSO seems like a good addition while were at it. — The Thirsty Ape, Nov 12 '14 at 22:30

score 6 · Answer 1 · answered Nov 12 '14 at 21:08

I don't believe Microsoft currently has a solution for what you're looking for. As you've mentioned, this is the opposite of a typical Office 365 deployment.

In the longer-term, the Azure Active Directory Premium edition with the announced, but not yet available, "Identity Synchronization Tool" with "advanced write-back capabilities" (see http://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B312) might do what you want, but I get the feeling that this doesn't exactly exist yet.

You could code something up with the Azure Active Directory PowerShell Module to dump data out of your Azure tenant AD and provision users in your own Active Directory, but I cannot image that you're going to get password hashes back out of Azure. That's going to leave a sticky problem of passwords.

Microsoft is, ultimately, who needs to be supporting you on this. I'd engage with sales and support to determine the best way to achieve your business goals, rather than knocking together some awful one-off that ends up doing more harm than good.

As far as I know it should be possible, the rep I emailed mentioned I would need to change the source of authority and referenced: http://technet.microsoft.com/en-gb/library/jj863117.aspx but there are not really actual instructions there. — The Thirsty Ape, Nov 12 '14 at 21:17

score 5 · Accepted Answer · answered Nov 12 '14 at 21:17

5

What you are looking for is SMTP matching: http://support.microsoft.com/kb/2641663

Typically the way AD -> O365 sync works is that a unique identity value is created for each user in AD, then the user is pushed to O365. Updates are performed using the identity value to match the accounts.

SMTP matching tells the DirSync tool to initially match based on the primary SMTP address. Further syncs are accomplished using the identity value.

Also, make sure you read this, as it includes how to change the authority of your directory: Directory synchronization and source of authority

answered Nov 12 '14 at 21:17

longneck

22,793
4
50
84

If I understand: Install AD DS on server, use same domain as 365, run the DirSync tool to match users (which pulls down accounts to server), install AD FS 2.0 to enable SSO. – The Thirsty Ape Nov 12 '14 at 21:46
2

This helps the OP after provisioning all the users in his local AD, but this doesn't provision them for him. – Evan Anderson Nov 12 '14 at 22:06
If i were to provision ahead of time in local AD, i assume that the 365 passwords would be overwritten and the rest would be ok? – The Thirsty Ape Nov 12 '14 at 22:23
1

@foochow - check this: http://www.kraak.com/?p=69 – TheCleaner Nov 12 '14 at 22:38

score 3 · Answer 3 · edited Apr 13 '17 at 12:14

Been asking this same question myself. Here's the approach I took:

So I did the standard setup of the server. Provisioned in Azure and installed Active Directory Domain Services.

Then I used this tool: http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx

Of course, that doesn't work for me because none of my users are in AD!

So I did more research, and came across this: Migrate user accounts from Azure AD to on-premise AD?

Using the second answer, I was able to export from Azure and Import into AD.

A word of warning: On the first go, I broke authentication. But that seems to be because I set up DirSync/SSO and ADFS before I imported. All of the accounts I imported are blocked, so everytime DirSync runs, it blocks my accounts in Azure. So I recommend you start with this process:

1) Add two accounts to your AD. - One to your local AD, the one on your server. - One to your Azure AD that ISN'T part of your Office 365 subscription. Use your .onmicrosoft.com domain. Give it admin over your AD. 2) Set up Azure Active Directory Powershell, and make sure you have regular Active Directory Powershell: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx

3) Connect your MSOL using the Azure AD account you created.

4) Perform the export from Azure AD in the guide linked earlier.

5) Perform the import into your local AD, per the same guide.

6) Verify your accounts.

This is where I'm still figuring it out myself. The above should answer your question over how to transfer the users. But now, as for setting up SSO and DirSync, I can't direct you. But I used AD Connect and that seems like it's going to do the trick for me. But make sure you learn how to undo what it does! I managed to break authentication for almost an hour while I figured it out!

Good luck! Let me know how your project goes, and I'll let you know how mine does.

I am currently facing this challenge? did you successfully accomplish this? — Nqabeni Simela, May 27 '20 at 15:07

score 2 · Answer 4 · edited Jun 29 '15 at 17:20

Did all the steps provided by Chris, everything went well, I modify the import command to avoid disabling the account once the sync runs, I added Enabled $ True before account password, did the sync and the account was created and enabled at the same time.

Try this:

import-csv C:\Azure_Export_26_15_1.csv -Encoding UTF8 | foreach-object {New-ADUser -Name ($_.Firstname + "." + $_.Lastname) -SamAccountName ($_.Firstname + "." + $_.Lastname) -GivenName $_.FirstName -Surname $_.LastName -City $_.City -Department $_.Department -DisplayName $_.DisplayName -Fax $_.Fax -MobilePhone $_.MobilePhone -Office $_.Office -PasswordNeverExpires ($_.PasswordNeverExpires -eq "True") -OfficePhone $_.PhoneNumber -PostalCode $_.PostalCode -EmailAddress $_.SignInName -State $_.State -StreetAddress $_.StreetAddress -Title $_.Title -UserPrincipalName $_.UserPrincipalName -Enabled $True -AccountPassword (ConvertTo-SecureString -string "Secret!" -AsPlainText -force) }

score 0 · Answer 5 · answered Mar 28 '17 at 20:39

0

Windows Server Essentials role has a limited connector in the Console that has import capabilities. However, it is not possible to use this connector and enable ADFS with O365, you need to switch to AD Connect.

answered Mar 28 '17 at 20:39

Chris McGhan

1

Pull Office 365 Users to Active Directory

5 Answers5

Linked