Migrate user accounts from Azure AD to on-premise AD?

Question

My company uses Office 365 for Exchange, SharePoint, Lync etc. including the build-in user administration via Azure Active Directory.

Now we want to switch to a local AD on a Windows Server. It shall sync changes to Azure, but the primary user and group policy administration happens on the windows server.

How do we initially get the user accounts from the Azure AD into the on-premise (windows-server) AD?

edit1: Has anybody looked into this using Microsoft Forefront Identity Manager? It looks like this tool comes with DirSync. Open “miisclient.exe” on the DirSync server (Located in “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell”). It may be possible to configure it to sync the other direction... may.

@TheCleaner: I have read the possible duplicate before but I wouldn't say it's a duplicate, because I just want to migrate the users, not sync them permanently from Azure to on-premise. So I thought there could be other solutions here like offline tools or something which would not work with permanent sync. — sinned, Nov 26 '14 at 14:03
@NathanC what do you mean? You can't connect a traditional domain controller to Azure Active Directory the same way op you would with on-premises domain controllers. — MDMarra, Nov 26 '14 at 14:20
@MDMarra - Nathan was confused...same as he was on the other similar question: http://serverfault.com/questions/550595/can-i-use-office365-or-azure-ad-as-master-record-for-active-directory?rq=1#comment636803_550595 — TheCleaner, Nov 26 '14 at 14:21
Very similar to: http://serverfault.com/questions/643914/pull-office-365-users-to-active-directory/643916#643916 — Evan Anderson, Nov 26 '14 at 18:11

score 9 · Accepted Answer · edited May 19 '18 at 18:17

@MDMarra: Thanks for the hints, so I did:

The users from O365 can be exported by powershell using

Get-MsolUser | Select-Object City, Country, Department, DisplayName, Fax, FirstName, LastName, MobilePhone, Office, PasswordNeverExpires, PhoneNumber, PostalCode, SignInName, State, StreetAddress, Title, UserPrincipalName | Export-Csv C:\Temp\Azure_Export_2014_12_05.csv -Encoding UTF8

This exports all columns to CSV where I could find a mapping that looked appropriate. Those are not all columns, but many of them cannot be mapped to attributes in AD. Others, like the password, cannot be exported.

To import the users to AD, run in powershell

import-csv C:\Temp\Azure_Export_2014_12_05.csv -Encoding UTF8 | foreach-object {New-ADUser -Name ($_.Firstname + "." + $_.Lastname) -SamAccountName ($_.Firstname + "." + $_.Lastname) -GivenName $_.FirstName -Surname $_.LastName -City $_.City -Department $_.Department -DisplayName $_.DisplayName -Fax $_.Fax -MobilePhone $_.MobilePhone -Office $_.Office -PasswordNeverExpires ($_.PasswordNeverExpires -eq "True") -OfficePhone $_.PhoneNumber -PostalCode $_.PostalCode -EmailAddress $_.SignInName -State $_.State -StreetAddress $_.StreetAddress -Title $_.Title -UserPrincipalName $_.UserPrincipalName -AccountPassword (ConvertTo-SecureString -string "Secret!" -AsPlainText -force) -enabled $true }

This creates new users with the name Firstname.Lastname. Other attributes like SignInName could not be used because they are not a valid AD account name.

Country cannot be imported because AD requires the country to actually exist while O365 accepts free text.

The password will be set to "Secret!", because if no password is provided, the account will be created, but disabled.

It may be handy to edit the CSV-file in Excel or something, but I would recommend using PowerShell only. Excel deletes leading zeros from phone numbers or reformats other stuff. Also, mind UTF8.

Don't forget to accept your own answer (click the green checkmark on the left) — Mathias R. Jessen, Dec 09 '14 at 09:39
Azute AD Connect is now available and solves the problem. https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect/ — Igor Gatis, Jun 20 '15 at 11:53
@Gatis Azure AD Connect does not create users from Azure AD to On Premise AD — Niraj, Mar 09 '16 at 14:24
To execute these cmdlets one has to install Azure Active Directory Module for windows power shell using this link, https://msdn.microsoft.com/en-IN/library/azure/hh974476.aspx — Niraj, Mar 10 '16 at 18:00
@sinned If no password is provided, the account will Not be created .. it will generate an error like ... "New-ADUser : The password does not meet the length, complexity, or history requirement of the domain." — Aravinda, May 18 '18 at 16:58
In order to avoid, disabling user once its created, with new user command -enabled $true should be added with rest of the parameters. — Aravinda, May 19 '18 at 05:58
at the end of the rest of the parameters (ConvertTo-SecureString -string "Secret!" -AsPlainText -force) -enabled $true } — Aravinda, May 19 '18 at 06:00

score 8 · Answer 2 · answered Nov 26 '14 at 14:18

8

You can use the Get-MsolUser PowerShell cmdlets to export user data from Azure Active Directory and then use the New-ADUser cmdlets to take that data and create the accounts on-premises. That said, there's no turnkey way to do this. You'll have to script something.

answered Nov 26 '14 at 14:18

MDMarra

100,183
32
195
326

1

+1 for the "recreate locally" approach, Azure Directory Synchronization is a one-way street – Mathias R. Jessen Nov 26 '14 at 14:22
I just looked into it and of the 56 attributes I can get out of O365, I can map 17 attributes to their on-premise-analogy. For the rest, I hope they are not that important... – sinned Nov 28 '14 at 12:37

Migrate user accounts from Azure AD to on-premise AD?

2 Answers2

Linked

Related