I have had the following scenario working fine for years.

  • One simple local AD domain (local.whatever.com) with user LOCAL\john.doe (Domain Admin)
  • One isolated Office 365 tenant (whatever.com) with user john.doe@whatever.com (Office 365 Global Admin)

Even though the local AD user conceptually corresponded to the Office 365 user, there was no specific link between them, so the local domain and Office 365 tenant were isolated repositories.

Now, I decided to deploy and configure Azure AD Connect to get my local domain and Azure AD synchronized, so I did the following:

  1. Added whatever.com UPN to the local active directory (local.whatever.com)
  2. Set the email address on LOCAL\john.doe to john.doe@whatever.com
  3. Installed and configured Azure AD Connect
  4. Ran the first full synchronization

The result was:

  • A new account was created in Azure AD in the form john.doe1234@whatevercom.onmicrosoft.com (note the random number at the end of the username)
  • The Office 365 account and the local AD account did not get linked.

This makes sense because I never had the chance to instruct Azure AD Connect to map the local AD user with the Office 365 user.

So, I found this article: Azure AD Connect: When you have an existent tenant

After reading the previous article, it seems to me that I should set up a mapping between both users to make it work. However:

  1. I don't understand what would be the steps to make this mapping happen
  2. Deleting the existing user in Azure AD would not be an option due to the fact that the non-synched user is the only Global Administrator in the Office 365 tenant.

In addition, I came across the following warning in the Microsoft documentation:

Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory.

Any known fix or workaround?

dsuy

1 Answer


I don't understand what would be the steps to make this mapping happen.

The article you linked spells it out pretty succinctly here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#admin-role-considerations

So to expound on that,

Azure AD Connect won't match an existing on-premises user account to an Office 365 account that is a Global Admin in Office 365. That's why a new user was created in Office 365. To fix this you should do the following:

  1. Create a new Global Admin in Office 365.

  2. Log into Office 365 as this new Global Admin.

  3. Delete the john.doe1234@whatevercom.onmicrosoft.com user.

  4. Remove the john.doe1234@whatevercom.onmicrosoft.com user from Deleted users in Office 365 (https://practical365.com/exchange-server/permanently-remove-deleted-users-office-365/).

  5. Remove the Global Admin role from the john.doe@whatever.com user in Office 365.

  6. Initiate an Azure AD Connect sync cycle (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler#full-sync-cycle).

  7. Verify that the on-premises user account is now matched to the existing john.doe@whatever.com user in Office 365.

  8. Add the Global Admin role back to the john.doe@whatever.com user in Office 365.

Deleting the existing user in Azure AD would not be an option due to the fact that the non-synched user is the only Global Administrator in the Office 365 tenant.

You know that you can create additional Global Admins in Office 365, right? If you're logged in as a Global Admin you can create additional Global Admins or grant that role to other existing Office 365 users. Additionally, Microsoft recommends that if you're using Azure AD Connect to sync your on-premises AD to Office 365 you have at least one "cloud only" Global Admin in Office 365, meaning that you should have a Global Admin in Office 365 that isn't being synced from your on-premises directory.

joeqwerty
  • It seems like step #2 cannot be executed. I'm getting a "Couldn’t delete this user because the account is synchronized with your on-premises servers. You can delete the user from your on-premises server." error when trying to delete. I will play around with AD users and I'll let you know. – dsuy Jan 10 '20 at 22:45
  • Ah, OK. Do this: set the adminDescription attribute on the user object in your on-premises AD to `User_NoAzureADSync`. Then initiate a sync cycle. This will effectively "unlink" the two accounts and will then allow you to delete the Office 365 user. Once you've done that, set the adminDescription attribute to `Not Set` and run another sync cycle. If you've done everything else in my answer then this should fix it for you. – joeqwerty Jan 10 '20 at 23:44
  • It worked. Thanks! – dsuy Jan 11 '20 at 17:17
  • Glad to help... – joeqwerty Jan 11 '20 at 17:53
  • +1 from me. Note, however, that setting the attribute `User_NoAzureADSync` seems to delete the user already from MS 365 after a sync cycle. It's not necessary and actually doesn't seem possible to delete it manually. All that's left to do is to remove the deleted user from the recycle bin. Just make sure to remove the admin roles before the next sync cycle or you'll just end up with a new unwanted user. – vic Feb 03 '21 at 22:05
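The steps from the answer above, combined with the adminDescription workaround from the comments, as an added PowerShell runbook (example code, not from the original answer or from Microsoft). It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules installed, and that `cloud.admin@whatever.com` is a hypothetical cloud-only Global Admin created beforehand (step 1) and used for the sign-in (step 2). The safety check refuses to continue unless that cloud-only admin really holds the role, so the tenant is never left without a Global Admin.

```powershell
# Added example: re-match an on-premises user to an existing cloud Global Admin.
# Values below are taken from the question; cloud.admin@whatever.com is hypothetical.
$OnPremSam   = 'john.doe'
$CloudUpn    = 'john.doe@whatever.com'
$StrayUpn    = 'john.doe1234@whatevercom.onmicrosoft.com'
$CloudOnlyGA = 'cloud.admin@whatever.com'   # hypothetical cloud-only break-glass admin

Import-Module ActiveDirectory, ADSync, MSOnline
Connect-MsolService   # sign in as the cloud-only Global Admin (step 2)

function Wait-ADSyncCycle {
    # Block until no connector run is in progress, so each step sees the exported state.
    do { Start-Sleep -Seconds 15 } while (Get-ADSyncConnectorRunStatus)
}

# Safety check: never strip Global Admin unless a second, cloud-only admin holds it.
$ga = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline name for Global Admin
$gaMembers = Get-MsolRoleMember -RoleObjectId $ga.ObjectId
if ($gaMembers.EmailAddress -notcontains $CloudOnlyGA) {
    throw "Cloud-only Global Admin $CloudOnlyGA is missing; create it before continuing."
}

# Comment workaround: flag the on-prem object so Connect filters it out. The next
# sync cycle soft-deletes the stray cloud object that was created from it (step 3).
Set-ADUser -Identity $OnPremSam -Replace @{ adminDescription = 'User_NoAzureADSync' }
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ADSyncCycle

# Step 4: purge the stray object from Deleted users, or its source anchor lingers.
$deleted = Get-MsolUser -UserPrincipalName $StrayUpn -ReturnDeletedUsers -ErrorAction SilentlyContinue
if ($deleted) { Remove-MsolUser -UserPrincipalName $StrayUpn -RemoveFromRecycleBin -Force }

# Step 5: temporarily drop Global Admin from the account we want matched,
# before the next sync cycle (see vic's comment), or a new stray user appears.
Remove-MsolRoleMember -RoleObjectId $ga.ObjectId -RoleMemberType User -RoleMemberEmailAddress $CloudUpn

# Step 6: clear the flag and run a full sync so the UPN/SMTP soft match can happen.
Set-ADUser -Identity $OnPremSam -Clear adminDescription
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
Wait-ADSyncCycle

# Step 7: verify the match. A populated ImmutableId shows the cloud object is now
# sourced from the on-premises directory rather than cloud-only.
$u = Get-MsolUser -UserPrincipalName $CloudUpn
if (-not $u.ImmutableId) { throw "$CloudUpn is still not matched; check the Synchronization Service Manager export errors." }
"{0} matched, ImmutableId={1}, LastDirSyncTime={2}" -f $u.UserPrincipalName, $u.ImmutableId, $u.LastDirSyncTime

# Step 8: restore Global Admin on the now-synced account.
Add-MsolRoleMember -RoleObjectId $ga.ObjectId -RoleMemberType User -RoleMemberEmailAddress $CloudUpn
```

Run it interactively and read the output of each step before proceeding; if the verification throws, the on-premises account is still unflagged and unsynced, and the cloud-only admin retains full control of the tenant.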