Forum Discussion

Icsab
Copper Contributor
Jul 23, 2020

o365 sync, merge users

Dear Microsoft,


I hope I can ask your help for further information about O365.

we have a (academic/university) tenant, we use it with a „fake” subdomain (cl.domain), have a lot of user who use Teams and Onedrive (and many other application)

In parallel, we have an on-premises AD and Exchange system.

We would like to do a Password Hash Sync between the on-premises AD and O365, and have a few questions about it:

1. Which DNS record is the basic one we definitely need? TXT? We don't want to use Exchange Online. We want a single/unified directory so our users can use the system with the same username. Currently every user has an on-premises username and a "cloud" username.
2. After the sync, can we merge the users? Each user is a member/owner of many Teams and they store a lot of files in OneDrive.
3. Is it enough not to set the MX DNS record, or rather not to give users the Exchange Online license?
    harveer singh
    Steel Contributor

    Hey Icsab,


    There are quite a few things which you need to consider here in order to achieve this. Although it calls for a more detailed discussion, I will try to summarize as best I can; the overall strategy would look somewhat like this:

    1. Add the production domain in Office 365; you just have to update the TXT record, nothing more. Also set the domain to internal relay via Exchange.

    2. Change users' user principal name and primary SMTP in Office 365; match them to your on-premises user principal name for the respective users. Make sure the UPN matches the primary SMTP. Changing the UPN won't delete the data present in OneDrive.

    3. Remove the Exchange Online license from the users. Hopefully you don't need the data already present in Office 365 mailboxes?

    4. Next you need to set up AADConnect to synchronize identities from on-premises. For the accounts to merge automatically (also referred to as soft match), you need to ensure that the UPN in Office 365 matches the UPN and primary SMTP address on-premises. You can also populate the 'mail' attribute with the same value as well. Run a full sync.

    This is an automated process and there can often be misses; what that would mean is you might see two different accounts in Office 365 for the same user, i.e. if the merge fails. There is a manual method to match the users as well (hard match), but it has to be employed with caution and only when you have verified the above conditions. Hard match: https://docs.microsoft.com/en-us/archive/blogs/praveenkumar/how-to-do-hard-match-part-2


    Looks scary? Try it with a dummy user first: create a dummy user in Office 365 and on-premises, and synchronize only the dummy user from on-premises (you can create an OU and have only the dummy user in it, and sync this OU only using AADConnect).


    Thanks
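Before running the initial full sync described in step 4, it helps to check the soft-match conditions for every account in the pilot OU, so that accounts which would end up duplicated in Office 365 are found first. The script below is an added example, not the poster's own; it assumes the RSAT ActiveDirectory module on-premises, the MSOnline module already connected, and a placeholder OU distinguished name that you replace with your own.

```powershell
# Added pre-check for the soft-match conditions above (example code, not from the thread).
# Assumes: ActiveDirectory module (RSAT) on-prem, MSOnline module installed, and that
# $PilotOU is the DN of the OU you scoped in AADConnect (placeholder value, replace it).
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

$PilotOU = 'OU=AADC-Pilot,DC=domain,DC=local'   # placeholder OU DN

# Index cloud users by UPN (case-insensitive) so each on-prem user can be looked up once.
$cloudUsers = @{}
foreach ($u in Get-MsolUser -All) { $cloudUsers[$u.UserPrincipalName.ToLower()] = $u }

$report = foreach ($ad in Get-ADUser -Filter * -SearchBase $PilotOU -Properties mail, proxyAddresses) {
    $upn = $ad.UserPrincipalName
    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    $primarySmtp = ($ad.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                    Select-Object -First 1) -replace '^SMTP:', ''
    $issues = @()
    if (-not $upn)                                   { $issues += 'no UPN' }
    if (-not $primarySmtp)                           { $issues += 'no primary SMTP' }
    elseif ($upn -and ($upn -ine $primarySmtp))      { $issues += 'UPN != primary SMTP' }
    if ($ad.mail -and $upn -and ($ad.mail -ine $upn)) { $issues += 'mail != UPN' }

    $cloud = $null
    if ($upn) { $cloud = $cloudUsers[$upn.ToLower()] }
    if (-not $cloud) {
        # No cloud user carries this UPN yet: AADConnect would create a second account.
        $issues += 'no cloud user with this UPN (sync would create a duplicate)'
    } elseif ($cloud.ImmutableId) {
        # An ImmutableId means the cloud object is already bound to some on-prem object.
        $issues += 'cloud user already has an ImmutableId'
    }

    [pscustomobject]@{
        SamAccountName = $ad.SamAccountName
        UPN            = $upn
        PrimarySmtp    = $primarySmtp
        CloudUserFound = [bool]$cloud
        Issues         = ($issues -join '; ')
    }
}

$report | Format-Table -AutoSize
# Keep a copy to review before the first full sync.
$report | Export-Csv -Path .\softmatch-precheck.csv -NoTypeInformation
```

Rows whose Issues column is empty satisfy the UPN / primary SMTP / mail conditions the answer lists; rows flagged "no cloud user with this UPN" are the ones still carrying the old cloud-subdomain UPN and need step 2 first.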
