Forum Discussion

Anjana_S
Copper Contributor
Mar 11, 2019

Migration from Office 365 to Active Directory Domain

Hi,

We use Office 365 (Business Premium) for email, SharePoint etc. with close to 120 users, but there is no on-premises Active Directory domain. We plan to have Active Directory installed and all the machines joined to the domain. Are there any guidelines available on how to do a seamless migration of the user accounts from Office 365 onto the AD domain?

Thank you,
Anjana

13 Replies

  • It would be interesting to try to soft match the cloud-only accounts with on-premises accounts.

    That means: install AD DS, create one test user that matches a test cloud-only user (same UPN and e-mail address), install Azure AD Connect and sync that user to the cloud.
    The cloud-only test user should be converted to an AD-synced user.

    Sai Gutta, unfortunately no, an Office 365 Business Premium license doesn't include the right to join a user to Azure AD; for that purpose we need a Microsoft 365 Business license, which includes Office 365 Business Premium, Intune and the right to upgrade from Win7/8.1/10 Pro to Win10 Business.

    Kind regards
    Spikar
    Sai Gutta
    Iron Contributor

    Agree with Chris that it is unfortunate you have to go back to AD. If it is really just to join computers, you can always join the computers to Azure AD with your Office 365 Business Premium (I am assuming Business Premium allows this), and for more features you can buy Azure AD Premium licensing as an add-on.


    ChrisWebbTech - the notes you mentioned below are a manual process, right?

    • Yeah, pretty much, just some things I noticed having to move users around environments where I am.
  • That's unfortunate that you have to go back to AD if you are already on 365, what is the driving factor to require that?

    Couple things to note.
    Any object you sync will have to be modified in local AD. So any e-mail changes etc. have to be done from on-prem AD going forward. "Technically" you can do it without Exchange on-prem, but it's not supported. So in this case you need to make sure the local AD you do build has the Exchange schema extensions added, so you can modify any Exchange attributes on the AD objects.

    When you create your users, you need to make sure their login and logon domain match what's in O365 and their mail attribute. If you have any additional e-mail domains, you will have to also make sure your proxyAddresses attribute is updated with the SMTP: primaryemail@domain.com and any additional aliases for smtp: alias@domain2.com etc.

    Any local security groups from AD that you want to use in cloud and on-prem in tandem need to be synced to o365 as well.

    Passwords will also need to be reset and/or matched when doing the sync. I do this all the time where I get the user's password and set up a local account, same login, match e-mails and password, and it's seamless, but when you sync from on-prem the password takes hold from on-prem.

    Anyway, some notes I can provide from what I've experienced; I don't really know of documentation, but I'm sure someone else might have some.
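The test Spikar describes (one on-prem user that matches one cloud-only user, then sync) and Chris's attribute notes above (UPN, mail and proxyAddresses must line up; the on-prem password wins after sync) can be put into a single pre-staging script. The following is an added example, not code from the thread or from Microsoft; the forest name ad.contoso.local, the UPN suffix contoso.com, the OU=Staff container and the sample user export are all assumptions made for illustration.

```powershell
# Added example (not from the thread): pre-stage on-premises AD users so that
# Azure AD Connect soft-matches them to the existing cloud-only Office 365
# accounts instead of creating duplicates. Soft match keys on the primary
# SMTP address (and the UPN), so the on-prem mail, proxyAddresses and UPN must
# agree exactly with what the tenant already holds.
#
# Assumptions (hypothetical, not from the thread): the forest is ad.contoso.local
# with contoso.com registered as a UPN suffix, users go into OU=Staff, and the
# Exchange schema extension has been applied so proxyAddresses is writable.

Import-Module ActiveDirectory

# Constructed sample export of the cloud users. In practice you would build it
# from the tenant (e.g. Get-MsolUser | Export-Csv) and include every alias.
$cloudUsers = @'
UserPrincipalName,DisplayName,PrimarySmtp,Aliases
jdoe@contoso.com,Jane Doe,jane.doe@contoso.com,jdoe@contoso.com;jane@contoso.net
bsmith@contoso.com,Bob Smith,bob.smith@contoso.com,
'@ | ConvertFrom-Csv

$targetOu = 'OU=Staff,DC=ad,DC=contoso,DC=local'

# Every UPN suffix used in the tenant must be known to the forest, otherwise the
# synced user arrives in the cloud as user@tenant.onmicrosoft.com and does not
# match. Add missing ones with: Set-ADForest -UPNSuffixes @{Add='contoso.com'}
$forest = Get-ADForest
$knownSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
foreach ($u in $cloudUsers) {
    $suffix = ($u.UserPrincipalName -split '@')[1]
    if ($knownSuffixes -notcontains $suffix) {
        throw "UPN suffix '$suffix' is not registered in forest $($forest.Name)"
    }
}

function New-ProxyAddressList {
    # Builds proxyAddresses the way Exchange Online expects it: exactly one
    # upper-case "SMTP:" primary, lower-case "smtp:" aliases, no spaces.
    param([string]$Primary, [string]$AliasList)
    $list = @("SMTP:$Primary")
    if ($AliasList) {
        $list += $AliasList -split ';' |
            Where-Object { $_ -and $_ -ne $Primary } |
            ForEach-Object { "smtp:$_" }
    }
    return $list
}

function Get-ExpectedImmutableId {
    # After sync the cloud object's ImmutableId must equal the base64 of the
    # AD objectGUID; comparing the two is the cheapest "did it soft-match" check.
    param([string]$SamAccountName)
    $guid = (Get-ADUser -Identity $SamAccountName -Properties objectGUID).objectGUID
    return [Convert]::ToBase64String($guid.ToByteArray())
}

foreach ($u in $cloudUsers) {
    $sam = ($u.UserPrincipalName -split '@')[0]
    $nameParts = $u.DisplayName -split ' ', 2

    if (Get-ADUser -Filter "userPrincipalName -eq '$($u.UserPrincipalName)'") {
        Write-Warning "Skipping $($u.UserPrincipalName): already exists on-prem"
        continue
    }

    # Throw-away initial password. With password hash sync the on-prem password
    # overwrites the cloud one at the first sync, so users must set their real
    # password (or you set the one they already use) before AAD Connect runs.
    $initialPassword = ConvertTo-SecureString ('Tmp!' + (New-Guid).Guid) -AsPlainText -Force

    New-ADUser -Name $u.DisplayName `
        -SamAccountName $sam `
        -UserPrincipalName $u.UserPrincipalName `
        -DisplayName $u.DisplayName `
        -GivenName $nameParts[0] `
        -Surname $nameParts[1] `
        -EmailAddress $u.PrimarySmtp `
        -OtherAttributes @{ proxyAddresses = (New-ProxyAddressList -Primary $u.PrimarySmtp -AliasList $u.Aliases) } `
        -Path $targetOu `
        -AccountPassword $initialPassword `
        -Enabled $true `
        -ChangePasswordAtLogon $true

    Write-Host ("{0}: expect ImmutableId {1} in the tenant after sync" -f `
        $u.UserPrincipalName, (Get-ExpectedImmutableId -SamAccountName $sam))
}

# Post-sync check (needs the MSOnline module and a tenant connection):
#   Connect-MsolService
#   Get-MsolUser -UserPrincipalName jdoe@contoso.com | Select-Object ImmutableId, LastDirSyncTime
# A matched object shows the ImmutableId printed above and a non-empty
# LastDirSyncTime. A second user with the same display name but an empty
# ImmutableId means the match failed and a duplicate cloud user was created.
```

Run it against one test user first, as Spikar suggests, and only enable the full OU in Azure AD Connect's filtering once that user shows the expected ImmutableId. Groups that should exist on both sides (Chris's point about security groups) get the same treatment: create them on-prem in a synced OU with a mail/proxyAddresses value matching the cloud group before the sync picks them up.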

      Anjana_S
      Copper Contributor

      Thanks Chris for your reply.

      Giving more details for you to have a better picture of our scenario.

      We are close to 120 in head count and we do use Office 365 and associated services (Outlook, Skype, OneDrive, SharePoint etc.).

      The machines are not joined to any domain and are part of stand-alone workgroups. User accounts are created locally on machines for login.

      Office 365 credentials are used to access email (web and Outlook client), Skype, Office apps and the rest of the resources in the cloud.

      We started as above when we were small in number. As the organization grows, I look forward to having the best way for user identity and centralized management of user and computer accounts.

      Which option would be the best in this scenario: on-prem AD (with Group Policy, SCCM etc.) and have it synchronized with Office 365 using AD Connect, OR leveraging Azure cloud services itself (Azure AD join and management using an MDM solution or Intune)?

      If we choose the latter (Azure AD join and MDM), I wonder if we miss the control, policy and configuration management offered by Group Policy (that is offered by on-prem AD, i.e. AD DS).

      Will the latter be a challenge when we grow in head count? Or is there any better way you can suggest?

      ChrisWebbTech, Spiros Karampinis, Sai Gutta - your insights would be helpful.

      Regards,

      Anjana


      • Since Intune now allows pretty much any ADMX to be imported and used, the gap has been closed where GPOs are concerned with cloud-joined machine management. If you do not have any on-prem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and you might as well start there.

        The only thing you need to consider is that licensing costs will go up a bit if you include Intune, but so would buying any other management tools for on-prem usage as well, so you will need to balance that out as well as management/hardware costs etc.

        You also will want to have Intune licensed and set up beforehand so you can enroll the devices as you join them to Azure AD.

        Hope this helps.