Forum Discussion
Migration from Office 365 to Active Directory Domain
Couple things to note.
Any object you sync will have to be modified on local AD. So any e-mail changes etc. have to be done going forward from on-prem AD. "Technically" you can do it without Exchange on-prem, but it's not supported. So in this case you need to make sure the local AD you do build has the Exchange schema extensions added so you can modify any Exchange attributes on the AD objects.
When you create your users, you need to make sure their login and logon domain match what's in O365 and their mail attribute. If you have any additional e-mail domains you will have to also make sure your proxyAddresses attribute is updated with the SMTP: primaryemail@domain.com and any additional aliases for smtp: alias@domain2.com etc.
Any local security groups from AD that you want to use in cloud and on-prem in tandem need to be synced to O365 as well.
Passwords will also need to be reset and/or matched when doing sync. I do this all the time where I get the user's password and set up a local account, same login, match e-mails and password, and it's seamless, but when you sync from on-prem the password takes hold from on-prem.
Anyway, some notes I can provide from what I've experienced; I don't really know of documentation, but I'm sure someone else might have some.
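As an added example (not part of Chris's post and not Microsoft documentation), here is how the user-matching he describes can be done from the PowerShell console on a domain controller with the ActiveDirectory module: the UPN and mail attribute are set to the existing Office 365 sign-in address, proxyAddresses gets exactly one upper-case SMTP: primary plus lower-case smtp: aliases, and a final check flags objects that Azure AD Connect would not match cleanly. The domain contoso.com, the user jdoe and the alias addresses are hypothetical sample values.

```powershell
# Added example, not from the thread: prepare an on-prem AD user so that
# Azure AD Connect matches it to the existing Office 365 mailbox.
# Assumes the ActiveDirectory module and a domain whose UPN suffix
# (contoso.com here, hypothetical) is a verified domain in Office 365.
Import-Module ActiveDirectory

$sam     = 'jdoe'                                           # hypothetical sample user
$upn     = 'jdoe@contoso.com'                               # must equal the Office 365 sign-in name
$primary = 'jdoe@contoso.com'                               # primary SMTP address in Office 365
$aliases = @('john.doe@contoso.com', 'jdoe@contoso.net')    # hypothetical secondary addresses

# proxyAddresses convention: one upper-case "SMTP:" (primary), lower-case "smtp:" for aliases
$proxy = @("SMTP:$primary") + ($aliases | ForEach-Object { "smtp:$_" })

# Create the account if it does not exist yet (password prompted, never stored in the script)
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    New-ADUser -Name 'John Doe' -SamAccountName $sam -UserPrincipalName $upn `
        -GivenName 'John' -Surname 'Doe' -EmailAddress $primary `
        -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true
}

# Set the attributes Azure AD Connect will sync; -Replace overwrites any stale proxy values
Set-ADUser -Identity $sam -UserPrincipalName $upn -EmailAddress $primary `
    -Replace @{ proxyAddresses = $proxy }

# Verification: the SMTP: entry must be unique and equal to mail, and UPN should equal mail
$u = Get-ADUser -Identity $sam -Properties mail, proxyAddresses, userPrincipalName
$primaryFromProxy = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''

if ($primaryFromProxy.Count -ne 1 -or $primaryFromProxy[0] -ne $u.mail) {
    Write-Warning "$sam`: mail attribute and SMTP: primary address disagree or primary is not unique"
}
if ($u.userPrincipalName -ne $u.mail) {
    Write-Warning "$sam`: UPN and primary mail differ; confirm the UPN suffix is a verified Office 365 domain"
}
```

Run this per user (or wrap it in a loop over a CSV export from Office 365) before the first Azure AD Connect sync; any warning it prints points at an object that would otherwise end up as a duplicate rather than a matched user.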
- Anjana_S, Mar 12, 2019, Copper Contributor
Thanks Chris for your reply.
Giving more details for you to have a better picture on our scenario.
We are close to 120 in head count and we do use Office 365 and associated services (Outlook, Skype, OneDrive, SharePoint etc.).
The machines are not joined to any domain and are part of stand-alone workgroups. User accounts are created locally on machines for login.
Office 365 credentials are used to access email (web and Outlook client), Skype, Office apps and the rest of the resources in the cloud.
We started as above when we were small in number. As the organization grows, I look forward to having the best way for user identity and centralized management of user and computer accounts.
Which option would be the best in this scenario: on-prem AD (with Group Policy, SCCM etc.) and have it synchronized with Office 365 using AD Connect... OR leveraging Azure cloud services itself (Azure AD join and management using an MDM solution or Intune)?
If we choose the latter (Azure AD join and MDM), I wonder if we miss the control, policy and configuration management offered by Group Policy (that is offered by on-prem AD - ADDS).
Will the latter be a challenge when we grow in head count? Or is there any better way you can suggest?
ChrisWebbTech, Spiros Karampinis, Sai Gutta - Your insights would be helpful.
Regards,
Anjana
- ChrisWebbTech, Mar 12, 2019
Since Intune now allows pretty much any ADMX to be imported and used, the gap has been closed where GPOs are concerned with cloud-joined machine management. If you do not have any on-prem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and might as well start there.
The only thing you need to consider is licensing costs will go up a bit if you include Intune, but so would buying any other management tools for on-prem usage as well, so you will need to balance that out as well as management / hardware costs etc.
You also will want to have Intune licensed and set up beforehand so you can enroll the devices as you join them to Azure AD.
Hope this helps.
- Rick_CC_IT, Jun 19, 2019, Copper Contributor
ChrisWebbTech wrote:
If you do not have any onprem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and might as well start there.
I cannot disagree with this more - If you don't have on-prem file shares, why not? I am in the same boat as OP - and our previous admin apparently took this kind of advice. The result is I have NO CONTROL over any computer owned by the company. I have no way to reset (computer) passwords for users, remote or local.
I have begun joining some to the Azure AD but that is EXTREMELY limited and has none of the typical paths an IT Admin might expect. Teams and OneDrive are complete nightmares to deal with - I have personal OneDrives and Business OneDrives all mixed and mashed and people sharing files everywhere and every way but then resorting to DropBox because nothing works the way they expect. My plan is to suck all that back down into a traditional environment where I have some control of at least some of the files and services I'm supporting. I'll still use OneDrive (business) to sync profile files but business critical shares will be secured on-prem and backed up with versioning, etc.
I now need to manually build out an AD environment - figure a way to password sync with O365. The good news is I get to build a fresh AD (the right way) - but the bad news is there's no easy path to get this place back on track. I'd love to discuss the issues with @Anjana_S (hopefully you didn't go the "Cloud only" route) and find out what, if anything, has worked for this process. And please, by all means, send me those thoughts and prayers!