Forum Discussion
O365 AD Connector?
If you don't want to have new/duplicate users, this would be the first thing you need to adjust prior to a migration.
https://quadro.tech - https://quadro.tech/autopilot, https://quadro.tech/reporting and https://quadro.tech/migration for Office 365 and Exchange
- Paul Langham, Nov 05, 2018, Copper Contributor
So in order to test I am going to filter out all OUs except a test OU.
Am I right in saying that so long as the UPN and ProxyAddress match that of the O365 object then the accounts will be merged?
People have mentioned one-way sync; how and where can I check that my connection is in fact one-way only?
- Ananya Tripathi, Nov 05, 2018, Copper Contributor
Hello Paul,
- Please note that in case you have an account on AD as well as on Office 365, then you may go for a hard match using the below: https://blogs.technet.microsoft.com/praveenkumar/2014/08/10/how-to-do-hard-match-part-2/
- Other AD users and groups will be synced to Office365 tenant.
Let me know if you still have any queries.
- Adrienne Andrews, Nov 05, 2018, Brass Contributor
Hi Paul,
Good call - a small test OU or pilot group is a great idea for this.
Rather than using the express install wizard, you probably will want to go through the custom installation instead. Have a look at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom before deciding, of course, but by going through the custom install you'll have control over which OUs to sync (or just use a pilot group), and whether any write-back (two-way sync) features are enabled.
Something worth noting from my previous experience that may not be apparent from reading all this documentation is that the account in your on-prem Active Directory will become the master account, which means that the on-prem account's details will overwrite any information that may have been set in the cloud identity - so it's not really what I consider a true "merge". In your testing you might want to make sure you check all of the proxy addresses before and after an account is synced to see if there could be any potential interruption to mail flow for users. For instance, if your on-prem account has only the primary SMTP address in its proxy addresses, but your cloud account has multiple proxy addresses, then when those accounts are synced only the primary SMTP address will remain and all those other proxy addresses will be removed. This also means that you may have to adjust provisioning processes if you had some of that user information being updated in the cloud rather than on-prem; many of the settings will only be able to be managed from your on-prem directory at that point.
Another thing to remember is that when an account in the cloud is synced to an on-prem object, it's always synced to that object. The GUID of the on-prem object is encoded and written to the cloud object, forming a permanent link between the two objects. It is really hard to unlink those accounts at that point, so just be cautious and test as many scenarios as you can before syncing your whole directory. You might want to also check out https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing to see how you can view exactly what attributes are being written and where in your testing.
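
The pre-sync check described in the reply above, as an added example that is not part of the original thread: for each pilot account it computes the anchor value that would link the two objects and lists the cloud proxy addresses that would be dropped once on-prem becomes the master. It assumes the default objectGUID-based source anchor (Base64 of the GUID bytes, stored as `ImmutableId` on the cloud user); all sample users and the function names are constructed for illustration.

```powershell
# Constructed sample data. In a real pilot these rows would come from exports
# of the test OU (on-prem) and of the matching tenant users (cloud).
$onPrem = @(
    [pscustomobject]@{ UPN = 'alice@example.com'
        ObjectGuid     = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
        ProxyAddresses = @('SMTP:alice@example.com') },
    [pscustomobject]@{ UPN = 'bob@example.com'
        ObjectGuid     = [guid]'9b2d7c1a-6e54-4f0b-8a3d-2c1e5f7a9b10'
        ProxyAddresses = @('SMTP:bob@example.com') }
)
$cloud = @(
    [pscustomobject]@{ UPN = 'alice@example.com'; ImmutableId = $null
        ProxyAddresses = @('SMTP:alice@example.com', 'smtp:a.smith@example.com', 'smtp:sales@example.com') }
)

function Get-ExpectedImmutableId {
    param([guid]$ObjectGuid)
    # Assumption: objectGUID is the source anchor, so the linking value is the
    # Base64 encoding of the GUID's 16 bytes in .NET byte order.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Compare-PreSyncAccount {
    param($OnPremUsers, $CloudUsers)
    foreach ($ad in $OnPremUsers) {
        $expected = Get-ExpectedImmutableId $ad.ObjectGuid
        $c = $CloudUsers | Where-Object { $_.UPN -eq $ad.UPN }
        if (-not $c) {
            # No cloud object with this UPN: the sync would provision a new user.
            [pscustomobject]@{ UPN = $ad.UPN; Status = 'NoCloudMatch'
                ExpectedImmutableId = $expected; AddressesLostOnSync = @() }
            continue
        }
        # -notin compares case-insensitively, so SMTP:/smtp: prefix case is ignored.
        $lost = @($c.ProxyAddresses | Where-Object { $_ -notin $ad.ProxyAddresses })
        $status = if ($c.ImmutableId -eq $expected) { 'AlreadyLinked' }
                  elseif ($c.ImmutableId) { 'LinkedToDifferentObject' }
                  else { 'Unlinked' }
        [pscustomobject]@{ UPN = $ad.UPN; Status = $status
            ExpectedImmutableId = $expected; AddressesLostOnSync = $lost }
    }
}

Compare-PreSyncAccount -OnPremUsers $onPrem -CloudUsers $cloud | Format-List
```

Any address listed under `AddressesLostOnSync` needs to be added to the on-prem account's proxy addresses before that account is brought into sync scope.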