SOLVED

Azure Active Directory to Azure AD Domain Services migration/synchronization


Hi,

I have 50 users in Office 365/Azure Active Directory. Because of a new system we are introducing, I need to migrate or somehow sync the existing Office 365 users to Azure AD Domain Services. I've tried to find any documentation about this scenario but for some reason wasn't able to. Can somebody advise me whether this is possible and what is involved, please?

Synchronization (one-way) between Azure AD and Azure AD DS happens automatically. For existing users, it is triggered once a user changes their password, since this also generates the required Kerberos and NTLM hashes, which need to be stored in Azure AD DS. For users added after Azure AD DS is enabled, these hashes will automatically be created when the new user is added.
Hi Paul,
Thank you for your reply.
Do I understand correctly that synchronization works the opposite way from AD to O365? I mean, I create a user in Office 365 (Azure AD) and then it is synced back to Azure AD DS? And there is nothing else I really need to do to get the existing Office 365 users back into AAD DS?
best response confirmed by Piotr-Alpha (Occasional Contributor)
Solution
Correct. One way. From Azure AD to Azure AD DS.

So if you’re in a hybrid environment your sync will run from AD DS -> Azure AD using AAD Connect and using the one way sync from Azure AD to Azure AD DS.

Key is that those hashes need to be available. And if the user already exists in AAD DS you would have to force the password hash to be synced again from AD DS to AAD.
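The two replies above describe the same requirement from two sides: Azure AD DS can only serve a user once Azure AD holds that user's Kerberos and NTLM hashes, and those hashes are only produced when a password is set or re-synced. The script below is an added example, not code from the thread or from Microsoft. The hybrid half follows the approach Microsoft documents for forcing a full password-hash sync through Azure AD Connect (the ADSync module path, the `*AAD` connector-name match and a single on-premises forest are assumptions about a default install); the cloud-only half covers the original poster's case, where no on-premises AD exists, by forcing a password change through Microsoft Graph PowerShell (assumes the Microsoft.Graph module is installed and the signed-in account may write password profiles). The user principal names are constructed placeholders.

```powershell
# Added example (not from the thread): make Kerberos/NTLM hashes available to
# Azure AD DS for users that already existed before the managed domain was enabled.

# ---------------------------------------------------------------------------
# Part 1: hybrid users (on-premises AD DS -> Azure AD via Azure AD Connect).
# Run on the Azure AD Connect server as an administrator.
# ---------------------------------------------------------------------------
function Invoke-ForceFullPasswordHashSync {
    # Assumption: default install path of the ADSync module.
    $adSyncModule = 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'
    Import-Module $adSyncModule -ErrorAction Stop

    # Assumption: the Azure AD connector name ends in "AAD"; everything else is AD DS.
    $connectors       = Get-ADSyncConnector
    $azureAdConnector = $connectors | Where-Object { $_.Name -like '*AAD' }
    $adConnector      = $connectors | Where-Object { $_.Name -notlike '*AAD' }

    if (-not $azureAdConnector -or -not $adConnector) {
        throw 'Could not identify both connectors; inspect Get-ADSyncConnector output.'
    }
    if (@($adConnector).Count -gt 1) {
        throw 'Multiple AD DS connectors found; select the forest to re-sync explicitly.'
    }

    # Set the ForceFullPasswordSync flag on the on-premises connector so the next
    # password-sync cycle replays every user's hash instead of only changed ones.
    $c = Get-ADSyncConnector -Name $adConnector.Name
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
            'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

    # Toggling password hash sync off and on makes the connector pick up the flag.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
        -TargetConnector $azureAdConnector.Name -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
        -TargetConnector $azureAdConnector.Name -Enable $true
}

# ---------------------------------------------------------------------------
# Part 2: cloud-only users (the original poster's 50 Office 365 users).
# There is no on-premises hash to replay; the user must set a new password so
# that Azure AD generates the Kerberos/NTLM hashes and syncs them to Azure AD DS.
# ---------------------------------------------------------------------------
function Set-ForcePasswordChangeForCloudUsers {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames
    )
    # Assumption: Microsoft.Graph module installed; account holds a role allowed
    # to update password profiles (e.g. User Administrator).
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

    foreach ($upn in $UserPrincipalNames) {
        # Flag the account so the next interactive sign-in requires a new password.
        Update-MgUser -UserId $upn -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
        Write-Host "Forced password change at next sign-in for $upn"
    }
}

# Usage (constructed placeholders; pick the half that matches your environment):
# Invoke-ForceFullPasswordHashSync
# Set-ForcePasswordChangeForCloudUsers -UserPrincipalNames 'alice@contoso.example', 'bob@contoso.example'
```

After either path, verify the result the way Azure AD DS will: sign in as one of the affected users from a VM joined to the managed domain, or run an LDAP bind against it with that user's credentials. A user whose hash has not yet reached Azure AD DS fails that sign-in even though the account is visible in the directory. Note that the hybrid script replays every synced user's hash, not just the ones missing from Azure AD DS; it is a tenant-wide operation, so run it once rather than per user.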