Synchronize Azure AD users to local AD


Hello Community,

I have the following topic that I couldn't find how to handle. We have many existing Office365 users (the organization is a University). We need to create a new empty local Active Directory and sync those users from Azure to the local AD (one way from Azure to local AD), so we can have the local AD as authentication provider for some local applications. We need to be able to use the same username and password that is already set in Azure. I read many Microsoft articles, but the sync is always in the opposite direction to what we need.

Is this possible and how?

Thank you.

3 Replies

@IvanBelev 

All your users are actually stored not in Office365 but in Azure. As far as I understand you can do this in two steps:
1) Export Azure users
2) Import exported users in local AD

But I'm not sure you can export them with their passwords.

Here is the example: https://vmlabblog.com/2020/02/how-to-export-an-azure-ad-account-to-the-ad/


Hi @IvanBelev 

Aside from some very specific situations such as password and certain groups, write back from AzureAD to on-prem AD DS is not possible. In the past we have created a new on-prem domain, exported the relevant data from Azure AD, imported it into the local AD, then set up AzureAD Connect. This makes the on-prem AD the source of authority going forward, so changes would need to be done in AD DS and not Office365.

 

I've done this for small clients, but not at the scale of a university.

Just adding to @HidMov that this is the way to go, but there is no way to export passwords.
So you will have to provide a temporary password for users to use once
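The two-step procedure described in the replies above (export the cloud accounts, create matching on-prem accounts with temporary passwords, then let Azure AD Connect take over), written out as a PowerShell script. This is an added example for illustration, not code posted by anyone in the thread. It assumes the Microsoft.Graph.Users and ActiveDirectory modules are installed on a domain-joined admin box, that the account running it can read users in Azure AD and create users in the new domain, and that the target OU, the UPN suffix and the CSV paths (all placeholders) are adjusted to the real environment.

```powershell
# Added example, not from the thread. Placeholders: $TargetOU, $UpnSuffix, $ExportCsv.
#Requires -Modules Microsoft.Graph.Users, ActiveDirectory
param(
    [string]$TargetOU  = 'OU=Synced Users,DC=corp,DC=local',   # hypothetical OU in the new domain
    [string]$UpnSuffix = 'university.example',                 # hypothetical cloud UPN suffix
    [string]$ExportCsv = '.\azuread-users.csv'
)
Import-Module ActiveDirectory

# 1) Export: read the cloud accounts through the Graph PowerShell SDK.
#    Only identity attributes come out; password hashes cannot be exported from Azure AD.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
$props = @('UserPrincipalName', 'DisplayName', 'GivenName', 'Surname', 'Mail', 'AccountEnabled')
Get-MgUser -All -Property $props |
    Where-Object { $_.AccountEnabled -and $_.UserPrincipalName -like "*@$UpnSuffix" } |
    Select-Object UserPrincipalName, DisplayName, GivenName, Surname, Mail |
    Export-Csv -Path $ExportCsv -NoTypeInformation

# The forest must carry the cloud UPN suffix, otherwise the on-prem UPNs cannot match the cloud ones.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $UpnSuffix }
}

function New-TemporaryPassword {
    # 20 characters drawn from a CSPRNG; the mixed alphabet satisfies the usual complexity policy.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# 2) Import: create one on-prem account per exported user, same UPN, one-time temporary password.
$issued = foreach ($u in Import-Csv -Path $ExportCsv) {
    $upn    = $u.UserPrincipalName
    $prefix = $upn.Split('@')[0]
    $sam    = if ($prefix.Length -gt 20) { $prefix.Substring(0, 20) } else { $prefix }  # sAMAccountName limit

    # Idempotent: skip accounts that already exist so the script can be re-run after a partial import.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") { continue }

    $temp = New-TemporaryPassword
    $new = @{
        Name                  = $prefix          # CN; the UPN prefix is unique where DisplayName may not be
        SamAccountName        = $sam
        UserPrincipalName     = $upn
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $temp -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true            # force the user off the temporary password at first logon
    }
    # Only pass attributes that are actually populated in the export.
    if ($u.DisplayName) { $new.DisplayName  = $u.DisplayName }
    if ($u.GivenName)   { $new.GivenName    = $u.GivenName }
    if ($u.Surname)     { $new.Surname      = $u.Surname }
    if ($u.Mail)        { $new.EmailAddress = $u.Mail }
    New-ADUser @new

    [pscustomobject]@{ UserPrincipalName = $upn; TemporaryPassword = $temp }
}

# Temporary passwords are secrets: deliver them out of band and delete this file afterwards.
$issued | Export-Csv -Path '.\temp-passwords.csv' -NoTypeInformation
```

Because the on-prem UPN equals the cloud UPN, Azure AD Connect will soft-match each new on-prem object to its existing cloud account on the first sync instead of creating duplicates; from then on the on-prem directory is the source of authority, as the second reply says, and once password hash sync runs the on-prem (temporary, then user-chosen) password replaces the old cloud password for Office 365 sign-in as well. Run the import on a small pilot OU first and check the sync result in the Azure AD Connect Synchronization Service Manager before doing the whole university.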