SOLVED

Considerations regarding Azure AD Connect and Hybrid identities


I'm responsible for migrating our work's on-prem environment to Azure.

Our on-prem environment has a domain name of, let's say, "onpremdomain.com".

Our Office365 domain tenant is "companynamex.com", but this tenant is nothing I have administrative control over beyond my own personal Office365 account. I can't log in to portal.office.com and administrate the cloud users.

Let's say I install Azure AD Connect on our on-prem domain controller and sync all our local users to the Azure AD Domain Services. The purpose of this would be if I want my local users to be cloud managed instead, and maybe even add an Office365 license to the users that once were based on my on-prem DC?

Note, it's two different domains, and preferably all users in the future only want 1 sign-in (same on PC and Office365).

What should I do, and do I have permissions to do this?

 

4 Replies

Also, the problem with syncing on-prem users to the Azure AD and giving them a new Office365 license is that I will have the wrong domain name...

since my local AD does NOT have the same name as the Azure AD.

Best Response confirmed by SamirAbdou1999 (Occasional Contributor)
Solution

An alternate UPN suffix can be added to Windows AD. All users replicated to Azure AD will need the UPN suffix changed to the alternate suffix before replicating the accounts with Azure AD. Use the IdFix tool to verify consistency before replicating. As an alternative, you could add your Windows AD domain to Azure AD and continue using that domain.

Also, you will need an account with Global Admin rights to the Azure AD tenant to set up AD Connect.


Thanks for the reply @Travis Roberts

Do I need to swap the old UPN suffix to the new one before doing the synchronization?

I'll check out IdFix as well.

Am I able to use single sign-on/password sync even though it's different identities?


@SamirAbdou1999 Hello,

You do need to add the alternate UPN suffix to Windows AD and then update all users that will sync to the new UPN.  

Single sign-on will work. This is a common scenario with organizations that have non-routable Windows domains (domain.local). Although both your domains are routable, the same principles apply.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-director...
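The steps in the accepted answer and the last reply (register an alternate UPN suffix, then re-stamp the synced users' UPNs before the first Azure AD Connect sync) as an added PowerShell example, not code from the thread. It assumes the RSAT ActiveDirectory module is available on the machine it runs on, uses the two domain names from the thread, and the OU path is a placeholder; it runs with -WhatIf so the first pass only reports what would change.

```powershell
# Added example (not from the thread): register an alternate UPN suffix in the
# forest and re-stamp the UPNs of users in one OU before the first AD Connect sync.
# Assumptions: RSAT ActiveDirectory module present; onpremdomain.com is the AD
# forest, companynamex.com is the domain already verified in the Azure AD tenant;
# the OU below is a placeholder for the OU scoped for synchronisation.
Import-Module ActiveDirectory

$OldSuffix  = 'onpremdomain.com'
$NewSuffix  = 'companynamex.com'                         # must be verified in the tenant first
$SearchBase = 'OU=SyncedUsers,DC=onpremdomain,DC=com'    # placeholder OU

# 1. Register the alternate UPN suffix at the forest level (skipped if already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Re-stamp each user's UPN: keep the prefix, swap the suffix.
$users = Get-ADUser -SearchBase $SearchBase `
                    -LDAPFilter "(userPrincipalName=*@$OldSuffix)" `
                    -Properties UserPrincipalName

foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]

    # IdFix-style check: Azure AD only accepts these characters in the UPN prefix
    # (letters, digits, . - _ ! # ^ ~ ') and at most 64 characters. Flag such
    # accounts for clean-up in IdFix instead of pushing a UPN the sync will reject.
    if ($prefix -match '[^A-Za-z0-9.\-_!#^~'']' -or $prefix.Length -gt 64) {
        Write-Warning "$($u.SamAccountName): prefix '$prefix' is not a valid Azure AD UPN; fix it in IdFix first"
        continue
    }

    $newUpn = "$prefix@$NewSuffix"
    Write-Host "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    # Remove -WhatIf once the reported changes look right.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run IdFix over the same OU after the re-stamp and before enabling the Azure AD Connect sync, since the character check above covers only the UPN and not the other attributes IdFix validates.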