Merge local and Azure AD users, if both are in use and have name differences


Hi, I'm new here and am currently dealing with Azure in our company.
We have had MS 365 with Office licenses for a few years and use them actively; locally we have a small server including a domain.
I would now like to synchronize my local AD users with Azure via AD Connect. It works in theory and in practice, but I have two problems.
For example, my local users are called email address removed for privacy reasons
The names in the AD are like email address removed for privacy reasons

 

I now have both users in the AD, one managed via the cloud and one locally managed.

 

How do I get the two users together in such a way that nothing explodes or e-mails etc. get lost or something is destroyed locally?

Or is that difficult to impossible without pain due to the advanced usage of both sides?
Microsoft clearly advises against it, so I'm wondering: what to do?

 

My boss would like to merge both to minimize the amount of passwords and for any other possible gimmicks.

It seems that best practice is to first create the accounts locally and then merge them with Azure and give them licences etc., right?

 

 

13 Replies

@Sebastian_Wenning 

You need to match your local users with your AAD users using a soft match through the SMTP proxy address attribute; refer to the link below:

https://support.microsoft.com/en-us/topic/how-to-use-smtp-matching-to-match-on-premises-user-account...

 


@Sebastian_Wenning 

Do you think there is any key to match your user account between on-prem and Cloud (M365)? Say SMTP?

@Kidd: Yes, if it's needed.

@eliekarkafy: So I don't have to change my usernames; I only have to give my local users the O365 mail address in their mail-address field?

Does this work without changing my local usernames, or is this still needed?

And if I do this, will O365 things like mails be lost?

@Sebastian_Wenning No need to change the UPN of your users; you just need to match the SMTP in the proxyAddresses attribute of your local users with the SMTP of your O365 users, and when you run the sync the users in the cloud will appear as synced instead of cloud-only.

Okay, I will give it a try.

So it's no problem that the UPN and the usernames don't fully match?
Because our local usernames are longer (local: jsmith@, 365: js@).

And what username do I use after the merge?

Usernames need to be matched for sure, but the UPN doesn't.

@eliekarkafy Okay, adding the mail address to the user and changing the username is needed, but changing the UPN isn't needed; but ok, if I do so.

 

 

Correct, keep me posted please.

Hi, I have the feeling that I did something wrong.
My sync with Azure AD was already running, and I currently have the MS 365 mail account in the user overview and my local account.

Then I just added my email address to the contact details on my local AD, changed the UPN as discussed and entered the following in the attributes under "proxyAddresses": {SMTP:email address removed for privacy reasons}

That didn't merge anything after the refresh, so I edited it again and added the following: {SMTP:email address removed for privacy reasons; SMTP:email address removed for privacy reasons}
Apparently that didn't change anything either.
My MS 365 mail account is still not marked with "local synchronization" in the AD.

What am I doing wrong?

Do I have to stop the sync service first and delete the local users from Azure again and start the process again?

@Sebastian_Wenning Here are the steps to follow:

 

  1. Disable the sync between AAD and the local domain.
  2. Make sure that username, UPN and proxy address match between the user on-prem and the user in AAD.
  3. Sync again.

 

 

@eliekarkafy Thanks, I stopped the sync last Friday and changed the attributes.

- The user logon name is now fully the same as my mail address.

- The user logon name (pre-Windows 2000) isn't changed, so it doesn't match my AD user, but if I read your steps correctly, it's not needed.

- Under "General" I filled "E-mail" with my mail address.

- The attribute "proxyAddresses" is now filled with the value "SMTP:mymailaddress".

 

I had an error with the user rights when I looked into the Synchronization Service Manager, but this is solved.

 

My new status:

No errors seen in the Manager. The AD user table shows no duplicate users, but all users are not marked as "local synced". -> This has to change to "yes", or not?

On top of that, my boss's user has a deployment error, category PropertyConflict, in his proxyAddresses.

That's curious, because the value in this error shows his "SMTP:hismailaddress", just as all 4 other synced users have theirs filled with their addresses, but the other users didn't get any errors at all.

 

 

 

If the users are not marked as local synced with a yes, that means your users are cloud-only and not merged with your local users on-premises. Can you please show me an example of one of your users on-premises (username, UPN, SMTP proxy) and how it looks on O365 as well?

@eliekarkafy

Thanks again for helping me via PM.


For everyone else, the solution was simple. You have to match the full UPN with the MS365 user, and the attribute "proxyAddresses" has to be filled with the SMTP entries of the MS365 user, e.g. SMTP:email address removed for privacy reasons for the main address and smtp:email address removed for privacy reasons for the alias address.


My mistake was that I merged my local users before filling in these entries. I had to delete my mis-synced on-premises users in Azure and in the Azure deleted-user recycle bin and do a new initial sync via PowerShell. After 2 minutes my users were properly synchronized.


Note that all your user entries in MS365 will be overwritten with your local user entries. Therefore, before synchronizing, check again whether all information is present on your local users.
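The steps above (disable the sync, align UPN and proxyAddresses on the local user, remove the wrongly created duplicate including its recycle-bin entry, run an initial sync) as one PowerShell run. This is an added example, not code from the thread or from Microsoft. Names are hypothetical and must be replaced: sAMAccountName `jsmith`, cloud-only user `js@contoso.com` with alias `john.smith@contoso.com`, duplicate `jsmith@contoso.com` left behind by the first sync, and `contoso.com` as a domain that is verified in the tenant. It is meant to run on the Azure AD Connect server with the RSAT ActiveDirectory module and the Microsoft Graph PowerShell module installed.

```powershell
#Requires -Modules ActiveDirectory, ADSync, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the original thread): SMTP soft match of one on-prem AD user
# with an existing cloud-only Microsoft 365 user, followed by an initial Azure AD Connect sync.
param(
    [string]$OnPremSam         = 'jsmith',                     # hypothetical local account
    [string]$CloudUpn          = 'js@contoso.com',             # primary SMTP / UPN of the cloud user
    [string[]]$Aliases         = @('john.smith@contoso.com'),  # secondary SMTP addresses of the cloud user
    [string]$StaleDuplicateUpn = 'jsmith@contoso.com'          # object the wrong first sync created, if any
)

# 1. Pause the scheduler so no cycle runs while the attributes are half edited.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Build proxyAddresses exactly as the cloud object carries it: one upper-case 'SMTP:'
#    primary address and lower-case 'smtp:' aliases. The soft match compares these values.
$proxy = @("SMTP:$CloudUpn") + ($Aliases | ForEach-Object { "smtp:$_" })

# 3. Make UPN, mail and proxyAddresses identical to the cloud user. The UPN suffix must be a
#    domain verified in the tenant; otherwise the object syncs with an onmicrosoft.com UPN.
Set-ADUser -Identity $OnPremSam `
           -UserPrincipalName $CloudUpn `
           -EmailAddress $CloudUpn `
           -Replace @{ proxyAddresses = $proxy }

# 4. Show what will be exported so it can be compared with the cloud object before syncing.
Get-ADUser -Identity $OnPremSam -Properties mail, proxyAddresses |
    Select-Object SamAccountName, UserPrincipalName, mail,
                  @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }

# 5. If an earlier sync already produced a duplicate cloud object (the poster's case), remove it
#    and purge it from the recycle bin; a soft-deleted object still holds its proxy addresses and
#    causes the PropertyConflict seen in the thread. Guard: never touch the user that owns the mailbox.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
$dup = Get-MgUser -Filter "userPrincipalName eq '$StaleDuplicateUpn'" `
                  -Property Id, UserPrincipalName, OnPremisesSyncEnabled
if ($dup -and $dup.UserPrincipalName -ne $CloudUpn) {
    Remove-MgUser -UserId $dup.Id
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $dup.Id
}

# 6. Re-enable the scheduler and run a full (initial) cycle so every object is re-evaluated.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# 7. Verification: after the cycle the cloud user should report OnPremisesSyncEnabled = True and
#    carry the OnPremisesImmutableId written by Azure AD Connect. If both stay empty, the match failed
#    and the user is still cloud-only.
Get-MgUser -UserId $CloudUpn -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
```

Two points a practitioner should check before running something like this: the soft match only works when the cloud object has no immutable ID yet, which is why the duplicate created by the first sync had to be deleted from the recycle bin as well; and because the on-prem object becomes the source of authority after the match, any attribute that only exists on the cloud user (display name, phone, aliases) is overwritten on the next cycle, as the last post warns.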