Merging on prem domain with cloud domain to manage in Azure AD

Hi,

We created an O365 tenant with a domain "abcd.edu" and assigned all our users credentials online (Azure AD) because we were not ready to migrate the on-prem mailboxes which are on another domain abcd.ac.in. We are now considering an express migration of all the on-prem (abcd.ac.in) accounts to the cloud and ultimately use Azure AD as source of authority.

Once we are in the cloud, we would like to use the abcd.ac.in UPN for all users and either merge or retire the abcd.edu domain. We would ideally like to merge it in some way to avoid recreating all the other resources including teams with the new UPN. We have adequate licenses for both usernames to coexist for a while.

Any thoughts or resources I can read?

5 Replies
I would advise you to set up Azure AD Connect and match all on-prem users to the cloud users. That way users have single sign-on access to the cloud.

Office 365 will disable the cloud mailbox and will continue utilizing the on-prem mailbox of all users until you have migrated them.

Thanks @Thijs Lecomte. If I get you right, the steps would be to do a soft match first and use on-prem credentials in step 1. Then migrate the users to the cloud and stop using Azure AD Connect? I am trying to be sure that soft matching does not prevent me from passing the source of authority back to Azure AD once my migration is over.

Jacob

Could you elaborate more on your end goal?
Would you like all users to be in AAD and not in AD anymore?

The covid situation here is quite bad and I got caught with my clinical responsibilities for the last week.

@Thijs Lecomte we are hoping to manage all users on AAD once the migration is done. No role for AD after the migration.

Yeah, so you should soft merge first so that on-prem syncs to AAD again.
Note: if you have made any changes to the user in AAD (passwords, phone numbers, job descriptions...), these changes will be overwritten.

Afterwards you can easily change the source of authority back to AAD.
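
A dry run of the soft match discussed in this thread, added here as an illustration and not taken from any poster or from Microsoft tooling. It assumes a simplified model in which an on-prem account pairs with a cloud account that has no ImmutableId when their primary SMTP addresses are equal or, failing that, their UPNs; the user records and field names are constructed.

```python
# Constructed sample exports; field names are hypothetical, not a real API schema.
ONPREM = [
    {"upn": "jdoe@abcd.ac.in", "proxy": ["SMTP:jdoe@abcd.ac.in"]},
    {"upn": "asmith@abcd.ac.in", "proxy": ["SMTP:asmith@abcd.ac.in"]},
    {"upn": "rlee@abcd.ac.in", "proxy": []},
    {"upn": "mkhan@abcd.ac.in", "proxy": ["SMTP:mkhan@abcd.ac.in"]},
]
CLOUD = [
    # Primary address already switched to abcd.ac.in, abcd.edu kept as an alias.
    {"upn": "jdoe@abcd.edu", "immutable_id": None,
     "proxy": ["SMTP:jdoe@abcd.ac.in", "smtp:jdoe@abcd.edu"]},
    # Still entirely on abcd.edu: nothing to pair on.
    {"upn": "asmith@abcd.edu", "immutable_id": None, "proxy": ["SMTP:asmith@abcd.edu"]},
    # UPN already renamed to abcd.ac.in, mail still on abcd.edu.
    {"upn": "rlee@abcd.ac.in", "immutable_id": None, "proxy": ["SMTP:rlee@abcd.edu"]},
    # Already carries an ImmutableId, so it is not a soft-match candidate.
    {"upn": "mkhan@abcd.edu", "immutable_id": "CONSTRUCTED-ID",
     "proxy": ["SMTP:mkhan@abcd.ac.in"]},
]

def primary_smtp(proxy_addresses):
    """Return the primary address (the upper-case 'SMTP:' entry), lower-cased."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return None

def predict_soft_match(onprem_users, cloud_users):
    """Map each on-prem UPN to (cloud UPN, reason) or (None, 'no match')."""
    candidates = [c for c in cloud_users if not c["immutable_id"]]
    by_smtp = {primary_smtp(c["proxy"]): c for c in candidates if primary_smtp(c["proxy"])}
    by_upn = {c["upn"].lower(): c for c in candidates}
    result = {}
    for user in onprem_users:
        smtp = primary_smtp(user["proxy"])
        upn = user["upn"].lower()
        if smtp and smtp in by_smtp:
            result[user["upn"]] = (by_smtp[smtp]["upn"], "primary SMTP")
        elif upn in by_upn:
            result[user["upn"]] = (by_upn[upn]["upn"], "UPN")
        else:
            result[user["upn"]] = (None, "no match")
    return result

if __name__ == "__main__":
    for onprem_upn, (cloud_upn, reason) in predict_soft_match(ONPREM, CLOUD).items():
        print(f"{onprem_upn:22} -> {cloud_upn or '-':18} ({reason})")
```

Accounts reported as "no match" will not pair with their existing cloud user under this model, so their addresses or UPNs need aligning before the first sync.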