cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

After User Sync to Azure AD, migrate to another OnPremise AD

Jeffrey_Goins
Copper Contributor

‎Jun 24 2020 12:51 AM - last edited on ‎Jan 14 2022 03:59 PM by

‎Jun 24 2020 12:51 AM - last edited on ‎Jan 14 2022 03:59 PM by

After User Sync to Azure AD, migrate to another OnPremise AD

Hi, 

 

we use an onpremis AD.. maybe contoso.dom, I sync users to Azure Ad jon@company1.com, ted@company2.com and so on.

 

No, the companies should be separated onpremise and contos.com disappeas so I have

somecompany1.dom on premise with jon@company1.com

somecompany2.dom on premise with ted@company2.com

 

but i dont want a different User in AzureAD, when Jon is synced from somecompany1.dom to azure he should find its Onedrive and Teams stuff. Is it possible?

 

I thougt I took the: employeeID as another attribut for Unique Identify, but select how user should identify with Azure Ad, whats would here the best.

Labels:
Preview file
74 KB
1,295 Views
0 Likes
1 Reply
Reply
1 Reply
ShellBlazer

‎Jul 15 2020 05:03 PM

‎Jul 15 2020 05:03 PM

Re: After User Sync to Azure AD, migrate to another OnPremise AD

@Jeffrey_Goins 

 

This is a way you could go about it: 

 

1. Disable sync: https://docs.microsoft.com/en-us/office365/enterprise/turn-off-directory-synchronization

2. Wait for your objects to get the status of cloud managed instead of synced

3. remove the imutableID of your cloud objects. 

For started: 

Get-MsolUser -All | Set-MsolUser -ImmutableId $null
4. Set up ADconnect in the new domains
5. Either hard match or soft match the on prem accounts: 
Softmatch: based on attributes: UPN, Default smtp, ... 
Hardmatch: generate and set immutableID
 
Generating immutableID as such: 
 

 

$User = Get-ADuser $UserSamAccount -Properties * -server $DC

$ImmutableID = [system.convert]::ToBase64String(([GUID]($User.ObjectGUID)).tobytearray())

 

 
Make sure your users in the new domains have the required attributes before you sync. (Correct UPN, ProxyAddresses, User attributes, ...) Or you will remove the attributes from your cloud objects by synching the incomplete users. You can export the old domain users and the cloud objects with PowerShell just to be on the safe side. 
 
Before you do any operations like this that you are not familiar with, always test run this in a demo environment!! 
0 Likes
Reply