After User Sync to Azure AD, migrate to another OnPremise AD

Copper Contributor

Hi, 

 

we use an onpremis AD.. maybe contoso.dom, I sync users to Azure Ad jon@company1.com, ted@company2.com and so on.

 

No, the companies should be separated onpremise and contos.com disappeas so I have

somecompany1.dom on premise with jon@company1.com

somecompany2.dom on premise with ted@company2.com

 

but i dont want a different User in AzureAD, when Jon is synced from somecompany1.dom to azure he should find its Onedrive and Teams stuff. Is it possible?

 

I thougt I took the: employeeID as another attribut for Unique Identify, but select how user should identify with Azure Ad, whats would here the best.

1 Reply

@Jeffrey_Goins 

 

This is a way you could go about it: 

 

1. Disable sync: https://docs.microsoft.com/en-us/office365/enterprise/turn-off-directory-synchronization

2. Wait for your objects to get the status of cloud managed instead of synced

3. remove the imutableID of your cloud objects. 

For started: 

Get-MsolUser -All | Set-MsolUser -ImmutableId $null
4. Set up ADconnect in the new domains
5. Either hard match or soft match the on prem accounts: 
Softmatch: based on attributes: UPN, Default smtp, ... 
Hardmatch: generate and set immutableID
 
Generating immutableID as such: 
 

 

$User = Get-ADuser $UserSamAccount -Properties * -server $DC

$ImmutableID = [system.convert]::ToBase64String(([GUID]($User.ObjectGUID)).tobytearray())

 

 
Make sure your users in the new domains have the required attributes before you sync. (Correct UPN, ProxyAddresses, User attributes, ...) Or you will remove the attributes from your cloud objects by synching the incomplete users. You can export the old domain users and the cloud objects with PowerShell just to be on the safe side. 
 
Before you do any operations like this that you are not familiar with, always test run this in a demo environment!!