Changing AAD after domain migration
Looking for some guidance on reconfiguring our Azure AD connect tool. Some background: We recently underwent a domain migration where we moved from older 2012 AD boxes to newer 2019 boxes. Internally our domain has changed from an .edu domain to a .local domain, however externally everything remains the same. We’ve migrated all our users and groups using ADMT, and their attribute did NOT change, they retain the same samaccountname, UPNs, email addresses, mS-DS-ConsistencyGuid, etc. If I try to reinstall the AAD tool using the exported settings it pulls the old .edu domain as that is what it’s set to sync, when we’d like it to pull from our .local AD servers now instead. When I run through the Customize Sync Options wizard I can add the .local forest to the connected directories option (if I use the /skipLDAP command), and it allows me to go through the wizard with no issue. Before I continue with this process, I figure I’d see if I could get some questions answered: Our anchor is mS-DS-ConsistencyGuid, and they are the same on both domains, so if I go ahead and connect the .local forest, will it still create a new account still or will it simply make the connection with the current 365 account/mailbox? (Mailboxes/Exchange are in 365, we do not use on-prem exchange.) Would it be easier to just completely uninstall the Azure AD tool, and re-install it without importing the exported settings? The only reason I’m hesitant to do this is because I’m not all 100% sure on what settings are configured, other than what is shown to me on the View or Export Config settings page. Thanks!Cross-tenant synchronization (Private mode)
Cross-tenant synchronization enables you to automate provisioning identities across tenants in your organization and simplify collaboration within your organization. In addition, automate removing accounts when users don't need access and keep accounts synchronized across tenants. This feature will not appear on all tenants until Microsoft releases it as preview.Display On-prem Password Policy on SSPR Page
Hi All We are beginning to rollout SSPR with on-prem writeback. So far so good. Is there a way we can display our on-prem password policy requirements on the SSPR screen? I have seen the MS docs, but can't really make any sense of them so any help would be greatly appreciated. SKJoin Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community HubMigration to Cloud Sync (passwords)
We want to migrate from AAD Connect Sync to Cloud Sync. When provisioning new users we could use temporarily passwords in AAD Connect Sync, through this feature: Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true Is this feature still available in Cloud Sync? If not what is the workaround?
Implementing Azure ADConnect in a live environment
I have been tasked with implementing Azure ADConnect for my company. We currently have 2 locally virtualized domain controllers and are already utilizing Office365 for mail. What would be the easiest way to implement ADConnect while having the least amount of downtime/user interruptions.Double entries in userCertificate avoids Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third party MFA provider while being on a federation. That means new computers never will have a registered state. For users it is mandatory that theirs clients have fulfilled the Hybrid Join to use M365 apps, what can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the OnPremises computer object, before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconstistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. Only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand, which process or scenario might create the double userCertificate entries?Questions about moving Windows endpoint from locally joined domain to Azure AD
Just a couple questions, when moving a current AD domain joined endpoint (i.e. Windows 10/11 Pro) to Azure AD. 1. Does the user's desktop look/feel change upon their next Azure AD-centric login, versus their previous domain joined profile? 2. If there were previously changes pushed out to the endpoints via local AD Domain GPOs, do those changes still remain on the endpoint machine, even after the cutover to Azure AD? 3. Is there a way to have an Azure AD authenticating machine, while still allowing the machine to access local network SMB shares, if the Azure AD and Local AD domain are in hybrid mode?
