Migrate Azure AD users to On-Premise Active Directory
If you have been experimenting with Azure AD or jumped in a while ago with O365 and Azure Active Directory and now want to migrate those users to your local datacenter, this post might be for you.
Rajen Das sent over these clear steps to accomplish the goal of syncing Azure Users to Local AD. Unfortunately, there is no easy button to click in the Azure Portal. That journey to the cloud is often built around a one-way street. 🙂
But if you are ready to step back into your own Active Directory, here is a great post from Raj!
Scenario
The client is using Office 365 with Azure AD. There’s a need for on-premises Active Directory Domain Services. In this situation, the new source of the identity must be an on-premises Active Directory. You will need the following prerequisites to accomplish this.
- Global admin or equivalent to export Azure AD using PowerShell.
- Working Domain controller on-premises
- Domain Admin Account to perform the Azure AD install and configuration
- Azure AD Connect (Modify if already configured)
- User passwords will need to be reset after syncing
Once ready, we will have to tackle the following high-level tasks.
- Export users from Azure AD
- Import users into local Active Directory
- Perform a hard match of the users
- Setup Microsoft Azure AD Sync (Use OU filtering)
- Stage the syncing
- Test email flow
Step One: Export Azure AD users
You can use the following scripts to export the Azure AD and import them into the local Active Directory. The scripts can be found in this Github Gist. Take note that this doesn’t export proxy addresses or any additional aliases.
Step Two: Import Users into Local AD
- Import the users using the PowerShell Script referenced in step 1. By default, imported users will appear in the “Users” OU.
- Create a new OU (“Corp”) (this will be the final OU where the users will live) in your local AD
- Install Azure AD Connect
- During the configuration, Select the “Corp” OU. Note: At this point, that OU should be empty.
Step Three: Hard Matching
Hard matching is used in hybrid environments so that there is a link between the synchronized users. Azure AD Connect will look at the sourceanchor attribute to link the user objects on both sides of the synchronization.
- From an elevated CMD prompt, run the following:
ldifde.exe -f C:\Temp\ExportAllUser.txt -r "(UserPrincipalname=*)" -l "ObjectGuid, userPrincipalName"
- The ExportAllUser.txt file should contain all the users ObjectGUID(s)
dn: CN=TestUser,OU=Corp,DC=Test,DC=com
changetype: add
objectGUID:: UyoRFGEUO/A1VslGJlGA==
userPrincipalName: [email protected]
- Identify the ObjectGUID for each user and run the following for each user
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId UyoRFGEUO/A1VslGJlGA==
Step Four: Syncing the users
- Copy the Test User to the “Corp” OU
- Open PowerShell and force a Sync
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
- Keep in mind this sync is only occurring for the “Corp” OU
Step Five: Testing
- Login to Microsoft 365 Admin Portal
- Select the Active Users
- Update the Column to show Sync Status
- TestUser should show “Sync from On-premises”
- Test email flow for that account including all aliases.
At this point, you should have successfully tested that local User Account and Verified that Mail continued to work.
Step Six: Sync the remaining users (Caution: If in production, users will need to reset Passwords!)
- Repeat Step 3 to hard match the remaining users and have it ready
- Keep in mind that after the sync is completed, you’ll need to reset the password for each user on-premises. It’s a good idea to work with the user as you sync
From this point, all new user creation should be done on-premises. If you create an additional OU in Azure AD, update the Azure AD Connector to include and sync the new OU.
Thanks go out to Raj for writing this up and sending it over to me.
Have questions? Be sure to follow Raj on Twitter: @Neo124t