[Microsoft Update: “… new versions of Entra Connect Sync are only available on the Microsoft Entra Connect blade within Microsoft Entra Admin Center and will no longer be released to the Microsoft Download Centre.] – Step 2.

I’ve read many articles on how to sync your on-prem Active Directory (AD) with Entra ID and learned some lessons along the way. I also worked with Microsoft support to make sure I understood and was doing things correctly. Some of the official Microsoft documentation is here and here. Not all environments are the same, so these instructions are based on an on-prem Windows Server 2022 domain controller without an on-prem Exchange Server, and all email is already handled by Microsoft 365. Please read the entire document before beginning.

Step-by-step instructions:
1) Add your Entra domain (such as mycompany.com) as a UPN suffix in the on-prem Active Directory Domains and Trusts console.

  • Right-click Active Directory Domains and Trusts, click Properties and add your domain.

2) Download Microsoft Entra Connect to your on-prem domain controller that will be synced.

  • Go to portal.azure.com and sign in with an Admin account
  • Click View under Manage Microsoft Entra ID
  • Click Go to Microsoft Entra Connect
  • Click the Manage tab
  • Click Download Connect Sync Agent
  • Click Accept terms & download

3) Run the AzureADConnect.msi download and follow the prompts.

  • Check the box and click Continue
  • Click Use Express Settings.
  • Make sure the domain you added in Step 1 is listed as Verified and check ‘Continue without matching all UPN suffixes to verified domains’.
  • Uncheck ‘Start the synchronization process when configuration completes’ at the end. This installs the program but does not start the syncing process.
  • Uncheck ‘Enable staging mode’ unless you understand what this does and want to enable it.

4) Create a test organizational unit (OU) in your on-prem AD. Name it something such as ‘Test AD Sync’.

  • In the on-prem Active Directory Users and Computers (ADUC), right-click the domain -> New -> Organizational Unit.

5) Move a few accounts into the test OU or create a couple dummy accounts in this OU if you are uncomfortable working with any of your active users. If you use active accounts, let the users know of the effects while you test – mainly the Microsoft 365 (M365) password change.


6) In ADUC, change each test user’s login account to the mycompany.com suffix.

  • Right-click a user, click Properties, click Account tab, change ‘User login name’ from the local domain to the Azure domain (you added in Step 1) in the dropdown.

7) Re-run AAD Connect on the on-prem server to sync this test OU.

  • Click ‘Configuration synchronization options’ and sign in
  • When you get to ‘Domain and OU filtering’, check ‘Sync selected domains and OUs’, expand the domain and select only the ‘Test AD Sync’ OU.
  • On the ‘Optional features’ page, check ‘Password hash synchronization’, ‘Password writeback’, and ‘Directory extension attribute sync’.
  • Don’t worry about which ‘Directory extensions’ for now, I’ll discuss them later.

8) Verify everything is working with the test accounts. Remember, for existing accounts, the Entra ID password is overwritten by the on-prem AD account password. The user’s applications, such as Outlook or Teams, will ask for the new password when they need it. If you created new accounts to use for testing, they will be added to Azure without licensing. Another thing to check – sign into your Microsoft Entra Admin Center, click Identity -> Users -> All users, there will be a column ‘On-premises sync enabled’. Make sure the test user says ‘Yes’ in this column.

When you’re comfortable that the sync is working, move on to Step 9 to go live! Send an email to all staff letting them know of the changes and when you’ll be doing this. It really is a lot less painful than you might think.

9) (Optional) Move any accounts to their own OU that you don’t want to sync. Name the OU something like ‘On-Prem Only’. These accounts might include admin, generic, temp, or VPN-only domain accounts that don’t have an associated M365 account.

  • In the on-prem Active Directory Users and Computers (ADUC), right-click the domain -> New -> Organizational Unit
  • Right-click the account to move, then click Move

10) Add all contact info, attribute info, and aliases to the on-prem accounts that are syncing. Since the on-prem AD will rule after the syncing, any addresses, department info, titles, aliases, etc. will need to be populated in the on-prem AD for it to flow through to Entra ID.

  • Aliases – You may need to run a PowerShell script to get all current SMTP aliases to make sure you’ve added them to the on-prem AD. In ADUC, click View and check Advanced Features, double-click the user, click the Attribute Editor tab, scroll to proxyAddresses, enter smtp:alias@mycompany.com, click Add, click OK, click OK
  • Attribute Editor tab in a user’s properties (the Directory Extensions page in AAD Connect) – the following on-prem user attributes map to Entra ID. These are the only ones I mapped, but you may be using others. There are lists on the internet of which attributes will sync, but I couldn’t find what maps to what, so it may take trial and error to figure out the mapping. Very few attributes are named the same in both environments. I’ve used the Custom Attributes in M365 extensively to set up dynamic distribution lists:

On-prem Attribute Editor -> Entra ID

  • extensionAttribute1-15 -> Custom Attribute 01-15
  • department -> Department
  • office -> Location
  • postalCode -> Zip or postal code
  • telephoneNumber -> Office phone
  • title -> Title
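The alias check from Step 10, as an added example (not from the original post): it compares the smtp: addresses of each Exchange Online mailbox with the proxyAddresses on the matching on-prem AD user and reports what is still missing on-prem; with -Apply it adds them. It assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed and that the on-prem UPN already matches the cloud UserPrincipalName (Steps 6 and 11).

```powershell
# Added example: find SMTP aliases present in Exchange Online but not yet in on-prem proxyAddresses.
# Run without -Apply (or with -WhatIf) first to get a report only.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties EmailAddresses) {
    # Keep only smtp entries (primary is 'SMTP:', secondary aliases are 'smtp:'); drop SIP:/X500: entries
    $cloudAddresses = @($mbx.EmailAddresses | Where-Object { $_ -like 'smtp:*' })

    $upn = $mbx.UserPrincipalName
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties proxyAddresses
    if (-not $adUser) {
        [pscustomobject]@{ User = $upn; Status = 'No on-prem match'; Missing = $null }
        continue
    }

    # Case-sensitive compare so 'SMTP:' (primary) and 'smtp:' (alias) are kept distinct
    $missing = @($cloudAddresses | Where-Object { $adUser.proxyAddresses -cnotcontains $_ })

    if ($missing.Count -gt 0 -and $Apply -and
        $PSCmdlet.ShouldProcess($adUser.DistinguishedName, "Add proxyAddresses: $($missing -join ', ')")) {
        Set-ADUser -Identity $adUser -Add @{ proxyAddresses = [string[]]$missing }
    }

    [pscustomobject]@{
        User    = $upn
        Status  = if ($missing.Count -eq 0) { 'OK' } else { 'Missing on-prem' }
        Missing = $missing -join ';'
    }
}

# Show what needs attention; export the whole thing if you want a record before going live
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
$report | Export-Csv -Path .\alias-check.csv -NoTypeInformation
```

Once the on-prem proxyAddresses match, the next sync cycle (or Start-ADSyncSyncCycle -PolicyType Delta) carries them to Entra ID.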

11) Change all on-prem accounts that will be syncing to use the mycompany.com UPN suffix

  • Right-click a user, click Properties, click Account tab, change ‘User login name’ from the local domain to the Azure domain in the dropdown. I’ve seen PowerShell scripts that can do this step if you have hundreds of users.
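A script for the bulk UPN change mentioned in Step 11, as an added example (not from the original post): it rewrites the UPN suffix for enabled users under the OUs you pass in, skips the ‘On-Prem Only’ OU, and refuses to run if the suffix was never added in Step 1. The OU distinguished names are placeholders; it assumes the ActiveDirectory module.

```powershell
# Added example: move every enabled user in the syncing OUs to the new UPN suffix.
# Run with -WhatIf first; nothing is changed until you run it without -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NewSuffix = 'mycompany.com',
    # Placeholder OUs: replace with the OUs you selected in 'Domain and OU filtering'
    [string[]]$SearchBase = @('OU=Staff,DC=corp,DC=local'),
    [string[]]$ExcludeOu  = @('OU=On-Prem Only,DC=corp,DC=local')
)

Import-Module ActiveDirectory

# Step 1 must already have added the suffix in AD Domains and Trusts, or Set-ADUser will fail
if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered in the forest; add it in AD Domains and Trusts first."
}

$changed = 0
foreach ($base in $SearchBase) {
    foreach ($u in Get-ADUser -SearchBase $base -Filter { Enabled -eq $true }) {
        # Accounts parked in a non-syncing OU keep their local suffix
        if ($ExcludeOu | Where-Object { $u.DistinguishedName -like "*,$_" }) { continue }

        # Keep the existing prefix (firstinitial+lastname); fall back to sAMAccountName if the UPN is empty
        $prefix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
        $newUpn = '{0}@{1}' -f $prefix, $NewSuffix
        if ($u.UserPrincipalName -eq $newUpn) { continue }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Change UPN '$($u.UserPrincipalName)' -> '$newUpn'")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            $changed++
        }
    }
}
Write-Host "UPNs changed: $changed"
```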

12) Run AAD Connect again to sync all OUs needed

  • When you get to ‘Domain and OU filtering’, expand the domain and select all OUs to be synced including your test OU. You may be able to switch steps 12 and 13, but I didn’t test it. The important thing is that you don’t want to uncheck an OU or it will delete the Entra ID accounts it previously synced – lesson learned!

13) Move the test OU accounts back to their original OU and optionally delete the test OU. Do this after the destination OU is syncing or the account will be deleted in M365!

  • Right-click the account, then click Move

14) Run AAD Connect again to sync all OUs needed (uncheck your test OU).


15) See Step 8 to verify the sync again. This time verify that all attributes and aliases are present in Entra ID.

Microsoft states that once the syncing has started, the automatic sync cycle is 30 minutes. If you want the sync to start immediately, run this PowerShell command on the on-prem server to manually initiate a sync: Start-ADSyncSyncCycle -PolicyType Delta

Notes:

  • The ‘On-Premises Directory Synchronization Service Account’ account created by the app will not work if MFA is turned on for that account.
  • If you moved on-prem user accounts to different OUs, you may need to change any on-prem domain Group Policy Objects affecting these accounts or OUs.
  • Domain users will now use their on-prem AD password for both their local and M365 accounts. Computer sign-ons will not change and they will continue to use the same computer profile. If they choose to use their email to sign into Windows, it will still use the same Windows profile. To clarify, whether they sign in as firstinitial+lastname or firstinitial+lastname@mycompany.com, it’s the same profile.
  • Non-domain users (local computer logins) will not see any changes.
  • If you have non-domain users with email accounts, their Entra ID accounts will not be affected.
  • When creating a new domain user, you MUST add them with the mycompany.com UPN suffix or they will not match the Entra ID domain. The new user will show up in M365 within about 30 min. and you will need to assign them a license in M365.
  • When deleting a user, delete them from the on-prem domain and they will be automatically deleted from M365. License will be adjusted automatically. Alternatively, you can move them to a non-syncing OU if you want to keep the on-prem account.
  • If you want to hide an account in Entra ID, set the on-prem attribute msExchHideFromAddressLists of the account to TRUE.
  • If you move a user from an OU that is syncing to one that is not, it will delete the M365 account. You can recover the M365 account, if necessary, since it puts the account in the Deleted users list.
  • If you recover a deleted user in Azure AD and want to delete it again, you will have to delete it from entra.microsoft.com, not admin.microsoft.com.
  • If a user resets their password during Windows login, it could take up to 30 minutes to sync to M365.
  • All user account management needs to occur in the on-prem server, but there are still many things that are only in M365 and need to be managed there.
  • Two helpful PowerShell commands: ‘Get-ADSyncScheduler’ shows the current settings, and ‘Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:60:00’ sets the sync interval to 60 minutes. 30 minutes is the minimum.
  • After the initial installation, the Synchronization Service Manager UI can be used to configure more advanced aspects of the sync engine and to see the operational aspects of the service.
  • Password complexity is managed within an on-prem server GPO.



2 responses to “Sync On-Prem AD With Existing Azure AD (now Microsoft Entra ID) Users”

  1. Vincent

    Thanks for this interesting article. We are planning such a hybrid AD to test internally. Is there any extra licensing involved? I mean does a customer with e.g. Microsoft365 Business Standard licenses have enough to sync on-prem with Entra?


  2. notacomputergeek

    Thanks for your question. No additional licensing is needed, even if the account is Business Basic.
