Sync New Active Directory with Existing Office 365 Tenant

Todd NelsonSystems Engineer
Synchronize a new Active Directory domain with an existing Office 365 tenant
These are some high level projects tasks I put together based on an existing Office 365 tenant who is creating a "greenfield" (new) on premise Active Directory forest/domain for the purpose of being able to manage Office 365 users through the utilization of Active Directory synchronization.
1.  Connect to Office 365 via Azure AD PowerShell Module with customer's Office 365 global admin account.
2.  From the Azure AD PowerShell console, collect user information from Office 365 using this command. The exported data will be used to create on premise Active Directory user objects that will be synchronized with the associated O365 users.
Get-User | Export-Csv "C:\O365Export.csv" –NoTypeInformation
3.  Add UPN suffix(es) in Active Directory Domains and Trusts to match email domain(s) in Office 365 (as needed).
4.  Create OU(s) for filtering of users (as needed).
5.  From Windows PowerShell, create new Active Directory users from CSV file. Using this command with the CSV file created in step 2, AD users are added based on an UPN suffix, to a specific OU, and assigned a password that does not expire.
Import-Csv "C:\O365Export.csv" | ForEach-Object{ $Domain = ""; $UPN = $_.Identity+$Domain; New-ADUser -SamAccountName $_.Identity -UserPrincipalName $UPN -Name $_.Name -DisplayName $_.DisplayName -GivenName $_.FirstName -Initials $_.initials -Surname $_.LastName -Department $_.Department -Company $_.Company -Fax $_.Fax -City $_.City -State $_.StateOrProvince -PostalCode $_.PostalCode -Title $_.Title -EmailAddress $_.WindowsEmailAddress -Office $_.Office -OfficePhone $_.Phone -MobilePhone $_.MobilePhone -StreeAddress $_.StreetAddress -Path "OU=Users,OU=Company A,DC=onpremdomain,DC=local" -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) -Enabled $True -PasswordNeverExpires $True -PassThru }
6.  After the user objects are created, have users log on to their newly domain joined workstations with their Active Directory account to change passwords to what they currently have set in Office 365.
7.  Download Azure Active Directory Connect (AAD Connect).
8.  Create AAD Connect service account (in Active Directory) and set as a member of the Enterprise Admins group.
9.  Prepare member server to install AAD Connect on...
  • Set AAD Connect service account as a member of the Local Administrators group
  • Log in as AAD Connect service account
10.  Install AAD Connect (with Express Settings).
  • Provide O365 global admin account
  • Provide AAD Connect service account
  • Use Express Settings
  • Do not enable start synchronization (we will start later)
  • Reboot after install to verify "Microsoft Azure AD Sync" service has started
  • If the service doesn't start, make sure the "AAD_" auto created account is set to "log on as a service" in the "Local Security Policy"
11.  Configure filtering with AAD Connect.
  • Configure to sync accounts in previously created OU(s)
  • Run manual sync per article
12.  From O365 Admin Center, enable Active Directory synchronization via Users > Active Users.
13.  Check Office 365 for account status of "Synchronized with Active Directory" instead of "In cloud".
Todd NelsonSystems Engineer

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.