James Parsons
How to Merge On-Prem AD with Existing Azure AD users?
We have an existing on-prem AD with a handful of users (domain.local). We also have Office 365 with Azure AD where all of our users have accounts (domain.ca). I want to use Azure AD Connect to sync user passwords between on-prem AD and Azure AD (Office365). Any tips?
I've tried syncing with UPNs ending in domain.local, and have also tried adding a UPN suffix of domain.ca to match Azure. However it seems like AAD Connect either creates new users in Azure, or throws "duplicate UPN" errors. I just want to sync existing on-prem accounts with existing AAD accounts. Is it possible?
Add the target users' email address to the list of proxy addresses on-prem. The proxyAddresses attribute in AD can be modified by opening ADUC in Advanced Features view, opening a user's property screen, going to the Attribute Editor tab, then looking for the proxyAddresses attribute. Add the email address as SMTP:user@domain.ca then either wait for sync or force it. Office 365 will compare the email address for the account in O365 and what is synced, and will match the accounts up if the email addresses match.
ASKER
Thanks, Adam. I forgot to mention that I've already attempted SMTP matching, and it results in errors about "duplicate ProxyAddress".
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:user@domain.ca;UserPrincipalName user@domain.ca;]. Correct or remove the duplicate values in your local directory
Other things I've attempted:
- enable soft match on UPN
- clear ImmutableID on AzureAD
ASKER CERTIFIED SOLUTION
The hard match is the only way forward
for manual steps:
$user = "TestUSERID"   # sAMAccountName of the on-prem user to match
Get the GUID of the on-premise user, convert it to an ImmutableID and then stamp it on the Azure AD user object.
$ADGuidUser = Get-ADUser $user -Properties * | Select Name,ObjectGUID
$UserimmutableID = [System.Convert]::ToBase64String($ADGuidUser.ObjectGUID.ToByteArray())   # base64 of the objectGUID bytes
Set-MsolUser -UserPrincipalName testUserID@domain.com -ImmutableId $UserimmutableID
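The hard-match procedure above, written out as a script that handles a batch of users and refuses to re-anchor a cloud account that already carries a different ImmutableId. This is an added example, not the script from the thread or the link Adam posted; it assumes the ActiveDirectory and MSOnline modules are loaded, that Connect-MsolService has already been run, and the $mapping pairs below are constructed sample data.

```powershell
# Added example: hard-match on-prem AD users to existing Azure AD users by
# stamping the base64-encoded objectGUID as ImmutableId.
# Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
Import-Module ActiveDirectory
Import-Module MSOnline

# Constructed sample mapping: on-prem sAMAccountName -> existing cloud UPN
$mapping = @{
    'jdoe'   = 'jdoe@domain.ca'
    'asmith' = 'asmith@domain.ca'
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion as the accepted answer: GUID bytes -> base64 string
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse conversion, used to show which on-prem object a cloud user is already anchored to
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

foreach ($sam in $mapping.Keys) {
    $cloudUpn = $mapping[$sam]

    $adUser = Get-ADUser -Identity $sam -Properties ObjectGUID -ErrorAction SilentlyContinue
    if (-not $adUser) { Write-Warning "On-prem user $sam not found; skipping"; continue }

    $cloudUser = Get-MsolUser -UserPrincipalName $cloudUpn -ErrorAction SilentlyContinue
    if (-not $cloudUser) { Write-Warning "Cloud user $cloudUpn not found; skipping"; continue }

    $newId = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    # Never overwrite an ImmutableId that points at a different on-prem object:
    # that would silently bind the cloud identity (and its mailbox, licences,
    # group memberships) to the wrong AD account.
    if ($cloudUser.ImmutableId) {
        if ($cloudUser.ImmutableId -eq $newId) {
            Write-Host "$cloudUpn is already hard-matched to $sam"
            continue
        }
        $existingGuid = ConvertFrom-ImmutableId -ImmutableId $cloudUser.ImmutableId
        Write-Warning "$cloudUpn already anchored to GUID $existingGuid, not $($adUser.ObjectGUID); skipping"
        continue
    }

    Write-Host "Stamping $cloudUpn with ImmutableId $newId (from $sam, GUID $($adUser.ObjectGUID))"
    Set-MsolUser -UserPrincipalName $cloudUpn -ImmutableId $newId
}
```

Run it before the next sync cycle; once the ImmutableId on the cloud object equals the base64 objectGUID of the on-prem object, Azure AD Connect treats them as the same identity and stops trying to create a new user or reporting the duplicate UPN/ProxyAddress error. Keep the mapping file under change control: whoever can edit it can decide which on-prem account a cloud mailbox is joined to, so review the pairs the same way you would review a group-membership change.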
ASKER
The hard match was the key, and the script in the link that Adam posted is incredibly handy!