can O365 creds be used for local accounts and still have configuration in the cloud?

I had this question after viewing Change Office 365 password when AD sync is enabled?.

I just added AD sync to a location as I thought it would allow me to manipulate local creds from a cloud location. I see now that it doesn't allow that; you need a P1 or P2 level. I am going to ask them for this level, but before I do, am I correct in thinking that they can then use their O365 creds (username.com) to log on to local domain (username.local) accounts? That would be the desired end game. If I'm wrong, what would it take to create a single sign-on for both O365 and local machine accounts, configurable from the cloud?

It's a small non-profit with about 25 accounts; about a third are email only, but there is an admin staff that uses the AD locally for login to their workstations, and I run GPOs to map printers and drives etc. Ideally I would leave a single server on site and get rid of most of the other hardware.
Asked by Salad-Dodger
Cliff Galiher commented:
If the machines are domain-joined then you'll need to log on with local accounts, not AAD accounts.

You can make this *appear* seamless by setting the UPN and username to match their online account (easiest done when setting up AADConnect with the IDFix tool), and yes, a P1 or higher plan to keep passwords in sync. In that setup, the domain login ID and password are the same as the AAD account, so this appears to act the same (with only minor differences).
Salad-Dodger (author) commented:
What would be the minor differences?

I recall when a group of us first set the domain up 20+ years ago we hosted our own email, DNS and web page so the local domain was a .com. All was fine.

When the web page got hosted elsewhere we (well, by that time it was just I) discovered that naming the local domain a .com was a bad idea, so I started over and renamed it to something that a TLD could never be: .church. Then some years later these new TLDs started showing up (.info, .biz, .tv, etc.), so I expect to be facing that again soon.

So with that in mind, are you saying that if I change the UPN of the users on the local domain to the .com name, this will not screw up the local domain or the ability to browse to the .com web page? I just have to make sure that their username is the same on both to keep the illusion?

Then if I add the P1 service, can I remove all the local DCs except one? Will GPOs run from the P1-level AD?

I'm old and this is starting to get way ahead of me so talk slowly into my good ear :)
Cliff Galiher commented:
Well, in regards to your first comment, though it doesn't directly pertain to this question, I have *long* recommended that AD domains be a subdomain of a publicly owned domain.

If the company, church, whatever owns "mycompany.com" from a registrar like GoDaddy, then creating the AD domain as "corp.mycompany.com" won't conflict with public resources, but also won't ever run the risk of a new TLD suddenly causing a conflict. Since the company has the domain name already, they can choose what to expose publicly and what not to, as long as they don't let the DNS registration lapse. It's the "best of both worlds" scenario and has little to no downside.

"So with that in mind, are you are saying that if I change the UPN of the users on the local domain to the .com name, this will not screw up the local domain or the ability to browse to the .com web page?"

Correct, that is what I am saying. It is still joined to the .local domain, but the domain controller is aware of the user's UPN and won't complain about logging them in with that UPN and format. It doesn't impact DNS at all.

" I just have to make sure that their username is the same on both to keep the illusion? "

Again, correct.

"Then if I add P1 service, I can remove all the local DC's except one?"

If you want redundancy with your local logon then you should still use more than one DC. No P* plan replaces what a DC does. AAD is *not* AD. It is its own thing. But it is what backs O365, and the P1+ feature of password write-back will write passwords back to your on-premises domain. So the user can use the same password for both.

"Will GPO's run from the P1 level AD?"

No. GPOs are not a part of AAD. Like I said, AAD is not AD. AAD has no GPO support with any plan. Those will still run from your local domain controllers, which means machines will still need to be able to reach the DCs to get any new GPOs. If you have a lot of laptops in the field that rarely return home, and you don't have VPNs, then you'll want to look at something besides GPOs: an MDM solution of some sort, such as Intune.
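The UPN alignment Cliff describes (set each on-prem user's UPN to the same name they sign in with in Office 365, so AAD Connect matches them up and password write-back gives one ID and one password) is the part people most often get wrong by hand. The script below is an added example, not part of the original thread or any Microsoft tool; it uses only the standard ActiveDirectory module cmdlets. The forest name church.local, the public suffix mycompany.com, and the OU path are placeholders, and the prefix check is a simplified stand-in for what IDFix reports, not a full implementation of its rules. It runs in dry-run mode by default.

```powershell
# Added example (not from the original thread): register a public UPN suffix on
# the existing forest and set UPN = sAMAccountName@suffix for the accounts that
# will be synced to AAD. The .local domain itself is not renamed and DNS is not
# touched; only the user's UPN attribute changes.
#
# Assumed placeholders:
#   church.local   - the existing AD forest
#   mycompany.com  - the publicly owned domain used as the O365 sign-in suffix
#   OU=Staff,...   - the OU holding the accounts to be synced
Import-Module ActiveDirectory

$PublicSuffix = 'mycompany.com'
$SearchBase   = 'OU=Staff,DC=church,DC=local'
$DryRun       = $true   # set to $false to actually write the UPN changes

# 1. Add the public suffix to the forest if it is not already registered.
#    This is additive; church.local stays the domain's DNS name.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UserPrincipalNameSuffixes @{Add = $PublicSuffix} -WhatIf:$DryRun
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# 2. For each enabled user in scope, make the UPN match the O365 sign-in name.
#    The prefix check below is a simplified assumption (letters, digits,
#    '.', '_' and '-', not ending in '.'); run IDFix for the authoritative list.
$results = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail) {
    $prefix = $u.SamAccountName
    if ($prefix -notmatch '^[A-Za-z0-9._-]+$' -or $prefix.EndsWith('.')) {
        [pscustomobject]@{ User = $prefix; Action = 'SKIP: clean up prefix (see IDFix)'; UPN = $u.UserPrincipalName }
        continue
    }

    $newUpn = "$prefix@$PublicSuffix"
    if ($u.UserPrincipalName -eq $newUpn) {
        [pscustomobject]@{ User = $prefix; Action = 'OK: already matches'; UPN = $newUpn }
        continue
    }

    # AAD Connect uses the UPN as the cloud sign-in name, so flag users whose
    # mail attribute disagrees with the UPN we are about to set.
    $note = if ($u.mail -and $u.mail -ne $newUpn) { " (mail attribute is $($u.mail))" } else { '' }

    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$DryRun
    [pscustomobject]@{ User = $prefix; Action = "CHANGE from $($u.UserPrincipalName)$note"; UPN = $newUpn }
}

$results | Format-Table -AutoSize
```

After the change a user can still log on as CHURCH\jsmith or as jsmith@mycompany.com; both resolve to the same account on the domain controller. Run this before the first AAD Connect sync where possible, because changing a UPN after an account is already matched in AAD can require extra cleanup on the cloud side.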
Salad-Dodger (author) commented:
Thank you. That was very helpful.