How To Setup a Hybrid AD When Users Already Exist in M365
Setting up a new on-premise Active Directory (AD) when Office 365 users already exist, and syncing both
Plan, Communication & Process Notes:
A. As part of syncing each user's Office 365 account with their on-premise AD account, each user's on-premise AD password will overwrite their Office 365 password. If you want to enable self-service password reset (SSPR):
Validate that SSPR is enabled in Office 365 and that each user's Office 365 account has a phone number and/or an alternate email address registered. If desired, create a "self_service_password_reset" group to limit who is allowed to use SSPR.
Let users know that they will need to sign in again with their new password in any apps they were signed into before the hybrid AD work, for example Outlook on the PC and on the phone.
B. Getting your workstation ready for connecting to and executing commands in Azure AD
Download and install the appropriate Microsoft Online Services Sign-In Assistant version for your operating system (see Microsoft Online Services Sign-In Assistant for IT Professionals RTW).
Install the Windows Azure AD Module - http://download.microsoft.com/download/5/0/1/5017D39B-8E29-48C8-91A8-8D0E4968E6D4/en/msoidcli_64.msi
Start PowerShell as an administrator and run:
Install-Module MSOnline
Install-Module MSOnline -Force (only if a newer version is available)
Connect-MsolService
C. Preparing user accounts for a successful sync between Office 365 and On-prem AD
Remove the global admin role from any licensed user in Office 365. This avoids sync issues. After the sync work, restore the global admin role to the applicable users.
Microsoft recommends that you do not sync your on-prem Active Directory admin accounts with Azure AD. On-premises admin accounts have the following restrictions:
a) They can only change their password in the on-prem environment.
b) They can never use secret questions and answers as a method to reset their password.
c) On-premises enterprise or domain administrators cannot reset their passwords through SSPR.
Validate username format and check for duplicates
Run this command to get a CSV file of all licensed users in the Office 365 tenant:
Get-MsolUser | Where-Object { $_.IsLicensed -eq $true } | Export-Csv "K:\LicensedUsers.csv"
Review the output file, making sure each user has a first name, last name, display name, and temporary password.
Make sure there are no conflicting or duplicate UPNs/email addresses, either in the cloud or on prem (in the new, clean AD).
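The following pre-flight script is an added example and not part of the original article: it runs the duplicate and format checks described above against the exported CSV and the new on-prem AD. It assumes you have already run Connect-MsolService, that the ActiveDirectory module is installed on the workstation, and that the CSV is the file exported in the previous step (path assumed).

```powershell
# Added example, not part of the original article: pre-flight checks on the
# Office 365 export before creating matching on-prem accounts. Assumes you
# already ran Connect-MsolService, the ActiveDirectory module is installed,
# and the CSV is the one produced in the previous step (path assumed).
Import-Module ActiveDirectory

$CsvPath  = 'K:\LicensedUsers.csv'
$Users    = Import-Csv $CsvPath -Encoding UTF8
$Verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
$Problems = New-Object System.Collections.Generic.List[string]

# 1. Duplicate UPNs inside the export itself (compared case-insensitively)
$Users | Group-Object { $_.UserPrincipalName.ToLower() } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $Problems.Add("Duplicate UPN in cloud export: $($_.Name)") }

foreach ($u in $Users) {
    $upn = $u.UserPrincipalName
    # 2. The UPN suffix must be a domain verified in the tenant; otherwise the
    #    synced object gets an onmicrosoft.com UPN and does not match the cloud user
    $suffix = ($upn -split '@')[-1]
    if ($Verified -notcontains $suffix) {
        $Problems.Add("UPN suffix '$suffix' is not a verified tenant domain: $upn")
    }
    # 3. Attributes the import step relies on must be present
    foreach ($attr in 'FirstName', 'LastName', 'DisplayName') {
        if ([string]::IsNullOrWhiteSpace($u.$attr)) { $Problems.Add("Missing $attr for $upn") }
    }
    # 4. The import names accounts Firstname.Lastname; sAMAccountName is capped at 20 chars
    $sam = '{0}.{1}' -f $u.FirstName, $u.LastName
    if ($sam.Length -gt 20) { $Problems.Add("sAMAccountName '$sam' exceeds 20 characters: $upn") }
    # 5. Nothing in the (new, clean) on-prem AD may already use the UPN, sAMAccountName or mail
    $filter = "(|(userPrincipalName=$upn)(sAMAccountName=$sam)(mail=$upn))"
    $hit = Get-ADUser -LDAPFilter $filter
    if ($hit) { $Problems.Add("On-prem object already uses $upn or $sam : $($hit.DistinguishedName -join ', ')") }
}

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($Problems.Count) issue(s) above before running the import."
}
Write-Host "Pre-flight OK: $($Users.Count) users, no duplicates, missing attributes or on-prem collisions."
```

Names containing LDAP filter metacharacters such as ( ) * or \ must be escaped before they are placed in the filter string, or the on-prem lookup will fail for that user.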
D. On the on-prem AD, enable the AD Recycle Bin and install Azure AD Connect.
Enable password hash sync and password write-back in Azure AD Connect. Follow the steps in this KB to properly enable and configure password write-back.
After installing Azure AD Connect, if you get the error "Unable to connect to the Synchronization Service" when you try to run a sync, make sure that the MIISAdmins group exists. If the group is missing, create a group named MIISAdmins and add yourself to it. Log off and log back in; this resolves the error. See this KB for more details.
E. Create the same users that exist in Azure AD in the on-prem AD by importing the users with this command:
# The account name is built as Firstname.Lastname (sAMAccountName is limited to 20 characters).
# "somerandompassword" is a placeholder: use a unique temporary password per user, because with
# password hash sync the on-prem password replaces the user's Office 365 password (see section A).
Import-Csv K:\O365Export.csv -Encoding UTF8 | ForEach-Object {
    New-ADUser -Name ($_.Firstname + "." + $_.Lastname) `
        -SamAccountName ($_.Firstname + "." + $_.Lastname) `
        -GivenName $_.FirstName -Surname $_.LastName `
        -City $_.City -Department $_.Department -DisplayName $_.DisplayName `
        -Fax $_.Fax -MobilePhone $_.MobilePhone -Office $_.Office `
        -PasswordNeverExpires ($_.PasswordNeverExpires -eq "True") `
        -OfficePhone $_.PhoneNumber -PostalCode $_.PostalCode `
        -EmailAddress $_.SignInName -State $_.State -StreetAddress $_.StreetAddress `
        -Title $_.Title -UserPrincipalName $_.UserPrincipalName -Enabled $True `
        -AccountPassword (ConvertTo-SecureString -String "somerandompassword" -AsPlainText -Force)
}
F. After importing the user accounts, run an Azure AD Connect sync job. After the sync job, in Azure AD, confirm that the source of every user you exported shows "Windows server".