Hi there, we have a 2022 Active Directory on-prem with about 280 users, and we are currently on Office 365 for email.

We are wanting to use AD Connect to sync users with local AD and Office 365. End goal is to have users sign into their laptops with their email address. We are a heavily decentralized org.

Questions.

What happens to the existing user in Azure Active Directory when AD connect syncs from local to Azure?

Will passwords sync/change?

We have added our email domain as a UNC in our local AD. Do I need to change users' accounts to reflect this new domain (as opposed to domain.local)?

And finally can you choose which OUs you want to sync or is it the whole AD?

thanks!

7 Spice ups

What happens to the existing user in Azure Active Directory when AD connect syncs from local to Azure?

  • No user object modifications except the reading of attributes to AAD. Additional configuration is required to allow attribute write-back.

Will passwords sync/change?

  • Passwords will sync one-way AD -> AAD unless you configure password write-back. Without password write-back, no password changes can be performed from M365, but they can be performed from local AD. Password resets from local AD will be passed to AAD.

We have added our email domain as a UNC in our local AD. Do I need to change users' accounts to reflect this new domain (as opposed to domain.local)?

  • Updating the user's UPN to @domain.com will be needed for them to log on using that credential instead of the domain\userName format.

And finally can you choose which OUs you want to sync or is it the whole AD?

  • In the AAD Sync setup documentation it's like the 5th step to scope which OUs you want to sync from. Look for Domain & OU Filtering.

To see the process from start to end I highly recommend some quick AAD Sync setup videos on YouTube. There are some extremely helpful step-by-step tutorials that'll give you a better understanding of the process and what's involved.

@stevenpeterson1053 is right.

I only want to add a few pieces of additional info:

  • Use IdFix from MS to check if Azure AD Connect can sync all accounts: Microsoft - IdFix
  • Passwords will not be synced; hashed password hashes will be synced. Functionally there is no difference. From the security side it is a big one. And you should use Password Hash Sync!
  • Updating your users' UPNs can be done easily with PowerShell, and it does not matter which username the user uses to log on to their system.
  • You can and you should select which OU or OUs should be synced. Don't sync everything; sync your users and their computers. Don't sync Domain Admins. Create new accounts for administration in the cloud!
1 Spice up
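The UPN update mentioned in the reply above, as an added example that is not from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, that domain.com has already been added as a UPN suffix in Active Directory Domains and Trusts, and a hypothetical OU path in $SearchBase; it previews changes with -WhatIf and skips protected (adminCount=1) accounts, in line with the advice not to sync Domain Admins.

```powershell
# Added example: bulk-switch UPNs from domain.local to domain.com for users in one OU.
Import-Module ActiveDirectory

$OldSuffix  = 'domain.local'
$NewSuffix  = 'domain.com'
$SearchBase = 'OU=Users,OU=Corp,DC=domain,DC=local'   # hypothetical OU; change to yours

# Set-ADUser rejects a UPN suffix the forest does not know about, so check first.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix $NewSuffix is not defined in the forest. Add it in AD Domains and Trusts first."
}

# Only enabled users in the scoped OU whose UPN still carries the old suffix.
$filter = "Enabled -eq 'True' -and UserPrincipalName -like '*@$OldSuffix'"
$users  = Get-ADUser -SearchBase $SearchBase -Filter $filter `
                     -Properties UserPrincipalName, mail, adminCount

foreach ($u in $users) {
    # Leave protected accounts (Domain Admins etc.) alone; they should not be synced.
    if ($u.adminCount -eq 1) {
        Write-Warning ("{0}: adminCount=1, skipped" -f $u.SamAccountName)
        continue
    }

    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = '{0}@{1}' -f $prefix, $NewSuffix

    # A mail attribute that differs from the new UPN is worth reviewing (IdFix flags these too).
    if ($u.mail -and $u.mail -ne $newUpn) {
        Write-Warning ("{0}: mail '{1}' differs from new UPN '{2}'" -f $u.SamAccountName, $u.mail, $newUpn)
    }

    # -WhatIf previews the change; remove it to apply.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run it once with -WhatIf, review the warnings, then run it again without -WhatIf before the first Azure AD Connect sync of that OU.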

Thanks. Do the laptops need to see our local Active Directory again to login with bpitt@domain.com ?

Hybrid joined systems require network line of sight to your DomCons.

Azure joined systems can be used with @domain.com without local DomCon interaction.

Thanks. Is there any way we can have our decentralized laptops start logging into Azure without making it back to the domain, and can they use the same profile?