Need advice on AD sync to existing Office 365

chrispeterson3258 · 2019-03-14T20:45:29.000Z

Hey everyone, I’ve done a lot of reading the past 24 hours about this and still not sure what to do so hoping I can get some clarification on how to best implement local AD sync with Office 365.

Background information:

We acquired a company with an existing local domain being managed by a third party firm. They already migrated away from Exchange some time ago and only use Office 365 for email, no exchange server. They have bad password habits/rules and were never required to change their passwords. Users don’t even know their Office 365 passwords as they were set up in Outlook for them by the third party.

I’ve been tasked with getting their local AD accounts synced up with their Office 365 mailboxes so they can use the same password to sign on to both using new rules and then we will move forward with enabling 2FA.

I understand that I can create a group of users and have only those sync, but what I don’t understand how that works with the existing mailbox accounts on Office 365. Will it link the user based on a profile setting?

Our primary focus is to get them using their AD password on their Office 365 account. Will the initial sync overwrite existing Office 365 passwords?

I have installed Azure AD connect but have not yet enabled sync.

Thanks in advance.

dimforest · 2019-03-14T20:54:14.000Z

Your local AD passwords will sync up and replace their 365 passwords (if they have any set currently). When changing passwords moving forward, you’ll want to change them locally and have them sync up to 365, as a best practice.

chrispeterson3258 · 2019-03-14T20:56:44.000Z

Yes that’s what we want for them. Local password change syncing to 365. Are there any gotchas with getting their AD accounts mapped to the existing mail accounts? Or is it all “automagic”? Does something need to match like username or email address field?

dimforest · 2019-03-14T21:01:49.000Z

Make sure their email, samaccountname, and probably the main SMTP proxyaddresses entry in the user object matches and you should be set. Really I think you only need to match samaccountname to make it, though.

matthart5 · 2019-03-14T22:22:40.000Z

It uses the UserPrincipalName (UPN) to sync, and will fallback to samaccountname if it can’t find a match.

Like Dim said, make sure to have all the proxy addresses setup in the user attributes in AD as well

Then let 'er rip!

deanmoncaster · 2019-03-15T10:42:03.000Z

make sure your emails are filled in correctly in AD too. i had a problem where if i didn’t fill in the SMTP areas in the AD it wouldn’t replicate correctly to office 365,

chrispeterson3258 · 2019-03-15T13:15:07.000Z

Great, thanks for the responses! I’ll dig through the user accounts and verify. Fortunately they only have about 35 users. Do I need to be concerned about setting up any filters beyond just filtering based on the group that I intend to sync or just leave all the default settings for sync?

johnaboud3743 · 2019-03-15T17:08:21.000Z

The one BIG gotcha occurs with the email address, as defined, or not defined, in the account Attributes Editor - ProxyAddress. If the O365 email address is different from the AD user logon and/or the ProxyAddress, you will either get duplicate accounts in O365 or a failed sync. Just make sure that before you sync that the ProxyAddress is the same as the primary O365 email (make sure to include the SMTP: prefix in all caps when specifying the ProxyAddress.) address and that the AD user logon is the same as the O365 logon. Whatever is listed as the SMTP:email@address.com will be the primary email address for that account.

chrispeterson3258 · 2019-04-03T15:52:06.000Z

Not sure how I missed your response. This project got sidetracked, but now I’m looking at it again. So what happens if there are multiple entries in the proxyAddresses?

Looking at a user right now and this is what is in that attribute:

smtp:bsmith@mycompany.com (external email address/domain)

smtp:BobS@mycompany.local (internal domain name)

SMTP:BobS@mycompany.com

In office 365, BobS@mycompany.com is his username/email address with bsmith@mycompany.com as an alias.

Thanks

@johnaboud3743

matthart5 · 2019-04-03T15:58:15.000Z

The entry in CAPS SMTP is the default address, so make sure that in any scripting that you do, you remember to use SMTP if you want to set the primary, and smtp if you want to set an alias

matthart5 · 2019-04-03T15:58:50.000Z

AD Sync will sync users with conflicting smtp addresses listed in the proxyaddresses, but it will complain to you until you fix them

johnaboud3743 · 2019-04-03T16:34:23.000Z

Any entry you specify in the ProxyAddress using lowercase smtp: will be used as aliases. CrazyLefty is right, ADSync will definitely not let you forget about conflicting addresses.

In your list, the primary address will be the return address on emails he sends out. The alias will receive emails only. Just out of curiosity, why do you set it up that way?

chrispeterson3258 · 2019-04-03T17:05:45.000Z

I personally didn’t set it up. I’m the lucky guy inheriting this set up via an acquisition and have been tasked with getting AD Sync working. This environment is ugly to say the least. At some point as we integrate them further into our environment, they’ll be moved off Office 365 as we are a G Suite shop. But until their contract is up, I get to learn more about Office 365!

johnaboud3743 · 2019-04-03T17:08:52.000Z

There should be a stiff tax on this type of inheritance! Actually you should find that ADSync is fairly seemless. Once you remember what goes where, that is. Good luck!

chrispeterson3258 · 2019-04-03T17:12:14.000Z

I appreciate the advice and will be closely referencing this thread as I move forward. They were adamant we not create any new users in the Office 365 via this process, so I’ll be using a group only sync. Starting with a single user for testing. That way I only break his account! hah