So we do everything via O365 for the most part right now, and I want to sync the passwords so users can change that themselves. Is Azure AD Connect the way to go? Please assist with how to only get passwords to sync with this so users can change them themselves via Ctrl+Alt+Del.


Azure AD Sync is the correct way to synchronize your local AD users and passwords with O365. Then any changes to local credentials will replicate over to AzureAD (and O365).

Caveat is that any changes to the email user profile will need to be made in AD (I prefer this because it brings most of the user management to ADUC).


If you set up write back they can also change their password online and have it sync back to AD as well.

Juanoflo is correct. However, Azure AD will not JUST bring the passwords. Your active AD users will be brought into your O365 account as well. Then, you will have to assign mailboxes to those people. Usually, it's just as easy as making sure all the email information in your AD is their actual email address. It's pretty easy. Then those that don’t have email accounts will just show up as unlicensed in the O365 account. It's very simple and easy to use once it is set up. The only difficulty you will have is the possibility that some accounts won’t match up to the already-existing email accounts in O365. That will just take some fine tuning and is very easy to correct.

So on the micro admin page for active users, all users are showing twice, one with the normal domain and the other with the onmicrosoft one. How can I remove those and just keep the regular domain ones?

Also, I tested it and my password is changing on the laptop if I do Ctrl+Alt+Del as well as in on-premises AD, but how can I get that to sync to O365 and all?

You will need to merge the onmicrosoft ones with the others. I believe this is what you will need to follow:

https://www.codetwo.com/admins-blog/how-to-merge-an-office-365-account-with-an-on-premises-ad-account-after-hybrid-configuration/


I have to follow this for every single user? Is there a way to re-sync it with Azure tools so it doesn't do this?

You need to create an alternate UPN suffix in your AD that matches your email domain and assign that as primary for each user. If not, those “onmicrosoft” accounts will be created. The change will be seamless to the user: they can still log in locally via their normal method and will now have the ability to log on as user@emaildomain.com if they wish.

Also you want to have AADConnect only sync OUs with user accounts in them; if not, it will create O365 accounts for accounts you probably don’t want (service accounts, etc.).

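The two preparation steps in the reply above (register a routable UPN suffix, then apply it only to the users you intend to sync) as an added PowerShell example; this is not from the thread or from Microsoft, and it assumes an internal domain contoso.local, a public mail domain contoso.com and a synced-users OU of OU=SyncedUsers,DC=contoso,DC=local.

```powershell
# Added example: prepare on-premises AD before Azure AD Connect syncs it.
# Assumed names (placeholders): contoso.local, contoso.com, OU=SyncedUsers.
Import-Module ActiveDirectory

$OldSuffix = 'contoso.local'
$NewSuffix = 'contoso.com'
$UserOU    = 'OU=SyncedUsers,DC=contoso,DC=local'

# 1. Register the alternate UPN suffix at the forest level (skip if present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
}

# 2. Re-suffix only users under the OU that AAD Connect is scoped to, so
#    service accounts and other objects outside it are left untouched.
$filter = "UserPrincipalName -like '*@$OldSuffix'"
Get-ADUser -SearchBase $UserOU -SearchScope Subtree -Filter $filter |
    ForEach-Object {
        $prefix = ($_.UserPrincipalName -split '@')[0]
        $newUpn = "$prefix@$NewSuffix"
        # -WhatIf previews the change; remove it to apply for real.
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
        Write-Host "$($_.SamAccountName): $($_.UserPrincipalName) -> $newUpn"
    }
```

The user keeps logging on with the same credentials; only the suffix shown after the @ changes, which is what lets Azure AD match the account to the verified domain instead of minting an onmicrosoft.com duplicate.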

How can I resync only user accounts if I already have synced everything? Also, I got the AD password to match with the COMPUTER, but how do I sync with Exchange if I do Ctrl+Alt+Del?

The directory sync will auto sync changes every 15 minutes, but you can do an on-demand delta or full sync using PowerShell as well: How To Run Manual DirSync / Azure Active Directory Sync Updates - 250 Hello

Inside AADC options, if you remove OUs that you don’t want, then do a full sync, the items from those OUs will be removed from O365.

I did that but they are still there. I added the UPN with our domain, set it under the Account page as the new UPN I created, but still nothing.

Have you set the onmicrosoft accounts as an alias in the proxyAddresses attribute of the user accounts?

I have not, I did the opposite. So if I add the user@domain.onmicrosoft.com in proxyAddresses in the attribute editor BUT set the Account drop-down list to @domain.com instead of Contoso.local, that should remove the unlicensed listing from the portal in O365?

I can’t say for sure, I’ve always prepped and had that configured before an AD sync, but it should theoretically remove them as long as you are tied on the UPN or the email address, as 365 would see them now as aliases.

Your UPN should match the .com domain, the email address should also match and proxyaddresses should at a minimum have SMTP:email.com and smtp:email.domain.onmicrosoft.com to specify the onmicrosoft email as an alias.

So adding the onmicrosoft to the proxyAddresses should drop the onmicrosoft duplicates from the portal? Have you seen this occur, with all due respect?

Like I said, I’ve never been in your scenario. I’ve always cleaned up AD and had everything in place before doing the sync, so I have never run into your specific scenario. However, I can make a logical assumption that this will work, based on not having had the problem when set up the way I suggest. To ensure you are not wasting time though, pick a single user and update the proxyAddresses, do a sync and see if your unlicensed onmicrosoft account disappears. The worst that can happen is it won’t sync and complain of duplicates.
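The single-user test proposed above, combined with the attribute layout from the earlier reply (UPN and mail on the .com domain, an upper-case SMTP: primary and a lower-case smtp: onmicrosoft alias in proxyAddresses), as an added PowerShell example that is not from the thread or from Microsoft. It assumes a test user jdoe, mail domain contoso.com, tenant domain contoso.onmicrosoft.com, and that it runs on the Azure AD Connect server where the ADSync module is installed.

```powershell
# Added example: align one user's identity attributes, verify them, then
# trigger an on-demand delta sync. Placeholders: jdoe, contoso.com,
# contoso.onmicrosoft.com.
Import-Module ActiveDirectory

$Sam        = 'jdoe'
$MailDomain = 'contoso.com'
$Tenant     = 'contoso.onmicrosoft.com'

$user    = Get-ADUser -Identity $Sam -Properties mail, proxyAddresses
$primary = "$($user.SamAccountName)@$MailDomain"
$alias   = "$($user.SamAccountName)@$Tenant"

# Upper-case 'SMTP:' marks the primary address; lower-case 'smtp:' marks an alias.
$wanted = @("SMTP:$primary", "smtp:$alias")

# Keep existing aliases, but drop any old primary so exactly one 'SMTP:' remains
# (-cnotlike is case-sensitive, so lower-case smtp: entries survive this filter).
$keep  = @($user.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' -and $_ -notin $wanted })
$proxy = $keep + $wanted

Set-ADUser -Identity $user `
    -UserPrincipalName $primary `
    -EmailAddress $primary `
    -Replace @{ proxyAddresses = $proxy }

# Check the result before syncing: UPN, mail and the primary SMTP: should agree.
Get-ADUser -Identity $Sam -Properties mail, proxyAddresses |
    Select-Object UserPrincipalName, mail,
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }

# Push just this change rather than waiting for the 30-minute scheduler.
# Use -PolicyType Initial instead for a full sync, e.g. after removing OUs from scope.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

If the tenant still reports a duplicate after the delta cycle, the conflict shows up in the Azure AD Connect synchronization errors rather than silently overwriting either account, which is the "complain of duplicates" outcome the reply describes.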

This issue is being discussed in two threads, down from three. It really should be one thread:

Now that this thread has moved from how to sync into the duplicate issue, which is covered in another thread, I’m going to lock this one. Please reply in the thread linked above.

edit - I just noticed that the above thread is NOT from OP.

This is OP’s other thread on this topic: