Azure – How to map Active Directory user to existing Azure AD Admins in Azure AD Connect

azureazureadconnectoffice365

I have had the following scenario working fine for years.

One simple local AD domain (local.whatever.com) with user LOCAL\john.doe (Domain Admin)
One isolated Office 365 tenant (whatever.com) with user john.doe@whatever.com (Office 365 Global Admin)

Even though the local AD user conceptually corresponded to the Office 365 user, there was no specific link between them, so the local domain and Office 365 tenant were isolated repositories.

Now, I decided to deploy and configure Azure AD Connect to get my local domain and Azure AD synchronized, so I did the following:

Added whatever.com UPN to the local active directory (local.whatever.com)
Set the email address on LOCAL\john.doe to john.doe@whatever.com
Installed and configured Azure AD Connect
Ran the first full synchronization

The result was:

A new account was created in Azure AD in the form john.doe1234@whatevercom.onmicrosoft.com (note the random number at the end of the username)
The Office 365 account and the local AD account did not get linked.

This makes sense because I never had the chance to instruct Azure AD Connect to map the local AD user with the Office 365 user.

So, I found this article:
Azure AD Connect: When you have an existent tenant

After reading the previous article, it seems to me that I should set up a mapping between both users to make it work.
However:

I don't understand what would be the steps to make this mapping happen
Deleting the existing user in Azure AD would not be an option due to the fact that the non-synched user is the only Global Administrator in the Office 365 tenant.

In addition, I came across the following warning in the Microsoft documentation:

Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory.

Any known fix or workaround?

Best Answer

I don't understand what would be the steps to make this mapping happen.

The article you linked spells it out pretty succinctly here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#admin-role-considerations

So to expound on that,

Azure AD Connect won't match an existing on premises user account to an Office 365 account that is a Global Admin in Office 365. That's why a new user was created in Office 365. To fix this you should do the following:

Create a new Global Admin in Office 365.
Log into Office 365 as this new Global Admin.
Delete the john.doe1234@whatevercom.onmicrosoft.com user.
Remove the john.doe1234@whatevercom.onmicrosoft.com user from Deleted users in Office 365 (https://practical365.com/exchange-server/permanently-remove-deleted-users-office-365/).
Remove the Global Admin role from the john.doe@whatever.com user in Office 365.
Initiate an Azure Ad Connect sync cycle (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler#full-sync-cycle).
Verify that the on premises user account is now matched to the existing john.doe@whatever.com user in Office 365.
Add the Global Admin role back to the john.doe@whatever.com user in Office 365.

Deleting the existing user in Azure AD would not be an option due to the fact that the non-synched user is the only Global Administrator in the Office 365 tenant.

You know that you can create additional Global Admins in Office 365, right? If you're logged in as a Global Admin you can create additional Global Admins or grant that role to other existing Office 365 users. Additionally, Microsoft recommends that if you're using Azure Ad Connect to sync your on premises AD to Office 365 that you have at least one "cloud only" Global Admin in Office 365, meaning that you should have a Global Admin in Office 365 that isn't being synced from your on premises directory.

Related Solutions

Azure – Migrate user accounts from Azure AD to on-premise AD

@MDMarra: Thanks for the hints, so I did:

The users from O365 can be exported by powershell using

Get-MsolUser | Select-Object City, Country, Department, DisplayName, Fax, FirstName, LastName, MobilePhone, Office, PasswordNeverExpires, PhoneNumber, PostalCode, SignInName, State, StreetAddress, Title, UserPrincipalName | Export-Csv C:\Temp\Azure_Export_2014_12_05.csv -Encoding UTF8

This exports all columns to CSV where I could find a mapping that looked appropriate. Those are not all columns, but many of them cannot be mapped to attributes in AD. Others, like the password, cannot be exported.

To import the users to AD, run in powershell

import-csv C:\Temp\Azure_Export_2014_12_05.csv -Encoding UTF8 | foreach-object {New-ADUser -Name ($_.Firstname + "." + $_.Lastname) -SamAccountName ($_.Firstname + "." + $_.Lastname) -GivenName $_.FirstName -Surname $_.LastName -City $_.City -Department $_.Department -DisplayName $_.DisplayName -Fax $_.Fax -MobilePhone $_.MobilePhone -Office $_.Office -PasswordNeverExpires ($_.PasswordNeverExpires -eq "True") -OfficePhone $_.PhoneNumber -PostalCode $_.PostalCode -EmailAddress $_.SignInName -State $_.State -StreetAddress $_.StreetAddress -Title $_.Title -UserPrincipalName $_.UserPrincipalName -AccountPassword (ConvertTo-SecureString -string "Secret!" -AsPlainText -force) -enabled $true }

This creates new users with the name Firstname.Lastname. Other attributes like SignInName could not be used because they are not a valid AD account name.

Country cannot be imported because AD requires the country to actually exist while O365 accepts free text.

The password will be set to "Secret!", because if no password is provided, the account will be created, but disabled.

It may be handy to edit the CSV-file in Excel or something, but I would recommend using PowerShell only. Excel deletes leading zeros from phone numbers or reformats other stuff. Also, mind UTF8.

Azure – “User with an existing Microsoft account” cannot access app using Azure AD SSO

It may be that the account is both a valid Microsoft Account (formerly Live ID) AND a valid Organisational Account (Azure AD). This can happen (you have a Live ID for years then your company signs up for Office 365) and leads to all sorts of fun and games because 'home realm discovery' defaults to Azure AD.

In the first login box provided by Azure try typing any address with an '@outlook.com' address - you will be redirected to the Outlook login page (which uses Live IDs). On the Outlook login page enter your 'david@mycompany.co.uk' email and password. I expect you'll login.

I talk about the background (and reason) for this scenario on my blog.

Best Answer

Related Solutions

Azure – Migrate user accounts from Azure AD to on-premise AD

Azure – “User with an existing Microsoft account” cannot access app using Azure AD SSO

Related Topic