Share this question

Welcome to Teachnovice Q&A, where you can ask questions and receive answers from other members of the community.

This is a collaboratively edited question and answer site for computer enthusiasts and power users. It's 100% free, no registration required.

Pull Office 365 Users to Active Directory?

0 like 0 dislike
369 views
I am currently working with an existing Office 365 subscription that needs to have a new instance of Windows Server 2012 R2 in Azure manage the users through Active Directory. The server 2012 VM is brand new and has nothing set up. I understand that when going the opposite way and creating a new 365 account you can simply use the DirSync tool and push your AD users to the 365 cloud.

I have not been able to get any support from MS on this, so I am wondering if anyone has any suggestions on how to get users from the cloud to AD so that I can eventually set up a SSO situation for server users.
asked Apr 16, 2015 by foochow  

"needs to have a new instance of Windows Server 2012 R2 in Azure manage the users through Active Directory" - why? Are you going to be utilizing AD and those accounts elsewhere going forward and you've never had AD before? Just curious since you only stated "manage the users" without mentioning other needs for having AD

yes. the current setup involves a "server" for user accounts and then the 365 accounts. now that there will be actual servers (ie, not a desktop running vista) its time to set up a domain, and SSO seems like a good addition while were at it.

3 Answers

0 like 0 dislike
 
Best answer

What you are looking for is SMTP matching: http://support.microsoft.com/kb/2641663

Typically the way AD -> O365 sync works is that a unique identity value is created for each user in AD, then the user is pushed to O365. Updates are performed using the identity value to match the accounts.

SMTP matching tells the DirSync tool to initially match based on the primary SMTP address. Further syncs are accomplished using the identity value.

Also, make sure you read this, as it includes how to change the authority of your directory: Directory synchronization and source of authority

answered Apr 16, 2015 by longneck  

If I understand: Install AD DS on server, use same domain as 365, run the DirSync tool to match users (which pulls down accounts to server), install AD FS 2.0 to enable SSO.

This helps the OP after provisioning all the users in his local AD, but this doesn't provision them for him.

If i were to provision ahead of time in local AD, i assume that the 365 passwords would be overwritten and the rest would be ok?

@foochow - check this: kraak.com/?p=69

0 like 0 dislike

I don't believe Microsoft currently has a solution for what you're looking for. As you've mentioned, this is the opposite of a typical Office 365 deployment.

In the longer-term, the Azure Active Directory Premium edition with the announced, but not yet available, "Identity Synchronization Tool" with "advanced write-back capabilities" (see http://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B312) might do what you want, but I get the feeling that this doesn't exactly exist yet.

You could code something up with the Azure Active Directory PowerShell Module to dump data out of your Azure tenant AD and provision users in your own Active Directory, but I cannot image that you're going to get password hashes back out of Azure. That's going to leave a sticky problem of passwords.

Microsoft is, ultimately, who needs to be supporting you on this. I'd engage with sales and support to determine the best way to achieve your business goals, rather than knocking together some awful one-off that ends up doing more harm than good.

answered Apr 16, 2015 by Evan Anderson  

As far as I know it should be possible, the rep I emailed mentioned I would need to change the source of authority and referenced: technet.microsoft.com/en-gb/library/jj863117.aspx but there are not really actual instructions there.

0 like 0 dislike

Been asking this same question myself. Here's the approach I took:

So I did the standard setup of the server. Provisioned in Azure and installed Active Directory Domain Services.

Then I used this tool: http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx

Of course, that doesn't work for me because none of my users are in AD!

So I did more research, and came across this: Migrate user accounts from Azure AD to on-premise AD?

Using the second answer, I was able to export from Azure and Import into AD.

A word of warning: On the first go, I broke authentication. But that seems to be because I set up DirSync/SSO and ADFS before I imported. All of the accounts I imported are blocked, so everytime DirSync runs, it blocks my accounts in Azure. So I recommend you start with this process:

1) Add two accounts to your AD. - One to your local AD, the one on your server. - One to your Azure AD that ISN'T part of your Office 365 subscription. Use your .onmicrosoft.com domain. Give it admin over your AD. 2) Set up Azure Active Directory Powershell, and make sure you have regular Active Directory Powershell: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx

3) Connect your MSOL using the Azure AD account you created.

4) Perform the export from Azure AD in the guide linked earlier.

5) Perform the import into your local AD, per the same guide.

6) Verify your accounts.

This is where I'm still figuring it out myself. The above should answer your question over how to transfer the users. But now, as for setting up SSO and DirSync, I can't direct you. But I used AD Connect and that seems like it's going to do the trick for me. But make sure you learn how to undo what it does! I managed to break authentication for almost an hour while I figured it out!

Good luck! Let me know how your project goes, and I'll let you know how mine does.

answered Apr 16, 2015 by Chris Meek  
...