In the last few sections we talked about setting up the Office 365 tenant from scratch and then applying the external domain to it. It is now ready to go, but we still need to add the users, groups, contacts, etc. from your on-premises Active Directory into the new Azure AD and Office 365 configuration. To do this you are going to need the following.

  1. A server in your organization that can see the local DCs and GC (Global Catalog) servers.
  2. That server will need outbound internet access.
  3. An account (service account) set up for the sync of the accounts.
  4. Admin access to the Office 365 tenant.

First, let's take a look at the local Active Directory structure for the Light Blue Frog organization. This AD is relatively new and was thought out well in advance. That is not normally the case in most AD deployments, so I recommend using the following tool, IdFix, which is available from Microsoft at this link: https://www.microsoft.com/en-us/download/details.aspx?id=36832 It will tell you what remediation needs to be done on the domain before you sync to Office 365.

UPN – Discussion. It is important to think about which ID your users will log in to the cloud services with. The UPN (User Principal Name) lives in Active Directory and I will say more on this later. In the meantime, have a look at this to assist – Why your UPN should match your email address
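The IdFix pass and the UPN point above can both be checked from the AAD Connect server before anything is synced. The script below is an added example, not part of the original post or of IdFix: it uses the RSAT ActiveDirectory module to list enabled users whose UPN suffix is not a domain verified in the tenant, whose UPN prefix contains a character Azure AD rejects, or whose UPN differs from their mail attribute, and it flags duplicate proxy addresses, which collide in Exchange Online. The verified domain list and the search base DN are assumptions taken from the post's lightbluefrog.com domain; adjust both for your forest.

```powershell
# Added pre-sync hygiene check (not from the original post or from IdFix).
# Assumes the RSAT ActiveDirectory module and that lightbluefrog.com is the only
# domain verified in the tenant; both values below are assumptions for this example.
Import-Module ActiveDirectory

$VerifiedDomains = @('lightbluefrog.com')
$SearchBase      = 'DC=lightbluefrog,DC=com'   # assumed DN of the forest root

# Characters Azure AD rejects in the UPN prefix (from the Office 365 directory sync rules)
$InvalidUpnChars = '[\\%&*+/=?{}|<>()\;:,\[\]"\s]'

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties UserPrincipalName, mail, proxyAddresses, sAMAccountName

$findings = @(foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ User = $u.sAMAccountName; Issue = 'UPN missing' }
        continue
    }
    $prefix, $suffix = $upn -split '@', 2

    # A suffix such as lightbluefrog.local cannot be verified, so Azure AD would
    # rewrite the UPN to tenant.onmicrosoft.com and users would log in with that.
    if ($suffix -notin $VerifiedDomains) {
        [pscustomobject]@{ User = $u.sAMAccountName; Issue = "UPN suffix '$suffix' is not a verified domain" }
    }
    if ($prefix -match $InvalidUpnChars) {
        [pscustomobject]@{ User = $u.sAMAccountName; Issue = 'UPN prefix contains a character Azure AD rejects' }
    }
    # The post's recommendation: UPN should equal the primary email address
    if ($u.mail -and ($u.mail -ne $upn)) {
        [pscustomobject]@{ User = $u.sAMAccountName; Issue = "UPN '$upn' differs from mail '$($u.mail)'" }
    }
})

# Any proxy address present on more than one object will fail to provision in Exchange Online
$users | Select-Object -ExpandProperty proxyAddresses |
    Group-Object | Where-Object Count -gt 1 | ForEach-Object {
        $findings += [pscustomobject]@{ User = '(multiple)'; Issue = "Duplicate proxy address $($_.Name)" }
    }

if ($findings.Count -eq 0) { 'No UPN or proxy address issues found in the search base.' }
else { $findings | Sort-Object User | Format-Table -AutoSize }
```

Run it against the OUs you intend to sync (the `-SearchBase`), not the whole forest, so the output matches what AAD Connect will actually pick up. IdFix covers more attribute rules than this script; treat the script as a quick first pass on the two problems the post calls out.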

You also need to think about what you actually want to sync, as later on we will pick out the OUs that will go up to the cloud. Below is a layout of the Light Blue Frog domain structure.

Now let's log in to the AAD Connect server and install the Azure AD Connect software. It can be found at this link: https://www.microsoft.com/en-us/download/details.aspx?id=47594 It needs to be installed on the AAD Connect server. Download the software and start the installation process. Before we do that it is worth having a quick look at this Microsoft article on what you can and can't do with AAD Connect: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

On the first run of AAD Connect you will get the normal Welcome screen and the opportunity to do an Express or Custom install. I will select the custom install because I want to specify the account that AAD Connect uses to connect to Active Directory. Let's go ahead and put in the account ‘svc_aadconnect’, which is a privileged account in Active Directory.

It is worth showing what the Azure AD looks like before we start. We do need to create a service account that the AAD Connect software will use to synchronize the data. The screenshot below shows this configuration.

After this the user list is very simple: just the Admin user we created at the start and the service account for the sync.

Now we can go ahead on the local server and start the installation process.

Hit Continue and the configuration process will start.

At this point it is easy to just hit the Express Settings option and let it do what it says, but I advise against it. There are various options that do need attention and are better handled in the later work on the tenant that we will discuss. So, hit Customize and let me explain why.

And here is the reason: the service account that we want to use to read the information from the local Active Directory can be set specifically here. If you haven't created one like it, go ahead and do it now. It will require Domain Admin, but it can be set so that it is not allowed an interactive login, to prevent anyone from using it to get into a server. Carry on and hit Install.
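One way to create the on-premises account the post calls ‘svc_aadconnect’ so that it cannot be used from anywhere but the AAD Connect server is shown below. This is an added example, not the post's own steps: it generates the password from a CSPRNG rather than typing one, and uses the AD `LogonWorkstations` restriction so the account can only log on from the named host. The server name `AADCONNECT01` and the OU path are assumptions; group membership (the post grants Domain Admin) is deliberately left to be done separately.

```powershell
# Added example (not from the original post): create the AAD Connect service
# account with a random password and restrict it to the connect server.
# Assumed names: host AADCONNECT01, OU 'Service Accounts' under lightbluefrog.com.
Import-Module ActiveDirectory

$Name   = 'svc_aadconnect'
$Server = 'AADCONNECT01'                                   # assumed AAD Connect host name
$OuPath = 'OU=Service Accounts,DC=lightbluefrog,DC=com'    # assumed OU DN

# 32 bytes from the OS CSPRNG -> 44-character Base64 password; it is never written to disk here
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $Name -SamAccountName $Name `
    -UserPrincipalName "$Name@lightbluefrog.com" `
    -Path $OuPath -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Azure AD Connect directory sync account' `
    -LogonWorkstations $Server    # logon permitted only from the AAD Connect server

# Verify the restriction took effect before handing the account to the wizard
Get-ADUser $Name -Properties LogonWorkstations, PasswordNeverExpires, Description |
    Select-Object SamAccountName, Enabled, LogonWorkstations, PasswordNeverExpires, Description
```

The password is set to never expire because AAD Connect stores it as the connector credential and a policy-driven expiry would stop the sync silently; rotate it on your own schedule and update the connector at the same time. The logon-workstation restriction does not reduce the account's directory permissions, but it does mean a stolen credential is of no use from any other machine.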

Here we are setting this up as Password Hash Sync to the cloud. We are choosing not to go down the path of ADFS or Pass-through Authentication at this point; we can discuss those in a later post. I am also NOT selecting ‘Enable Single Sign-On’, which is also covered in a later post. For now, accept those options and hit Next.

And this is where we enter the details of the service account that we will use to connect to Azure AD. This is the one we created at the beginning. Enter those details and carry on.

The system knows about the LightBlueFrog tenant because of the account we connected with, but we do need to tell it what we want synced. This starts with adding the lightbluefrog.com local domain to the list of directories that will be part of the sync. Hit Add Directory.

Here, to connect to the LightBlueFrog domain, we once again enter the credentials for the local service account that we created for that purpose. Do that and hit OK.

Once accepted it will get a tick icon next to it, and you can then hit Next to continue.

Here we get to decide the source anchor that is going to bind the accounts together. The suggestion is to leave this as the UPN. There is a post here that details why, so check out the UPN section under the Office 365 menu to get a good understanding. Basically, accept this page and hit Next.

Now we get to select which OUs become part of the synchronization process. You can go back and amend these later, but for now select what you would like to get into Azure AD. Then hit Next.

This page relates to environments where there may be multiple forests and multiple IDs for the same user. In this simple implementation we can just go ahead and hit Next.

Likewise, we do not intend to filter out any particular accounts or objects in Active Directory based on LDAP queries. We can do much of this in the transformation rules we can set up later if necessary. For now just hit Next.

With the base options set, no Exchange Hybrid configuration is in place and we have no reason to set up password writeback or the other optional features here. Continue with the Next button.

So now you are basically done. Hitting Install will set up the linkage to Azure AD and may take about 5-10 minutes doing so. Once it is complete it will also start the first sync.

And this is the final screen. All done; hit Exit. In the next section we look at what it has done in Azure AD and how to monitor that the sync continues to occur every thirty minutes.
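The thirty-minute cycle mentioned above can be checked from both ends without waiting for the next section. The script below is an added example, not part of the original post: on the AAD Connect server it reads the scheduler state from the ADSync module that the installer provides, and on the tenant side it uses the MSOnline module's `Get-MsolCompanyInformation` to see when Azure AD last received a sync. It assumes the MSOnline module is installed and that the Connect-MsolService sign-in has directory read rights; the 60-minute alert threshold (two missed cycles) is a choice for this example.

```powershell
# Added monitoring snippet (not from the original post). Run on the AAD Connect server.
# Assumes the ADSync module installed with AAD Connect and, for the tenant-side check,
# the MSOnline module (Install-Module MSOnline) plus an admin sign-in at the prompt.
Import-Module ADSync

$MaxMinutesSinceSync = 60   # alert after two missed 30-minute cycles (example threshold)

# 1. Scheduler state on the connect server
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SchedulerEnabled = $sched.SyncCycleEnabled
    Interval         = $sched.CurrentlyEffectiveSyncCycleInterval
    NextRunUtc       = $sched.NextSyncCycleStartTimeInUTC
    StagingMode      = $sched.StagingModeEnabled
    CycleInProgress  = $sched.SyncCycleInProgress
} | Format-List

if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'The sync scheduler is disabled; nothing will flow to Azure AD until it is re-enabled.'
}
if ($sched.StagingModeEnabled) {
    Write-Warning 'This server is in staging mode: it imports but never exports to Azure AD.'
}

# 2. Tenant-side view: when did Azure AD last hear from a connector?
Connect-MsolService
$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is not enabled on the tenant.'
}
if ($info.LastDirSyncTime) {
    $ageMinutes = ((Get-Date).ToUniversalTime() - $info.LastDirSyncTime.ToUniversalTime()).TotalMinutes
    "Last directory sync     : {0:u} ({1:N0} minutes ago)" -f $info.LastDirSyncTime, $ageMinutes
    "Last password hash sync : {0:u}" -f $info.LastPasswordSyncTime
    if ($ageMinutes -gt $MaxMinutesSinceSync) {
        Write-Warning ("No sync reported for {0:N0} minutes; check the Application event log on the " +
                       "connect server (source 'Directory Synchronization') for the failing step." -f $ageMinutes)
    }
} else {
    Write-Warning 'The tenant has never recorded a directory sync.'
}

# 3. Force a delta cycle instead of waiting for the scheduler (uncomment to use)
# Start-ADSyncSyncCycle -PolicyType Delta
```

Two separate clocks are checked on purpose: a healthy scheduler on the server proves nothing if exports are failing, and the tenant's `LastDirSyncTime` only moves when an export actually lands. Putting the tenant-side check on a schedule gives you an alert for a stalled sync that does not depend on anyone logging on to the connect server.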