In the last two sections we talked about setting up the Office 365 tenant from scratch and then applying the external domain to it. It is now ready to go, but we now need to add the users, groups, contacts, etc. from your on-premises Active Directory into the new Azure AD and Office 365 configuration. To do this you are going to need the following.

  1. A server in your organization that can see the local DC’s and GC servers.
  2. That server will need outbound internet access.
  3. An account setup (service account) for the sync of the accounts.
  4. Admin address to the Office 365 tenant.

First, let's take a look at the local Active Directory structure for the Light Blue Frog organization. The AD is relatively new and was thought out well in advance. This is not normally the case in most AD deployments, so I recommend using the IdFix tool, which is available from Microsoft using this link: https://www.microsoft.com/en-us/download/details.aspx?id=36832 This will tell you what remediation needs to be done on the domain before you sync to Office 365.

UPN – Discussion. It is important to think about which ID your users will log in to the cloud services with. The UPN (User Principal Name) is an attribute in Active Directory, and I will speak more on this later. In the meantime, have a look at this to assist: Why your UPN should match your email address
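The UPN checks discussed above can be scripted before the first sync. This is an added example, not code from the original post or from IdFix; the function name `Test-UpnReadiness`, the `example.com` domain and the sample users are assumptions made for illustration.

```powershell
# Added example: pre-sync UPN audit. Domain names and users below are constructed.
function Test-UpnReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # need SamAccountName, UserPrincipalName, mail
        [Parameter(Mandatory)] [string[]] $VerifiedDomains  # domains verified in the Office 365 tenant
    )
    # A UPN must be unique, so count each one first (hashtable keys are case-insensitive).
    $upnCount = @{}
    foreach ($u in $Users) {
        if ($u.UserPrincipalName) {
            $upnCount[$u.UserPrincipalName] = 1 + [int]$upnCount[$u.UserPrincipalName]
        }
    }
    foreach ($u in $Users) {
        $upn = $u.UserPrincipalName
        $issues = @()
        if (-not $upn) {
            $issues += 'NoUPN'
        } else {
            $suffix = ($upn -split '@')[-1]
            if ($VerifiedDomains -notcontains $suffix) { $issues += 'SuffixNotVerified' }
            if ($u.mail -and ($upn -ne $u.mail))       { $issues += 'UpnDiffersFromMail' }
            if ($upnCount[$upn] -gt 1)                 { $issues += 'DuplicateUPN' }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UPN            = $upn
                Issues         = $issues -join ','
            }
        }
    }
}

# Constructed sample users; example.com stands in for the verified external domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'akhan';  UserPrincipalName = 'akhan@example.com';  mail = 'akhan@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bjones@corp.local';  mail = 'bjones@example.com' }
    [pscustomobject]@{ SamAccountName = 'cdiaz';  UserPrincipalName = 'c.diaz@example.com'; mail = 'cdiaz@example.com' }
    [pscustomobject]@{ SamAccountName = 'cdiaz2'; UserPrincipalName = 'C.Diaz@example.com'; mail = $null }
)
Test-UpnReadiness -Users $sample -VerifiedDomains 'example.com' | Format-Table -AutoSize

# Against a live directory (ActiveDirectory module; the OU path is a placeholder):
# $users = Get-ADUser -Filter * -SearchBase '<OU distinguished name>' -Properties mail
# Test-UpnReadiness -Users $users -VerifiedDomains '<your verified domain>'
```

Users with no issues produce no output, so an empty result means every account in the chosen scope has a unique UPN on a verified suffix that matches its mail attribute.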

You also need to think about what you actually want to sync, as later on we will pick out the OU’s that will go up to the cloud. Below is a layout of the Light Blue Frog domain structure.

Now let’s log in to the AAD Connect server and install the Azure AD Connect software, which can be found at this link: https://www.microsoft.com/en-us/download/details.aspx?id=47594 Download the software onto the AAD Connect server and start the installation process. Before we do that, it might be worth having a quick look at this Microsoft article that talks about what you can and can’t do with AAD Connect: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

On the first run of AAD Connect you will get the normal Welcome screen and the opportunity to do an Express or Custom install. I will select the Custom install because I want to specify the account that AAD Connect uses to connect to Active Directory. Let’s go ahead and put in the account ‘svc_aadconnect’, which is a privileged account in Active Directory.

Then click Install and the process will begin. Of course we could have customized other options here, but for this tutorial we will keep it pretty basic for now. Once everything is installed you will then have the option to customize things further.

For the sign-in options I am keeping this as Password Hash Synchronization to keep the passwords in the cloud. I am not configuring ADFS at this point. This will be an add-on in a later tutorial. So click Next and carry on. The next part is to configure the cloud account that will perform the synchronization. I also suggest creating a specific account as a Global Administrator in the tenant here. I have used ‘svc_aadconnectcloud@lightbluefrog.onmicrosoft.com’ for this purpose. The account is shown in the screenshot below and is then entered into the AAD Connect configuration. Oh, and it doesn’t need a license either.

Hit Next and let’s get on with the rest of the configuration. The next screen shows us that there are no Active Directory trees currently connected and we need to add one. Just click on Add Directory and enter the service account details. This is the lightbluefrog\svc_aadconnect account we spoke about earlier. Then press Next.

Click Next and we can move on to the section on how the users will log in. We spoke briefly before that the best way is to use the UserPrincipalName, so we will keep that option and continue.

We can then decide which OUs are synced to Azure AD. I have chosen the top level of the Light Blue Frog structure, but feel free to check or uncheck whatever OUs are relevant to your organization.

Click Next. Now we get to configure how the users are identified at the core Azure AD level. I prefer to use the ObjectGUID and not to let Azure AD pick one for me. Also, I know that the users are represented once across the domains. So my options look like this.

On the following page we have the option to perform some LDAP queries and expressions to filter out particular users. I will leave them as default for now.

The last part is to choose any additional items. Currently we don’t have an Exchange server in play and the other items aren’t relevant to what we are achieving here right now. I will leave them as they are but remember we can always go back and modify anything later on without hurting anything.

Click on next and then ‘Install’ on the following screen.

Once this has all completed, run the ‘Azure AD Synchronization Service’ program from the AAD Connect server. This will look like this. Also, the Active Users screen will look like the second screenshot.

So with that in place you are all done. Users can now log in to the cloud using their UPN and start working inside Office 365. We haven’t configured much for them to do yet; that is the next part.

 

Mark Rochester


Mark is currently a Technical Design Architect for Office 365, working at Dell. His projects consist of large Enterprise implementations of Exchange Online, Azure AD, OneDrive, Skype for Business/Teams.