We're trying to link an existing on-premises AD with an existing Office 365 (only mail).
We installed Azure AD Connect and went through the steps. We'd like our local AD passwords to be synced with Office 365 / Azure AD.
We set up filtering based on a group, in which we have one test user.
Questions:
1) Does syncing only delete users on Azure AD if the user has been deleted from the local AD?
2) Most importantly: our existing users on O365 which are not yet part of the filter (group) we use to configure the sync: they will NOT be deleted? (I'm assuming this but would like confirmation.)
Thanks!
All existing users in O365 will stay; they won't be deleted.
If a user is synced and then becomes outside of the scope of the group (or OU) that is filtered, at that time the synced account will be deleted in Office 365 (with a grace period of typically 30 days). So if you delete that user in local AD, it is synced and deleted in Azure AD. If you remove the user from the "UsersSyncedWithTheCloud" group, then it is deleted from Azure AD. So don't think that you have to delete a synced user in your local AD in order to delete the user account in Azure AD.
The existing users in Azure AD will stay there unless/until you match them up with a local AD account. It's been a few years since I've done this, but in the DirSync days this was done via Primary SMTP matching (hint: the primary SMTP address is the local AD proxyAddresses attribute that has SMTP: in front of the email address -- anything else with the letters smtp at the beginning has to be lowercase smtp, and AD does not validate having multiple entries starting with SMTP:). If the primary SMTP value in local AD matches the primary SMTP value in Azure AD, the account is linked (if there isn't a duplicate) and an ImmutableID value then links the two accounts after that.
The answer to the questions:
1) Sync will not delete any existing accounts in Azure AD because there aren't any connections between your on-premises AD and Azure AD yet.
2) The same: your existing Office 365 accounts will not be affected.
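A pre-sync check for the primary SMTP matching described in the answers above, as an added example that is not part of the original posts and not Azure AD Connect's own logic. It is a simplified model run over exported attribute values; the function names, status labels and sample accounts are constructed for illustration.

```python
from collections import defaultdict

def primary_smtp(proxy_addresses):
    """Return (address, problem): the primary is the one entry prefixed 'SMTP:'."""
    primaries = [p[5:].lower() for p in proxy_addresses if p.startswith("SMTP:")]
    if len(primaries) == 1:
        return primaries[0], None
    return None, ("no primary SMTP" if not primaries else "multiple SMTP: entries")

def predict_links(onprem, cloud):
    """onprem: {account: proxyAddresses list}; cloud: {UPN: primary SMTP address}.
    Addresses are compared case-insensitively (an assumption of this sketch)."""
    cloud_by_addr = defaultdict(list)
    for upn, addr in cloud.items():
        cloud_by_addr[addr.lower()].append(upn)
    claims, result = defaultdict(list), {}
    for account, proxies in onprem.items():
        addr, problem = primary_smtp(proxies)
        if problem:
            result[account] = ("fix-first", problem)   # AD itself will not reject this
        else:
            claims[addr].append(account)
    for addr, accounts in claims.items():
        targets = cloud_by_addr.get(addr, [])
        for account in accounts:
            if len(accounts) > 1 or len(targets) > 1:
                result[account] = ("duplicate", addr)  # ambiguous, so not linked
            elif targets:
                result[account] = ("match", targets[0])
            else:
                result[account] = ("no-match", addr)
    return result

def unlinked_cloud(result, cloud):
    """Cloud accounts that no on-prem account would link to; they stay as they are."""
    linked = {detail for status, detail in result.values() if status == "match"}
    return sorted(upn for upn in cloud if upn not in linked)

# Constructed sample data (not from the thread)
ONPREM = {"alice": ["SMTP:alice@example.com", "smtp:a.smith@example.com"],
          "bob": ["smtp:bob@example.com"],
          "carol": ["SMTP:carol@example.com", "SMTP:c.jones@example.com"],
          "dave": ["SMTP:Shared@example.com"], "erin": ["SMTP:shared@example.com"],
          "frank": ["SMTP:frank@example.com"]}
CLOUD = {u: u for u in ("alice@example.com", "shared@example.com", "grace@example.com")}

if __name__ == "__main__":
    report = predict_links(ONPREM, CLOUD)
    for account, (status, detail) in sorted(report.items()):
        print(f"{account:6} {status:10} {detail}")
    print("cloud-only:", unlinked_cloud(report, CLOUD))
```

Accounts reported as `fix-first` or `duplicate` are the ones to clean up in local AD before they are added to the synced group.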