How to Sync an Existing Office365 Tenant into a New Active Directory Domain Using PowerShell

If you currently use Office 365 with lots of users and now need to implement an on-premises Active Directory domain, it is not all that straightforward. The sync software cannot quite take care of this for us yet, although it is getting there with its AD write-back features.

If you haven't already, check out my post on how to perform this task manually by creating all of the accounts in the new AD.

Knowing how to manually create local AD objects that will sync successfully with Office 365 is essential for any half-decent Office 365 administrator. Having a PowerShell script which does it all for you is great too!

Download the script here: Office365toADSync

In our test lab I have an existing Office 365 tenant which has several user accounts, contacts and resources: an Info group with multiple members, and several equipment and room resources.

So we have lots of accounts in our 365 tenant, and you will likely have many more than this, possibly hundreds. You aren't going to create them all by hand, right?

Your task is to configure your local network with a new domain into which you will sync your Office 365 accounts, and to join all of your PCs to that domain. You want users to log in to their PCs using the same usernames and passwords they already use to access resources in Office 365.

Next, install and configure a new domain controller on your network and create a brand new domain.

Download the PowerShell script to the server and open the PowerShell ISE as administrator.

Open the script file and run it from the ISE, or run the script directly from an administrator PowerShell window.

Before running the script there are two things to note:

  1. User accounts created in the local AD will have their password set to "Password123..", but you can change this in the script before running it. Every user gets the same initial password, so either tell all users beforehand and have them change it at first logon, or update the passwords manually. Once you configure Azure AD Connect to maintain a permanent sync (with password hash sync), the on-premises password replaces the password the user currently has in Office 365, so do not enable the sync until the shared password has been changed.
  2. By default the script creates all accounts in the default Users container. You can override this by manually creating a new OU in the AD and updating the $usersContainer variable in the script.

If all looks ok then run the script.

Hopefully the script produces no errors, and if you refresh your AD you will see that all of the user accounts, contacts and groups have been created. Each object has the correct logon name and its email addresses set.

The script also adds every custom logon domain you have configured in Office 365 as a UPN suffix. Open Active Directory Domains and Trusts on your DC, right-click the root node and go to Properties; you should see one or more alternative UPN suffixes listed.

After a manual check of the accounts, and once the users have logged in to their PCs and reset their passwords, you are ready to install Azure AD Connect to enable a permanent sync between your Office 365 tenant and your new domain.
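The whole procedure above (UPN suffixes, then users, contacts and groups with the logon name, mail and proxyAddresses attributes that Azure AD Connect matches on) as one added example. This is not the Office365toADSync script from the post, which you download separately; it uses the same AzureAD module the post relies on (since deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the object model is the same), assumes a Domain Admin session on the DC, and the three OU paths are hypothetical defaults that you create by hand first. Unlike the post's script it gives every user a random initial password rather than one shared value.

```powershell
# Added example, not the SlashAdmin script: recreate Office 365 users, contacts and
# groups in a new on-premises AD so that Azure AD Connect can soft-match them later.
# Assumes the AzureAD and ActiveDirectory modules and three pre-created OUs (hypothetical).
#Requires -Modules AzureAD, ActiveDirectory
param(
    [string]$UsersOU    = 'OU=Users365,DC=corp,DC=local',
    [string]$ContactsOU = 'OU=Contacts365,DC=corp,DC=local',
    [string]$GroupsOU   = 'OU=Groups365,DC=corp,DC=local'
)
Import-Module ActiveDirectory
Connect-AzureAD | Out-Null

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a name or address copied from the tenant cannot alter
    # the LDAP filters used for the "does it already exist" checks below.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-RandomPassword([int]$Length = 16) {
    # Random per-user initial password instead of one shared default; regenerate
    # until it meets the default AD complexity rule (three character classes).
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $pw
}

# 1. Register every verified custom domain as an alternative UPN suffix.
$suffixes = Get-AzureADDomain | Where-Object { $_.IsVerified -and -not $_.IsInitial } | ForEach-Object Name
$forest   = Get-ADForest
foreach ($s in $suffixes | Where-Object { $forest.UPNSuffixes -notcontains $_ }) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $s }
}

# 2. Users: one AD account per cloud "Member" user, keyed on UPN; guests and unregistered suffixes skipped.
$initialPasswords = @()
foreach ($u in Get-AzureADUser -All $true | Where-Object { $_.UserType -eq 'Member' }) {
    $upn = $u.UserPrincipalName
    if ($suffixes -notcontains $upn.Split('@')[1]) { Write-Warning "Skipped $upn (suffix not in forest)"; continue }
    if (Get-ADUser -LDAPFilter "(userPrincipalName=$(ConvertTo-LdapFilterValue $upn))") { continue }
    $sam = $upn.Split('@')[0] -replace '[^A-Za-z0-9._-]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # pre-Windows 2000 logon name limit
    $name = if ($u.DisplayName) { $u.DisplayName } else { $sam }
    $pw   = New-RandomPassword
    $p = @{ Name = $name; DisplayName = $name; SamAccountName = $sam; UserPrincipalName = $upn
            Path = $UsersOU; Enabled = [bool]$u.AccountEnabled; ChangePasswordAtLogon = $true
            AccountPassword = (ConvertTo-SecureString $pw -AsPlainText -Force) }
    if ($u.GivenName) { $p.GivenName = $u.GivenName }
    if ($u.Surname)   { $p.Surname   = $u.Surname }
    if ($u.Mail)      { $p.EmailAddress = $u.Mail }
    $other = @{}
    if ($u.MailNickName)         { $other.mailNickname   = $u.MailNickName }
    if ($u.ProxyAddresses.Count) { $other.proxyAddresses = [string[]]$u.ProxyAddresses }
    if ($other.Count)            { $p.OtherAttributes    = $other }
    New-ADUser @p
    $initialPasswords += [pscustomobject]@{ UserPrincipalName = $upn; InitialPassword = $pw }
}

# 3. Contacts: mail contacts keyed on the mail attribute.
foreach ($c in Get-AzureADContact -All $true | Where-Object { $_.Mail }) {
    if (Get-ADObject -LDAPFilter "(&(objectClass=contact)(mail=$(ConvertTo-LdapFilterValue $c.Mail)))") { continue }
    $name  = if ($c.DisplayName) { $c.DisplayName } else { $c.Mail }
    $other = @{ mail = $c.Mail; displayName = $name }
    if ($c.MailNickName)         { $other.mailNickname   = $c.MailNickName }
    if ($c.ProxyAddresses.Count) { $other.proxyAddresses = [string[]]$c.ProxyAddresses }
    New-ADObject -Type contact -Name $name -Path $ContactsOU -OtherAttributes $other
}

# 4. Groups, then direct user members (nested groups and contacts need a second pass).
foreach ($g in Get-AzureADGroup -All $true) {
    $sam     = $g.DisplayName -replace '["/\\\[\]:;|=,+*?<>]', ''
    $adGroup = Get-ADGroup -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $sam))"
    if (-not $adGroup) {
        $p = @{ Name = $g.DisplayName; SamAccountName = $sam; Path = $GroupsOU
                GroupCategory = $(if ($g.SecurityEnabled) { 'Security' } else { 'Distribution' })
                GroupScope    = $(if ($g.MailEnabled) { 'Universal' } else { 'Global' }) }
        $other = @{}
        if ($g.Mail)                 { $other.mail           = $g.Mail }
        if ($g.MailNickName)         { $other.mailNickname   = $g.MailNickName }
        if ($g.ProxyAddresses.Count) { $other.proxyAddresses = [string[]]$g.ProxyAddresses }
        if ($other.Count)            { $p.OtherAttributes    = $other }
        $adGroup = New-ADGroup @p -PassThru
    }
    $existing = (Get-ADGroup $adGroup -Properties member).member
    $new = Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' } |
        ForEach-Object { Get-ADUser -LDAPFilter "(userPrincipalName=$(ConvertTo-LdapFilterValue $_.UserPrincipalName))" } |
        Where-Object { $existing -notcontains $_.DistinguishedName }
    if ($new) { Add-ADGroupMember -Identity $adGroup -Members $new }
}

# Deliver these out of band and do not leave them on disk; the user changes them at first logon.
$initialPasswords
```

Two caveats on the password handling. The -ChangePasswordAtLogon flag only forces a change at domain logon; password hash sync does not carry that flag to the cloud unless the ForcePasswordChangeOnLogOn feature of Azure AD Connect is enabled, so follow the post's advice and have users log in and reset before you install the connector. And the initial passwords are emitted to the console on purpose rather than written to a CSV: a file of hundreds of valid credentials left on a domain controller is exactly what an attacker hopes to find.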


You will rarely be in a situation where you have a large Office 365 tenant and need to install a brand new on-premises Active Directory domain, but if you do, this script should save you a few hours!




Author: Ian@SlashAdmin



  1. Hi! Would this script ensure a 100% match between the O365 user and the local (new) AD user?
    We had previously used a script to link O365 users with existing AD users.

    Disable Azure AD connect sync.

    # assumes the on-prem user's UPN equals the Office 365 UPN
    $user = Get-ADUser -Identity samaccountname
    $immutableID = [System.Convert]::ToBase64String($user.ObjectGuid.ToByteArray())
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID

    Enable Azure AD connect sync.

    And another thing! Is it possible to make O365 users' passwords take precedence over the local AD password?
    Maybe use the "password writeback" feature in AD Connect?

    Post a Reply
    • Hi Michael,

      It looks good but I wouldn't bother personally. If users are set up correctly then it will work; I've never had an issue myself.

      So long as the username, UPN, mail and proxyAddresses attributes are set correctly, AD Connect will match the accounts.

      As far as I know you can't make 365 take precedence, but yes, AD write-back will sync changes from 365 to AD. Just be aware of any security implications that may have for you, because any cloud-based admin account that gets hacked could reset passwords in your AD and potentially gain access to other resources you publish to the internet. Obviously, using 2FA on all accounts would help with this.

      Post a Reply
      • Hi Ian,

        I have run this script and it works great for part of it, however
        it is stopping at 100 users and I need to generate the extra 600 I have. Is there a limitation on how many it can import or create?

        Post a Reply
        • Hi Josh,

          Try updating the last three lines of the script with these instead. I must admit I didn't test with many users, but thanks for reporting the issue!

          Please let me know if your project is successful and if I helped 🙂

          #Add users to local AD
          Get-AzureADUser -All $True | Add-LocalADObject

          #Add contacts to local AD
          Get-AzureADContact -All $True | Add-LocalADObject

          #Add groups to local AD
          Get-AzureADGroup -All $True | Add-LocalADObject

          Post a Reply
  2. Thanks! Using the password writeback setting in AD Connect might work, but I think I would have to disable password sync until I'm sure the password is the same in AD and in O365.
    By the way! Do you know of a script that does the exact opposite? That is, one that creates O365 users with the local AD as the source. I know AD sync would do that, but for this particular project it's not possible to use AD Connect yet.

    Post a Reply
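Ian's reply above says Azure AD Connect will match the accounts as long as the UPN, mail and proxyAddresses attributes line up, and Michael's snippet shows the Base64 objectGUID that a hard match through ImmutableId relies on. As an added example (not code from the post or from either commenter), this audit checks those attributes for every user in the new OU before the connector is installed, so mismatches are found while they are still cheap to fix. It assumes an open Connect-AzureAD session and that the OU path passed in is the one you created; the path shown is hypothetical.

```powershell
# Added example (not from the post or the comments): report which on-prem users would
# soft-match their cloud account on UPN, mail and primary SMTP address, and show the
# ImmutableId value a hard match would use. Assumes Connect-AzureAD has been run.
Import-Module ActiveDirectory

function Get-PrimarySmtp([string[]]$ProxyAddresses) {
    # The primary address is the entry with an upper-case "SMTP:" prefix (case matters).
    ($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:', ''
}

function Test-SyncMatch {
    param([string]$SearchBase)   # the OU the users were created in (hypothetical default below)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses | ForEach-Object {
        $ad    = $_
        # -ObjectId accepts a UPN; a missing cloud account throws, which we treat as "not found".
        $cloud = try { Get-AzureADUser -ObjectId $ad.UserPrincipalName -ErrorAction Stop } catch { $null }
        $adSmtp    = Get-PrimarySmtp $ad.proxyAddresses
        $cloudSmtp = if ($cloud) { Get-PrimarySmtp $cloud.ProxyAddresses }
        [pscustomobject]@{
            UserPrincipalName = $ad.UserPrincipalName
            CloudFound        = [bool]$cloud
            MailMatches       = [bool]($cloud -and $ad.mail -eq $cloud.Mail)
            PrimarySmtpMatch  = [bool]($cloud -and $adSmtp -eq $cloudSmtp)
            # Same value Michael's snippet writes with Set-MsolUser -ImmutableId.
            ImmutableId       = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
            CloudImmutableId  = $(if ($cloud) { $cloud.ImmutableId } else { $null })
            AlreadySynced     = [bool]($cloud -and $cloud.DirSyncEnabled)
        }
    }
}

# Show only the users that would not soft-match cleanly.
Test-SyncMatch -SearchBase 'OU=Users365,DC=corp,DC=local' |
    Where-Object { -not ($_.CloudFound -and $_.MailMatches -and $_.PrimarySmtpMatch) } |
    Format-Table -AutoSize
```

A non-empty CloudImmutableId on an account that is not yet synced means someone has already hard-matched it (as in Michael's approach); the connector will then insist on that value, so it must equal the ImmutableId column or the match fails. Newer Azure AD Connect versions use ms-DS-ConsistencyGuid as the source anchor and seed it from objectGUID on first sync, so the Base64 value computed here is the one that ends up in the cloud either way.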
