How to Sync an Existing Office365 Tenant into a New Active Directory Domain Using PowerShell
If you are in a situation where you currently use Office365 with lots of users and you now need to implement an on-premises active directory domain its not all that straight forward. The sync software is not quite able to take care of this for us yet but it is getting there with it’s AD write back features.
If you haven’t already then check out my post on how to perform this task manually by creating all of the accounts in the new AD.
Knowing how to manually create local AD objects which will successfully sync with Office365 is essential for any half decent Office 365 administrator. Having a PowerShell script which does it all for you is great also!
Download the script here Office365toADSync (1961 downloads)
In our test lab I have an existing Office 365 tenant which has several user accounts, contacts and resources.
Here we have an info group with multiple members.
and here we have several equipment and room resources
So we have lots of accounts in our 365 tenant and likely you will have many more than this, possibly hundreds. You aren’t going to create them all by hand right!?
Your task is to configure your local network with a new domain into which you are going to sync your Office365 accounts and configure all of your PC’s to be part of the domain. You want users to login to the PC’s using the same usernames and passwords they already use to access resources in 365.
Next you install and configure a new domain controller into your network and create a brand new domain.
Download the PowerShell script to the server and open the PowerShell ISE tool as administrator
Open the script file and run the script or run the script directly from an administrator PowerShell window.
Before running the script there are two things to note:
- User accounts that get created in the local AD will have the password set to “Password123..” but you can change this in the script before running it. You will have to let all users know this beforehand or manually update the passwords. This password will sync back to Office 365 as soon as you configure Azure AD Connect to maintain a permanent sync.
- By default the script will create all accounts in the default user container. You can override this by manually creating a new OU in the AD and updating the $usersContainer variable in the script.
If all looks ok then run the script.
Hopefully you will see no errors produced by the script and if you refresh your AD you will see all of the user accounts, contacts and groups have been created. Each object is set to the correct logon name and has their email addresses set.
The script will also add all custom logon domains you have configured in Office365. Open up Active Directory Domains and Trusts on your DC, right click the root node and go to properties. You should see one or more Alternative UPN suffixes listed.
After performing a manual check of the accounts and once you are happy the users have logged into their PC’s and reset their passwords you are then ready to install AD Connect to enable a permanent sync between your Office 365 tenant and your new domain.
You will rarely be in a situation where you have a large Office 365 tenant and you have a need to install a brand new on-premises active directory domain but if you do then this script should save you a few hours!