Active Directory Preparation for Azure Directory Synchronization

Home / Blog / Active Directory Preparation for Azure Directory Synchronization

Active Directory Preparation for Azure Directory Synchronization
*Notes: This is ONLY applicable for fresh Office365 tenant clients (do not have any user account in Office 365).


In an Office365 and Active Directory environment, users might have two different directory to manage, the Local Active Directory and Azure Active Directory (Cloud). Without synchronization, users might need to manage both directory separately. As an example, to add a new mail-enabled user and setup a new device for user, the administrator will need to create 2 account with same information in both On-premise Active Directory and Office365 Admin portal.

To solve this work duplication issue, Azure Directory Synchronization comes in place. It retrieves the information from an On-premise Active Directory and synchronize to Azure Active Directory. This makes sure both directory are having synchronized information regarding the users.
In order to activate Azure Directory Synchronization, there are few preparation steps needed.

A new Office 365 tenant subscriber which have the following requirements:
1) Office365 accounts are created based on the information retrieved from On-Premise Active Directory
2) User account are controlled by On-Premise Active Directory, Users will have single identity on both On-Premise Active Directory and Azure Active Directory.
3) Password synchronization from On-Premise Active Directory where it provides Same Sign-On (SSO) environment.
4) The current mail system is not Exchange On-premise. (For Exchange environment, will need to use different migration method such as hybrid configuration or Cut-Over migration.)

1. Perform AD users account clean up
– In order to synchronize in between on-premises AD and Office365, it requires on-premises directory attributes to be properly prepared. As an example, specific characters (@,$,#,~)

2. Organize and manage AD users account in proper Organizational Unit (OU) Structure
– The main purpose of Directory Synchronization is to synchronize user account and users group to Azure Active Directory, thus these account will need to be organized and managed in a proper OU structure.
– The computer account or default group (e.g. Enterprise Administrators, System-built Group) will need to manage in different Organization Unit if possible in order to prevent these account and groups that have been synchronized to Azure Active Directory.

3. Update user account attribute
– Before the user account can be synchronize with Azure Active Directory, their attribute will need to be updated.
– In order to integrate with Office365, the UPN suffix and “Email” address attribute must be updated first.
– To update UPN suffix, an external UPN address which had been verified in Office365 portal must be added in as additional UPN address.


 – After this, each user’s UPN suffix must be changed to this External UPN suffix.


– Follow by the next attribute to be updated would be “Email address” attribute. This email address UPN must also been verified in Office365 portal, else the onmicrosoft.com email address will be automatically assigned as primary SMTP address.


PowerShell Script:
1. To change all users UPN suffix.
Import-Module ActiveDirectory
$oldSuffix = “canitpro.local”
$newSuffix = “rebeladmin.com”
$ou = “DC=canitpro,DC=local”
$server = “DCM1”
Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
2. To update all users E-mail attribute.
$Users = Import-csv -Path myfile.csv
Foreach ($user in $Users)
Set-ADUser -Identity $user.Identity -EmailAddress $user.EmailAddress

To learn more, please contact us:  Contact US!