How to Export/Import the Identity from Azure AD to Local AD


DirSync or AAD Sync supports you can sync from local AD to Azure AD no matter for Office 365, Intune or Azure RMS. But in a Cloud First World, customer might also experience a Cloud First IT environment. That is, customers might have Azure AD first than they want to build their on-premise AD. They will face a challenge that current tool do not support two-way sync. There is only one-way sync from on-premise to Azure AD. Although we have this feature roadmap on Azure AD Connect, it still takes time to wait until General Available. We need a temporary solution for now and that's what this post for.

But I would like to address first that there are also some limitations in my methodology:

  1. The password cannot be exported from Azure AD. Therefore, you might need to recreate the password and ask users to change password after migration.

  2. If you want to sync on-premise AD and Azure AD, the user password will follow on-premise AD.

 

The high level steps are:

  1. Export the user list from office 365 via PowerShell

  2. Generate random password for each user

  3. Import the user list to local AD via PowerShell

Tools will be included:

Azure AD Powershell

https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule

Notice:

  1. The export/import user data is in C:\temp\o365UserData.csv

  2. The password policy set password never expire, you could change it in the ImportUserToAD.ps1.

  3. The script will generate a random 8 digit password for each user, and user need to use this NEW password at first logon. You will find this password for each user in the .csv file.

  4. Assuming Users created from Azure AD, user should have first name and last name to make the scripts work.

Steps:

1. Create C:\Temp Folder

2. Execute Powershell ExportOffice365user.ps1 on a machine with Azure AD PowerShell installed. During the scripts, you might need to enter the Office 365 administrator credential two times.

3. After the scripts, you should find o365UserData.csv in C:\Temp, move it to the same location of AD Server (C:\Temp)

4. Execute PowerShell ImportUserToAD.ps1 on AD Server. After the scripts, you should find the users have been created in AD.

5. Now, your AD is ready to sync. The email property should be in user property. You could check the soft match for more detail but I already complete most steps in the script. (http://support.microsoft.com/kb/2641663) 

6. Once you Force Sync on-premise AD into Azure AD, the on-premise password will overwrite Azure AD password.

 

You could also try AAD Connect: https://connect.microsoft.com/site1164/program8612 which will have similar result.



 

 

 

 

ExportImportPS.zip

Comments (2)
  1. Andrew says:

    This is good, but where do I find these scripts? ExportOffice365user.ps1 and the import one?

  2. Andrew says:

    … ahh in the ZIP … I didn’t spot that… 🙂

Comments are closed.

Skip to main content