Azure AD, Office365, and On Premise Domain integration

KC Admin 21 Reputation points
2020-08-11T17:06:24.353+00:00

Good morning my smart and intelligent brethren! I am humbly coming to you all for some clarification and maybe some assistance. First let me preface this by saying that I am new to the world of Azure/Office 365. I've recently been hired at this new company where the previous staff had set up an Azure environment with Office 365. Azure has a few servers that users use, and this requires them to have Azure AD credentials to log into these servers. Office 365 is also synced to the Azure AD with AD Connect. Now we also have a local domain on premise that is completely separated from Azure, so essentially I have USA.Company.com (Azure domain) and Company.local (local domain), so my users have two accounts and two account passwords that they have to remember. I want to know if there is a way for me to get all three working in harmony. I'd like to be able to create an account on our local domain controller and have that sync to Azure and Office 365. Right now I have to create the account on the local domain and then log into the Azure server and recreate the account up there. It's not a huge ordeal, but it's not efficient at all. Not to mention when passwords start expiring it creates some confusion with the end users, especially when they go to RDP into the servers. Our users here don't understand the concept that there are two domains, so I am always getting calls about RDP login issues because they forget to switch to the Azure domain when they are trying to log in. Anyway, I hope this makes sense. Any guidance you can provide would be greatly appreciated!

Microsoft Entra ID

Accepted answer
  1. Jon Alfred Smith 541 Reputation points
    2020-08-11T17:15:18.573+00:00

    Add your domain USA.Company.com as a UPN suffix and update your users to it. The best idea is to match it with your e-mail domain. You use AD Domains and Trusts for that.

    https://learn.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization#add-upn-suffixes-and-update-your-users-to-them

    Then sync those accounts with Azure AD Connect. Start with very few, so you see the results. In Azure AD Connect do OU filtering, and just choose a single OU as a start. Use standard password hash synchronization with SSO.

    Use a Custom installation of Azure AD Connect
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

    If you start with one or two users in your OU, this operation should be completely non-destructive.
    You might want to start with a test environment and document all steps with SnagIt. That's what I usually do. But if you are careful and follow the instructions, this should work the very first time.

    Later you can add other users to the OU. If you remove some, they will be deleted from Azure AD. You can add other OUs as well. My usual setup is OU My Company and a lot of sub-OUs. My Company is then the only OU synced.

    1 person found this answer helpful.
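The steps in the accepted answer (register a routable UPN suffix on the forest, move only the users in one test OU onto it, review before the first sync) as a single PowerShell script. This is an added example, not code from the original answer or from Microsoft's documentation. It assumes the ActiveDirectory RSAT module, a forest named company.local, a test OU at the distinguished name shown, and usa.company.com as the suffix; all three are assumptions to adjust. Set-ADUser runs with -WhatIf so the first pass only reports what would change.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# the forest company.local, and the OU path below; all are assumptions.
Import-Module ActiveDirectory

$Suffix = 'usa.company.com'                         # must match a verified domain in Azure AD
$TestOU = 'OU=Test,OU=My Company,DC=company,DC=local'

# 1. Register the suffix on the forest. This is what AD Domains and Trusts >
#    Properties > UPN Suffixes does in the GUI. Skip if it is already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Added UPN suffix $Suffix to forest $($forest.Name)"
}

# 2. Rewrite the UPN of enabled users in the test OU only. Limiting the scope to
#    the OU that AD Connect filters on keeps the first sync small and reversible.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $TestOU -Properties UserPrincipalName, mail |
    Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $Suffix
        # If the mailbox already uses the routable domain, reuse it so UPN and
        # primary e-mail address stay identical, as the answer recommends.
        if ($_.mail -and $_.mail -like "*@$Suffix") { $newUpn = $_.mail }
        Write-Host ("{0}: {1} -> {2}" -f $_.SamAccountName, $_.UserPrincipalName, $newUpn)
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf   # drop -WhatIf to apply
    }

# 3. Review before the next sync cycle. Any user still carrying @company.local
#    would land in Azure AD under the tenant's fallback .onmicrosoft.com domain.
Get-ADUser -Filter * -SearchBase $TestOU -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName |
    Format-Table -AutoSize
```

Run step 3 before and after removing -WhatIf, and keep the OU in step 2 the same OU you select in the AD Connect OU filter; users moved out of that OU later are removed from Azure AD on the next cycle, as the answer notes.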

2 additional answers

  1. Jon Alfred Smith 541 Reputation points
    2020-08-11T19:13:24.273+00:00

    You should match the UPN to your e-mail addresses. So that would be company.com. The UPN can be different from the e-mail address, but this is not advised. Keep it simple for yourself and for your users.

    One important thing which might confuse you a bit: the source of authority for synced users is your on-premises AD. These users are called hybrid users. You have to manage them there and wait for synchronization, which by default happens every 30 minutes. Of course there's PowerShell to force a sync and so on.

    You may mix and match and have cloud-only users in addition; for them Azure AD is the source of authority.

    And then I'm very happy that some of my posting made sense. Best regards from a sunny Norway, Jon Alfred
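The "PowerShell to force a sync" the answer alludes to, as an added example that is not part of the original post. It is run on the Azure AD Connect server, where the ADSync module is installed with the product. It checks that no cycle is already in progress before starting a delta cycle, prints the scheduler settings (including the 30-minute default interval), and then looks the synced test user up in the connector space. The connector name and the user's distinguished name are assumptions.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server.
Import-Module ADSync

# The scheduler refuses to start a cycle while one is running, so check first.
$sched = Get-ADSyncScheduler
if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already in progress; wait for it to finish.'
} else {
    # Delta = only changes since the last cycle. Use -PolicyType Initial only after
    # changing filtering rules; it re-reads every in-scope object.
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Show the effective interval (30 minutes unless customised) and the next run.
$sched | Select-Object AllowedSyncCycleInterval,
                       CurrentlyEffectiveSyncCycleInterval,
                       NextSyncCyclePolicyType,
                       NextSyncCycleStartTimeInUTC,
                       SyncCycleEnabled,
                       StagingModeEnabled |
        Format-List

# Confirm the on-premises connector imported the object. The connector name is
# normally the forest FQDN; the DN below is the test user from the question.
$connectorName = 'company.local'                                               # assumption
$userDn        = 'CN=Test1,OU=Test,OU=My Company,DC=company,DC=local'          # assumption
$csObject = Get-ADSyncCSObject -ConnectorName $connectorName -DistinguishedName $userDn
if ($csObject) {
    $csObject | Select-Object DistinguishedName, ObjectType, IsConnector | Format-List
} else {
    Write-Warning "$userDn is not in the $connectorName connector space; check OU filtering."
}
```

If StagingModeEnabled is true the server imports and evaluates but never exports, which looks like a sync that silently does nothing; that flag is worth checking whenever a delta cycle completes without the object appearing in Azure AD.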


  2. KC Admin 21 Reputation points
    2020-08-11T22:59:19.65+00:00

    Okay, so this is what we have going on; it all makes a little more sense to me now. On premise we have our company.local domain, and I've added our email domain company.com as a UPN suffix for new accounts so that they sync to Azure AD correctly. I verified that AD Connect is working by creating a test account in our Test OU that we set up to sync to Azure. The account Test1 was created on the on-premise DC and about 30 mins later it replicated to Azure AD. The issue I have is that the Test1 account I created is not able to RDP into any of the VM servers in Azure. I get the permission error pop-up that states that the account does not have permission to access the server. RDP permissions for the servers are set via the local Active Directory services on one of the Azure VM domain controllers, which uses the usa.company.com domain. I don't know what the previous employees were doing when they set all this up. So now I just have to figure out how to grant RDP access to the users on our local domain so they can remote into the servers in Azure with their local user accounts and passwords.

