Understanding the best pathway to establish Hybrid Azure AD

Tony 21 Reputation points
2025-01-12T21:03:33.62+00:00

Hello,

I have a client that has this setup:

On premise AD named abc.local

Microsoft hosted O365 Exchange belonging to a domain called abc.com.

The on premise domain and the hosted O365 email domain are not integrated and are separate. Thus, users need to be managed separately within each environment.

We want to establish a directory presence in the cloud using Azure AD to eventually establish SSO and provide a better user experience. However, I'm wondering what the best pathway would be to do that.

Do I extend our existing on premise domain into Azure with Azure AD first (that is extend abc.local to the Azure cloud), and then attempt to migrate the mailboxes once our hybrid domain has been established?

Or since we have a domain on O365 already (abc.com), use this as our primary domain, even though our users' on premise identities all belong to abc.local?

One thing we would like to do is not re-establish profiles on our on premise workstations. The Windows 11 workstations all belong to the abc.local domain, and we would definitely not want to re-establish any user profiles by requiring us to move domain membership. Thus, the reason why we would like to maintain the abc.local domain if at all possible.

Is there any best practice in terms of steps and what to do in this type of scenario that has been proven to work consistently?

Should I establish the abc.local into the cloud first (Entra ID) and then migrate the mailboxes?

Should I utilize the O365 domain already in Azure (abc.com) and migrate my local on premise domain to that? What about our user profiles?

Thanks for any info/input.

T

  1. Bruce Jing-MSFT 8,095 Reputation points Microsoft Vendor
    2025-01-13T08:01:20.51+00:00

    Hi, @Tony

    Thanks for posting your question in the Microsoft Q&A forum.

    According to your description, you want to synchronize your local domain to Azure AD.

    I need to confirm a question with you, does your local domain have an Exchange mailbox?

    Your on premise AD named abc.local can't be synced directly to Azure AD because .local is reserved for the local network and is not a valid public top-level domain (TLD), so it can't be routed over the Internet. While there are ways to change your primary domain to one that you have verified in Microsoft 365, such as contoso.com, this is an extremely complicated process.

    Here are my suggestions:

    Change your primary domain to a domain you've verified in Microsoft 365, for example, contoso.com. Every user that has the domain contoso.local is then updated to contoso.com. This is an involved process, however, and an easier solution is described in the following section.

    You can refer to this link for the exact process: https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
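The suffix change the answer points to can be scripted against the on-premises forest. The script below is an added example, not code from the answerer or from Microsoft's documentation. It assumes the forest is abc.local and the verified Microsoft 365 domain is abc.com (both taken from the question), that the ActiveDirectory RSAT module is installed, and that the account running it may modify the forest and the affected user objects. The file name upn-change-preview.csv is a made-up name for the review export.

```powershell
# Added example (not part of the original thread): add a routable UPN suffix to the
# abc.local forest and rewrite user UPNs to the verified Microsoft 365 domain.
# Assumptions: forest = abc.local, verified domain = abc.com, RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

$OldSuffix = 'abc.local'   # non-routable suffix from the question
$NewSuffix = 'abc.com'     # domain already verified in Microsoft 365 (from the question)

# 1. Register the routable suffix on the forest so it can be assigned to users.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix}
}

# 2. Collect every user still carrying the .local suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName, mail

# 3. Export a review list before touching anything. Users whose UPN prefix differs from
#    their mail prefix are the ones most likely to be confused at sign-in after sync,
#    so flag them for a human check first.
$users |
    Select-Object SamAccountName, UserPrincipalName, mail,
        @{Name = 'PrefixMismatch'; Expression = {
            $upnPrefix  = $_.UserPrincipalName.Split('@')[0]
            $mailPrefix = if ($_.mail) { $_.mail.Split('@')[0] } else { $null }
            ($mailPrefix -ne $null) -and ($upnPrefix -ne $mailPrefix)
        }} |
    Export-Csv -Path .\upn-change-preview.csv -NoTypeInformation   # hypothetical file name

# 4. Rewrite only the suffix, keeping each user's existing prefix.
#    -WhatIf makes this a dry run; remove it to apply the change.
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$NewSuffix" -WhatIf
}
```

Changing a user's UPN alters the sign-in name only; the account's SID, group memberships and the workstation's abc.local domain membership are untouched, so local profiles on the Windows 11 machines are not affected by this step. Run the script with `-WhatIf` first, review the CSV, then re-run without it before the directory synchronization is configured.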

