Channel: Azure Active Directory forum

Questions about first time AD Connect, existing Azure AD users, Azure AD primary domain


I need to set up Azure AD Connect between our on-premise AD and our existing Azure AD and have some questions.

Our Azure AD primary domain (xyzcorp.com) matches our company's email address SMTP domain, which does not match our on-premise AD domain that we will sync (child.root.xyzcompany.com). In prep for AD Connect we have added and verified our on-premise AD domain (child.root.xyzcompany.com) and its parents (root.xyzcompany.com and xyzcompany.com) to Azure AD. Fortunately, only a subset of employees are currently in Azure AD, for O365 OfficeProPlus use. All platforms including email are on-premise. We are not syncing the entire domain, we are only syncing specific OUs that only hold employees. Sync will only be one-way from on-premise to Azure; no writebacks.

I want to go with the MSFT recommendation to use on-premise AD UPN as the sync attribute. We want to end up with Azure AD UPN matching the on-premise AD UPN but not have the Azure AD email address change because it already matches the on-premise email address. In my research for AD Connect, I came across https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant, which talks about attribute matching between existing Azure AD users and on-premise AD. Some questions (assuming I am understanding the process correctly, which I am not sure I do):

  • Should I switch the Azure AD primary domain to the one we added to match the on-premise domain before we use AD Connect? So that the Azure AD UPN suffix matches on-premise AD UPN suffix.
  • Assuming I switch the Azure AD primary domain before using AD Connect to sync, what happens to the existing Azure AD users? Does their current Azure AD UPN suffix switch automatically to the new primary domain UPN suffix? What about their email address, does that stay as is? There will most definitely be a time lag (a few weeks) between the switch and using AD Connect to sync.
  • After syncing - according to the article all Azure AD attributes for matching users are overwritten with the on-premise AD attributes - will OfficeProPlus recognize the user is the same user?
  • Specifically with regard to the existing Azure AD accounts that are used to log into MSFT Business Center - will MSFT Business Center recognize and accept the new login?

Thanks,

Joan

