Sync Office 365 / AzureAD down to ADDS

I recently found myself needing to build out an on-premises Active Directory environment and populate it from objects found in Office 365 (AzureAD). The local Active Directory would then be configured as the identity source and would sync up to AzureAD using Azure AD Connect. Unfortunately, Azure AD Connect is a one-way sync of objects from your on-premises Active Directory Domain Services environment to AzureAD (apart from optional writeback features such as password writeback) and won't create objects downward. AADConnect does have the ability to match our AzureAD objects to their corresponding Active Directory objects, but if an attribute like City, Phone Number, Department or Title is present in your existing AzureAD and not in ADDS, the attribute may remain in AzureAD without ever being replicated down to ADDS, and from then on it can only be changed on-premises. So we will want to copy as many attributes as possible from AzureAD to our local Active Directory in preparation for the Azure AD Connect sync. We will also want to recreate groups (distribution, mail-enabled security, security) in Active Directory and replicate their membership and owners.

I tried searching for ways Microsoft recommended to accomplish a downward sync from AzureAD, but was met only with a feedback forum and an article from Microsoft explaining the steps involved in this specific situation. In the end, to accomplish the downward sync I was looking for, I created a PowerShell function. You can skip the function details and go straight to the download at the end of the article.

Function Features

Automatic Domain Move Objects

I added the ability to automatically move objects such as users based on their UPN domain. If the switch parameter “DomainMoveUsersToOU” is set, the function parses the UPN, extracts the domain name without its suffix, and looks for an Active Directory OU with the same name. So if my user's UPN were in the TheLazyAdministrator.com domain, the function would take “TheLazyAdministrator” and check whether an OU with that name exists; if it does, it places the user (or contact, or group) in that OU.

Object Matching

Luckily, Azure AD Connect is able to match your AzureAD objects to your on-premises objects. “When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName and proxyAddresses is known as a soft match. A match on sourceAnchor is known as hard match. For the proxyAddresses attribute only the value with SMTP:, that is the primary email address, is used for the evaluation.” [1] In practice this means the on-premises object needs the same UPN and the same primary SMTP address (the entry with the upper-case SMTP: prefix) as its cloud twin before the first sync cycle, or the pairing has to be forced with a hard match on the sourceAnchor.
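The following is an added example, not the article's Sync-O365toADDS function, showing how both matching paths can be prepared on the AD DS side: the sourceAnchor value Connect will send for a hard match, and a proxyAddresses list with exactly one upper-case SMTP: entry for a soft match. It assumes the ActiveDirectory module is loaded; the commented cloud-side call assumes the MSOnline module with an existing Connect-MsolService session, and the identities in it are hypothetical.

```powershell
# Added example, not the article's code. Prepares an AD DS user so Azure AD Connect can pair it
# with its cloud object by hard match (sourceAnchor) or by soft match (UPN / primary SMTP).
# Assumes the ActiveDirectory module; the Set-MsolUser line at the end assumes MSOnline.

function Get-SourceAnchorFromAdUser {
    param([Parameter(Mandatory)][string]$Identity)
    $adUser = Get-ADUser -Identity $Identity -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    # Connect uses mS-DS-ConsistencyGuid when populated and objectGUID otherwise; in both
    # cases the anchor it sends to Azure AD is the base64 form of the 16 GUID bytes.
    $bytes = if ($adUser.'mS-DS-ConsistencyGuid') {
        [byte[]]$adUser.'mS-DS-ConsistencyGuid'
    } else {
        $adUser.ObjectGUID.ToByteArray()
    }
    return [System.Convert]::ToBase64String($bytes)
}

function Set-AdProxyAddressesForSoftMatch {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$PrimarySmtp,
        [string[]]$Aliases = @()
    )
    # Only the entry prefixed with upper-case 'SMTP:' is the primary address, and only that
    # entry is evaluated for the soft match: write exactly one of them, 'smtp:' for the rest.
    $proxies = @("SMTP:$PrimarySmtp") +
        @($Aliases | Where-Object { $_ -ne $PrimarySmtp } | ForEach-Object { "smtp:$_" })
    Set-ADUser -Identity $Identity -EmailAddress $PrimarySmtp -Replace @{ proxyAddresses = [string[]]$proxies }
    return $proxies
}

# Usage (hypothetical identities): stamp the on-premises anchor onto the cloud-only user before
# the first sync cycle, so Connect hard-matches instead of relying on the UPN/SMTP heuristics.
# $anchor = Get-SourceAnchorFromAdUser -Identity 'jdoe'
# Set-MsolUser -UserPrincipalName 'jdoe@thelazyadministrator.com' -ImmutableId $anchor
```

Setting the ImmutableId only works on a cloud object that is not yet flagged as synced, so it has to happen before Connect's first export; once a user has been taken over by Connect the value is read-only in the cloud.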

Attribute Write-Back and Conflict Resolution

The next item to consider is the syncing of the other attributes, and which source takes precedence when an attribute is populated in both AzureAD and ADDS. According to Microsoft, “if Azure AD finds an object where the attribute values are the same for an object coming from Connect and that it is already present in Azure AD, then the object in Azure AD is taken over by Connect. The previously cloud-managed object is flagged as on-premises managed. All attributes in Azure AD with a value in on-premises AD are overwritten with the on-premises value. The exception is when an attribute has a NULL value on-premises. In this case, the value in Azure AD remains, but you can still only change it on-premises to something else.” [1] This means that ADDS is authoritative in an AD Connect configuration: any attribute with an on-premises value overwrites the cloud value, and an attribute that is populated in AzureAD but empty in ADDS stays in AzureAD, is never written down to ADDS, and can no longer be edited in the cloud. So we will want to copy over as many attributes from AzureAD to ADDS as possible before the first sync.

Existing Object Detection

The PowerShell function always looks in your current Active Directory environment for the object it is about to create before creating it. This is beneficial because if you run it more than once it will not keep making duplicate objects or throw errors when attempting to create AD objects that are already present.

Move All Sync Objects to a Specific OU

The function contains a parameter to specify a single OU that all of your synced objects will be moved to after creation. If, for example, you were syncing your Azure AD users, you can use the “UsersOU” parameter, pass the OU's Distinguished Name, and all users will be moved to that OU. The same applies to Contacts and Groups.
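The following added example (not the article's code) covers both placement options described above: a fixed destination OU, as the article's UsersOU / ContactsOU / GroupsOU parameters do, and the per-domain move that DomainMoveUsersToOU performs. The parameter names here are this example's own, it assumes the ActiveDirectory module, and the distinguished names in the usage line are hypothetical.

```powershell
# Added example, not the article's code: decide where a synced object should live and move it.
# An explicit -TargetOU wins; otherwise -MoveByUpnDomain derives the OU name from the UPN's
# domain label ('user@TheLazyAdministrator.com' -> OU named 'TheLazyAdministrator').

function Resolve-TargetOU {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$TargetOU,          # explicit OU distinguished name
        [switch]$MoveByUpnDomain    # derive the OU name from the UPN domain instead
    )
    if ($TargetOU) {
        # Fail early on a mistyped DN instead of leaving every object in the default container.
        return (Get-ADOrganizationalUnit -Identity $TargetOU).DistinguishedName
    }
    if (-not $MoveByUpnDomain) { return $null }

    $label = ($UserPrincipalName -split '@')[-1] -replace '\..*$', ''
    # Escape LDAP filter metacharacters (RFC 4515) so a crafted UPN cannot widen the search.
    $escaped = $label -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $hits = @(Get-ADOrganizationalUnit -LDAPFilter "(ou=$escaped)")
    if ($hits.Count -ne 1) {
        Write-Warning "Expected exactly one OU named '$label', found $($hits.Count); not moving $UserPrincipalName."
        return $null
    }
    return $hits[0].DistinguishedName
}

function Move-SyncedObject {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$TargetOU,
        [switch]$MoveByUpnDomain
    )
    $dest = Resolve-TargetOU -UserPrincipalName $UserPrincipalName -TargetOU $TargetOU -MoveByUpnDomain:$MoveByUpnDomain
    if (-not $dest) { return $DistinguishedName }
    # Already under the destination: nothing to do, which keeps reruns idempotent.
    if ($DistinguishedName -like "*,$dest") { return $DistinguishedName }
    return (Move-ADObject -Identity $DistinguishedName -TargetPath $dest -PassThru).DistinguishedName
}

# Hypothetical usage:
# Move-SyncedObject -DistinguishedName 'CN=Jane Doe,CN=Users,DC=corp,DC=local' `
#     -UserPrincipalName 'jane@thelazyadministrator.com' -MoveByUpnDomain
```

Refusing to move when the OU name is ambiguous (more than one OU with that name in the forest) is deliberate: a silent first-match move would scatter objects across OUs with different GPOs and delegation.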

Auto Add UPN Suffixes

The PowerShell function looks up your domains in Office 365 before doing anything else and adds them as valid Active Directory UPN suffixes. This is crucial because any domain in Office 365 can be part of a user's UserPrincipalName, email address, etc., and if the domain is not a UPN suffix in Active Directory the AD object cannot be created with that UPN at all.
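As an added example (not the article's code) of that step, the function below reads the tenant's domains with the MSOnline module and adds the missing ones as forest UPN suffixes, skipping suffixes already present so it can be rerun. It assumes Connect-MsolService has already run and the ActiveDirectory module is loaded; the exclusion of the tenant's initial *.onmicrosoft.com domain is this example's choice.

```powershell
# Added example, not the article's code: add every verified tenant domain as a forest UPN suffix.
# Assumes an MSOnline session and the ActiveDirectory module.

function Add-TenantDomainsAsUpnSuffix {
    param([switch]$WhatIf)
    $forest = Get-ADForest
    # Only verified domains can carry identities in the tenant. The initial *.onmicrosoft.com
    # domain is verified too, but it is not a suffix you want on AD DS accounts.
    $tenantDomains = Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' -and $_.Name -notlike '*.onmicrosoft.com' } |
        Select-Object -ExpandProperty Name
    # The forest root DNS name is always a valid UPN suffix, so treat it as already present.
    $existing = @($forest.UPNSuffixes) + $forest.RootDomain
    $missing  = @($tenantDomains | Where-Object { $existing -notcontains $_ })
    foreach ($d in $missing) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $d } -WhatIf:$WhatIf
    }
    return $missing   # the suffixes this run added (or would add, with -WhatIf)
}

# Add-TenantDomainsAsUpnSuffix -WhatIf   # preview first; the change is forest-wide
```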

Sync Switch Parameters

Each sync “object group” is a switch parameter. If you want to sync just users you would run “Sync-O365toADDS -SyncUsers”, and if you wanted to sync users and distribution groups you would run “Sync-O365toADDS -SyncUsers -SyncDistributionGroups”. You can sync Users, Contacts, Distribution Groups, Mail-Enabled Security Groups, and Security Groups.

Attributes Synced to ADDS

Currently the following attributes are copied from your AzureAD objects to your Active Directory object:

Users

  • First Name
  • Last Name
  • Display Name
  • User Principal Name
  • Email Address
  • Proxy Addresses
    • SMTP
    • SPO
    • SIP
    • EUM
  • Office
  • Title
  • Department
  • City
  • Office Phone (telephone number)
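The following is an added example, not the article's code, that creates or updates one AD DS user from its MSOnline object and carries the user attributes listed above. The lookup for an existing object uses the same keys Azure AD Connect soft-matches on (the UPN, then the primary SMTP: proxy address), so reruns update rather than duplicate, and by default an attribute already populated in AD is left alone, since on-premises becomes authoritative once Connect runs. It assumes Connect-MsolService has run, the ActiveDirectory module is loaded and -Path is an existing OU DN; the identities in the usage lines are hypothetical.

```powershell
# Added example, not the article's code: one MSOnline user -> one AD DS user, with the listed
# attributes. Assumes an MSOnline session and the ActiveDirectory module.

function Sync-MsolUserToAd {
    param(
        [Parameter(Mandatory)]$MsolUser,       # one object from Get-MsolUser
        [Parameter(Mandatory)][string]$Path,   # OU in which new users are created
        [switch]$OverwriteExisting             # also replace attributes that already have an AD value
    )
    $upn     = $MsolUser.UserPrincipalName
    $proxies = @($MsolUser.ProxyAddresses | Where-Object { $_ })
    $primarySmtp = @($proxies | Where-Object { $_ -clike 'SMTP:*' })[0] -replace '^SMTP:', ''
    if (-not $primarySmtp) { $primarySmtp = $upn }

    # cloud property -> AD attribute (LDAP display names, as Set-ADUser -Replace expects)
    $map = [ordered]@{
        givenName                  = $MsolUser.FirstName
        sn                         = $MsolUser.LastName
        displayName                = $MsolUser.DisplayName
        mail                       = $primarySmtp
        proxyAddresses             = [string[]]$proxies
        physicalDeliveryOfficeName = $MsolUser.Office
        title                      = $MsolUser.Title
        department                 = $MsolUser.Department
        l                          = $MsolUser.City
        telephoneNumber            = $MsolUser.PhoneNumber
    }
    $attrs = [string[]]$map.Keys

    # Existing-object detection. Single quotes are doubled so a name like O'Brien cannot break
    # (or inject into) the filter expression.
    $q = $upn.Replace("'", "''")
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$q'" -Properties $attrs
    if (-not $adUser) {
        $q = "SMTP:$primarySmtp".Replace("'", "''")
        $adUser = Get-ADUser -Filter "proxyAddresses -eq '$q'" -Properties $attrs
    }

    if (-not $adUser) {
        # sAMAccountName is capped at 20 characters; derive it from the UPN prefix.
        $sam = (($upn -split '@')[0] -replace '[^A-Za-z0-9._-]', '')
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
        # Throwaway random password: the account is created disabled and gets a real secret later.
        $rnd = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($rnd) + '!') -AsPlainText -Force
        $cn = if ($MsolUser.DisplayName) { $MsolUser.DisplayName } else { $upn }
        $adUser = New-ADUser -Name $cn -SamAccountName $sam -UserPrincipalName $upn -Path $Path `
            -AccountPassword $pw -Enabled $false -PassThru
        $action = 'Created'
    } else {
        $action = 'Updated'
    }

    $toSet = @{}
    foreach ($k in $map.Keys) {
        $v = $map[$k]
        if ($null -eq $v -or @($v).Count -eq 0 -or ($v -is [string] -and $v -eq '')) { continue }  # empty in the cloud
        if (-not $OverwriteExisting -and $adUser.$k) { continue }                                    # keep the AD value
        $toSet[$k] = $v
    }
    if ($toSet.Count) { Set-ADUser -Identity $adUser.DistinguishedName -Replace $toSet }
    return [pscustomobject]@{ Action = $action; DistinguishedName = $adUser.DistinguishedName; Set = @($toSet.Keys) }
}

# Hypothetical usage, one user or the whole tenant:
# Sync-MsolUserToAd -MsolUser (Get-MsolUser -UserPrincipalName 'jane@thelazyadministrator.com') -Path 'OU=TheLazyAdministrator,DC=corp,DC=local'
# Get-MsolUser -All | ForEach-Object { Sync-MsolUserToAd -MsolUser $_ -Path 'OU=Synced,DC=corp,DC=local' }
```

Creating the accounts disabled with a random password is the safe default here: the cloud object carries no usable on-premises secret, and enabling each account can be a separate, deliberate step after password writeback or a reset.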

Contacts

  • Display Name
  • External Email
  • Proxy Addresses
  • First Name
  • Last Name

Distribution Groups

  • Name
  • Display Name
  • Primary SmtpAddress
  • Proxyaddresses
  • Description
  • Members
  • Group Owner (Managed By)

Mail-Enabled Security Groups

  • Name
  • Display Name
  • Primary SmtpAddress
  • Description
  • Members
  • Group Owner (Managed By)

Security Groups

  • Name
  • Display Name
  • Primary SmtpAddress
  • Description
  • Members
  • Group Owner (Managed By)
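The following is an added example, not the article's code, that creates or updates one AD DS group from cloud group data with the attributes listed for the three group types, including membership and the owner. The cloud group type is mapped to an AD group category, members and the owner are resolved by mail address so that users, contacts and nested groups all work, and membership is written with Set-ADGroup -Add rather than Add-ADGroupMember because the latter accepts security principals only (so no contacts). The input shape is this example's own; feed it from Get-MsolGroup / Get-MsolGroupMember or whichever source holds the owners. It assumes the ActiveDirectory module, and the DNs in the usage line are hypothetical.

```powershell
# Added example, not the article's code: one cloud group -> one AD DS group with members and owner.
# Assumes the ActiveDirectory module.

function ConvertTo-LdapEscaped([string]$s) {
    # RFC 4515 escaping so a mail address cannot alter the filter
    return $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-AdObjectByMail([string]$Mail) {
    # users, contacts and groups all carry 'mail'; exactly one hit is required
    $f = "(&(|(objectClass=user)(objectClass=contact)(objectClass=group))(mail=$(ConvertTo-LdapEscaped $Mail)))"
    $hits = @(Get-ADObject -LDAPFilter $f)
    if ($hits.Count -eq 1) { return $hits[0].DistinguishedName }
    return $null
}

function Sync-GroupToAd {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('DistributionList','MailEnabledSecurity','Security')][string]$GroupType,
        [Parameter(Mandatory)][string]$Path,
        [string]$DisplayName = $Name,
        [string]$PrimarySmtp,
        [string[]]$ProxyAddresses = @(),
        [string]$Description,
        [string[]]$MemberMail = @(),
        [string]$OwnerMail
    )
    # A mail-enabled security group is still a security group in AD; only a distribution list is
    # GroupCategory Distribution. Universal scope so mail-enabled groups can span the forest.
    $category = if ($GroupType -eq 'DistributionList') { 'Distribution' } else { 'Security' }

    $group = Get-ADGroup -Filter "name -eq '$($Name.Replace("'", "''"))'" -Properties member, managedBy
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Universal -GroupCategory $category -Path $Path -PassThru
    } elseif ("$($group.GroupCategory)" -ne $category) {
        Write-Warning "$Name exists as a $($group.GroupCategory) group but the cloud type is $GroupType; leaving the category as is."
    }

    $attrs = @{ displayName = $DisplayName }
    if ($Description)          { $attrs['description'] = $Description }
    if ($PrimarySmtp)          { $attrs['mail'] = $PrimarySmtp }
    if ($ProxyAddresses.Count) { $attrs['proxyAddresses'] = [string[]]$ProxyAddresses }
    elseif ($PrimarySmtp)      { $attrs['proxyAddresses'] = [string[]]@("SMTP:$PrimarySmtp") }
    Set-ADGroup -Identity $group -Replace $attrs

    # Members not yet in AD are reported rather than silently dropped: sync users and contacts
    # first, then groups, and rerun once for nested groups created later in the same pass.
    $missing = @(); $wanted = @()
    foreach ($m in $MemberMail) {
        $dn = Find-AdObjectByMail $m
        if ($dn) { $wanted += $dn } else { $missing += $m }
    }
    $current = @($group.member)
    $toAdd   = @($wanted | Where-Object { $current -notcontains $_ })   # delta only, so reruns are clean
    if ($toAdd.Count) { Set-ADGroup -Identity $group -Add @{ member = $toAdd } }

    if ($OwnerMail) {
        $ownerDn = Find-AdObjectByMail $OwnerMail
        if ($ownerDn) { Set-ADGroup -Identity $group -ManagedBy $ownerDn } else { $missing += $OwnerMail }
    }
    return [pscustomobject]@{ Group = $group.DistinguishedName; Added = $toAdd.Count; Unresolved = $missing }
}

# Hypothetical usage:
# Sync-GroupToAd -Name 'Helpdesk' -GroupType MailEnabledSecurity -Path 'OU=Groups,DC=corp,DC=local' `
#     -PrimarySmtp 'helpdesk@thelazyadministrator.com' -MemberMail 'jane@thelazyadministrator.com' `
#     -OwnerMail 'brad@thelazyadministrator.com'
```

Note that managedBy on its own is informational: it records the owner but grants no rights. If the owner should be able to edit membership on-premises as they could in the cloud, the “Manager can update membership list” permission (an ACE on the group's member attribute) has to be granted separately.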

Screenshots of Function Running

Below are some screenshots of the function running in a test environment.

Users

Here we see the console output when creating users from AzureAD to local AD. It checks to

In Active Directory Users and Computers I can see that my users and groups with a UPN / email address in “TheLazyAdministrator.com” are automatically placed in my TheLazyAdministrator OU.

Groups

My groups are automatically created and my membership is already populated. The membership will match the membership in AzureAD.

The group manager / owner is also replicated, along with the group's Office and City attributes.

Domains

The function gets all domains in your tenant and adds them as valid UPN suffixes in your Active Directory environment.

Module Check

The function checks for the MSOnline module as well as the AzureAD module. If either is not present, it automatically downloads and installs it from the PowerShell Gallery. It also checks whether you are already connected to MSOnline or AzureAD before attempting to connect again.
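The following is an added example, not the article's code, of that module and session check. Neither module exposes a “connected” flag, so the usual probe is a cheap tenant query that fails when there is no session. The -AllowInstall gate is this example's choice: pulling modules from the gallery on a domain controller is a supply-chain decision worth making explicitly, and pinning with -RequiredVersion is the safer form of it.

```powershell
# Added example, not the article's code: make sure MSOnline and AzureAD are installed, imported
# and connected, installing from the PowerShell Gallery only when explicitly allowed.

function Initialize-CloudModules {
    param(
        [switch]$AllowInstall,
        [string]$RequiredVersionMsol,    # optional pins; empty means "whatever is installed"
        [string]$RequiredVersionAzureAD
    )
    $pins = @{ MSOnline = $RequiredVersionMsol; AzureAD = $RequiredVersionAzureAD }
    foreach ($m in 'MSOnline', 'AzureAD') {
        if (-not (Get-Module -ListAvailable -Name $m)) {
            if (-not $AllowInstall) { throw "Module $m is not installed; rerun with -AllowInstall or install it from a trusted repository." }
            $params = @{ Name = $m; Scope = 'CurrentUser'; Repository = 'PSGallery'; Force = $true }
            if ($pins[$m]) { $params['RequiredVersion'] = $pins[$m] }
            Install-Module @params
        }
        Import-Module $m -ErrorAction Stop
    }
    # Probe each session with a harmless read; connect only when the probe fails.
    try { $null = Get-MsolDomain -ErrorAction Stop; $msol = $true } catch { $msol = $false }
    try { $null = Get-AzureADTenantDetail -ErrorAction Stop; $aad = $true } catch { $aad = $false }
    if (-not $msol) { Connect-MsolService; $msol = $true }
    if (-not $aad)  { $null = Connect-AzureAD; $aad = $true }
    return [pscustomobject]@{ MsolConnected = $msol; AzureADConnected = $aad }
}

# Initialize-CloudModules -AllowInstall
```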

Download

You can download the function, track bugs and follow the project on GitHub.

Sources:

[1] https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant

2 thoughts on “Sync Office 365 / AzureAD down to ADDS”

    1. It's a function, so are you loading it into memory? What is the command you are trying to run? Are you running it on an AD server?
