Consolidating 2 ADs and Office 365

    Question

    We are currently looking to consolidate our user accounts across two Active Directories and Office 365. Our current setup is:

    Internal Office/LAN AD: User names are in the format firstname.lastname@internal.company.com. The SAM Account Name is in the format of a 3 letter company acronym for the domain name, followed by firstname.lastname e.g. COM\firstname.lastname

    Private Cloud AD: We have a private cloud hosted by an external vendor which hosts a number of servers hosting client systems. Additionally, it holds our company’s SharePoint 2013 portal and other infrastructure services. It also has a domain controller which has user accounts for all of our internal users who also have accounts on our internal office LAN (in addition to user accounts for external users needing access to certain cloud servers). Usernames are in the format firstname.lastname@company.com; the SAM account name, however, is the same as on the internal LAN, e.g. COM\firstname.lastname. The full usernames match the users’ company email addresses.

    Office 365: We have user accounts for our users in Office 365 as we have a subscription for the Office desktop apps. The user names match the users’ email addresses/cloud usernames.

    The end goal is that users have one account and password that works across all of these environments, ideally which they manage within the Office LAN and which then syncs across to the other environments, e.g. a changed password internally replicates to Office 365/the cloud AD. Another point is that we currently use IBM Notes/Domino for email, but the long-term goal will be to migrate fully to Office 365/Exchange to host our email, so syncing our Office LAN/Office 365 accounts to match would be a good prerequisite to sort out prior to the longer-term migration to O365.

    I’ve looked a lot into the Azure AD Connect tool which I think will help us achieve what we want, however I’m not entirely clear on how best to approach this.

    • I’ve identified that we could change the UPN in AD on our internal user accounts so that they match the users email address, and hence should then sync seamlessly with their Office 365 accounts. Will this then cause problems for us when we try to access the Cloud servers, such as via RDP or logging onto SharePoint, given that the usernames will match but ultimately will have different user SIDs?
    • For another approach, whilst we can set up Azure AD Connect on our LAN to sync to Office 365, would it then be possible to sync passwords from O365 to the Cloud AD, e.g. password sync will be LAN -> O365 -> Cloud AD? We do have ADFS set up on our Cloud infrastructure, so if using ADFS to sync the two ADs and O365 is the best approach I’m happy to look into this route.
    • Or, would it be more suitable to simply do away with user accounts in the Cloud AD for internal LAN users so they are only managed in one AD, and these accounts are then synced to O365? As mentioned previously, these users would need to be set up to have RDP access to the servers in the Cloud and they also need to be able to access the SharePoint portal, which is currently connected to the Cloud AD for authentication. The internal users will need to be able to access the SharePoint portal, and we would still need to keep the Cloud AD for external users who are permissioned for the SharePoint portal/some of the cloud servers (but who we obviously don’t want to have access to any internal LAN systems).
    • My colleague looked into setting up an AD trust between our internal LAN and Cloud AD with the idea that we could use the internal accounts on the Cloud servers via the Trust Relationship, however they weren’t able to get this fully working. Not sure if this is because our internal LAN is effectively a Child/Sub domain of our Cloud AD domain and so I assume it’s inherently trusted by virtue of being a child domain?

    My current thinking is that we need to change the UPN of our internal AD users to match their email address/Cloud usernames as this will allow us to then happily sync our internal accounts with O365 which will work well for our future O365 email migration. It’s the part of having one user name based on the email address to continue to work with our Cloud servers and SharePoint portal and/or syncing internal AD users passwords with their Cloud accounts that is currently a bit of a sticking point.

    Hope this provides sufficient information on our current set up and what we’re trying to accomplish. If anyone is able to assist with identifying a suitable solution that would really be greatly appreciated. Thanks again for reading and apologies for the long post :)

    Friday, April 7, 2017 6:04 PM
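To audit the UPN-versus-email mismatch described in the question and, when you are ready, set each internal user's UPN to match their mail attribute before Azure AD Connect is enabled, here is an added PowerShell example (not from the original post or from Microsoft). It assumes the ActiveDirectory module is installed, uses the company.com suffix from the post and a placeholder OU path, and runs in report-only mode unless $Apply is set to $true.

```powershell
# Added example (not from the original post): report users whose UPN does not
# match their mail attribute and, if $Apply is $true, set the UPN to match it so
# Azure AD Connect matches each user to the existing Office 365 account.
# Assumptions: ActiveDirectory module present, run as a domain admin, and the
# $Suffix / $SearchBase values below are placeholders to adjust for your domain.
Import-Module ActiveDirectory

$Suffix     = 'company.com'                               # email domain from the post
$SearchBase = 'OU=Users,DC=internal,DC=company,DC=com'    # assumed OU, adjust as needed
$Apply      = $false                                      # $false = report only

# 1. The suffix must be registered at forest level, otherwise the new UPN is
#    accepted by AD but is not routable for Office 365 sign-in.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Write-Host "UPN suffix $Suffix is not registered on forest $($forest.Name)"
    if ($Apply) { Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix} }
}

# 2. Compare each enabled user's UPN with its mail attribute.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties mail, UserPrincipalName

$report = foreach ($u in $users) {
    $mail   = $u.mail
    $status = if (-not $mail)                              { 'NO-MAIL' }       # nothing to match on
              elseif (($mail -split '@')[-1] -ne $Suffix)  { 'OTHER-DOMAIN' }  # not our suffix, skip
              elseif ($u.UserPrincipalName -eq $mail)      { 'OK' }
              else                                         { 'MISMATCH' }

    # Only MISMATCH rows are changed. sAMAccountName and the SID are untouched,
    # so COM\firstname.lastname logons keep working after the UPN change.
    if ($status -eq 'MISMATCH' -and $Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $mail
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        Mail           = $mail
        Status         = $status
    }
}

$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

Run it once with $Apply left at $false, review the NO-MAIL and OTHER-DOMAIN rows by hand, and only then rerun with $Apply set to $true.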

All replies

    Hi,

    I don't think it's possible to synchronize account passwords between AD forests. If you want to achieve single sign-on, I suggest you deploy ADFS.

    If there are specific queries regarding Office 365, there is a dedicated Office 365 forum for you here:

    https://community.office365.com/en-us/f

    Best Regards,

    Amy


    Monday, April 10, 2017 3:33 PM
    Moderator