I'm working on a project where we need to set up a new on-premises Active Directory (AD) for a client. The catch is that the new AD will use the same domain name as their existing Azure tenant. In my past experience, when doing this kind of setup, implementing Azure AD Connect ended up causing duplicate user accounts because of conflicting information from the on-premises domain controller. My boss has gone through similar issues before and had to deal with migrating between duplicate accounts afterward. I want to find a way to connect the on-premises usernames to the existing accounts in Azure without creating duplicates. I was thinking of doing some research on my own but would love to hear from anyone who has experience with this issue. Any advice would be appreciated!
6 Answers
It sounds like you should definitely check if the accounts already exist in Entra. If you're migrating from an older domain to a new on-premises AD, there could be existing accounts in Azure that you'll need to match up.
I had a similar situation where two different on-prem domains were syncing into one tenant. I used the mail field in their AD objects to align users without duplicates, which simplified the process significantly. You can also run tests in staging mode to see how the sync will behave before fully implementing it. It’s helped me avoid issues for years!
That’s really interesting! We’re aiming to retire the old .local AD while transferring everything to this new setup.
I'm curious about why you're needing to set up a new AD. Are these organizations currently operating without any AD in place?
Yes, we're migrating everything from an older domain to a completely new AD setup.
Check into doing a hard match instead of a soft match when setting up the connection. I found it pretty straightforward with just a simple PowerShell script. It can help prevent those duplicate users from popping up.
Thanks for the tip! I came across a resource that outlines how to sync on-prem AD with existing Azure AD users, which looks helpful.
Would using a hard match resolve the issue with two users sharing the same email address, especially for setting up admin accounts?
The linking method in AD Connect is crucial. You can test your configuration safely without making any alterations in Azure by using non-export mode in AD Connect. This way, you can verify object links before syncing to Azure. Consider changing the anchor temporarily to link accounts properly—long-term you should go with msdsConsistencyGUID for stability.
Be cautious about matching. There are tons of articles discussing soft vs. hard matching strategies online. If your AD data is clean and consistent, you should be mostly fine, but conflicts can arise if the directories don’t perfectly align. You might want to pull some data from Azure to ensure that your on-prem set up corresponds well with it.
Yes, we’re definitely migrating from an old domain and users are already set up in Azure. Just want to make sure everything syncs without issues.