Azure AD Connect for Exchange Hybrid Migration

Steps to configure Azure AD Connect for Exchange Hybrid Migration to Office 365

  1. Download and install Azure AD Connect on a domain-joined Windows Server 2012 R2 member server (NOT a Domain Controller)

  2. Click Continue

(Screenshot: HybridMigration-AAD-01)

  3. Ignore the warning if you are using a non-routable FQDN in AD, such as mylab.local, and click Use Express Settings to continue

(Screenshot: HybridMigration-AAD-02)

  4. Enter the Global Administrator credential for Azure AD / Office 365

(Screenshot: HybridMigration-AAD-03)

  5. Enter the credential for the Domain Administrator

(Screenshot: HybridMigration-AAD-04)

  6. Ensure that the public FQDN which you had associated with Office 365 is verified

(Screenshot: HybridMigration-AAD-05)

  7. Check Exchange Hybrid Deployment, and do NOT check "Start the synchronization process when configuration completes" yet

(Screenshot: HybridMigration-AAD-06)

  8. You will see "Active Directory Recycle Bin is NOT enabled" if you did not enable this feature earlier. You can safely ignore it, as this is an optional feature

(Screenshot: HybridMigration-AAD-07)

  9. Click Exit

(Screenshot: HybridMigration-AAD-08)

  10. Double-click Azure AD Connect to configure Domain and OU Filtering so that only users and groups in a particular OU are synced to Office 365

(Screenshot: HybridMigration-AAD-09)

  11. Click Customize Synchronization Options

(Screenshot: HybridMigration-AAD-10)

  12. Enter your credential for Azure AD / Office 365

(Screenshot: HybridMigration-AAD-11)

  13. Click Next

(Screenshot: HybridMigration-AAD-12)

  14. Select the OU that you would like to sync

(Screenshot: HybridMigration-AAD-13)

  15. Ensure Exchange Hybrid Deployment and Password Hash Synchronization are selected

(Screenshot: HybridMigration-AAD-14)

  16. Check "Start the synchronization process when configuration completes" to perform the initial synchronization to Office 365

(Screenshot: HybridMigration-AAD-15)

  17. Close the wizard

(Screenshot: HybridMigration-AAD-16)

  18. Monitor the progress by opening MIISClient (Synchronization Service Manager) with PowerShell
#Start MiiClient (Synchronization Service Manager shows each connector run and its result)
$MiiClient = "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"
Start-Process $MiiClient

HybridMigration-AAD-17

  1. AAD Connect performs a scheduled sync at a 30-minute interval (default), and you can trigger a sync manually with the following PowerShell

Password changes will be synced from local AD to Office 365 within 2 minutes

#PowerShell for ADSync
Import-Module ADSync

#Perform Delta Sync Only
Start-ADSyncSyncCycle -PolicyType Delta

#Perform Initial Sync
Start-ADSyncSyncCycle -PolicyType Initial
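The two cmdlets above start a cycle and return immediately, so on a hybrid cutover you still want to know whether the scheduler is enabled, whether a cycle is already running (starting a second one fails), and when the connectors have finished. The script below is an added example, not code from the original post; it uses the ADSync cmdlets Get-ADSyncScheduler, Start-ADSyncSyncCycle and Get-ADSyncConnectorRunStatus, and the ConnectorName property it prints is assumed from memory of that cmdlet's output.

```powershell
# Added example (not from the original post): inspect the AAD Connect scheduler,
# start a delta sync only when no cycle is in progress, then wait until the
# connectors go idle so the result can be checked in MIISClient or in Office 365.
Import-Module ADSync

function Invoke-DeltaSyncAndWait {
    param(
        [int]$TimeoutSeconds = 600,   # give up waiting after 10 minutes
        [int]$PollSeconds    = 15     # how often to re-check the connectors
    )

    # Scheduler state: enabled?, effective interval, next scheduled cycle (UTC), cycle running?
    $scheduler = Get-ADSyncScheduler
    Write-Host ("Scheduler enabled  : {0}" -f $scheduler.SyncCycleEnabled)
    Write-Host ("Effective interval : {0}" -f $scheduler.CurrentlyEffectiveSyncCycleInterval)
    Write-Host ("Next cycle (UTC)   : {0}" -f $scheduler.NextSyncCycleStartTimeInUTC)

    # Start-ADSyncSyncCycle throws if a cycle is already running, so check first
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning "A sync cycle is already in progress; not starting another one."
        return $false
    }

    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Write-Host "Delta sync started; waiting for connectors to go idle..."

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        # Get-ADSyncConnectorRunStatus returns one object per connector that is
        # currently running and nothing at all when every connector is idle.
        $running = @(Get-ADSyncConnectorRunStatus)
        if ($running.Count -gt 0) {
            # ConnectorName is assumed to be the property carrying the connector's name
            $names = ($running | ForEach-Object { $_.ConnectorName }) -join ', '
            Write-Host ("  still running: {0}" -f $names)
        }
    } while ($running.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($running.Count -gt 0) {
        Write-Warning "Timed out after $TimeoutSeconds seconds with connectors still running."
        return $false
    }
    Write-Host "Sync cycle finished."
    return $true
}

Invoke-DeltaSyncAndWait
```

Run it on the AAD Connect server in an elevated PowerShell session. The function returns $true only when a delta cycle was started and completed within the timeout, which makes it usable as a gate in a larger cutover script (for example, before running the license assignment or mailbox move that follows).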

Notes from Deployment

You need to demote any cloud users in Office 365 (if any) that hold the Global Administrator role to the normal User role, because AAD Sync will fail to take over those users even when the UPN is identical, and O365 will instead create a new user with a random number appended to the UPN.

If you come across this scenario, you have to:

#Move the affected users out of the synced OU and perform a Delta Sync
#Force Sync
Start-ADSyncSyncCycle -PolicyType Delta 

#Check to ensure that the synced users have been removed (soft-deleted) in Office 365
Get-MsolUser -ReturnDeletedUsers

UserPrincipalName                 DisplayName               isLicensed
-----------------                 -----------               ----------
adrian2737@snsntw.onmicrosoft.com Adrian                    False     


#Empty the Recycle Bin
#Note: this hard-deletes EVERY user in the recycle bin, not only the affected ones, and cannot be undone
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force 

#Move the users back into the synced OU, then force a sync again on the AAD Connect server
Start-ADSyncSyncCycle -PolicyType Delta 

#Assign the Global Administrator role ("Company Administrator" is the role name used by the MSOnline cmdlets)
Add-MsolRoleMember -RoleMemberEmailAddress adrian@aventislab.com -RoleName "Company Administrator"
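The cleanup above is avoidable if the collision is found before the first sync. The script below is an added example, not code from the original post: it lists the cloud Global Administrators (role name "Company Administrator" in MSOnline), flags those that are cloud-only (no LastDirSyncTime) and whose UPN matches an on-premises user in the OU selected for filtering, so the role can be removed or the account renamed before enabling synchronization. It assumes the MSOnline and ActiveDirectory modules are installed, that Connect-MsolService has already been run, and the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the original post): find cloud-only Global Administrators
# whose UPN collides with an on-premises user that AAD Connect is about to sync.
Import-Module MSOnline          # Connect-MsolService must have been run already
Import-Module ActiveDirectory

function Find-AdminUpnCollision {
    param(
        # Placeholder: the OU chosen under Domain and OU Filtering in AAD Connect
        [string]$SearchBase = "OU=O365Users,DC=mylab,DC=local"
    )

    # "Company Administrator" is the MSOnline name of the Global Administrator role
    $role    = Get-MsolRole -RoleName "Company Administrator"
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
               Where-Object { $_.RoleMemberType -eq 'User' }

    # Lower-cased UPNs of every on-prem user in the OU that will be exported to Office 365
    $onPremUpns = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
                  Where-Object { $_.UserPrincipalName } |
                  ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() }

    foreach ($m in $members) {
        $user = Get-MsolUser -ObjectId $m.ObjectId

        # LastDirSyncTime is empty for accounts that were created in the cloud;
        # these are the ones AAD Connect cannot take over by matching the UPN.
        $cloudOnly = -not $user.LastDirSyncTime
        $collides  = $onPremUpns -contains $user.UserPrincipalName.ToLowerInvariant()

        $action = 'OK'
        if ($cloudOnly -and $collides) {
            $action = 'Remove GA role (or rename) before enabling sync'
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            CloudOnly         = $cloudOnly
            MatchesOnPremUPN  = $collides
            Action            = $action
        }
    }
}

Find-AdminUpnCollision | Format-Table -AutoSize
```

Run it from a workstation that has both modules, before step 16 (starting the initial synchronization). Any row marked "Remove GA role" is an account that would otherwise end up duplicated with a random number in its UPN, exactly the situation the cleanup procedure above recovers from. Note that Microsoft has since retired the MSOnline module in favour of Microsoft Graph PowerShell; the same check can be rebuilt there, but the cmdlet names differ from the ones used on this page.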

We will continue by updating Exchange 2016 to the latest CU11 and installing the Hybrid Configuration Wizard in my next post