AD Azure Sharepoint Rights...

  • 183 Views
  • Last Post 11 November 2015
kebabfest posted this 23 October 2015

i have recently populated AdAzure with On-premises Credentials for a company.ADFS and ADConnect are doing their job well without any problems.However there has been a load of accounts already created in the cloud for online sharepoint access for a  different namespace, but used by the same users. Is there any way of mapping the rights of these already existing accounts with the syncronised on-premises directory ?I probably should have thought about this before I started, but it is only a small company and the sharepoint isnt business critical, so even if it is a manual process it won't be a major hassle.The only way I can think of doing it is adding the onpremises domain users to synched domain groups and then adding the SIDs of the cloud accounts to the SID HISTORY of the on premises accounts .Can anybody see any technical problems with this approach ?

Order By: Standard | Newest | Votes
dddugan posted this 23 October 2015

Remove the synchronized users from Azure AD. Rename the cloud users to match the on-premises users. Sync again and let soft-matching connect them for you.

Cheers.

 

show

kebabfest posted this 23 October 2015

Thanks for this. Is there a clean way of removing the synchronised users ? I read somewhere that de selecting the ous and then trying to reselect them could cause problems?




show

kebabfest posted this 23 October 2015

I have moved the users to unsynched ous and this looks to work. Ill do the changes on the test accounts and then re add to the synched ou. Thanks for pointing me in the right direction.




show

dddugan posted this 23 October 2015

Glad to hear it. I’d have to double-check, but the last time I did this I had to ensure the on-premises users had the mail attribute set for soft matching to

work. In that case the cloud users were for Exchange Online, and there was no Exchange or hybrid on-premises. So don’t panic if the export fails to match the first time!

Darin

 

show

kebabfest posted this 03 November 2015

Unfortunately it looks like I can't change the cloud users to the target domain accounts as it is already part of a federated trust. Now I have tried going down the path of populating the ImmutableID using the ObjectGUID of the Active Directory account (This is the SourceAnchor) without success. What am I missing ? (At this stage quite a lot of hair !!)


show

kebabfest posted this 11 November 2015

Right I am 90% there now I reckon. I was able to rename the accounts as soon as I changed the Domain from Federated to Standard. Removed the users from the synched ou.Renamed the cloud users to the correct UPN. Put the users back in the synched OU and then it synches fine.Now the only problem is that when I apply an Office365 License it creates a mailbox on the target side and so screws up mail delivery back to the source forest.So how can I remove the mail part of the cloud account ? Once I have this piece working I am comfortable enough to batter on with this migration...... 


show

kebabfest posted this 11 November 2015

Got there. On the User Side you can go the Licenses for the user and unselect the Exchange Online License only which leaves all the other services unaffected (SharePoint.OneDrive etc.)  Mail delivery back to the source still works. and now when I migrate the user all I have to do is re-assign the license and it should work without any other problems.


show

Close