How to set up Azure Sync and OneDrive


Preparation

Enable AD Recycle Bin

Make sure all staff are members of an “All Staff” group and that the group sits in an OU that is included in the sync to Azure AD. (Do the same for pupils with their own group.)

Ensure no user has the above group set as their primary group; everyone’s primary group should remain “Domain Users”. Azure AD Connect reads group membership from the group’s member attribute, which does not include primary-group members, so anyone whose primary group is “All Staff” would be missed by the sync and by the licence assignment.

Ensure all users have BOTH a User logon name (the UPN) AND a User logon name (pre-Windows 2000) (the sAMAccountName) in AD (Account tab).

  1. The user logon name suffix should match the Office 365 email domain, NOT the on-premises AD domain.
  2. To make the Office 365 domain available as a suffix, open Active Directory Domains and Trusts.
  3. Right-click the top-level node -> Properties.
  4. On the UPN Suffixes tab, add the domain here:

Go into Active Directory Users and Computers and change everyone’s UPN suffix to the Office 365 domain (Account tab).
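As an added example (not part of the original guide), the following PowerShell checks the preparation steps above for every user in the OU that will be synced, and then does the UPN suffix change for the whole OU at once instead of one account at a time. The OU path, the group name and the Office 365 domain are placeholders to replace with the school’s own values.

```powershell
# Added example, not from the original guide. Placeholders (assumptions): the synced OU,
# the "All Staff" group name and the Office 365 domain. Run as a domain admin with the AD module.
Import-Module ActiveDirectory

$SearchBase     = 'OU=Staff,DC=school,DC=local'   # OU that Azure AD Connect will sync (assumption)
$StaffGroup     = 'All Staff'                      # licensing group from the steps above
$CloudSuffix    = 'school.org'                     # Office 365 email domain (assumption)
$DomainUsersRid = 513                              # well-known RID of Domain Users

$members = Get-ADGroupMember -Identity $StaffGroup -Recursive |
           Select-Object -ExpandProperty SamAccountName

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID

$report = foreach ($u in $users) {
    $issues = @()

    if ($members -notcontains $u.SamAccountName) {
        $issues += "not a member of '$StaffGroup'"
    }
    # Primary group membership is stored in the user's primaryGroupID, not in the group's
    # member attribute, so Azure AD Connect never sees it. It must stay Domain Users (RID 513).
    if ($u.primaryGroupID -ne $DomainUsersRid) {
        $issues += "primary group RID is $($u.primaryGroupID), expected $DomainUsersRid (Domain Users)"
    }
    # The pre-Windows 2000 logon name (sAMAccountName) is mandatory in AD; the UPN is not.
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
        $issues += 'no User logon name (UPN)'
    } elseif (($u.UserPrincipalName -split '@')[1] -ne $CloudSuffix) {
        $issues += "UPN suffix is '$(($u.UserPrincipalName -split '@')[1])', expected '$CloudSuffix'"
    }

    if ($issues) {
        [pscustomobject]@{ User = $u.SamAccountName; Issues = ($issues -join '; ') }
    }
}

$report | Format-Table -AutoSize -Wrap

# Bulk UPN suffix change (the Users & Computers step above, for the whole OU at once).
# Add the suffix in Active Directory Domains and Trusts first so it also appears in the GUI.
# -WhatIf previews the change; remove it to apply.
$users | Where-Object { $_.UserPrincipalName -notlike "*@$CloudSuffix" } | ForEach-Object {
    Set-ADUser -Identity $_ -UserPrincipalName ($_.SamAccountName + '@' + $CloudSuffix) -WhatIf
}
```

Run it once with -WhatIf in place and work through the report until it is empty; only then remove -WhatIf and run it again, because the UPN is what Azure AD uses as the sign-in name once the sync starts.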

Once Azure AD Connect syncs on-premises AD to Azure AD, the on-premises proxyAddresses attribute becomes authoritative and any aliases that exist only in Office 365 are overwritten. So you need to export the aliases from Office 365 and import them INTO Active Directory before the first sync:

HOW TO - Add proxy addresses to multiple accounts.docx

NOTE: Moving forward, all alias and password changes must be made ON PREM; changes made in the cloud are overwritten on the next sync.
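As an added example (not part of the original guide or the referenced .docx), this is one way to copy the Office 365 aliases into the on-prem proxyAddresses attribute before the first sync. It assumes a CSV export path and that UPNs already match between AD and Office 365 (the suffix step above), since the UPN is what pairs the two accounts.

```powershell
# Added example, not from the original guide or the referenced .docx. It copies the
# Office 365 aliases into the on-prem proxyAddresses attribute before the first sync.
# Assumptions: the export CSV path, and that UPNs already match between AD and Office 365
# (the suffix step above), since that is the key used to pair the accounts.
#
# Step 1, in Exchange Online PowerShell (run once, separately):
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited |
#       Select-Object UserPrincipalName, @{ n = 'EmailAddresses'; e = { $_.EmailAddresses -join ';' } } |
#       Export-Csv 'C:\temp\aliases.csv' -NoTypeInformation
#
# Step 2, on a domain-joined machine with the AD module:
Import-Module ActiveDirectory
$CsvPath = 'C:\temp\aliases.csv'   # output of step 1 (assumption)

foreach ($row in Import-Csv -Path $CsvPath) {
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$($row.UserPrincipalName)'" -Properties proxyAddresses
    if (-not $user) {
        Write-Warning "No AD user with UPN $($row.UserPrincipalName); skipping"
        continue
    }

    # Keep only the SMTP entries from the cloud (drop SIP:, SPO:, X500: and similar).
    # Exchange convention: one upper-case 'SMTP:' primary, lower-case 'smtp:' for aliases.
    $cloud  = @($row.EmailAddresses -split ';' | Where-Object { $_ -match '^smtp:' })  # -match ignores case
    $onPrem = @($user.proxyAddresses | Where-Object { $_ })

    # Merge by address (addresses are case-insensitive). Cloud entries are added last, so
    # where the same address exists on both sides the cloud decides whether it is primary.
    $merged = [ordered]@{}
    foreach ($entry in ($onPrem + $cloud)) {
        if ($entry -match '^smtp:(.+)$') { $merged[$Matches[1].ToLowerInvariant()] = $entry }
        else                             { $merged[$entry] = $entry }   # non-SMTP values kept unchanged
    }

    # If the cloud has a primary, demote every other 'SMTP:' to 'smtp:' so only one primary remains.
    $primary = $cloud | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    $final = @(foreach ($v in $merged.Values) {
        if ($primary -and $v -cmatch '^SMTP:' -and $v -ne $primary) { 'smtp:' + $v.Substring(5) } else { $v }
    })

    # -Replace writes the whole attribute; -WhatIf previews, remove it to apply.
    if ((($onPrem | Sort-Object) -join '|') -cne (($final | Sort-Object) -join '|')) {
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]]$final } -WhatIf
    }
}
```

The merge is done by address rather than by exact string so that an address already present on-prem as an alias is not added a second time as the primary; the script keeps whatever non-SMTP entries are already in AD and only ever writes a single upper-case SMTP: value per user.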

All users should have a complex password (minimum 8 characters, using at least 3 character sets).

Bypass MFA @ School – The cheapest way is to purchase a Microsoft 365 A3 for Students licence (it includes Azure AD Premium P1, which the trusted IPs feature requires), then go to Multi-Factor Authentication > Service Settings and add the school’s external IP address as a /32 to the trusted IP (bypass) list. The licence does not need to be assigned to anyone and this works with the one-month trial; we’re waiting to see what happens when the trial expires! Bear in mind that a trusted IP skips MFA for every sign-in from that address, including anyone on guest Wi-Fi or any other device behind the school’s NAT, so list only the school’s own egress address and never a wider range.


Azure Sync Setup

Download and install Azure AD Connect on the server from here: https://www.microsoft.com/en-us/download/details.aspx?id=47594

When you get to this point, click “Customize” and follow the screenshots:


After clicking Exit above, you can check the status of the sync by opening the “Synchronization Service Manager”:
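As an added example (not part of the original guide), this is the scripted equivalent of the Synchronization Service check above: it reports the scheduler state, starts a delta sync rather than waiting for the next scheduled cycle, and polls until every connector run has finished. It uses only the ADSync module that the Azure AD Connect installer puts on the server and has no placeholders.

```powershell
# Added example, not from the original guide: the scripted equivalent of checking the sync
# in Synchronization Service Manager. Run on the Azure AD Connect server, where the ADSync
# module is installed by the Azure AD Connect setup.
Import-Module ADSync

# Scheduler state: whether the automatic cycle is enabled, when the next one runs,
# and whether one is running right now.
Get-ADSyncScheduler |
    Format-List SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC, CurrentlyEffectiveSyncCycleInterval

# Start a delta sync now instead of waiting for the next scheduled cycle.
# Start-ADSyncSyncCycle refuses to run while another cycle is in progress, so check first.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already running; waiting for it instead of starting a new one.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}

# Poll until no connector has a run in progress. Get-ADSyncConnectorRunStatus returns one
# object per connector that is still running and nothing at all when everything is idle.
do {
    Start-Sleep -Seconds 10
    $running = @(Get-ADSyncConnectorRunStatus)
    if ($running.Count -gt 0) { Write-Host "Still running: $($running.Count) connector run(s)" }
} while ($running.Count -gt 0)

Write-Host 'Sync cycle finished. Review the run history in Synchronization Service Manager for errors.'
```

A finished cycle is not the same as a clean one: the loop only tells you the connectors are idle, so still open the run history in Synchronization Service Manager (or the Azure AD Connect Health blade) to look for export errors such as duplicate proxyAddresses or UPNs before assigning licences.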

Once synced, you can set up licence assignment based on the groups. Go to https://aad.portal.azure.com/ and select “Groups”:

For each group that was synchronised, click the group, then Licenses, then Assignments:

The staff group needs the staff licence and the pupils group needs the student licence.

To avoid any conflicts, run this PowerShell command. It sets every user’s mail attribute to their pre-Windows 2000 logon name at the email domain (replace DC=test,DC=net in -SearchBase with the school’s local domain and test.net in the ForEach-Object block with the email domain). It overwrites any existing mail value, so add -WhatIf to Set-ADUser to preview the changes first:


Import-Module ActiveDirectory

# Set mail = <pre-Windows 2000 logon name>@<email domain> for every user under the search base.
Get-ADUser -Filter * -SearchBase 'DC=test,DC=net' |
    ForEach-Object { Set-ADUser -Identity $_ -EmailAddress ($_.SamAccountName + '@test.net') }


Open Azure AD Connect again: