Hello,

I’m in the early planning / testing phase of preparing to migrate our staff from on-prem DC’s & Exchange 2013 to MS365 and Exchange Online.

Looking to have a hybrid AD solution in the end so authentication can occur on premise using our DC’s, and when off-net they can use AzureAD. I believe the AzureAD Sync Tool will assist with 2-way synchronization so account records are kept up to date.

We have around 100 staff, that will be migrated, and we’ll be setting up a domain alias because our on-prem domain was a “.local” domain.

Has anyone gone through this sort of process before, if so what was your experience like?

Were there any gotcha’s or major issues that you came across?

After completing your migration, was there something you wish you knew at the beginning that would have saved you time?

Thanks in advance for any feedback.

  • xubu@infosec.pub
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    Currently in hybrid situation. 65k+ users, two main forests.

    A lot of things. -What is your auth strategy? How do you want users to log in? You said you want to use local dc auth but you have three different ways of doing it: password hash sync, pass thru auth, or federation (typically adfs). (Don’t do federation though, I really don’t recommend it).

    -make sure your users user principal names match their email addresses. In most cases when MS asks a user for email for their username, they are asking for their upn. It’ll be easier on everyone when their upn and email match.

    -what is your two factor strategy? If you don’t have one, maybe look at Microsoft’s offering. This may sway your auth strategy slightly.

    -look at Azure Cloud Sync first before Azure AD Connect. They both perform the same function -synchronizing on prem objects in AD to AAD. Cloud sync is where MS wants to go but it’s not feature parity with AAD Connect. Likely would guess you’d end up with AADConnect

    -We are currently doing Exchange migrations to Azure now. And it’s going I guess. It’s not easy, particularly with the sync side of things. I don’t have a lot to say here except I know it’s a massive process for us. I only see parts of it. GPOs, conditional access, adjusting in our MDM solutions to work with migrated mailboxes, etc.

    -Use dynamic licensing groups where you can. Makes app on boarding easier.

    I could go on for days. Looking back I really wish I had banged the drum to do password hash sync. Federation domains into Azure feels pretty bad in a lot of ways and only helpful in a small subset of others. I expect you’d do seamless sso too, to make using m365 apps easy.

    • fouloleron@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Password hash sync is definitely worth it. I also agree on the subject of UPN matching email address. I’ve got some legacy apps that cause all kinds of problems if we change a UPN, and I have a mixture of users where their UPN is definitely not their email address - and that’s just something I have to explain over and over again.