I recently worked on a project migrating a global company that owned a number of businesses; they wanted to break down the barriers between the different brands and all collaborate under a new brand in Office 365.
I synchronized a number of forests from around the world into the organization’s Office365 tenant using the new Azure Active Directory synchronization tool.
One of the businesses (Business A) shared their Exchange Server with another business (Business B), and to migrate their mailboxes I implemented an Exchange Hybrid and migrated the mailboxes into Exchange Online.
Business A's Active Directory was authoritative for Business B's mailboxes. So how do we disjoin them from Business A and synchronize them with Business B, so that Business B can perform identity management on their own Active Directory forest?
So the following steps explain how to do this. This can of course be scripted if there were hundreds or thousands of users.
- Run this command on the Business B Active Directory forest to obtain each user's ImmutableID (the objectGUID; ldifde prints it base64-encoded, which is the form the ImmutableID needs). The -r switch takes an LDAP filter, so the user is selected like this:
ldifde -f con -r "(userPrincipalName=email@example.com)" -l objectGUID
- Then, in the AAD sync tool, stop synchronizing the users from Business B.
- This will delete the user accounts in Office 365; go to the Office 365 recycle bin and restore each user's account. This also converts the account to a cloud identity.
- Then run this command in the 'Windows Azure Active Directory Module for Windows PowerShell' to set the cloud user's ImmutableID so that it matches the objectGUID obtained in step 1:
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableID I3/MGNcBbUWWVs+jXPTH4g==
- Finally, there are some attributes that we need to match from each user's account in the Business A Active Directory forest to the corresponding account in the Business B Active Directory.
- Now we are ready to sync the OU with the AAD tool from Business B, and the Business B Active Directory will be the authoritative Active Directory forest for these mailboxes.
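As an added example (not from the original post), here is a scripted version of steps 1 and 4 for a whole OU: it reads each user's objectGUID from the Business B forest, derives the ImmutableID from it, checks it against the current cloud value and only writes where they differ. It assumes the ActiveDirectory and MSOnline modules are installed, that you have already run Connect-MsolService, that each user's UPN is the same on-premises and in the tenant, and the OU path is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory and
# MSOnline modules, an existing Connect-MsolService session, and matching UPNs.
Import-Module ActiveDirectory
Import-Module MSOnline

$OU     = 'OU=Business B Users,DC=businessb,DC=example'   # placeholder OU path
$DryRun = $true                                          # report only until set to $false

# ImmutableID is the base64 encoding of the on-premises objectGUID bytes; this is
# the same value ldifde prints for objectGUID after the "::" base64 marker.
function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

$report = foreach ($adUser in Get-ADUser -SearchBase $OU -Filter *) {
    $expected = ConvertTo-ImmutableId $adUser.ObjectGUID
    $cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue

    if (-not $cloud) {
        # Account was not restored from the recycle bin (step 3) or the UPN differs.
        [pscustomobject]@{ UPN = $adUser.UserPrincipalName; Status = 'NotInTenant'; Expected = $expected; Current = $null }
        continue
    }

    if ($cloud.ImmutableId -eq $expected) {
        $status = 'AlreadyMatched'
    } elseif ($DryRun) {
        $status = 'WouldUpdate'
    } else {
        # Only works once the account is a cloud identity; a still-synced account rejects the change.
        Set-MsolUser -UserPrincipalName $cloud.UserPrincipalName -ImmutableId $expected
        $status = 'Updated'
    }

    [pscustomobject]@{ UPN = $cloud.UserPrincipalName; Status = $status; Expected = $expected; Current = $cloud.ImmutableId }
}

# Review the report before flipping $DryRun, then re-run to apply the changes.
$report | Format-Table -AutoSize
```

Run it once with $DryRun left at $true and check that every row is AlreadyMatched or WouldUpdate before applying; any NotInTenant rows point at accounts that still need restoring from the recycle bin or whose UPN does not match.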