Azure AD to On-Premise AD Migration: Implementing Bidirectional Sync with DirSync/FIM

When transitioning from a pure Azure AD environment to a hybrid model with on-premise Active Directory as the authoritative source, you're essentially reversing Microsoft's standard cloud-first synchronization flow. The key challenge lies in the initial object provisioning while maintaining existing Azure AD attributes.

  • Windows Server with AD DS role installed (2012 R2 or later recommended)
  • Azure AD Connect installation with DirSync components
  • Global Administrator privileges in Azure AD
  • Enterprise Administrator rights in on-premise AD

Here's how to perform the initial synchronization from Azure AD to on-premise:

# PowerShell snippet to prepare your environment
Import-Module ADSync
# Connector names: the Azure AD connector is "<tenant>.onmicrosoft.com - AAD",
# the on-premises connector is named after the forest (replace the placeholder)
$AzureADConnector = Get-ADSyncConnector | Where-Object {$_.Name -like "* - AAD"}
$OnPremConnector  = Get-ADSyncConnector | Where-Object {$_.Name -eq "corp.example.com"}  # placeholder forest name

# Verify connector configuration
$AzureADConnector | Select-Object Name, ConnectedSystem, ConnectorType

The MIISClient.exe approach you mentioned is indeed viable for advanced scenarios:

  1. Open MIISClient from the Sync Service installation path
  2. Navigate to Management Agents and create a new one for Azure AD
  3. Set the direction to "Import" from Azure AD
  4. Configure attribute flow rules to match your schema

Use this XML snippet as a template for your synchronization rules:

<synchronizationRule>
  <sourceAnchor attribute="objectGUID"/>
  <attributeFlow type="direct">
    <source attribute="userPrincipalName"/>
    <target attribute="userPrincipalName"/>
  </attributeFlow>
  <attributeFlow type="expression">
    <source expression='IIF(IsPresent([displayName]), [displayName], [givenName] + " " + [surname])'/>
    <target attribute="displayName"/>
  </attributeFlow>
</synchronizationRule>

After the initial sync completes, you'll need to:

  • Verify object linkage using Get-MSOLUser -All | Where-Object {$_.DirSyncEnabled -eq $true}
  • Configure ongoing delta synchronization
  • Test password hash synchronization
  • Validate group membership preservation

If you encounter soft matching failures, use this diagnostic command:

# Check for unmatchable objects
Get-ADSyncCSObject -ConnectorName "yourAzureADConnector" | 
Where-Object {$_.DisconnectorReason -eq "NoMatchFound"} | 
Select-Object DisplayName, ObjectType, DistinctAttributeValue

When transitioning from cloud-first Azure AD to an on-premise Active Directory while maintaining Office 365 integration, we face a unique synchronization paradox: Azure AD doesn't natively support object write-back for standard user accounts. Here's how to architect the solution.

Essential Tools:
- Azure AD Connect (formerly DirSync)
- Microsoft Identity Manager (MIM) 2016 SP2
- Optional: PowerShell for custom attribute mapping

1. Prepare the Sync Infrastructure:
Install Azure AD Connect with staging mode enabled. Configure the basic settings without enabling sync:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

2. Implement MIM for Bidirectional Sync:
Deploy MIM 2016 SP2 with the Azure AD connector. Configure management agents:

<Configuration>
  <MaData name="AAD">
    <ExportFlowType>Update</ExportFlowType>
    <ImportFlowType>FullImport</ImportFlowType>
  </MaData>
</Configuration>

Create explicit mappings for critical attributes to prevent sync collisions:

// Sample MIM synchronization rule
SyncRule {
  Source = "AAD",
  Target = "AD",
  Precedence = 100,
  RelationshipType = "Join",
  Conditions = [
    {SourceAttribute = "objectId", TargetAttribute = "msDS-cloudAnchor"}
  ],
  FlowRules = [
    {Source = "userPrincipalName", Target = "userPrincipalName"},
    {Source = "proxyAddresses", Target = "proxyAddresses"}
  ]
}

Password Hash Sync:
Enable password writeback in Azure AD Connect before initiating user migration:

# Password hash sync flows from the on-premises connector to the Azure AD connector;
# both connector names are required (placeholders shown)
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "corp.example.com" -TargetConnector "tenant.onmicrosoft.com - AAD" -Enable $true

Group Policy Migration:
Export Azure AD conditional access policies and translate them to GPOs:

Get-MsolDeviceRegistrationPolicy | Export-Clixml .\AADPolicies.xml

Implement the following PowerShell validation checks:

# LDAP filter avoids PowerShell parsing issues with the hyphenated attribute name
$SyncedUsers = @(Get-ADUser -LDAPFilter "(msDS-cloudAnchor=*)")
$AADUsers = @(Get-MsolUser -All)

# A raw count comparison also counts cloud-only accounts, so treat a mismatch as a prompt to investigate
if ($SyncedUsers.Count -ne $AADUsers.Count) {
  Write-Warning "Sync count mismatch detected: $($SyncedUsers.Count) anchored AD users vs $($AADUsers.Count) Azure AD users"
}
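As an added example that is not part of either answer: a count comparison cannot tell which objects failed to link, so this function reconciles each on-premises user with Azure AD the way Azure AD Connect matches them (hard match when the cloud ImmutableId equals Base64 of the on-premises objectGUID, otherwise soft match on UPN). The user objects and domain are constructed placeholders, and the state names are my own, not Azure AD Connect's.

```powershell
# Added example: reconcile on-premises AD users against Azure AD users.
# Pass the output of Get-ADUser -Properties ObjectGUID,UserPrincipalName and
# Get-MsolUser -All for real data; constructed sample objects are used below.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect anchors a user with Base64 of the objectGUID byte array
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Compare-HybridIdentity {
    param(
        [Parameter(Mandatory)]$AdUsers,   # objects with ObjectGUID, UserPrincipalName
        [Parameter(Mandatory)]$AadUsers   # objects with ImmutableId, UserPrincipalName
    )
    $byImmutableId = @{}
    $byUpn = @{}
    foreach ($u in $AadUsers) {
        if ($u.ImmutableId) { $byImmutableId[$u.ImmutableId] = $u }
        $byUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u
    }
    foreach ($ad in $AdUsers) {
        $expected = Get-ExpectedImmutableId -ObjectGuid $ad.ObjectGUID
        $upn = $ad.UserPrincipalName.ToLowerInvariant()
        # State names are assumptions for this example, not product terminology
        if ($byImmutableId.ContainsKey($expected)) { $state = 'HardMatch' }
        elseif (-not $byUpn.ContainsKey($upn))    { $state = 'NoMatchFound' }
        elseif ($byUpn[$upn].ImmutableId)          { $state = 'AnchorConflict' }  # cloud object anchored to a different GUID
        else                                       { $state = 'SoftMatch' }       # UPN agrees, cloud object never anchored
        [pscustomobject]@{
            UserPrincipalName   = $ad.UserPrincipalName
            ExpectedImmutableId = $expected
            State               = $state
        }
    }
}

# Constructed sample data (placeholder GUIDs and domain, not real tenant objects)
$guidA = [guid]'11111111-2222-3333-4444-555555555555'
$guidB = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$adSample = @(
    [pscustomobject]@{ ObjectGUID = $guidA; UserPrincipalName = 'alice@corp.example.com' },
    [pscustomobject]@{ ObjectGUID = $guidB; UserPrincipalName = 'bob@corp.example.com' },
    [pscustomobject]@{ ObjectGUID = [guid]::NewGuid(); UserPrincipalName = 'carol@corp.example.com' }
)
$aadSample = @(
    [pscustomobject]@{ ImmutableId = (Get-ExpectedImmutableId $guidA); UserPrincipalName = 'alice@corp.example.com' },
    [pscustomobject]@{ ImmutableId = $null; UserPrincipalName = 'bob@corp.example.com' }
)
# alice -> HardMatch, bob -> SoftMatch, carol -> NoMatchFound
Compare-HybridIdentity -AdUsers $adSample -AadUsers $aadSample | Format-Table
```

Users reported as NoMatchFound are the ones to inspect with the Get-ADSyncCSObject query from the first answer; an AnchorConflict means the cloud object is already hard-matched to another GUID and will not soft match.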

Configure monitoring for the sync infrastructure:

# Create scheduled task for sync health checks
$Trigger = New-ScheduledTaskTrigger -Daily -At 3am
$Action = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-File C:\Scripts\SyncMonitor.ps1"
Register-ScheduledTask -TaskName "AD Sync Monitor" -Trigger $Trigger -Action $Action