This post is a product of a project I completed a few weeks ago. In my conversations with Microsoft, it was stated that this is pretty much the worst scenario to have in Azure, especially if Azure is already in production and being used.
How did we get here?
This is the first big question, because Azure naturally gives you an Azure Active Directory, and if everyone has their eyes on things, how do you end up with two Azure Active Directories? Well, I can tell you this: you get an Azure Active Directory with your Azure subscription, and you might get another one with your Office 365 subscription. If you started using Office 365 first, this isn't such a big deal because you can just delete the Azure one and have it relinked, but if you started using Azure first, this becomes a big deal. This is where I was. I had an Azure subscription already used for production apps, and we were going to start using Office 365. I might have just adopted the same Active Directory, but I wasn't happy with the namespace used (see my blog post on namespaces in Azure). So the decision was made to migrate Azure Active Directories.
What do you need to know?
We need to understand that Azure Active Directory is linked to everything in Azure, even if it isn't directly read from Azure Active Directory. In other words, if you are using Azure services, part of migrating Azure Active Directory will involve migrating and possibly re-configuring those services. Make sure you have the right people helping you. Also make sure you have a good inventory of what's in Azure; in larger companies it's easy to lose track of this.
- Take inventory of what's in Azure; you will need to migrate these services.
- Line up the right people with the right skills; you will need some reconfiguration when you migrate services.
- Someone who has access to your DNS to add verification records (TXT or MX)
- Developers/SMEs who can fix services once you've migrated them
- Azure SMEs
- Change your service administrators to Outlook accounts and make sure those accounts have Global Admin in both directories. Once you migrate your services you'll still need to access them, and your domain accounts will stop working when you do your migration until you re-add those accounts.
- It's a good idea to have Microsoft Premier support in case you run into issues. I ran into a bug where, when I changed my service admin account, it would change back. It took a few weeks until a hotfix was released.
- Be prepared: there will be a mix of GUI configuration as well as PowerShell. Make sure you have the Azure Active Directory PowerShell module set up and working.
- Plan this over a weekend; some of the cmdlets can take a while to complete. If you have thousands of records it will take a while to delete AAD objects and resync your Azure AD.
- Have unique accounts available for each directory. I like to use an account on the Microsoft namespace that isn't used in either domain, to make sure I am connecting to the correct default domain.
Step 1: Stop the synchronization of your existing Azure Active Directory.
When you are using Directory Sync, it's important to note that you cannot manage synchronized accounts in the cloud; that is to say, any account synchronized by Azure Active Directory Connect is read-only in Azure and can only be deleted by Azure Active Directory Connect. However, you can orphan them in the cloud by turning off synchronization, and you will want to do this so no new changes are made.
Once connected to Azure Active Directory with PowerShell, run the following cmdlet.
Set-MsolDirSyncEnabled -EnableDirSync $false
and then to verify
The cmdlet will return true or false; you are expecting it to be false before you continue. If you have thousands of objects in AAD, it might take a while to turn false.
Step 2: Delete users and groups from your existing Azure Active Directory.
Before you can delete your domain from the existing Azure Active Directory, you need to remove the existing orphaned users and groups. I had to do a bunch of searching for this because most existing instructions have you deleting one user at a time; I had 5000 users and 6000 groups. I will put the steps here, but you can read more on this in another blog entry I wrote. These cmdlets are performed in PowerShell connected to Azure Active Directory. Pay special attention to step 2.
- Get-MsolUser -All | Export-Csv C:\users.csv
- Open the CSV and remove the Microsoft accounts and global administrator accounts.
- Get-MsolGroup -All | Export-Csv C:\Groups.csv
- Import-Csv C:\Users.csv | Remove-MsolUser -Force
- Import-Csv C:\Groups.csv | Remove-MsolGroup -Force
Be patient with steps 4 and 5; it might seem like Azure AD isn't doing anything, but if you refresh your Azure AD you'll notice accounts starting to be deleted.
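The hand-edited CSV in step 2 is the point where a slip deletes your own admin accounts, so here is an added example (not from the original post) that does the same bulk removal against the old directory but protects Global Admins and an allow list programmatically. It assumes the MSOnline module is loaded and Connect-MsolService has been run against the OLD directory; the -KeepUpn and -DryRun parameters are this script's own, and the '#EXT#@' pattern is how guest (Microsoft account) UPNs appear in the tenant.

```powershell
# Added example: bulk-remove orphaned users and groups from the OLD tenant while
# keeping Global Admins and a hand-picked allow list. -KeepUpn / -DryRun are this
# script's own parameters (not MSOnline cmdlet parameters).
param(
    [string[]]$KeepUpn = @(),   # e.g. the Outlook.com admin accounts from the checklist
    [switch]$DryRun
)

# Never delete members of the Global Administrator role
# (the MSOnline module still names it "Company Administrator").
$gaRole = Get-MsolRole -RoleName 'Company Administrator'
$gaIds  = @(Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId | ForEach-Object { $_.ObjectId })

$users = @(Get-MsolUser -All | Where-Object {
    ($_.ObjectId -notin $gaIds) -and
    ($_.UserPrincipalName -notin $KeepUpn) -and
    ($_.UserPrincipalName -notlike '*#EXT#@*')   # leave Microsoft/guest accounts alone
})
$groups = @(Get-MsolGroup -All)

# Keep an audit copy of exactly what is about to go (same idea as the CSV exports above).
$users  | Export-Csv C:\users-to-delete.csv  -NoTypeInformation
$groups | Export-Csv C:\groups-to-delete.csv -NoTypeInformation
Write-Host ("{0} users and {1} groups selected; {2} Global Admin(s) protected" -f
    $users.Count, $groups.Count, $gaIds.Count)

if ($DryRun) { return }

foreach ($u in $users)  { Remove-MsolUser  -ObjectId $u.ObjectId -Force }
foreach ($g in $groups) { Remove-MsolGroup -ObjectId $g.ObjectId -Force }

# Remove-MsolUser only soft-deletes; users sitting in the recycle bin still reference
# the domain and will block Remove-MsolDomain in Step 3, so purge them as well.
Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.ObjectId -notin $gaIds } |
    ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }
```

Run it once with -DryRun and review the two CSVs before running it for real; with thousands of objects the deletion loop takes a while, exactly as the post warns.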
Step 3: Remove the Domain from your current Azure Active Directory
This step can be done either in PowerShell or through the portal. It is a necessary step, as the same internet-routable domain cannot exist in more than one Azure Active Directory at a time.
Remove-MsolDomain -DomainName contoso.com -Force
Once this step is completed, you are ready to decommission this Azure AD and start syncing users to your new Azure AD to align Azure and Office 365.
Step 4: Add Domain to your New Azure Active Directory
This step is the opposite of the previous step. You will want to be careful here and make sure you've disconnected from your existing Azure Active Directory and connected to your new one. I prefer using the GUI here, as the wizard is really good at setting you up with a TXT record; if you are on a popular DNS service it can also add the record for you.
- Connect to https://portal.azure.com
- On the left click on Azure Active Directory
- Click on Domain names
- Click Add
- Follow your nose
You will need someone who has access to your external DNS to add a TXT or MX record. For some reason I've had much better success with TXT records, and it's much less invasive: less chance of screwing up an MX record, which can affect receiving email.
The basic steps involved here are: add the domain, add the DNS record, and verify that you own the domain.
Step 5: Turn on Directory Synchronization
This step is the inverse of Step 1. Instead of setting directory sync to false, we set it to true, which allows us to connect Azure Active Directory Connect and sync our AD objects. This command tells Azure that we are going to be syncing our accounts. This is done in PowerShell.
Set-MsolDirSyncEnabled -EnableDirSync $true
and to verify; this time it should turn to true quickly, as there aren't many records in AAD at this point.
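Steps 1 and 5 both end with "verify", and Step 4 warns about being connected to the wrong directory, so here is one added example (not from the original post) that covers both: it refuses to run unless the session is on the expected tenant, polls DirectorySynchronizationEnabled until it reaches the state you asked for, and reports whether the custom domain shows as Verified. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the parameter names are this script's own.

```powershell
# Added example: confirm which directory the session is connected to, wait for DirSync
# to reach the expected state, and check the custom domain's verification status.
param(
    [Parameter(Mandatory)][string]$ExpectedInitialDomain,  # e.g. newtenant.onmicrosoft.com
    [Parameter(Mandatory)][bool]$ExpectedDirSync,           # $false after Step 1, $true after Step 5
    [string]$CustomDomain = 'contoso.com',
    [int]$TimeoutMinutes = 60
)

# Guard against running Step 1 or 5 against the wrong tenant: the initial
# *.onmicrosoft.com domain uniquely identifies the directory you are connected to.
$initial = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
if ($initial -ne $ExpectedInitialDomain) {
    throw "Connected to '$initial', expected '$ExpectedInitialDomain'. Aborting."
}

# Set-MsolDirSyncEnabled returns before the change is fully applied (the post notes it
# can take a while with thousands of objects), so poll instead of checking once.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $state = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    Write-Host ("{0:HH:mm:ss} DirectorySynchronizationEnabled = {1}" -f (Get-Date), $state)
    if ($state -eq $ExpectedDirSync) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
if ($state -ne $ExpectedDirSync) {
    throw "DirSync did not reach $ExpectedDirSync within $TimeoutMinutes minutes."
}

# Meaningful on the NEW tenant after Step 4: the custom domain should be Verified
# before you point Azure AD Connect at it, or synced UPNs will not match the domain.
$domain = Get-MsolDomain -DomainName $CustomDomain -ErrorAction SilentlyContinue
if ($domain) { Write-Host "$CustomDomain status: $($domain.Status)" }
else         { Write-Host "$CustomDomain is not present in this directory." }
```

Run it with -ExpectedDirSync $false against the old tenant after Step 1, and with -ExpectedDirSync $true against the new tenant after Step 5.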
Step 6: Setup Azure Active Directory Connect to sync your records
And finally you're done. If you prepare for this project and get everyone on board, it should easily be a success, and the big victory is that it will allow you to move forward on your Office 365 or other project that this was blocking in the first place.