There are many proven strategies for successfully migrating users to Microsoft Office 365. For small and medium-sized businesses, understanding the different identity models and tools for importing or synchronizing users in bulk can help create a less stressful transition.
Office 365 uses Azure Active Directory as its directory services back end. Depending on your requirements, there are three identity models to choose from:
Cloud identities are created in AAD and are maintained independently from on-premises user directories. This is the easiest model to deploy, but it results in two accounts for each user: one in the cloud and one on-premises.
Synchronized identities link on-premises AD domains to AAD using Azure Active Directory Synchronization Services (AAD Sync), which synchronizes on-premises accounts and password hashes to the cloud.
Federated identities are the same as synchronized identities, except that password hashes are never synchronized to the cloud, and authentication takes place against the on-premises AD. This model requires Active Directory Federation Services (AD FS) or a third-party identity management product.
When working with only a handful of users, accounts can be added manually using the Office 365 management portal. When accommodating a large number of users, use the bulk import feature.
Admins may also perform bulk imports using PowerShell. If you don’t want to use the synchronized identity model, import user account information from Active Directory into Office 365 to create user cloud identities.
There’s a sample CSV file that you can download from the portal, but before importing users remember that you shouldn’t change the order of the columns as they appear in the file. The User Name field must contain the user’s email address; otherwise, you’ll get an error. Also, create a separate CSV file for each region when users are based in different locations.
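The checks above (column order, User Name as an email address, one file per region) can be automated before anything is created in the tenant. The following is an added example, not code from the article or from Microsoft; the expected header list, the file path and the usage location are assumptions to adjust to the template you downloaded. It validates the CSV, stops on the first bad file, and only then creates cloud identities with the MSOnline module’s New-MsolUser cmdlet.

```powershell
# Added example: validate a bulk-import CSV, then create cloud identities.
# $ExpectedHeader is assumed to match the portal's sample CSV; edit if yours differs.
Import-Module MSOnline

$ExpectedHeader = @('User Name','First Name','Last Name','Display Name','Job Title',
    'Department','Office Number','Office Phone','Mobile Phone','Fax','Address',
    'City','State or Province','ZIP or Postal Code','Country or Region')

function Test-BulkImportCsv {
    param([Parameter(Mandatory)][string]$Path)
    # Column order must match the template exactly, so compare position by position.
    $actualHeader = (Get-Content -Path $Path -TotalCount 1) -split ','
    if (Compare-Object $ExpectedHeader $actualHeader -SyncWindow 0) {
        throw "Column order in '$Path' does not match the template."
    }
    $rows = Import-Csv -Path $Path
    $problems = @()
    $seen = @{}
    foreach ($row in $rows) {
        $upn = $row.'User Name'
        # The portal rejects any User Name that is not an email address.
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += "Not an email address: '$upn'"
        } elseif ($seen.ContainsKey($upn.ToLower())) {
            $problems += "Duplicate user: '$upn'"   # avoid accidental double accounts
        }
        $seen[$upn.ToLower()] = $true
    }
    if ($problems) { throw ($problems -join "`n") }
    return $rows
}

# One CSV per region, so the usage location (ISO country code) is known per file.
$Rows = Test-BulkImportCsv -Path 'C:\import\users-uk.csv'   # assumed path
Connect-MsolService   # prompts for an Office 365 administrator credential
foreach ($r in $Rows) {
    New-MsolUser -UserPrincipalName $r.'User Name' -DisplayName $r.'Display Name' `
        -FirstName $r.'First Name' -LastName $r.'Last Name' `
        -Title $r.'Job Title' -Department $r.'Department' -UsageLocation 'GB'
}
```

Run it once per regional file, changing the path and usage location each time; because validation throws before Connect-MsolService is called, a malformed file never reaches the tenant.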
To synchronize your on-premises user accounts to the cloud, download Microsoft’s free AAD Sync tool, which runs on Windows Server 2008 (or later) and requires PowerShell 3.0 (or higher) and the .NET Framework 4.5. The tool uses SQL Server Express to store identity information, but for directories with more than 100,000 objects it should point to a full Microsoft SQL Server 2008 (or later) instance.
Two accounts are required to enable synchronization: one on-premises AD account and another in the cloud. Depending on the AAD Sync features you intend to enable, you’ll need to carefully check the permissions required for the AD account.
If each AD user should be represented by a single object in the cloud, select “My users are only represented once across all forests” on the “Matching across forests” screen.
In more complex scenarios, there are several different options for representing users in the cloud. The AAD Sync tool wizard also allows you to restrict the number of AD object attributes synchronized. Ensure that the “Synchronize now” option is checked on the last screen of the wizard; otherwise, the scheduled task for synchronization will be disabled.