You need to sync an on-premises AD with Microsoft Entra ID External and then sync it with Identity as a Service.
Sync an on-premises AD with Microsoft Entra ID External
1. Use the AD Connect tool available at https://www.microsoft.com/en-us/download/details.aspx?id=47594 to port users from On-premises AD into Microsoft Entra ID.
2. When configuring Entra Connect to sync users into Microsoft Entra ID, ensure that you do the following in the Entra Connect Wizard:
a. Select Password-hash synchronization on the User sign-in page.
b. In the Azure AD sign-in configuration page, select the on-premises AD attribute that maps to UPN on Microsoft Entra ID from the User Principal Name drop-down list.
c. In the Uniquely identifying your users page, do the following:
– Select Users are only represented once across all forests. This ensures that all users are created as individual objects in Microsoft Entra ID.
– Under Select how users should be identified with Azure AD, select A specific attribute and then select ObjectGUID from the drop-down list.
d. In the Optional features page, select Password synchronization and Password writeback.
3. Use PowerShell to run AD Connect commands to initiate the sync operation between on-premises AD and Microsoft Entra ID.
a. Disable the scheduler by running the following command:
Set-ADSyncScheduler -SyncCycleEnabled $false
b. Initiate a full sync cycle by entering the following command:
Start-ADSyncSyncCycle -PolicyType Initial
4. Use the Azure AD Synchronization Services to confirm the synchronization operations. When the Services reports a Success status, go to the Azure AD portal at https://portal.azure.com to verify the changes.
5. Return to PowerShell and run the following command to re-enable the scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $true
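The following script is an added example, not part of the original procedure or of the Entra Connect tooling. It runs steps 3 to 5 as one sequence on the Entra Connect server: it pauses the scheduler, starts the Initial cycle, polls Get-ADSyncScheduler until no cycle is in progress, and only then re-enables the scheduler, so a delta cycle cannot start while the full cycle is still running. It assumes the ADSync module is installed and the session is elevated; the timeout value is an assumption.

```powershell
# Added example (not from the original documentation). Assumes the ADSync
# module is available on the Entra Connect server and the session is elevated.
Import-Module ADSync

function Invoke-InitialSync {
    param([int]$TimeoutMinutes = 60)   # assumed upper bound; adjust to directory size

    # Step 3a: pause the built-in scheduler so it cannot start a delta cycle
    # while the full (Initial) cycle is running.
    Set-ADSyncScheduler -SyncCycleEnabled $false

    # Step 3b: start a full import/sync/export cycle.
    Start-ADSyncSyncCycle -PolicyType Initial

    # Step 4: poll until the scheduler reports that no cycle is in progress.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $state = Get-ADSyncScheduler
        Write-Host ("{0:HH:mm:ss} SyncCycleInProgress={1}" -f (Get-Date), $state.SyncCycleInProgress)
    } while ($state.SyncCycleInProgress -and (Get-Date) -lt $deadline)

    if ($state.SyncCycleInProgress) {
        # Leave the scheduler disabled so an operator can inspect the run in
        # Synchronization Service Manager before anything else starts.
        throw "Initial sync cycle did not finish within $TimeoutMinutes minutes; scheduler left disabled."
    }

    # Step 5: re-enable the scheduler only after the cycle has completed.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}

Invoke-InitialSync
```

Confirm the run in the Azure AD Synchronization Services console (step 4) before trusting the output; the script only checks that the cycle has stopped, not that every connector step succeeded.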
Note: If an on-premises AD user has a mail attribute that differs from the userPrincipalName attribute, the samAccountName attribute may change when synced to Microsoft Entra ID, which could result in unexpected Identity as a Service userIDs. Review and resolve any such issues before you sync an on-premises AD with Microsoft Entra ID.
Attention: When performing the AD Connect operation, each user is automatically assigned a Microsoft ImmutableID that allows O365 SAML authentication. The value is equal to the on-premises AD objectGUID. When syncing an on-premises AD with Microsoft Entra ID, do not map objectGUID to O365 ImmutableID on the User Defined Attributes tab. Instead, manually copy the value from the results of the following PowerShell command into each user's O365 ImmutableID field and save it:
Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName | Select OnPremisesImmutableId,UserPrincipalName
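The following script is an added example and is not part of the original documentation or of Entrust or Microsoft tooling. It serves both the Note above (mail differing from UPN) and the Attention block: for each on-premises user it computes the value Entra Connect stores as OnPremisesImmutableId when objectGUID is the source anchor (the Base64 encoding of the GUID's 16 raw bytes), compares it with what Get-MgUser returns for the same UPN, and flags users whose mail attribute differs from their UPN. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, a Graph account with User.Read.All, and the search base shown, which is a placeholder.

```powershell
# Added example (not from the original documentation). Assumes the
# ActiveDirectory and Microsoft.Graph.Users modules are installed and that
# Connect-MgGraph succeeds with User.Read.All.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"

function Get-ExpectedImmutableId {
    param([guid]$ObjectGuid)
    # With objectGUID as the source anchor (step 2c), Entra Connect writes the
    # Base64 of the GUID's 16 raw bytes as the cloud OnPremisesImmutableId.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-SyncedIdentity {
    param([string]$SearchBase)   # placeholder OU, e.g. "OU=Users,DC=corp,DC=example"

    # Index cloud users by UPN so each on-premises user costs one lookup.
    $cloud = @{}
    Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName |
        ForEach-Object { $cloud[$_.UserPrincipalName.ToLower()] = $_.OnPremisesImmutableId }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail,userPrincipalName | ForEach-Object {
        $upn      = $_.UserPrincipalName
        $expected = Get-ExpectedImmutableId -ObjectGuid $_.ObjectGUID
        $actual   = if ($upn) { $cloud[$upn.ToLower()] } else { $null }
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            UserPrincipalName   = $upn
            ExpectedImmutableId = $expected
            CloudImmutableId    = $actual
            AnchorMatches       = ($actual -eq $expected)
            # The Note above: a mail value that differs from the UPN is worth
            # resolving before the Identity as a Service userIDs are created.
            MailDiffersFromUpn  = [bool]($_.mail -and $upn -and ($_.mail -ne $upn))
        }
    }
}

# Show only the users that need attention before values are copied into
# the O365 ImmutableID field in Identity as a Service.
Test-SyncedIdentity -SearchBase "OU=Users,DC=corp,DC=example" |
    Where-Object { -not $_.AnchorMatches -or $_.MailDiffersFromUpn } |
    Format-Table -AutoSize
```

A row with AnchorMatches equal to False usually means the user has not synced yet, synced under a different UPN, or was created in the cloud before Entra Connect ran; resolve those before copying any ImmutableID values by hand.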