I'm in the early planning / testing phase of preparing to migrate our staff from on-prem DCs and Exchange 2013 to MS365 and Exchange Online.
Looking to have a hybrid AD solution in the end so authentication can occur on-premises using our DCs, and when off-net they can use AzureAD. I believe the AzureAD Sync Tool will assist with 2-way synchronization so account records are kept up to date.
We have around 100 staff that will be migrated, and we'll be setting up a domain alias because our on-prem domain was a ".local" domain.
Has anyone gone through this sort of process before, if so what was your experience like?
Were there any gotchas or major issues that you came across?
After completing your migration, was there something you wish you knew at the beginning that would have saved you time?
I hate running in hybrid. I can't wait to shut down our local DCs and go entirely Azure AD.
Managing users, groups, devices, policies... Is all so much easier directly in Azure/365 admin tools.
You can manage a lot right from the Admin app on your phone.
You don't have to join new PCs to the network. You can ship a new laptop directly to a user and they log in to it at setup using their 365 login, and it joins your cloud domain. It's a PITA to get a PC joined to the domain to join the cloud/hybrid, and it doesn't offer as much control over the device.
I also love that you can join Android devices to your domain the same way! Manage users, apps, wifi connections, remote wipe/lock. GPS tracking. Remote reboot or play lost alarm sound. It's slick.
Currently in a hybrid situation. 65k+ users, two main forests.
A lot of things.
- What is your auth strategy? How do you want users to log in?
You said you want to use local DC auth, but you have three different ways of doing it: password hash sync, pass-through auth, or federation (typically ADFS). (Don't do federation though, I really don't recommend it.)
- Make sure your users' user principal names match their email addresses. In most cases when MS asks a user for an email for their username, they are asking for their UPN. It'll be easier on everyone when their UPN and email match.
- What is your two-factor strategy? If you don't have one, maybe look at Microsoft's offering. This may sway your auth strategy slightly.
- Look at Azure Cloud Sync first before Azure AD Connect. They both perform the same function: synchronizing on-prem objects in AD to AAD. Cloud Sync is where MS wants to go, but it doesn't have feature parity with AAD Connect. I'd guess you'd likely end up with AAD Connect.
- We are currently doing Exchange migrations to Azure now. And it's going, I guess. It's not easy, particularly with the sync side of things. I don't have a lot to say here except I know it's a massive process for us. I only see parts of it. GPOs, conditional access, adjusting our MDM solutions to work with migrated mailboxes, etc.
- Use dynamic licensing groups where you can. Makes app onboarding easier.
I could go on for days. Looking back, I really wish I had banged the drum to do password hash sync. Federating domains into Azure feels pretty bad in a lot of ways and is only helpful in a small subset of others. I expect you'd do seamless SSO too, to make using M365 apps easy.
Password hash sync is definitely worth it. I also agree on the subject of UPN matching email address. I've got some legacy apps that cause all kinds of problems if we change a UPN, and I have a mixture of users where their UPN is definitely not their email address - and that's just something I have to explain over and over again.
If you've never done this before, you may want to hire an outside consultant. I've done a million of these migrations, and there can be issues, and MS support sucks these days.
That said, broad overview: first step is installing Azure AD Connect and syncing to your 365 tenant.
Second step is updating UPN suffixes to match your public domain.
Third step is installing the Hybrid Wizard on your Exchange server and doing a test migration.
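The UPN-matches-email point raised earlier in the thread, and the "update UPN suffixes" step just above, both come down to the same pre-migration check. The script below is an added example, not anything posted in this thread; it assumes the RSAT ActiveDirectory module, a placeholder public domain of contoso.com, and that this suffix has already been added to the forest under Active Directory Domains and Trusts.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and that the public domain (placeholder contoso.com) is already registered
# as a UPN suffix in the forest.
Import-Module ActiveDirectory

$PublicDomain = 'contoso.com'   # placeholder: replace with your verified M365 domain

# Refuse to run if the suffix is not registered; Set-ADUser would otherwise
# happily write a UPN that AAD Connect then flags as unverified.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    throw "UPN suffix '$PublicDomain' is not registered in forest $($forest.Name)."
}

# Every enabled user that has a mail attribute, with the fields needed to compare.
$users = Get-ADUser -Filter 'Enabled -eq $true -and mail -like "*"' `
                    -Properties mail, userPrincipalName, proxyAddresses

$report = foreach ($u in $users) {
    # Primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix;
    # fall back to the mail attribute when proxyAddresses is empty.
    $primary = ($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.userPrincipalName
        PrimarySmtp    = $primary
        Matches        = ($u.userPrincipalName -ieq $primary)
    }
}

# Report first; review this list before changing anything.
$mismatched = $report | Where-Object { -not $_.Matches }
$mismatched | Format-Table -AutoSize
"$($mismatched.Count) of $($report.Count) users have a UPN that does not match their primary SMTP address."

# Optional remediation, limited to addresses in the public domain.
# -WhatIf only previews the change; remove it to apply.
foreach ($m in $mismatched | Where-Object { $_.PrimarySmtp -like "*@$PublicDomain" }) {
    Set-ADUser -Identity $m.SamAccountName -UserPrincipalName $m.PrimarySmtp -WhatIf
}
```

Keep -WhatIf in place until the mismatch list has been checked against anything keyed on the old UPN, since, as noted above, legacy apps can break when a UPN changes.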