What you are looking for is SMTP matching: http://support.microsoft.com/kb/2641663

Typically the way AD -> O365 sync works is that a unique identity value is created for each user in AD, then the user is pushed to O365. Updates are performed using the identity value to match the accounts.

SMTP matching tells the DirSync tool to initially match based on the primary SMTP address. Further syncs are accomplished using the identity value.

Also, make sure you read this, as it includes how to change the authority of your directory: Directory synchronization and source of authority


I don't believe Microsoft currently has a solution for what you're looking for. As you've mentioned, this is the opposite of a typical Office 365 deployment.

In the longer-term, the Azure Active Directory Premium edition with the announced, but not yet available, "Identity Synchronization Tool" with "advanced write-back capabilities" (see http://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B312) might do what you want, but I get the feeling that this doesn't exactly exist yet.

You could code something up with the Azure Active Directory PowerShell Module to dump data out of your Azure tenant AD and provision users in your own Active Directory, but I cannot imagine that you're going to get password hashes back out of Azure. That's going to leave a sticky problem of passwords.

Microsoft is, ultimately, who needs to be supporting you on this. I'd engage with sales and support to determine the best way to achieve your business goals, rather than knocking together some awful one-off that ends up doing more harm than good.


Been asking this same question myself. Here's the approach I took:

So I did the standard setup of the server. Provisioned in Azure and installed Active Directory Domain Services.

Then I used this tool: http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx

Of course, that doesn't work for me because none of my users are in AD!

So I did more research, and came across this: Migrate user accounts from Azure AD to on-premise AD?

Using the second answer, I was able to export from Azure and import into AD.

A word of warning: On the first go, I broke authentication. But that seems to be because I set up DirSync/SSO and ADFS before I imported. All of the accounts I imported are blocked, so every time DirSync runs, it blocks my accounts in Azure. So I recommend you start with this process:

1) Add two accounts to your AD.
- One to your local AD, the one on your server.
- One to your Azure AD that ISN'T part of your Office 365 subscription. Use your .onmicrosoft.com domain. Give it admin over your AD.

2) Set up Azure Active Directory PowerShell, and make sure you have regular Active Directory PowerShell: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx

3) Connect your MSOL using the Azure AD account you created.

4) Perform the export from Azure AD in the guide linked earlier.

5) Perform the import into your local AD, per the same guide.

6) Verify your accounts.

This is where I'm still figuring it out myself. The above should answer your question over how to transfer the users. But now, as for setting up SSO and DirSync, I can't direct you. But I used AD Connect and that seems like it's going to do the trick for me. But make sure you learn how to undo what it does! I managed to break authentication for almost an hour while I figured it out!

Good luck! Let me know how your project goes, and I'll let you know how mine does.
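The following script is an added example and is not code from any of the answers above or from the linked Microsoft guide. It strings together what the second answer sketches (dump users with the Azure AD PowerShell module, provision them on-premises, accept that passwords cannot come back) and steps 3 to 6 of the third answer, and it creates the on-premises accounts enabled so the first DirSync / Azure AD Connect run soft-matches them on the primary SMTP address (the SMTP matching described in the first answer) instead of blocking them. The OU distinguished name, the CSV path and the MSOnline module name are assumptions, not values from the page.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline

# Hypothetical values, not from the page: adjust to your environment.
$TargetOu  = 'OU=Users,DC=corp,DC=example,DC=com'
$ExportCsv = 'C:\migration\aad-users.csv'

# Steps 3 and 4: sign in with the cloud-only *.onmicrosoft.com admin and export
# every user that is not already synced (synced users carry an ImmutableId).
Connect-MsolService

Get-MsolUser -All |
    Where-Object { -not $_.ImmutableId } |
    Select-Object UserPrincipalName, DisplayName, FirstName, LastName,
        @{ n = 'PrimarySmtp';    e = { ($_.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:' } },
        @{ n = 'ProxyAddresses'; e = { $_.ProxyAddresses -join ';' } } |
    Export-Csv -Path $ExportCsv -NoTypeInformation

# Azure AD never hands back password hashes, so each new on-prem account gets a
# random password and a forced reset at first logon.
function New-RandomPassword {
    param([int]$Length = 20)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 gives mixed case and digits; the suffix guarantees a symbol.
    return ([Convert]::ToBase64String($bytes)).Substring(0, $Length) + '!1'
}

# Step 5: create the accounts ENABLED. A disabled on-prem account syncs to Azure
# AD as a blocked account, which is the breakage the third answer describes.
Import-Csv $ExportCsv | ForEach-Object {
    $upn = $_.UserPrincipalName
    $sam = $upn.Split('@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }  # sAMAccountName limit

    if (Get-ADUser -Filter "userPrincipalName -eq '$upn'") {
        Write-Warning "$upn already exists in AD, skipping"
        return
    }

    $name = if ($_.DisplayName) { $_.DisplayName } else { $sam }
    $params = @{
        Name                  = $name
        SamAccountName        = $sam
        UserPrincipalName     = $upn
        Path                  = $TargetOu
        AccountPassword       = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    # Soft matching keys off the primary SMTP address: mail and proxyAddresses
    # in AD must equal what the cloud object already has.
    if ($_.FirstName)   { $params.GivenName    = $_.FirstName }
    if ($_.LastName)    { $params.Surname      = $_.LastName }
    if ($_.PrimarySmtp) { $params.EmailAddress = $_.PrimarySmtp }
    $proxies = @($_.ProxyAddresses -split ';' | Where-Object { $_ })
    if ($proxies.Count -gt 0) { $params.OtherAttributes = @{ proxyAddresses = $proxies } }

    New-ADUser @params
}

# Step 6: verify the match keys before the first Azure AD Connect run. After
# that run, the cloud ImmutableId should equal the base64 objectGUID below.
Import-Csv $ExportCsv | ForEach-Object {
    $ad = Get-ADUser -Filter "userPrincipalName -eq '$($_.UserPrincipalName)'" -Properties mail
    $expectedId = $null
    if ($ad) { $expectedId = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray()) }
    [pscustomobject]@{
        Upn                 = $_.UserPrincipalName
        MailMatchesCloud    = ($ad -and $ad.mail -eq $_.PrimarySmtp)
        ExpectedImmutableId = $expectedId
        CloudImmutableId    = (Get-MsolUser -UserPrincipalName $_.UserPrincipalName).ImmutableId
    }
} | Format-Table -AutoSize
```

Run the export and import before installing DirSync or Azure AD Connect, as the third answer recommends; SMTP matching only applies to cloud objects whose ImmutableId is still empty, so the verification table should show CloudImmutableId blank before the first sync and equal to ExpectedImmutableId after it. The script hands out random passwords because, as the second answer notes, password hashes cannot be exported from Azure AD; plan a password-reset communication for users.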