Office 365 Connector: How to handle existing accounts?

Hi,

our company uses Office 365 / Microsoft 365 for e-mail, calendar and contacts (and for offline Office stuff). My current challenge is to provide Azure AD with our S/MIME certificates. According to »S/MIME for message signing and encryption in Exchange Online«, these are the necessary steps:

  1. Publish the user certificate in an on-premises AD DS account in the UserSMIMECertificate and/or UserCertificate attributes.
  2. For Exchange Online organizations, synchronize the user certificates from AD DS to Azure Active Directory by using an appropriate version of Azure AD Connect. These certificates will then get synchronized from Azure Active Directory to Exchange Online directory and will be used when encrypting a message to a recipient.

As getting a local AD synced to Azure AD is no trivial task, I tried the Office 365 connector. Ideally, when linked up, the UCS AD should match local and remote user accounts by their primaryMailAddress, but I know that’s just a dream :slight_smile: .

Yesterday, I installed the Office 365 Connector and got it all up and running. SSO is nice but not a must-have in my use case, as our UCS is only reachable internally and thus error-prone if the connection gets lost for any reason.

I tested the login with a new test account and it worked flawlessly. But then I tried using my personal account (which also is an O365 admin account and the admin account I used for setting up the connector) and Microsoft complained about not finding my account in the directory. I don’t have the exact error message as I panicked a little bit and tried to rollback the connection. Thanks to Remove Office365 Connection for the necessary instructions. Luckily, I was still logged in with my personal account so I could create another admin account on our (now) primary domain to disable the connection. That stuff is dangerous :laughing:.

So, is there a way to connect both ADs and still be able to log in with our existing accounts? If SSO is required for it to work, then so be it, but the important part is how to get existing accounts on both sides linked up.

Best regards from Hoppegarten-Hönow,
Masin

Mastodon
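Step 1 of the Microsoft procedure quoted in the post (publishing the user certificate into the on-premises AD DS account) is where most S/MIME-to-Exchange-Online setups go wrong, so here is an added example of doing it with a few sanity checks; it is not code from the original post, from Univention or from Microsoft. It assumes the RSAT ActiveDirectory module, write access to the user object, and the public certificate as a `.cer` file (never the `.pfx`); the account name `jdoe` and the path `C:\certs\jdoe-smime.cer` are placeholders. It writes only `userCertificate` (DER X.509); `userSMIMECertificate`, which the quoted step also mentions, is normally filled by Outlook's "Publish to GAL" with a PKCS#7 container rather than a bare DER blob, so it is left alone here.

```powershell
# Added example (not from the original post): publish a user's S/MIME
# encryption certificate into on-premises AD DS so that Azure AD Connect
# can synchronise it to Azure AD / Exchange Online.
# Assumptions: RSAT ActiveDirectory module, rights to write the user
# object, public certificate in a .cer file (DER or Base64), no private key.
Import-Module ActiveDirectory

function Publish-SmimeCertificate {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $CertificatePath
    )

    # Load the public certificate; the constructor accepts DER or Base64 .cer.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)

    # Checks a practitioner wants before anything lands in the directory:
    # never publish a file that carries a private key, never an expired cert,
    # and make sure it is actually usable for Secure Email (EKU 1.3.6.1.5.5.7.3.4).
    if ($cert.HasPrivateKey) { throw "Refusing to publish a certificate file that contains a private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is expired." }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.4')) {
        throw "Certificate $($cert.Thumbprint) lacks the Secure Email EKU."
    }

    # userCertificate takes the raw DER encoding of the X.509 certificate.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

    # The attribute is multi-valued: -Add keeps existing values (e.g. an older
    # cert still needed to decrypt old mail), -Replace would wipe them all.
    Set-ADUser -Identity $SamAccountName -Add @{ userCertificate = $der }

    # Verify by reading the attribute back and comparing thumbprints rather
    # than trusting that the write succeeded.
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    $published = $user.userCertificate | ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$_)).Thumbprint
    }
    if ($published -notcontains $cert.Thumbprint) {
        throw "userCertificate on $SamAccountName does not contain $($cert.Thumbprint) after write."
    }
    return $cert.Thumbprint
}

# Placeholder account and path; replace with real values.
Publish-SmimeCertificate -SamAccountName 'jdoe' -CertificatePath 'C:\certs\jdoe-smime.cer'
```

After the write, the quoted step 2 still applies: on the Azure AD Connect server a `Start-ADSyncSyncCycle -PolicyType Delta` triggers the sync instead of waiting for the next scheduled cycle, and `Get-Mailbox jdoe | Select-Object UserCertificate` in Exchange Online PowerShell shows whether the value arrived on the cloud side. Note that this whole path assumes Azure AD Connect, which is exactly what the post is trying to avoid with the UCS Office 365 Connector; the example only shows what the directory side of the Microsoft procedure needs to contain.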