Michael Pietrzak

New Friend (or an Old Friend who Built a New Account)
Posts: 86
#1
I am reading, training with Pluralsight, and watching tons of youtube videos on all things Azure, Azure AD and O365.

I am confused about where user accounts are located: Azure, Azure Active Directory or O365? I found a video where a gentleman explains how to create a tenant in O365 and manages users in the Office 365 Admin Center.

In another video, the demonstrator sets up an Azure tenant and uses the Azure AD Connector to his Office 365 tenant.

And what about Azure AD DS? When and why would I want this versus Azure AD?

I am trying to set this up in a lab at home. I have the free trial to Azure in place. No tenant for Azure or O365 yet.

If I have a fictional business with on-premises Active Directory (my home lab), what pieces do I need to get my on-prem users into O365 and Azure?

I want to learn topics like setting up VMs for my on-prem business, setting up blob storage for backups, single sign-on, etc.

Any thoughts would be greatly appreciated.

Mike Pietrzak


Still Checking the Forum Out
Posts: 4
#2
Hi Michael,

The thing to remember is Azure AD is a separate database of users. It can be synchronized with your on-prem AD (users/passwords); when you do that, it becomes an extension of your on-prem identities (but both remain separate databases). To set synchronization up you need to install Azure AD Connect on a server in your on-prem environment. Azure AD Connect keeps track of changes in both databases (password changes, new users).

Here is what I used for testing single sign-on (SSO):
  • Set up synchronization from on-prem AD to Azure AD (see above)
  • Set up DropBox SSO through the Azure AD Enterprise Application (You can get a 30-day free evaluation for DropBox for Business)
  • Verify you can access your DropBox account using SSO (either with the client you can install on a VM, or just by going to and see if you're automatically logged in)

Azure AD DS is an offering where Azure installs/configures/maintains two domain controllers in the cloud. If you have a site-to-site VPN connection (or ExpressRoute, etc.) with your Azure tenant, you can then join machines to this domain just as you would if your DCs were on-prem. (After they are built you would need to set your DNS to point to these DCs, obviously, so you could join VMs to this domain, users could authenticate to the DCs, etc.) With this offering, however, you don't have full access to the domain controllers (you can't log into them directly, Microsoft patches them automatically, etc.). You access Group Policies, ADUC, etc., through a separate domain-joined machine (either on-prem or in the cloud; your choice). It costs around $110 per month for up to 25,000 users right now.
Benefits: Highly available solution for authentication; you don't need on-prem DCs; and the management part (patching) is taken care of by Azure

All this can be a bit daunting when you're trying to learn it; I've been doing just that for the last year or so myself. I still have a lot of learning to do.

I love PluralSight. (John Savill is my favorite instructor and he has some great videos on YouTube you should watch if you haven't already regarding Azure.) I'm currently going through the Azure videos myself. I got my AZ-103 in July and am now working towards getting my AZ-500.

I hope this helps bridge some knowledge gaps. You are not alone in the struggle. Keep it up and you'll be very glad you did!


Michael Pietrzak

New Friend (or an Old Friend who Built a New Account)
Posts: 86
#3
Thanks Roger!

This is very helpful! The folks over in the sysadmin group on Reddit have been helpful as well. Several folks there trying to learn this tech so it seems to be a common theme.

This thread helped me a great deal...

Michael Pietrzak

New Friend (or an Old Friend who Built a New Account)
Posts: 86
#4
So hypothetically... I have a business that makes widgets. I have registered the domain name. We have on-prem AD and a simple website.

The boss wants to move services to Azure. Okay, do I create the O365 tenant first or the Azure tenant?

At what point do I implement the Azure AD connect to sync my users to Azure etc?

Michael Pietrzak

New Friend (or an Old Friend who Built a New Account)
Posts: 86
#5
Can anyone tell me if I have on-premises AD now, do I create the O365 tenant or the AD tenant first?

I have received wildly different answers.


Associate Troublemaker Apprentice
Posts: 940
#6


You can create them at any stage you like.
The different stages bring in slightly different issues but we can discuss them as we go.
In an ideal world, on-prem AD, then create a tenant and then sync with Azure AD Connect.
You'll need to deal with UPNs.
So let's assume on-prem is as follows:
Domain is bigco.local
Email is
Username joe.bloggs@bigco.local
Username bigco\joe.bloggs
Email address is

Cloud tenant is
When we sync Joe to the cloud, what will happen to his UPN/login?
If we have done nothing so far it will be
Cloud name

How, in O365/ AAD do we make it

I will answer this, but you need to think a little.
I'll offer the following Domains and Trusts and an addition.
If you get this yourself then you get an additional q about it all... joking, ask away.

If you have an MCP and work for an MS partner, you should be able to get Azure Credit for free!
Or try here

Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
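The UPN problem described in the post above (on-prem users carrying a non-routable `bigco.local` suffix, which Azure AD Connect would sync as-is) is usually handled by registering a routable UPN suffix in the forest and rewriting the users' UPNs before the first sync. The following is an added PowerShell example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, the forest name `bigco.local` from the post, and a placeholder verified domain `bigco-verified.example` that must be replaced with the domain actually verified in the tenant.

```powershell
# Added example (not from the thread): give on-prem users a routable UPN
# suffix before Azure AD Connect syncs them, so the cloud login does not
# end up as joe.bloggs@bigco.local.
Import-Module ActiveDirectory

$ForestName     = 'bigco.local'            # forest name used in the post
$VerifiedDomain = 'bigco-verified.example' # PLACEHOLDER: the domain verified in your tenant

# 1. Register the suffix on the forest. This is the PowerShell equivalent of
#    adding an alternative UPN suffix in Active Directory Domains and Trusts.
$forest = Get-ADForest -Identity $ForestName
if ($forest.UPNSuffixes -notcontains $VerifiedDomain) {
    Set-ADForest -Identity $ForestName -UPNSuffixes @{ Add = $VerifiedDomain }
}

# 2. Find the users that still carry the non-routable suffix.
$nonRoutable = Get-ADUser -Filter "UserPrincipalName -like '*@$ForestName'" `
                          -Properties UserPrincipalName
$nonRoutable | Select-Object SamAccountName, UserPrincipalName | Format-Table

# 3. Rewrite only the suffix; the prefix (joe.bloggs) is kept so the user's
#    cloud login matches the on-prem one. -WhatIf reports the change without
#    applying it; remove it once the report in step 2 looks right.
foreach ($user in $nonRoutable) {
    $prefix = $user.UserPrincipalName.Split('@')[0]
    Set-ADUser -Identity $user -UserPrincipalName "$prefix@$VerifiedDomain" -WhatIf
}

# 4. On the Azure AD Connect server, push the change with a delta sync
#    (ADSync module, installed with Azure AD Connect):
#    Start-ADSyncSyncCycle -PolicyType Delta
```

The suffix must already be verified in the tenant, otherwise Azure AD will fall back to the tenant's default `onmicrosoft.com` name for that user; checking the step 2 report before removing `-WhatIf` keeps service accounts or other users that should not be renamed out of the change.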
Michael Pietrzak

New Friend (or an Old Friend who Built a New Account)
Posts: 86
#7
Thanks again for this! My Azure training has slowed but I hope to get back into it after the crazy holidays.

Merry Christmas and happy new year everyone!
