Merge pull request #224539 from billmath/migrate1

Migrate1

Author: v-stsavell

articles/active-directory/cloud-sync/TOC.yml

@@ -14,7 +14,7 @@
     href: tutorial-single-forest.md
   - name: Integrate an existing forest and a new forest with a single Azure AD tenant
     href: tutorial-existing-forest.md
-  - name: Pilot cloud sync for an existing synced AD forest 
+  - name: Migrate to Azure AD Connect cloud sync for an existing synced AD forest 
     href: tutorial-pilot-aadc-aadccp.md
 
 
@@ -54,6 +54,8 @@
       href: how-to-sso.md
     - name: Directory extensions and custom attributes
       href: custom-attribute-mapping.md
+    - name: Migrate from Azure AD Connect
+      href: migrate-azure-ad-connect-to-cloud-sync.md
   - name: Plan and design
     items:
     - name: Topologies and scenarios for Azure AD Connect cloud sync

articles/active-directory/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md

@@ -0,0 +1,97 @@
+---
+title: 'Migrate Azure AD Connect to Azure AD Connect cloud sync| Microsoft Docs'
+description: Describes steps to migrate Azure AD Connect to Azure AD Connect cloud sync.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.topic: overview
+ms.date: 01/17/2023
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+
+# Migrating from Azure AD Connect to Azure AD Connect cloud sync
+
+Azure AD Connect cloud sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD.  It uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application.  If you're currently using Azure AD Connect and wish to move to cloud sync, the following document provides guidance.
+
+## Steps for migrating from Azure AD Connect to cloud sync
+
+
+
+|Step|Description|
+|-----|-----|
+|Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you.  You can do this task by going through the wizard [here](https://setup.microsoft.com/azure/add-or-sync-users-to-microsoft-365).|
+|Verify the pre-requisites for migrating|The following guidance is only for users who have installed Azure AD Connect using the Express settings and aren't synchronizing devices.  Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).|
+|Back up your Azure AD Connect configuration|Before making any changes, you should back up your Azure AD Connect configuration.  This way, you can role-back.  For more information, see [Import and export Azure AD Connect configuration settings](../hybrid/how-to-connect-import-export-config.md).|
+|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial.  This tutorial guides you through the migration process in a sandbox environment.|
+|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.|
+|Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now.  Before continuing, let Azure AD Connect pick up the changes so that it's synchronizing them in the new OU.| 
+|Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU.  </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`|
+|Stop the scheduler|Before creating new sync rules, you need to stop the Azure AD Connect scheduler.  For more information, see [how to stop the scheduler](../hybrid/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
+|Create the custom sync rules|In the Azure AD Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously.  The inbound sync rule is a join rule with a target attribute of cloudNoFlow.  You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True.  For more information, see [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.|
+|Install the provisioning agent|If you haven't done so, install the provisioning agent.  For more information, see [how to install the agent](how-to-install.md).|
+|Configure cloud sync|Once the agent is installed, you need to configure cloud sync.  In the configuration, you need to create a scope to the OU that was created or identified previously.  For more information, see [Configuring cloud sync](how-to-configure.md).|
+|Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal.  You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name.  This number should match the count of users in the previous step.  If you create a new user in this OU, verify that it's being provisioned.|
+|Start the scheduler|Now that you've verified users are provisioning and synchronizing, you can go ahead and start the Azure AD Connect scheduler.   For more information, see [how to start the scheduler](../hybrid/how-to-connect-sync-feature-scheduler.md#start-the-scheduler).
+|Schedule you remaining users|Now you should come up with a plan on migrating more users.  You should use a phased approach so that you can verify that the migrations are successful.|
+|Verify all users are provisioned|As you migrate users, verify that they're provisioning and synchronizing correctly.|
+|Stop Azure AD Connect|Once you've verified that all of your users are migrated, you can turn off the Azure AD Connect synchronization service.  Microsoft recommends that you leave the server is a disabled state for a period of time, so you can verify the migration was successful
+|Verify everything is good|After a period of time, verify that everything is good.|
+|Decommission the Azure AD Connect server|Once you've verified everything is good you can use the steps below to take the Azure AD Connect server offline.|
+
+
+
+
+
+
+## Verify Users script
+```PowerShell
+# Filename:    VerifyAzureUsers.ps1
+# Description: Counts the number of users in Azure that have a specific on-premises distinguished name.
+#
+# DISCLAIMER:
+# Copyright (c) Microsoft Corporation. All rights reserved. This 
+# script is made available to you without any express, implied or 
+# statutory warranty, not even the implied warranty of 
+# merchantability or fitness for a particular purpose, or the 
+# warranty of title or non-infringement. The entire risk of the 
+# use or the results from the use of this script remains with you.
+#
+#
+#
+#
+
+
+Connect-AzureAD -Confirm
+
+#Declare variables
+
+$Users = Get-AzureADUser -All:$true -Filter "DirSyncEnabled eq true"
+$OU = "OU=Sales,DC=contoso,DC=com"
+$counter = 0
+
+#Search users
+
+foreach ($user in $Users) {
+    $test = $User.ExtensionProperty
+    $DN = $test["onPremisesDistinguishedName"]
+    if ($DN -match $OU)
+	{
+	$counter++
+	}
+}
+
+Write-Host "Total Users found:" + $counter
+
+```
+## More information 
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+- [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) 
+``

articles/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp.md

@@ -1,46 +1,47 @@
 ---
-title: Tutorial - Pilot Azure AD Connect cloud sync for an existing synced AD forest
+title: Tutorial - Migrate to Azure AD Connect cloud sync for an existing synced AD forest
 description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
 services: active-directory
 author: billmath
 manager: amycolannino
 ms.service: active-directory
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 01/18/2023
+ms.date: 01/23/2023
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 
-# Pilot cloud sync for an existing synced AD forest
+# Migrate to Azure AD Connect cloud sync for an existing synced AD forest
 
-This tutorial walks you through piloting cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
+This tutorial walks you through how you would migrate to cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.  
+
+> [!NOTE]
+> This article provides information for a basic migration and you should review the [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
 
 ![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
 
 ## Considerations
 
 Before you try this tutorial, consider the following items:
 
-1. Ensure that you're familiar with basics of cloud sync.
-
-1. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented. 
-
-1. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.
+ 1. Ensure that you're familiar with basics of cloud sync.
+ 2. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.
+ 3. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.  
 
     - User objects, the objects in Azure AD are soft-deleted and can be restored. 
     - Group objects, the objects in Azure AD are hard-deleted and can't be restored. 
-    
-    A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.
+ 
+     A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.
 
-1. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.
+ 4. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.
 
    > [!NOTE]
    > Azure AD Connect sync does not populate *ms-ds-consistencyGUID* by default for group objects.
 
-1. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.
+ 5. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.
 
 ## Prerequisites
 
@@ -55,6 +56,9 @@ The following are prerequisites required for completing this tutorial
 
 As a minimum, you should have [Azure AD connect](https://www.microsoft.com/download/details.aspx?id=47594) 1.4.32.0. To update Azure AD Connect sync, complete the steps in [Azure AD Connect: Upgrade to the latest version](../hybrid/how-to-upgrade-previous-version.md).  
 
+## Back up your Azure AD Connect configuration
+Before making any changes, you should back up your Azure AD Connect configuration.  This way, you can role-back.  See [Import and export Azure AD Connect configuration settings](../hybrid/how-to-connect-import-export-config.md) for more information.
+
 ## Stop the scheduler
 
 Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations won't run while you're working making the changes. To stop the scheduler, use the following steps: