How Do I Import Users From Microsoft 365?

Background

Nerdio is tightly integrated with Microsoft 365, which relies on Microsoft Entra ID. Nerdio Active Directory is regularly synchronized with Microsoft Entra ID using the Microsoft Entra Connect tool that is installed on DC01.

All Microsoft 365 and other Microsoft Cloud services rely on Microsoft Entra ID for identity information. Users (the identity objects) are independent of Microsoft 365 services (e.g. Exchange Online). A user in Microsoft Entra ID may or may not have a Microsoft 365 license assigned.

There are two types of users in Microsoft Entra ID:

  1. "In Cloud" users – these users were created directly in the Microsoft 365 admin portal and are not synchronized with Active Directory. In Cloud users have an object property called ImmutableID (not visible in admin portal, PowerShell only) that is null. In Cloud users often get created first during initial migration into Microsoft 365 before there is a requirement to synchronize with an existing Active Directory. These users can be edited in Microsoft 365 Admin Portal.
  2. "Synced with Active Directory" users – these objects were created in an on-premises AD and synced to Microsoft Entra ID. The ImmutableID object property for these users is set to a unique ID generated based on the AD GUID. These objects cannot be modified directly in Microsoft 365 Admin Portal and have to be managed in the AD where they were created and from which they are being synced.

Common on-boarding situation

It is very common for a new Nerdio customer to be already using Microsoft 365. This typically means that the customer has "In Cloud" Microsoft Entra ID users with Microsoft 365 licenses assigned to them. When a new Nerdio account is provisioned and linked to an existing Microsoft 365 tenant, any users that are added to Nerdio using Nerdio Admin Portal (NAP) will also be added to Microsoft Entra ID as "Synced with Active Directory" and can only be modified in Nerdio. Existing "In Cloud" Microsoft Entra ID users will be visible in the Users module in NAP, but must be imported one at a time or in bulk to be synchronized with Nerdio AD and managed via NAP.

 

The table below shows how M365 user fields are mapped to Nerdio AD user fields:

| Nerdio AD fields | M365 fields |
|---|---|
| City | City |
| State | State |
| Title | Title |
| Street | StreetAddress |
| Postal | PostalCode |
| Office | Office |
| UserUPN | UserPrincipalName |
| DisplayName | DisplayName |
| Faxnumber | Fax |
| WorkNumber | PhoneNumber |
| MobileNumber | MobilePhone |
| FirstName | FirstName (if 'FirstName' is empty then the first word of 'DisplayName') |
| LastName | LastName (if 'LastName' is empty then the second word of 'DisplayName') |
| UserName | part of 'UserPrincipalName' preceding '@' |
| PrimaryEmail | if primary proxy is not empty then the part of primary proxy following 'SMTP:', otherwise 'UserPrincipalName' (primary proxy is an element of 'ProxyAddresses' starting with 'SMTP:') |
| AdditionEmail | parts of additional proxies following ':' (additional proxies are elements of 'ProxyAddresses' starting with 'smtp:') |
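
The mapping rules in the table, applied to one user record, as an added example that is not Nerdio's code. The dict layout and the sample record are assumptions constructed for illustration; only the field names and fallback rules come from the table.

```python
# Straight copies from the table: Nerdio AD field -> M365 field.
DIRECT = {
    "City": "City", "State": "State", "Title": "Title", "Office": "Office",
    "Street": "StreetAddress", "Postal": "PostalCode", "Faxnumber": "Fax",
    "WorkNumber": "PhoneNumber", "MobileNumber": "MobilePhone",
    "UserUPN": "UserPrincipalName", "DisplayName": "DisplayName",
}

def map_m365_to_nerdio(user):
    """Apply the table's mapping to one user dict (layout is an assumption)."""
    out = {nerdio: user.get(m365) or "" for nerdio, m365 in DIRECT.items()}
    upn = user["UserPrincipalName"]
    words = (user.get("DisplayName") or "").split()
    proxies = user.get("ProxyAddresses") or []

    # Fall back to the first/second word of DisplayName when a name is empty.
    out["FirstName"] = user.get("FirstName") or (words[0] if words else "")
    out["LastName"] = user.get("LastName") or (words[1] if len(words) > 1 else "")
    out["UserName"] = upn.split("@", 1)[0]

    # The prefix is case-sensitive: 'SMTP:' marks the primary proxy,
    # 'smtp:' an additional one. Other proxy types (SIP:, X500:) are ignored.
    primary = next((p for p in proxies if p.startswith("SMTP:")), "")
    out["PrimaryEmail"] = primary[len("SMTP:"):] if primary else upn
    out["AdditionEmail"] = [p.split(":", 1)[1] for p in proxies
                            if p.startswith("smtp:")]
    return out

# Constructed sample record, not real data.
SAMPLE_USER = {
    "UserPrincipalName": "jdoe@example.com",
    "DisplayName": "Jane Doe",
    "FirstName": "",
    "LastName": None,
    "StreetAddress": "1 Main St",
    "PhoneNumber": "555-0100",
    "ProxyAddresses": ["SMTP:jane.doe@example.com",
                       "smtp:jdoe@example.com",
                       "SIP:jdoe@example.com"],
}

if __name__ == "__main__":
    for field, value in map_m365_to_nerdio(SAMPLE_USER).items():
        print(f"{field}: {value}")
```
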

 


A brief FAQ about the Other Microsoft Entra ID users section

Q: Which users are shown in the Other Microsoft Entra ID users section?
A: Users that are not synced with Active Directory on DC01.

Q: When is the Import button shown and not shown for a user?
A: The Import button is shown for a user if the user is not synced, has a domain from the account domains list, and is not an external user (does not have #EXT# in the username).

Q: Which users are shown/not shown when the "Show all users" setting is turned on/off?
A: When the "Show all users" setting is turned off, we display only users available for import.


When importing a Microsoft Entra ID user to Nerdio AD, NAP will create a matching user account in Nerdio AD and trigger a synchronization with Microsoft Entra ID. This will perform an SMTP Match (aka soft-match) and will convert the existing "In Cloud" user in Microsoft Entra ID to one that’s "Synced with Active Directory". At this point all changes to this user object must be performed in Nerdio and they will be automatically synced to Microsoft Entra ID.

Nerdio Tip
  • When the user is imported, the password is reset. The user will need to be notified of the new password and will need to update all connected mobile devices to use the new password.
  • IMPORTANT: The procedure above only applies if the existing user objects are "In Cloud". If users have been previously synced with another Active Directory and are therefore marked as "Synced with Active Directory" in Microsoft 365 Admin Portal, then you should consult this article to turn these users to "In Cloud" status again before importing.
  • In order to import a user from Microsoft 365 into Nerdio, the domain of the user's email address must be one of the ones listed in the Onboard>Domains screen. Users that have the @tenant.onmicrosoft.com domain cannot be imported since that's not a valid Active Directory domain.
  • You will not be able to import Microsoft Entra ID users that are assigned to one or more host pools. You must first unassign the host pool(s), import the user, and then assign the user to the host pool again.
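
A pre-import triage that applies the conditions from the FAQ and the tips above to a list of exported user records, as an added example that is not Nerdio's code. The record layout, the hypothetical `HostPools` key and the sample users are assumptions constructed for illustration.

```python
def import_blockers(user, account_domains):
    """Return the reasons a user cannot be imported (empty list = importable)."""
    reasons = []
    upn = user["UserPrincipalName"].lower()
    domain = upn.rsplit("@", 1)[-1]
    if user.get("ImmutableID"):          # null for "In Cloud" users
        reasons.append("synced with another AD (ImmutableID is set)")
    if "#ext#" in upn:
        reasons.append("external user (#EXT# in username)")
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("onmicrosoft.com is not a valid AD domain")
    elif domain not in account_domains:
        reasons.append("domain not listed in Onboard>Domains")
    if user.get("HostPools"):            # hypothetical key: assigned host pools
        reasons.append("assigned to host pool(s); unassign first")
    return reasons

def triage(users, account_domains):
    """Map each UPN to its list of blockers."""
    domains = {d.lower() for d in account_domains}
    return {u["UserPrincipalName"]: import_blockers(u, domains) for u in users}

# Constructed sample data, not real accounts.
SAMPLE_DOMAINS = ["example.com"]
SAMPLE_USERS = [
    {"UserPrincipalName": "alice@example.com", "ImmutableID": None},
    {"UserPrincipalName": "bob@example.com", "ImmutableID": "PLACEHOLDER-ID"},
    {"UserPrincipalName": "carol_partner.test#EXT#@tenant.onmicrosoft.com"},
    {"UserPrincipalName": "dave@tenant.onmicrosoft.com"},
    {"UserPrincipalName": "erin@example.com", "HostPools": ["pool-1"]},
    {"UserPrincipalName": "frank@other.test"},
]

if __name__ == "__main__":
    for upn, reasons in triage(SAMPLE_USERS, SAMPLE_DOMAINS).items():
        print(upn, "->", "ready to import" if not reasons else "; ".join(reasons))
```

Every user reported as ready will have their password reset on import, so the same list doubles as the set of people to notify.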

 

Domain federation

Once Nerdio AD and Microsoft Entra ID users are matched, the domain can be federated with Nerdio. Federating a domain enables ADFS for that domain and makes Nerdio AD (DC01) authoritative for all authentication requests. When a user logs in to Microsoft 365, if the domain portion of the username is one that’s federated, the authentication request will be forwarded to Nerdio ADFS services.

To federate a domain whose user objects were matched with Microsoft 365, go to Onboard->Domains and select "Convert to federated" from the action menu. The process will take a few minutes and, once complete, user authentication requests will be forwarded to https://adfsXXXX.nerdio.net (where XXXX is the Nerdio Account ID).

IMPORTANT: When importing users via Bulk User Add using a CSV file, NAP does not perform username uniqueness validation against Microsoft Entra ID. Therefore, be careful to not add users that are already part of Microsoft Entra ID (Microsoft 365). Use the import AD user functionality on the Users module instead.
