The disaster I had gave me some good pointers regarding how one should configure and use their Office 365 tenant and on-premises AD together.
Here’s some suggestions:
- Always use a separate “in cloud” global admin account for directory synchronization. In case you lose your synced admin accounts, you’ll still have another admin that can recover the rest.
- Whenever it becomes possible (WIP as of Preview 2), set up an accidental deletion threshold with a very low value, such as 2. You most likely only delete 1 user at a time, if at all. Come to think of it, I’ve never deleted any user, I always disable them.
- Don’t use multiple filtering mechanisms, e.g. OU filtering combined with group filtering.
- Once the sync is set up, take extra caution when modifying the filters, moving users between OUs or removing them from the security group that’s being filtered for sync. Users may fall out of the sync scope.
That’s all for now. Be safe!