
Overview

Use this recipe when new users are created in on-prem Active Directory and then synced to Microsoft 365 through Azure AD Connect. In a hybrid identity environment, Neo creates or updates the user in Active Directory, then triggers an Azure AD Connect sync so the change appears in Entra ID and Microsoft 365.
If users are created directly in Entra ID, use the cloud Microsoft 365 setup. If users only exist in local Active Directory and never sync to Microsoft 365, use on-prem Active Directory setup without Hybrid.

When to use Hybrid

| Scenario | Company identity provider |
|---|---|
| Users are created in on-prem AD and synced to Microsoft 365 | Hybrid |
| Both directories exist but AD Connect does NOT sync them | Hybrid (no AD Connect sync) |
| Users are created only in Microsoft Entra ID | Entra ID |
| Users are created only in local Active Directory | On-prem AD |
“Hybrid” assumes a working Azure AD Connect sync. If your AD Connect was decommissioned (or never existed) but you still maintain both directories, pick “Hybrid (no AD Connect sync)” instead — Neo will then create and manage users in both on-prem AD and Entra ID directly. With plain “Hybrid” and no working sync, the on-prem user is created but never reaches Microsoft 365, so licensing and mailbox steps can’t proceed.

Setup checklist

| Check | What the MSP needs to do |
|---|---|
| Company is configured as Hybrid | Set Identity Provider Type to Hybrid in Company Settings |
| Neo can run AD PowerShell | Set the AD runner hostname, upload the Neo wrapper script, and run an RMM sync |
| Neo can trigger AD Connect sync | Set the AD Connect server hostname and make sure the service account can trigger sync. Not needed for Hybrid (no AD Connect sync) — Neo writes to both directories directly |
| Optional license buying is configured | If the agent should buy Microsoft licenses, connect a license marketplace integration and add the company’s marketplace ID |

Configure the company

Go to Companies in Neo and open the end-client company. Set:
  • Identity Provider Type: Hybrid
  • AD Runner Hostname: the RMM device Neo should use to run Active Directory commands
  • AD Connect Server Hostname: the server running Azure AD Connect
  • AD Service Account Username / Password: only if the runner needs a dedicated domain service account
Hostnames must match the device names discovered from your RMM. See the on-prem setup guide for field details.

Configure the RMM path

Neo runs on-prem Active Directory commands through your RMM. Before using a hybrid onboarding agent:
1. Upload the wrapper script. Follow the Neo wrapper script setup for your RMM.
2. Sync RMM devices and scripts. After uploading the script, run an RMM sync in Neo so the script and devices are discoverable.
3. Confirm the runner machine. If Neo should run AD commands from a runner instead of directly on the domain controller, follow the runner machine setup.
4. Verify connectivity. Run the checks in Verify Connectivity before running the agent live.
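The following pre-flight script is an added example of the connectivity checks a technician can run on the runner machine before the agent goes live. It is not Neo's wrapper script or part of the Verify Connectivity page; the AD Connect hostname and the optional service-account credential are placeholders passed as parameters. It checks the three things the setup depends on: the runner can load the AD module and find a domain controller, WinRM reaches the AD Connect server, and the account Neo uses can read the sync scheduler there. The staging-mode check is included because an AD Connect server in staging mode imports but never exports, so a "successful" sync would still never deliver the user to Microsoft 365.

```powershell
# Added pre-flight check for a hybrid runner. Example code, not Neo's wrapper script.
# Assumptions (placeholders, not from the page): the AD Connect hostname and the
# optional service-account credential passed as parameters.
param(
    [string]$ADConnectServer = 'ADCONNECT01',   # placeholder; must match the RMM device name
    [pscredential]$Credential                   # dedicated domain service account, if one is used
)

$checks = [ordered]@{}

# 1. The runner can load the AD module and locate a domain controller
$checks['AD module present'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
try {
    $dc = Get-ADDomainController -Discover -ErrorAction Stop
    $checks['DC reachable'] = [bool]$dc.HostName
} catch {
    $checks['DC reachable'] = $false
}

# 2. WinRM to the AD Connect server, the path used to trigger sync remotely
try {
    $null = Test-WSMan -ComputerName $ADConnectServer -ErrorAction Stop
    $checks['WinRM to AD Connect'] = $true
} catch {
    $checks['WinRM to AD Connect'] = $false
}

# 3. The account Neo uses can read scheduler state on the AD Connect server.
#    A server in staging mode imports but never exports, so the user would never
#    reach Microsoft 365 even though the sync cycle itself reports success.
$invoke = @{ ComputerName = $ADConnectServer; ErrorAction = 'Stop' }
if ($Credential) { $invoke['Credential'] = $Credential }
try {
    $sched = Invoke-Command @invoke -ScriptBlock {
        Import-Module ADSync -ErrorAction Stop
        Get-ADSyncScheduler
    }
    $checks['ADSync module readable'] = $true
    $checks['Sync scheduler enabled']  = [bool]$sched.SyncCycleEnabled
    $checks['Not in staging mode']     = -not $sched.StagingModeEnabled
} catch {
    $checks['ADSync module readable'] = $false
}

# Print one line per check and exit non-zero if anything failed, so an RMM job can gate on it
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
$allOk = -not ($checks.Values -contains $false)
"Overall: $(if ($allOk) { 'READY' } else { 'NOT READY' })"
exit $(if ($allOk) { 0 } else { 1 })
```

Run it under the same account the RMM will use for Neo, not under your own admin session, so the result reflects the permissions the agent will actually have. Reading the scheduler with the ADSync cmdlets requires membership in the ADSyncAdmins group (or local admin) on the AD Connect server; if the "ADSync module readable" check fails while WinRM succeeds, that group membership is the first thing to look at.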

Configure the onboarding agent

Create or edit an Onboard/Offboard M365 User agent or workflow. On the agent’s Integrations tab, use a Microsoft 365 access profile that allows the onboarding work you want Neo to perform. For hybrid onboarding, the key requirement is that Neo can make the on-prem AD change and trigger Azure AD Connect sync. If the agent also needs to create or manage mailboxes through on-prem Exchange, see Exchange Hybrid setup.
Start with Technician-in-the-Loop enabled for write actions. Once the workflow is proven, reduce approval steps where appropriate.
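To make the "on-prem AD change, then AD Connect sync" requirement concrete, here is an added example of that sequence as a script. It is example code, not Neo's agent or wrapper script: the UPN suffix, target OU, AD Connect hostname and the first-initial-plus-surname naming rule are placeholders, and it assumes a delta sync (the page only says "sync"). The user creation is idempotent so that a retried workflow does not fail on an existing account, and the sync step waits for an idle scheduler before starting, because Start-ADSyncSyncCycle throws when a cycle is already running.

```powershell
# Added example of the hybrid onboarding sequence: create the user in on-prem AD,
# then trigger an Azure AD Connect delta sync and wait for the cycle to finish.
# Example code, not Neo's agent. UPN suffix, OU, hostname and the SAM naming
# rule are placeholders/assumptions, not values from the page.
param(
    [Parameter(Mandatory)][string]$GivenName,
    [Parameter(Mandatory)][string]$Surname,
    [Parameter(Mandatory)][securestring]$InitialPassword,
    [string]$UpnSuffix       = 'contoso.example',                 # placeholder
    [string]$TargetOU        = 'OU=Staff,DC=contoso,DC=example',  # placeholder; must be an OU AD Connect syncs
    [string]$ADConnectServer = 'ADCONNECT01',                     # placeholder
    [pscredential]$Credential                                     # optional dedicated service account
)

Import-Module ActiveDirectory -ErrorAction Stop

# Assumed naming rule: first initial + surname, lower-case
$sam = ('{0}{1}' -f $GivenName.Substring(0, 1), $Surname).ToLower()
$upn = "$sam@$UpnSuffix"

# Idempotent: a retry of the workflow must not fail because the user already exists
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if (-not $user) {
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName $upn -Path $TargetOU `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -Enabled $true -ErrorAction Stop
    $user = Get-ADUser -Identity $sam
}

# Trigger a delta sync on the AD Connect server and wait for it before any M365 step
$invoke = @{ ComputerName = $ADConnectServer; ErrorAction = 'Stop' }
if ($Credential) { $invoke['Credential'] = $Credential }

$sync = Invoke-Command @invoke -ScriptBlock {
    Import-Module ADSync -ErrorAction Stop
    $deadline = (Get-Date).AddMinutes(10)

    # Start-ADSyncSyncCycle throws if a cycle is already running, so wait for idle first
    while ((Get-ADSyncScheduler).SyncCycleInProgress -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
    }
    $start = Start-ADSyncSyncCycle -PolicyType Delta

    # Poll until no connector run is active, or give up at the deadline
    do { Start-Sleep -Seconds 15 } while ((Get-ADSyncConnectorRunStatus) -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        Started  = $start.Result
        Finished = -not (Get-ADSyncConnectorRunStatus)
    }
}

# Result the calling workflow can gate on
[pscustomobject]@{
    UserPrincipalName = $upn
    ObjectGUID        = $user.ObjectGUID
    SyncStarted       = $sync.Started
    SyncFinished      = $sync.Finished
}
```

Two caveats a technician should keep in mind: the new object only reaches Entra ID if its OU is within the AD Connect sync scope, and "sync finished" means the export ran, not that the user is already visible in Microsoft 365. Licensing and mailbox steps should therefore be gated on actually finding the user in Entra ID by UPN rather than on the sync return value alone. Running the ADSync cmdlets remotely requires the service account to be in the ADSyncAdmins group (or a local admin) on the AD Connect server.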

Common errors

| Error | Meaning | Action |
|---|---|---|
| AD Connect sync is only available for hybrid environments | The agent tried to sync AD changes, but the company is configured as On-prem AD | Set the company Identity Provider Type to Hybrid, or remove AD Connect sync from the agent if the company is truly on-prem-only |
| ...no AD Connect sync to trigger | The company is set to Hybrid (no AD Connect sync), where directories are independent | Usually nothing — Neo manages both directories directly in this mode. If the company actually has a working AD Connect, change its Identity Provider Type to Hybrid |
| Neo wrapper script not found in RMM | Neo cannot run PowerShell through the RMM | Upload the Neo wrapper script, then run an RMM sync |
| Target server not found in RMM | The configured runner hostname does not match an RMM device | Update the hostname in Company Settings or sync RMM devices |
| No license marketplace integration is configured | Neo cannot buy licenses automatically | Connect a license marketplace integration |
| Marketplace company ID is not set | Neo knows the marketplace, but not this company’s marketplace ID | Add the company’s marketplace company ID in Companies |

Before running live

1. Confirm company identity mode. The company should be set to Hybrid if Neo needs to trigger Azure AD Connect sync.
2. Confirm RMM script execution. The Neo wrapper script should be uploaded and visible after RMM sync.
3. Confirm AD Connect access. The service account should be able to trigger sync on the AD Connect server.
4. Run with approval first. Use Technician-in-the-Loop approval for the first few onboarding runs.