Why are some on-prem groups not showing up in Azure AD?

ADT 96 Reputation points
2021-02-09T16:58:15.577+00:00

So I am having an issue that is driving me crazy. We sync all of on-prem AD to Azure and we are not filtering out any OUs or anything like that. Only about a third of all on-prem groups show in Azure; this includes mail-enabled, distribution and security groups. So why are 2/3 of our groups not in Azure? I have created multiple test groups of different types in different OUs, and I have compared the attributes of groups I see in Azure with those I don't, and there are no glaring issues. I have manually run Azure AD Connect to sync with Azure. There are no sync errors, and I see the test groups I create being picked up in the Delta Import. I have run IdFix and none of the missing groups are listed.

So for the life of me I cannot figure out why it appears that all the groups are syncing but only 1/3 of them show up in Azure. We have both Azure AD Connect and Azure AD Cloud Sync running. We are only seeing 1046 out of 3018 groups.

Any help would be greatly appreciated.


Accepted answer
  1. ADT 96 Reputation points
    2021-02-17T22:37:35.207+00:00

    So after some digging around I found my issue. When Azure AD Connect was set up, the Azure AD app and attribute filtering was set for only Office 365 ProPlus. This limits the attributes that are synced between on-prem and Azure AD. Office 365 ProPlus does not require the groups or membership to be synced to Azure, so while it is pulled into the metaverse in Azure AD Connect it is not synced to Azure. So once I reconfigured it to include Lync (Teams), it pulled all the information that I was missing. Later we will add additional apps we intend to use or remove the filtering completely. I also disabled Azure AD Cloud Sync at the same time because, as @Andy David - MVP pointed out, you have to make sure you are scoped properly to use both mechanisms in the same forest. The reason some of my groups were synced is because Azure AD Cloud Sync did not have any filtering, so it pulled in some groups but then had issues because the scoping was not properly done.

    The list of attributes that are synced by application can be found at the following URL.
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

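The gap described in the question (on-prem groups present in the connector's metaverse but absent from Azure AD) can be measured directly rather than by eyeballing test groups. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module on a domain-joined host, the Microsoft.Graph.Groups module with a Group.Read.All connection, and an assumed report path in `$Out`. It keys on the on-prem SID, which synced cloud groups carry in onPremisesSecurityIdentifier, and then breaks the missing set down by OU and by group type: if no OU or type pattern explains the gap, the cause is connector-level filtering (such as the app and attribute filtering in the accepted answer), not the objects themselves.

```powershell
# Added example: list on-prem AD groups that never reached Azure AD.
# Assumptions: ActiveDirectory and Microsoft.Graph.Groups modules are
# installed; the Graph session has Group.Read.All; $Out is an assumed path.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups
$Out = 'C:\Temp\missing-groups.csv'   # assumed output path

Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null

# Every on-prem group with the attributes the question compared by hand.
$onPrem = Get-ADGroup -Filter * -Properties mail |
    Select-Object Name, DistinguishedName, GroupCategory, GroupScope, mail,
        @{ n = 'Sid'; e = { $_.SID.Value } }

# Synced cloud groups expose the source SID; cloud-only groups leave it empty.
$cloudSids = @{}
Get-MgGroup -All -Property Id, DisplayName, OnPremisesSecurityIdentifier |
    Where-Object { $_.OnPremisesSecurityIdentifier } |
    ForEach-Object { $cloudSids[$_.OnPremisesSecurityIdentifier] = $_.Id }

$missing = @($onPrem | Where-Object { -not $cloudSids.ContainsKey($_.Sid) })

'On-prem groups: {0}  synced to Azure AD: {1}  missing: {2}' -f `
    $onPrem.Count, $cloudSids.Count, $missing.Count

# Break the gap down by parent OU: a single OU dominating points at OU
# filtering or Cloud Sync scoping; an even spread points at the connector.
$missing |
    Group-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# And by category/scope, to see whether one group type is excluded wholesale.
$missing | Group-Object GroupCategory, GroupScope |
    Select-Object Count, Name | Format-Table -AutoSize

$missing | Export-Csv -Path $Out -NoTypeInformation
```

Re-run it after changing the Azure AD Connect app selection or Cloud Sync scope and a full sync cycle; the missing count should drop to the groups you deliberately exclude.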

1 additional answer

  1. Andy David - MVP 143K Reputation points MVP
    2021-02-09T19:28:23.36+00:00