Azure AD Connect Synchronization

Shannon Harvey 21 Reputation points
2021-09-20T19:05:25.097+00:00

Hello All,

I'm relatively new to Azure and AD Connect, I have a couple of questions and thought I'd ask them here. With AD Connect, is the synchronization two-way? I know that I can write to Azure by making a change to my local AD, but does the same apply to my being able to make a change in reverse? In other words, can I make a change in Azure prior to syncing and have that change reflect in my local AD?

Something I've found in my testing is that users cannot log on to Azure using a SAMAccountName that is different from that of the UPN or Mail attribute. In other words, if a user has a SAMAccountName of shannon, and their logon name in Azure is shannon.lastname, then the user cannot log on to Azure using shannon. That being said, we need to devise a plan to change the logon name in Azure to match the SAMAccountName, as we will be leveraging Azure for MFA against our VPN.

Something to note here is that currently these two environments are managed and treated as two separate entities and are not synchronized. Local AD is present, as is O365. So a user can have a completely separate set of credentials to log on to either platform. Thank you in advance for your assistance with this.


2 answers

  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2021-09-20T19:41:12.903+00:00

    Only one-way object synchronization is supported. You can't write back users from Azure to on-premises. User writeback used to be a supported feature, but it was removed in 2015, and I don't think it's likely that it will ever be added back.

    Passwords and certain attributes can be written back, but for the most part the synchronization is one way. https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback


  2. Shannon Harvey 21 Reputation points
    2021-09-20T19:47:47.943+00:00

    Thank you Marilee, so it sounds as though I need to make my changes in local AD and write those changes to Azure. If that is the case, can you provide any recommendations for how you believe this should be done?

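Since synchronization flows only from on-premises AD to the tenant, the practical answer to the follow-up question is to make the cloud sign-in name match by fixing the on-premises userPrincipalName (which becomes the cloud sign-in name) before or while syncing. The script below is an added example, not code from the thread or from Microsoft: it audits enabled users whose UPN prefix differs from their sAMAccountName, rewrites the UPN to sAMAccountName@suffix (guarding against UPN collisions), and triggers a delta sync. The suffix `contoso.com`, the OU `OU=Staff,DC=contoso,DC=com`, and the presence of the RSAT ActiveDirectory and Azure AD Connect ADSync modules on the machine are assumptions; replace them with your own values and run the remediation with `-WhatIf` first.

```powershell
# Added example (not from the original thread): align on-premises UPNs with sAMAccountName
# so the synchronized cloud sign-in name matches what users already type locally.
# Assumptions (hypothetical, adjust to your environment):
#   - the RSAT ActiveDirectory module and the Azure AD Connect ADSync module are installed
#   - 'contoso.com' is a UPN suffix registered in the forest AND a verified domain in the tenant
#   - 'OU=Staff,DC=contoso,DC=com' is inside the OU scope configured in Azure AD Connect
Import-Module ActiveDirectory

$Suffix     = 'contoso.com'
$SearchBase = 'OU=Staff,DC=contoso,DC=com'

# Refuse to continue unless the suffix is known to the forest. An unregistered suffix
# cannot be assigned at all, and a suffix that is not a verified tenant domain is
# rewritten to <tenant>.onmicrosoft.com on the cloud side, which defeats the purpose.
$forest = Get-ADForest
$knownSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
if ($knownSuffixes -notcontains $Suffix) {
    throw "UPN suffix '$Suffix' is not registered in forest $($forest.Name). Add it in AD Domains and Trusts first."
}

# 1. Audit: enabled users whose UPN prefix does not equal their sAMAccountName.
$mismatched = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties userPrincipalName, mail, proxyAddresses |
    Where-Object {
        $prefix = ($_.UserPrincipalName -split '@')[0]
        $prefix -ne $_.SamAccountName
    }

Write-Host "Users with UPN prefix <> sAMAccountName: $($mismatched.Count)"
$mismatched |
    Select-Object SamAccountName, UserPrincipalName, Mail |
    Format-Table -AutoSize

# 2. Remediate: set UPN = sAMAccountName@suffix. Remove -WhatIf only after reviewing the audit.
foreach ($u in $mismatched) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $Suffix

    # Guard: a UPN must be unique in the forest; report and skip collisions instead of failing mid-run.
    $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.DistinguishedName)"
        continue
    }

    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 3. Push the change to the tenant now instead of waiting for the 30-minute scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Two caveats matter for the situation described in the question, where on-premises and cloud accounts currently exist independently. First, when Azure AD Connect meets an on-premises user that has no sourceAnchor (hard match) recorded in the cloud, it soft-matches on the UPN or the primary SMTP address in proxyAddresses; if the rewritten UPN and the mail attribute match the existing cloud user, the two are joined, otherwise a duplicate cloud user is created, so run the audit against the tenant's user list before the first sync. Second, UPN changes on already-synchronized users only flow to the cloud when the tenant's SynchronizeUpnForManagedUsers directory sync feature is enabled (it is on by default for newer tenants); check it before assuming the delta sync will rename the cloud account.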