Azure AD Connect using Security Groups

Question

We are in a test envioronment for AD Connect using Security Groups.

We have installed AD Connect and resolve the Security Group "Jing_Users" during the initial setup.

On-Premise AD, within the group, we have added 1 user.

Also we have selected the specific OU during the initial setup.

After running several full syncs we can only find "Jin_Users" under the active groups and shows Members "0" & the user who is the member of the group doesnt show under Active Users.

What may I be doing wrong here?

Answer 1

@Sunith We show the UPN for the user on AAD portal as username so you would see JDor@keyman .com If you need to show the user as John.Doe@keyman .com, you need to make sure to change the UPN of the user to John.Doe@keyman .com

Also, the group if deleted from on-prem should be successfully deleted from AAD portal as well. if that is not the case, may be the deletion would not have been properly propagated to AAD. You need to verify in your AAD connect about the deletion of the group like this :

Once you confirm that is the correct group, you would be able to see if the delete happened successfully in Export Run cycle for your Cloud Connector. if that is there, then the group should have been deleted.

If you still see the group, may be there is some error in AAD connect which did not propagate the deletion.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

Answer 2

The OU selected must contain both the user and the group and the user has to be a direct member of that group. Is this the case here?

You can also look at these troubleshooting steps:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

Answer 3

@Sunith Thanks for reaching out. Please verify https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-user-and-contacts#groups and let us know if your scenarios matches one of them.

Do you see any error being thrown during the synchronization for that security group. I am sure you would have selected the correct group and OU for filtering if any.
You will find many errors on this article which might help you troubleshoot further : https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors.

If you do not see any errors and still the user object does not synchronize. Drop an email to azcommunity[at]microsoft[dot]com with subject "Atten- Vipul" and in body do mention your tenant ID and Name and subscription and I will connect with you offline to take it forward.

Answer 4

Hi Vipul, Thank you for your detailed response. Much appreciated.

1. Yes it worked when I edited the UPN under "Attribute Editor"
2. I was able to delete the group finally. Thank you.

Now for your advise on our production environment.

We have about 120 AD Users, out of which we need 25 users need to by sync to Azure AD to access an APP that is registered in MS Azure.

Currently all users have 2 different passwords for their computers (On-Premise AD) and for M365. We prefer to keep it like that. Ones we setup B2C and register the App on Azure, the users can login to the APP using their M365 account and password.

1. Is it possible to sync only the identities and not the password? If we use Password Hash Sync or Pass Through Authentication? their AD password will sync to M365 & Azure and user will need to use this one password for login to the APP. Can we just sync the identities like John.Doe@domian,com and use their M365 password to login to the Azure APP? if so, how do we set this up while configuring AD Connect?
2. We plan on using a Security Group and adding all the 25 users into this group for the AD Connect Sync, is this an ideal way to go forward? We have a structured OU and like to keep it dont want to disturb the OU structuring.

Though I have mentioned what we think is best way forward, you being the expert may always suggest if there are better ways (best practise) to change our approach.

Answer 5

@Sunith The scenario that you described shows that you are using two different identities for the same account. One for On-prem where the authenticating Entity is your local Domain Controlled, second for Azure AD/ M365 cloud where Azure AD is authenticating the users.

In a parallel world, you can surely do this, but when there is a scenario where you need to sync your identity (users) you cannot have two different password for two different scenarios.
As we match the identity , we make sure to have only 1 identity provider for any particular user, either On-prem (Via Pass though Authentication , ADFS) or AAD (password Sync)

So ideally it would not be possible for those 25 users to get synced via Azure AD connect and still use the Cloud/M365 password.
You can either create the users separately and use them instead (created directly in AAD) but this will be totally different users and not same.

For your second point, if you do not want to alter the OU structure, you can surely create those users within the same OU. If you plan to use the security group for some App targeting and policy targeting, you can surely have those 25 users as a member of this. Thus, once synced you can actually use the group for bulk targeting for apps or other policies. This would pretty much work.

---

If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.