
0 Votes
ND-8869 asked

In hybrid architecture is it possible to manage from azure?

Hi,
I have an Azure Active Directory where all my objects have been created. I want to deploy an on-prem AD DS and connect the two in such a way that the sync goes from the cloud to on-prem, so that all management happens in the cloud and not on-prem.

I managed to find Azure AD Connect and articles describing how to connect the two and make the on-prem AD DS the management unit, but this is not what I want.

Is there a way to accomplish this?

Thanks! :]

azure-active-directory

1 Vote
soumi-MSFT answered

@ND-8869

No, you cannot sync objects down from Azure AD to on-prem AD using the AD Connect tool. This feature is not available yet.

As a workaround, we can use PowerShell to export the Azure AD users' information to a local file, then use that file to create the users in on-premises AD.

You can refer to the details mentioned here.



Hope this helps.



Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

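The export-then-create workaround described in this answer, as an added example that is not part of the original thread and is not Microsoft's published script. It assumes the AzureAD PowerShell module for the export step (the module is being retired in favour of Microsoft Graph PowerShell, where the equivalent cmdlet is Get-MgUser), the RSAT ActiveDirectory module for the import step, and placeholder values for the CSV path and the target OU. Each account gets a random initial password from a CSPRNG and must change it at first logon, and the script skips users that already exist so it can be re-run safely.

```powershell
# Added example (not from the thread). Step 1 runs where the AzureAD module is
# installed; step 2 runs on a domain-joined machine with RSAT. The CSV path and
# the OU distinguished name are placeholders to replace.

# ---- Step 1: export member users from Azure AD (skips guest accounts) ----
Connect-AzureAD   # interactive sign-in; a directory reader role is enough

Get-AzureADUser -All $true |
    Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName -notlike '*#EXT#*' } |
    Select-Object UserPrincipalName, DisplayName, GivenName, Surname, MailNickName, AccountEnabled |
    Export-Csv -Path 'C:\Temp\aad-users.csv' -NoTypeInformation -Encoding UTF8

# ---- Step 2: create matching accounts in on-prem AD DS ----
Import-Module ActiveDirectory

$TargetOU = 'OU=CloudUsers,DC=contoso,DC=local'   # placeholder OU
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function New-InitialPassword {
    # Random initial password from a CSPRNG; the user is forced to change it at
    # first logon, so it only needs to survive until the account is handed over.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

Import-Csv -Path 'C:\Temp\aad-users.csv' | ForEach-Object {
    $upn = $_.UserPrincipalName

    # sAMAccountName: use the mail nickname, fall back to the UPN prefix, cap at 20 chars
    $sam = if ($_.MailNickName) { $_.MailNickName } else { $upn.Split('@')[0] }
    $sam = $sam.Substring(0, [Math]::Min(20, $sam.Length))

    # Idempotency: never touch an account that is already present
    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue) {
        Write-Host "skip (already exists): $upn"
        return
    }

    $name    = if ($_.DisplayName) { $_.DisplayName } else { $sam }
    $enabled = [System.Convert]::ToBoolean($_.AccountEnabled)   # CSV stores "True"/"False"
    $secret  = New-InitialPassword | ConvertTo-SecureString -AsPlainText -Force

    New-ADUser -Name $name `
               -SamAccountName $sam `
               -UserPrincipalName $upn `
               -GivenName $_.GivenName `
               -Surname $_.Surname `
               -DisplayName $name `
               -Path $TargetOU `
               -Enabled $enabled `
               -AccountPassword $secret `
               -ChangePasswordAtLogon $true
    Write-Host "created: $upn"
}
```

Keeping the UserPrincipalName identical on both sides matters: if Azure AD Connect is introduced later, it soft-matches existing cloud users to the new on-prem objects by UPN (or primary SMTP address), so the cloud accounts are taken over rather than duplicated. Delete the exported CSV once the import is done; it holds no passwords, but it is still a complete directory listing.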

0 Votes
ND-8869 answered

Yes, it helps, thanks.
Following on from that, maybe I can get another pointer. My situation and goal is:

  • my users, objects, etc. are in Azure
  • I want these users and objects in Azure to have permissions over resources on my on-prem
  • I do not want to maintain split identities with a different AD on-prem
  • I do not want to consolidate identities if the management unit AD is on-prem

Any best practices for this?


0 Votes
SamCogan answered

The only option you have for AAD being the source of truth, rather than AD, is to use Azure AD Domain Services, which provides domain controllers as a PaaS service. However, AAD DS has some fairly significant limitations, so it may not work for you.

Other than that, AD will always be the source of truth.
