
0 Votes
DmitryMalchikov-5671 asked JimmySthl-2346 answered

AAD sync to local AD

Hello!
Could not find our case.
We have Azure AD with active users and subscriptions (DevOps, O365) with the domain "company.com".
We have just created a new local AD DC with the domain name "ad.company.com".

We would like to sync users from AAD to the local AD to allow them SSO (cloud and local servers/laptops).

Would the SSO with writeback option work for us?

Thanks for any help!

azure-active-directory azure-ad-connect

0 Votes
jLight answered

We've done this when AAD Connect was newer... we used to set the immutable ID, but from what michev suggested and the article below, it seems easier and less complicated now. PowerShell will definitely help, especially if you have a lot of users already in AAD/O365.

https://www.slashadmin.co.uk/how-to-sync-an-existing-office365-tenant-into-a-new-active-directory-domain/


0 Votes
sagus answered

Azure AD Connect can only replicate groups and passwords back to local AD. But you can use the full version of this product, Microsoft Identity Manager 2016. It has more flexible configuration.


2 Votes
michev answered

To add some more context on what was mentioned above: synchronization is one-way, from AD to Azure AD/Office 365. There are only a few attributes that can be written back, and that's mostly for Hybrid configurations, and passwords if you have the corresponding feature (and licenses) enabled.

There is no built-in functionality that syncs users from Azure AD to on-premises AD. If that's what you are after, you can simply export the list of users via PowerShell (Get-MsolUser/Get-AzureADUser) or the Graph API, along with any relevant attributes, then use the exported data to recreate them in AD (again, PowerShell helps). You cannot export passwords. Once the export/import is done, you can "match" the on-premises users with the cloud ones and give them the SSO experience. The process is known as soft-match: https://support.microsoft.com/en-us/help/2641663/use-smtp-matching-to-match-on-premises-user-accounts-to-office-365

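The export/recreate/soft-match flow described in the answer above, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the AzureAD and ActiveDirectory modules are installed, that the OU path and the CSV path below (both hypothetical) are adjusted to your environment, and that the cloud UPN suffix has been added to the on-premises forest. Passwords cannot be exported, so each new AD account gets a random one-time password and must change it at first logon; the cloud password stays untouched until matching is complete.

```powershell
# Added example: export Azure AD users and recreate them in on-prem AD with the same
# primary SMTP address so Azure AD Connect can soft-match them (assumed paths below).
Import-Module AzureAD
Import-Module ActiveDirectory

$TargetOU   = 'OU=CloudUsers,DC=ad,DC=company,DC=com'   # hypothetical OU, adjust
$ExportPath = '.\aad-users.csv'                         # hypothetical path, adjust

Connect-AzureAD | Out-Null

# 1. Export only member accounts that have a mail address (needed for SMTP matching),
#    with the attributes required to rebuild a usable on-prem account.
Get-AzureADUser -All $true |
    Where-Object { $_.UserType -eq 'Member' -and $_.Mail } |
    Select-Object UserPrincipalName, DisplayName, GivenName, Surname, Mail,
        @{ n = 'ProxyAddresses'; e = { $_.ProxyAddresses -join ';' } } |
    Export-Csv -Path $ExportPath -NoTypeInformation

# 2. Recreate each user in AD. Idempotent: users that already exist by UPN are skipped.
foreach ($u in Import-Csv -Path $ExportPath) {
    if (Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'") {
        Write-Verbose "Skipping existing user $($u.UserPrincipalName)"
        continue
    }

    # sAMAccountName is limited to 20 characters; derive it from the UPN prefix.
    $sam = ($u.UserPrincipalName -split '@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Random one-time password from a CSPRNG; the user must change it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $params = @{
        Name = $u.DisplayName; SamAccountName = $sam
        UserPrincipalName = $u.UserPrincipalName; DisplayName = $u.DisplayName
        EmailAddress = $u.Mail; Path = $TargetOU
        AccountPassword = $tempPassword; Enabled = $true; ChangePasswordAtLogon = $true
    }
    if ($u.GivenName) { $params.GivenName = $u.GivenName }
    if ($u.Surname)   { $params.Surname   = $u.Surname }
    New-ADUser @params

    # Carry over proxyAddresses: the 'SMTP:' primary entry must equal the cloud object's
    # primary SMTP address for the soft-match to succeed.
    $proxies = $u.ProxyAddresses -split ';' | Where-Object { $_ }
    if ($proxies) { Set-ADUser -Identity $sam -Add @{ proxyAddresses = $proxies } }
}
```

Run the export step against a pilot OU first and verify the primary SMTP addresses line up before starting the Azure AD Connect sync cycle.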

0 Votes
DmitryMalchikov-5671 answered

Thanks! Seems to be working for me!


0 Votes
PGoldman-4974 answered

Hi there,

Any idea if there is a way to write back passwords for already matched accounts from Azure AD to local AD?

I have a client with an existing Azure AD, and we just installed a fresh local AD server. We created the users manually and now want to match the accounts. Because the local accounts are not yet in use, but the Azure AD accounts are in use, I am looking for a way to match and sync the accounts without the password being overwritten in Azure AD.

The client has the Azure P1 license.

Thanks in advance.


0 Votes
JimmySthl-2346 answered

However, you can build around it with a topology like this if you need to provision users in Azure for a hybrid environment:

Azure AD -> Azure AD Domain Services -> forest trust -> On prem ADDS -> Azure AD connect -> Azure AD

That would solve your problem, if I understand you correctly.

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-forest
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
