seekor asked

Why are some on-prem groups not showing up in Azure AD?

So I am having an issue that is driving me crazy. We sync all of on-prem AD to Azure and we are not filtering out any OUs or anything like that. Only about a third of all on-prem groups show in Azure; this includes mail-enabled, distribution and security groups. So why are 2/3 of our groups not in Azure? I have created multiple test groups of different types in different OUs, I have compared the attributes of groups I see in Azure with those I don't, and there are no glaring issues. I have manually run Azure AD Connect to sync with Azure. There are no sync errors, and I see the test groups I create being picked up in the Delta Import. I have run IdFix and none of the missing groups are listed.

So for the life of me I cannot figure out why it appears that all the groups are syncing but only 1/3 of them show up in Azure. We have both Azure AD Connect and Azure AD Cloud Sync running. We are only seeing 1046 out of 3018 groups.

Any help would be greatly appreciated.

Tags: azure-active-directory, azure-ad-connect, azure-ad-group-management

"We have both Azure AD Connect and Azure AD Cloud Sync running"

Running where? In the same AD forest? Are you piloting AD Cloud Sync?


We have a single forest, single domain. Azure AD Connect and the agent for Azure AD Cloud Sync are installed on a server on-prem. Both show healthy and no issues. We were told that there was no issue with running both. We are in the beginning stages of rolling out M365 and then will be moving to Exchange Online once we have everything tested and working the way we want it. We are not at this point using Azure for anything production-wise; we are just trying to get on-prem and online in sync. We also have all the writebacks off and are configured for ADFS, which has been tested and is working fine.

seekor answered

So after some digging around I found my issue. When Azure AD Connect was set up, the Azure AD app and attribute filtering was set for only Office 365 ProPlus. This limits the attributes that are synced between on-prem and Azure AD. Office 365 ProPlus does not require the groups or membership to be synced to Azure, so while it is pulled into the metaverse in Azure AD Connect it is not synced to Azure. So once I reconfigured it to include Lync (Teams), it pulled all the information that I was missing. Later we will add additional apps we intend to use or remove the filtering completely. I also disabled Azure AD Cloud Sync at the same time because, as @AndyDavid pointed out, you have to make sure you are scoped properly to use both mechanisms in the same forest. The reason some of my groups were synced is because Azure AD Cloud Sync did not have any filtering, so it pulled in some groups but then had issues because the scoping was not properly done.

The list of attributes that are synced by application can be found at the following URL.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
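As an added diagnostic that is not part of the original thread, the following PowerShell lists which on-prem groups never arrived in Azure AD by matching on SID (the value Azure AD stores as onPremisesSecurityIdentifier), and breaks the missing set down by group type and mail-enablement, which is the evidence you want before and after changing the app and attribute filtering. It assumes the ActiveDirectory and Microsoft.Graph modules are installed and that the signed-in account can read groups (Group.Read.All).

```powershell
# Added example: find on-prem groups that did not sync to Azure AD.
# Assumes the ActiveDirectory and Microsoft.Graph.Groups modules are installed (assumption).
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups

# Read-only Graph session; Group.Read.All is enough to enumerate groups.
Connect-MgGraph -Scopes "Group.Read.All"

# Every group on-prem, keyed by SID string.
$onPrem = Get-ADGroup -Filter * -Properties mail
$onPremBySid = @{}
foreach ($g in $onPrem) { $onPremBySid[$g.SID.Value] = $g }

# Every directory-synced group in Azure AD, keyed by the same SID.
$cloud = Get-MgGroup -All -Property Id,DisplayName,OnPremisesSecurityIdentifier,OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -and $_.OnPremisesSecurityIdentifier }
$cloudSids = @{}
foreach ($g in $cloud) { $cloudSids[$g.OnPremisesSecurityIdentifier] = $true }

# The set the question is about: present on-prem, absent from Azure AD.
$missing = $onPrem | Where-Object { -not $cloudSids.ContainsKey($_.SID.Value) }

"On-prem groups: {0}  synced to Azure AD: {1}  missing: {2}" -f `
    $onPrem.Count, $cloudSids.Count, $missing.Count

# Break the missing set down by category and mail-enablement; app and attribute
# filtering that drops group membership tends to hit every kind, as in this thread.
$missing | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Category    = $_.GroupCategory
        Scope       = $_.GroupScope
        MailEnabled = [bool]$_.mail
        OU          = ($_.DistinguishedName -split ',', 2)[1]
    }
} | Group-Object Category, MailEnabled | Select-Object Count, Name | Format-Table -AutoSize

# Keep the full list so it can be diffed after reconfiguring filtering and running a delta sync.
$missing | Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Export-Csv -Path .\missing-groups.csv -NoTypeInformation
```

Re-run it after the configuration change and a delta sync cycle; the missing count should drop to zero if filtering was the only cause, and anything left points at scoping between Connect and Cloud Sync.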
AndyDavid answered