We are having on premise employee directory and now planning to move to Azure AD. How we can sync the details of all employees to Azure using graph API, and provide them access to hardware and network. We basically want to sync Entries, Computer, user, Group, InetOrgPerson, OU present in local AD to Azure AD.

Hi @Arpna • Thank you for reaching out. Graph API can NOT be used to sync the identities from On-premises AD to Azure AD. Using Graph API, you can create/read/update/delete objects in Azure AD, but you cannot sync the objects using Graph. To sync objects from On-premises AD to Azure AD, the recommended tool is Azure AD Connect. You can use it to sync Users, Groups and Computer objects but not OUs as Azure AD doesn't support the concept of OUs. Read more: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express ----------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

How we can sync on premise active directory data with Azure AD via graph API

Accepted answer

AmanpreetSingh-MSFT 56,306 Reputation points

2021-09-20T07:31:16.113+00:00

Hi @Arpna • Thank you for reaching out.

Graph API can NOT be used to sync the identities from On-premises AD to Azure AD. Using Graph API, you can create/read/update/delete objects in Azure AD, but you cannot sync the objects using Graph.

To sync objects from On-premises AD to Azure AD, the recommended tool is Azure AD Connect. You can use it to sync Users, Groups and Computer objects but not OUs as Azure AD doesn't support the concept of OUs.

Read more: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Arpna 131 Reputation points

2021-09-20T08:39:31.193+00:00

thanks a lot @Amanpreet

Using Graph API, you can create/read/update/delete objects in Azure AD

I think this should be good enough for us to start with. We basically want to move all our infra related resource to Azure as first step. We have lot of resources like:

Employess -> I believe this could be mapped to User object in graph - https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta

Computers -> I believe this could be mapped to Device object in graph - https://learn.microsoft.com/en-us/graph/api/resources/device?view=graph-rest-beta

OU are not supported in Azure AD so I need to revisit this.

Groups - Could be mapped with groups object in graph - https://learn.microsoft.com/en-us/graph/office365-groups-concept-overview

We also have concept of InetOrgPerson. Is there anything else I should consider for exploring the APIs?

thanks again for your help.

Devaraj G 2,091 Reputation points

2021-09-20T12:01:52.197+00:00

Hi Arpna,

Moving the Infra services to Azure needs a good planning and strategy to avoid any potential issues or limitations. Graph APIs are not solely meant for migration purpose,

IAre you currently running domain controllers and looking to get replaced with Azure AD in future state. ? what are the types of resources you planning to migrate. Please provide more details.

Arpna 131 Reputation points

2021-09-21T05:38:54.94+00:00

@Devaraj G thanks a lot for the reply.

We are planning to move our infra (employees, groups, laptops, servers info) to Azure as first step and then we can plan on moving policies and other stuff.

why we have chosen graph API, is that we want to see if we can finer control on data that we are moving to Azure and make periodic updates to Azure AD.

AmanpreetSingh-MSFT 56,306 Reputation points

2021-09-22T13:14:50.633+00:00

Hi @Arpna • For InetOrgPerson, you may consider Guest Users in Azure AD. You may consider using invitation manager via graph as per https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http.

I am not sure what you mean by mapping here, but graph doesn't provide a way to map on-prem users to Azure AD. Also, how are you going to keep track of changes on-prem and make corresponding changes in Azure?

Again, better choice would be to go with AD Connect as syncing identities from on-premises AD to Azure AD via AD Connect is recommended by Microsoft and it makes mapping, management and administration much simpler & less time consuming.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment

How we can sync on premise active directory data with Azure AD via graph API

0 additional answers