cthivierge asked:

On-Prem AD Groups in Azure AD

Hi,

I would like to know if we can use the on-prem Active Directory groups that are synchronized to Azure AD for Azure AD role assignment?

If it's supported, is it a good idea to use on-prem AD groups to manage Azure resources, or should we only use Azure AD groups to manage Azure resources?

Thanks!

Tags: azure-active-directory, azure-ad-group-management

vipulsparsh-MSFT answered:

@charlesthivierge-5859 Thanks for reaching out. Unfortunately, currently the on-prem groups cannot be used for assigning Azure AD built-in or custom roles.
The same has been called out here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
We will be extending this to on-prem groups as well in the future (https://techcommunity.microsoft.com/t5/azure-active-directory-identity/assigning-groups-to-azure-ad-roles-is-now-in-public-preview/ba-p/1257372)

It has the following limitations (not supported):

Assign cloud groups to Azure AD custom roles
Assign cloud groups to Azure AD roles (built-in or custom) over an administrative unit or application scope.
Assign on-premises groups to Azure AD roles (built-in or custom)

Also have a look at the known issues about this here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#known-issues


When will this option be available (assigning synced on-premises groups to Azure AD roles)? It has been almost 2 years.

It's no longer a limitation, but a "not supported" statement.

It's not efficient to manage roles in two different places.

Hope to hear from you soon.


Yes it has been a while - arguably long enough for you to have migrated your infra to the cloud and decommissioned legacy AD, so that you no longer have this problem. LOL =)

Seriously though, if you're hooked on keeping AD, just create an Automation account and a PowerShell runbook using a Hybrid Worker agent to enumerate the AD group membership and update the membership of an Azure AD group used for role assignment.

Or try this: https://techwizard.cloud/2021/07/09/powershell-ad-group-to-azure-ad-cloud-only-group-sync/


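The runbook approach described in the comment above, written out as an added example (this is not code from the thread or from the linked blog post). It assumes an Azure Automation account with a system-assigned managed identity, a domain-joined Hybrid Runbook Worker whose run-as context can read group membership from AD, the ActiveDirectory and Microsoft.Graph modules installed on the worker, and Azure AD Connect using the default source anchor (objectGUID surfaced as onPremisesImmutableId). The group name and object ID are placeholders. The managed identity needs GroupMember.ReadWrite.All, and additionally RoleManagement.ReadWrite.Directory if the cloud group is role-assignable (isAssignableToRole = true), because membership of role-assignable groups cannot be changed with ordinary group permissions.

```powershell
# Added example: mirror an on-prem AD group into a cloud-only Azure AD group that
# holds an Azure AD role assignment. Runs as an Azure Automation runbook on a
# domain-joined Hybrid Runbook Worker. Names and IDs below are placeholders.
param(
    [string]$AdGroupName  = 'Tier0-CloudRoleAdmins',                 # assumed on-prem AD group
    [string]$CloudGroupId = '00000000-0000-0000-0000-000000000000',  # assumed cloud-only group objectId
    [switch]$DryRun                                                  # report changes without applying them
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

# Authenticate to Microsoft Graph as the Automation account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

# 1. Desired state: user members of the AD group (nested groups flattened), mapped to
#    their synced cloud accounts via the Azure AD Connect source anchor. Matching on
#    the anchor rather than on UPN avoids surprises when the UPN suffix differs on-prem.
$desired = @{}
Get-ADGroupMember -Identity $AdGroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $anchor = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        $cloudUser = Get-MgUser -Filter "onPremisesImmutableId eq '$anchor'" -Property Id,UserPrincipalName
        if ($cloudUser) {
            $desired[$cloudUser.Id] = $cloudUser.UserPrincipalName
        } else {
            Write-Warning "AD user $($_.SamAccountName) has no synced Azure AD account; skipping"
        }
    }

# Guard rail: an empty result usually means AD was unreachable or the group name is wrong,
# not that every admin left. Refusing to continue prevents stripping all role holders at once.
if ($desired.Count -eq 0) {
    throw "No members resolved for AD group '$AdGroupName'; refusing to reconcile."
}

# 2. Current state of the cloud group.
$current = @{}
Get-MgGroupMember -GroupId $CloudGroupId -All | ForEach-Object { $current[$_.Id] = $true }

# 3. Reconcile in both directions. Removing stale members is what keeps the cloud group
#    from becoming a one-way accumulator of privilege after someone leaves the AD group.
foreach ($id in $desired.Keys) {
    if (-not $current.ContainsKey($id)) {
        Write-Output "ADD    $($desired[$id])"
        if (-not $DryRun) { New-MgGroupMember -GroupId $CloudGroupId -DirectoryObjectId $id }
    }
}
foreach ($id in $current.Keys) {
    if (-not $desired.ContainsKey($id)) {
        Write-Output "REMOVE $id"
        if (-not $DryRun) { Remove-MgGroupMemberByRef -GroupId $CloudGroupId -DirectoryObjectId $id }
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once with -DryRun from the Automation account test pane to review the ADD/REMOVE plan before scheduling it. Keep in mind what this design does to your trust boundary: whoever can edit the on-prem group (or compromise a domain controller) can now put accounts into an Azure AD role, so the AD group should be protected to the same tier as the cloud role it feeds.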
cthivierge answered:

Thanks for your answer.
