Forum Discussion
Sandro Alves
Apr 27, 2021
Copper Contributor
Authenticating onpremise users in Azure ADDS
Hi, we want on-premises users to authenticate to Azure ADDS with their on-premises domain credentials to maintain the default password and GPO. Is it possible? Thanks.
Seshadrr
Iron Contributor
In a hybrid environment, objects and credentials from an on-premises AD DS domain can be synchronized to Azure AD using Azure AD Connect. Once those objects are successfully synchronized to Azure AD, the automatic background sync then makes those objects and credentials available to applications using the managed domain.
What's not synchronized from an on-premises AD DS environment to Azure AD or Azure AD DS:
OUs, Group Policy, excluded attributes, SYSVOL, computer objects, SidHistory attributes for users and groups
pazdedav
Apr 28, 2021
Steel Contributor
Just to add to what Seshadrr said already:
- objects (users and groups) in the AAD DS directory have different SIDs (it's a different domain/forest than the on-premises one), but the original SIDs (of the source objects) are saved to SIDHistory.
- users will be using a different UPN suffix (the one you choose when you enable AAD DS in your environment), but the prefix will be the same as in the original ADDS domain.
- passwords: the idea with AADDS is to be able to use the same credentials, but it requires Password-Hash-Sync enabled in AAD Connect configuration as described here.
- OU structure and GPOs are not replicated to AADDS, but you can still create custom OUs and GPOs in the managed AADDS directory. You just need to export/import or re-create them manually.
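As an added example (not code from any poster in this thread), the following reconciliation check shows what the SID and UPN behaviour described above means in practice when resources with on-premises ACLs are moved into the managed domain: each managed-domain account should carry the on-premises objectSid in sIDHistory and keep its UPN prefix. All records are constructed sample data, and the `User` class and `reconcile` function are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    upn: str
    object_sid: str
    sid_history: list[str] = field(default_factory=list)

# Constructed sample: accounts as they exist in the on-premises AD DS domain.
ONPREM_USERS = [
    User("alice@corp.example", "S-1-5-21-1111-2222-3333-1105"),
    User("bob@corp.example", "S-1-5-21-1111-2222-3333-1106"),
    User("carol@corp.example", "S-1-5-21-1111-2222-3333-1107"),
]

# Constructed sample: the same accounts as seen in the managed AAD DS domain.
# New objectSids, managed-domain UPN suffix; bob lacks sIDHistory and carol's
# UPN prefix differs, so both should be flagged.
AADDS_USERS = [
    User("alice@aadds.example", "S-1-5-21-9999-8888-7777-1105",
         ["S-1-5-21-1111-2222-3333-1105"]),
    User("bob@aadds.example", "S-1-5-21-9999-8888-7777-1106", []),
    User("carol2@aadds.example", "S-1-5-21-9999-8888-7777-1107",
         ["S-1-5-21-1111-2222-3333-1107"]),
]

def reconcile(onprem: list[User], managed: list[User]) -> dict[str, list[str]]:
    """Match on-prem accounts to managed-domain accounts by UPN prefix and
    return findings keyed by on-prem UPN; an empty list means the account
    matched and its old SID still resolves through sIDHistory."""
    by_prefix = {u.upn.split("@", 1)[0]: u for u in managed}
    findings: dict[str, list[str]] = {}
    for src in onprem:
        issues: list[str] = []
        dst = by_prefix.get(src.upn.split("@", 1)[0])
        if dst is None:
            issues.append("no managed-domain account with the same UPN prefix")
        else:
            if dst.object_sid == src.object_sid:
                issues.append("objectSid unchanged; managed domain should assign a new SID")
            if src.object_sid not in dst.sid_history:
                issues.append("on-prem objectSid missing from sIDHistory; ACLs referencing it will not resolve")
        findings[src.upn] = issues
    return findings

if __name__ == "__main__":
    for upn, issues in reconcile(ONPREM_USERS, AADDS_USERS).items():
        print(upn, "OK" if not issues else "; ".join(issues))
```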