Forum Discussion
mscd-foboro
Jul 06, 2019, Copper Contributor
AADconnect synced security groups vs. teams mess
Hello everybody, we have been using Office 365 in combination with our local on-premise AD for some months now. In this setup, our staff is (historically) grouped into several on-premise security groups...
Jul 06, 2019
Hi!
Office 365 groups are more than a security group! They create a lot of resources, and groups are created when you add some of these resources! Like when you create a Team, it creates a group! This group is used for membership management etc.! Please read more here:
https://docs.microsoft.com/en-us/microsoftteams/office-365-groups
Synced security groups can only be used as a one-time import of members in Teams! It won't use the group or add the group as a member!
Most things in Office 365 today are about Office 365 groups, and I would read up on them, plan for governance and so on!
https://support.office.com/en-us/article/learn-about-office-365-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2
https://blog.syskit.com/office-365-groups-governance-rules-keep-your-groups-in-order?hs_amp=true
Adam
mscd-foboro, Jul 06, 2019, Copper Contributor
Thank you very much for your quick response. One (more question) ...
... I am working at a school with around 120 teachers and 1200 pupils (grouped into approximately 50 classes) ... all these people are grouped into a huge number of on-premise security groups, to manage corresponding permissions and services in our local (Windows 2016) AD.
Since we started using AADconnect, all these users and groups are synced into Azure AD. As you mentioned before, on-premise (and mail-managed) security groups are not synced into corresponding Office 365 groups in Azure AD. At this point, the reasonable use of AADconnect gets questionable to me. Basically I would like to manage all my users and groups in our on-premise AD (which gets synced). For example, all teachers are grouped into an on-premise group „Teachers“. If I correctly understand your advice, one should create a separate Office 365 group (let's call it) „Teachers-Office365“, but in this setup, all later on-premise variations to the security group „Teachers“ do not get synced to „Teachers-Office365“ by AADconnect.
This design seems to be contradictory to the basic value of tools like AADconnect ... ?
Thanks for your advice,
Michael
Jul 06, 2019
You are correct in your statements!
You can have a look at dynamic Office 365 group membership! You can then have dynamic membership based on attributes in AAD, possibly also synced from AD.
https://docs.microsoft.com/en-us/microsoftteams/dynamic-memberships
mscd-foboro, Jul 06, 2019, Copper Contributor
Thank you for your (clarifying) elucidations! The point is that this construct/design seems not very elegant to me (as a former student of computer science) ... so I would not have believed that a tech giant like Microsoft does not offer a more carefully thought-out design to its customers for linking on-premise ADs to Azure (and Office 365).
So clearly I can (must) create Office 365 groups by dynamic membership to synced Azure AD attributes, but my original comprehension of AADconnect was to manage, for example, the creation (and membership) of (possibly) hundreds of on-premise groups (classes, courses, ...) in our local AD and sync them afterwards to Azure AD. If you are right (and I think so), this leads to a double-entry accounting in some sense.
For example, if one needs/creates a new set of on-premise security groups, all these groups have to be created a second time as Office 365 groups (or Teams) in our Azure AD (e.g. by the use of PowerShell scripts?). In addition to that, one has to administrate a corresponding set of Azure group membership rules to guarantee the desired (dynamic) membership between synced on-premise groups and corresponding Office 365 groups ... which seems curious to me.
Would it be a better approach to use features like „Group writeback“, that means, create and manage all groups as office365 groups in the cloud (once) and use this accounting in our on-premise AD?
But as I see here ...
... the group writeback feature only creates distribution lists (on-premise)?!?
Thanks a lot,
Michael
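Adam's suggestion of dynamic membership driven by an attribute that Azure AD Connect already syncs from on-premises AD, worked through as an added example that is not part of the thread. The group name "Teachers-Office365" is taken from Michael's post; the use of the `department` attribute, the AzureAD PowerShell module and the tenant licensing are assumptions.

```powershell
# Added example, not from the thread: one dynamic Microsoft 365 group whose
# membership follows an attribute that Azure AD Connect already syncs from
# on-premises AD, instead of a second hand-maintained copy of the group.
# Assumptions: the AzureAD PowerShell module is installed, the signed-in account
# may create groups, the tenant has Azure AD Premium P1 (required for dynamic
# membership), and on-premises AD sets department = "Teachers" on every teacher
# (department is part of the default AAD Connect attribute flow).

Connect-AzureAD

$displayName = "Teachers-Office365"   # name used in the thread
$rule        = '(user.department -eq "Teachers")'

# Preview: which synced users would the rule pick up right now?
$preview = Get-AzureADUser -All $true | Where-Object { $_.Department -eq "Teachers" }
Write-Host ("Rule would currently match {0} users" -f @($preview).Count)

# Create the group once; Azure AD keeps membership in sync from here on.
$group = New-AzureADMSGroup -DisplayName $displayName `
    -Description "Dynamic M365 group mirroring the on-premises 'Teachers' group" `
    -MailEnabled $true -MailNickname "teachers-office365" -SecurityEnabled $false `
    -GroupTypes @("Unified", "DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Verify the rule and processing state were stored as intended.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState

# Membership is evaluated asynchronously; re-run this after a few minutes.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName
```

A Team can then be created on top of this group rather than importing the synced security group's members once. Note that whoever can write `department` on-premises now effectively controls membership of the cloud group, so that attribute needs the same delegation controls and change auditing as group membership itself.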