Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Sync from Azure AD to local AD

Steel Contributor

Hi all

 

Hope everyone is well. Please can someone assist me with the following question. We are in the process of creating a new staff on-boarding solution in AAD. This solution will create the user account in AAD as well. Is there anyway to sync this user information back down to local AD? Is there perhaps a third party app we can look at??

 

Appreciate any advice...

10 Replies
Hi

There isn't any way to sync users back to AD from AAD natively.

I don't know of any third party products.
You could try to script this.

But why are you creating the users in AAD in the first place?

@Thijs Lecomte 

 

Because AAD is the way forward and leading identity management platform in all our current projects. Furthermore is it super easy to build a PowerApp for the customers so that HR can create new staff and have them land in the right teams with access to the right resources. #Its2019 :)

Sure, I am a big advocate of AAD. But if you are going that route, you should really go full-cloud and don't add your users to a local AD anymore.

Just do a full AAD join and publish all your apps through App Proxies.

@Thijs Lecomte 

 

We are on the same page. That is what we are trying to do. But we still struggle with getting that scenario seamless AND passwordless. See my other post on getting SSO with on premises apps:

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-AD-Azure-Active-Directory-Domain...

 

So simple concept, apparently so hard to do...

Perfectly said..

@Thijs Lecomte 

 

Hi Thijs and thank you replying. Problem is we still have some legacy applications on-prem that requires a local AD account.

Hi @Emanuel van der Aalst 

 

Thanks the replies. Will take a look at that link you posted.

 

I believe UnitySync can do this - https://www.dirwiz.com/unitysync/

 

Tool looks great, be aware that this tool will not be able to sync passwords.

Can you configure the legacy applications with Azure AD applications?

@Thijs Lecomte if you still need on-AD then you need to author all your accounts in AD, you should not have a JML creating some users in AD and some in AAD...

Hi there,

 

Until there's native account write-back in AAD I would strongly recommend following AD>AAD.

 

I have some scripts to backport AAD accounts to AD if you would like them. I have them in a blog post on www.wave16.com, however you cannot fix the password issue and there's also the fact this isn't an ideal scenario.