Microsoft Tech Community

On-prem AD account creation in a Hybrid Environment


We have a hybrid environment: our AD server is synced to Azure AD using the Azure connector, and we have OUs for each branch.

Is there any way we can connect to the on-prem AD server to create a user so that it is added directly on-prem, and then, after sync, appears in Azure AD?

5 Replies
Not sure what the question is here?

You can specify filter settings with AAD Connect. Every user will be synced to AAD.
You need to create the user in AD first before it syncs to AAD

@Thijs Lecomte Is there any connector for the AD server, like the SQL connector we have in PowerApps?

Actually, I am using a PowerApp for creating new user accounts. When creating users, they are added directly to my Azure AD; instead, I want the account to be created in the on-prem AD server, and then the dir sync will propagate the user to Azure. Hope this is clear for you. Or is an API a must?

@Syed Rabbani I am not sure about PowerApps. However, you can use a PowerShell script to create the user on-premises and then sync it to Azure AD. Look at the examples below for more info:

https://gallery.technet.microsoft.com/office/Onboarding-New-Users-in-an-706f5efd#content

https://www.itpromentor.com/bulk-hybrid-user/

@Syed Rabbani 

I think for your case, you need to look into Azure Automation and Hybrid Workers

https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

Hi @Syed Rabbani,

I assume you are aware that the synchronization between on-prem AD (source) and Azure AD (target) using AAD Connect is (predominantly) a one-way sync. You still have a possibility to create identities directly in AAD (Portal, PowerShell, API), but these are "cloud-only", and they won't show up in your on-prem AD.

Most enterprises have some 'Identity and Access Management' system on-prem, where typically an HR system is a source of user information and the IAM system is creating respective user accounts (and groups) in AD, which in turn is synced to AAD (should you choose to configure it this way).

If your question was about creating those "source" identities in AD, then apart from some integration with another source system (as I mentioned above) you have traditional options like MMC console, and Active Directory PowerShell.

You could use Azure Automation with a Hybrid Runbook Worker and have a runbook in place that would (provided it has appropriate rights in your AD) create new accounts in AD (and AADC would sync them afterwards to AAD), but the remaining question is: what would be the data source for such automation? The runbook would need some input about user properties that you would need to provide.

How are you planning to handle this part?
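The two suggestions in this thread (create the user on-prem with Active Directory PowerShell, and run that logic as an Azure Automation runbook on a Hybrid Runbook Worker) amount to the same script. The following is an added example written for this page, not code from any of the replies above or from Microsoft's documentation. It takes the user properties as runbook parameters, which is the "data source" the last reply asks about, creates the account in the matching branch OU, and then asks the AAD Connect server for a delta sync. The domain `contoso.local`, the OU layout `OU=<Branch>,OU=Branches,DC=contoso,DC=local`, the UPN suffix `contoso.com` and the server name `AADCONNECT01` are placeholders, not values from the thread.

```powershell
# Added example: create a user in a branch OU on-prem, then trigger an AAD Connect delta sync.
# Run on a domain-joined Hybrid Runbook Worker (or any host with RSAT) under an account that
# has only delegated "create user objects" rights on the branch OUs, and remoting rights to
# the AAD Connect server. All names below are assumptions/placeholders.
param(
    [Parameter(Mandatory)] [string] $GivenName,
    [Parameter(Mandatory)] [string] $Surname,
    [Parameter(Mandatory)] [string] $Branch,       # must match an existing branch OU name
    [Parameter(Mandatory)] [string] $Department,
    [string] $UpnSuffix      = 'contoso.com',                      # assumption: domain verified in Azure AD
    [string] $BranchRoot     = 'OU=Branches,DC=contoso,DC=local',  # assumption: parent OU of branch OUs
    [string] $AadConnectHost = 'AADCONNECT01'                      # assumption: AAD Connect server
)

Import-Module ActiveDirectory -ErrorAction Stop

# Derive a predictable logon name and reject anything that is not a plain identifier,
# so input from the data source (HR feed, PowerApp form) cannot alter the LDAP path
# or produce an unexpected account name.
$sam = ('{0}{1}' -f $GivenName.Substring(0, 1), $Surname).ToLower() -replace '[^a-z0-9]', ''
if ($sam.Length -lt 2 -or $sam.Length -gt 20) { throw "Derived sAMAccountName '$sam' is invalid" }
if ($Branch -notmatch '^[A-Za-z0-9 -]+$') { throw "Branch '$Branch' contains unexpected characters" }

# The target OU must already exist; the script never creates OUs.
$ouPath = "OU=$Branch,$BranchRoot"
try { $null = Get-ADOrganizationalUnit -Identity $ouPath }
catch { throw "Branch OU '$ouPath' was not found" }

# Idempotency: never create a duplicate or clobber an existing account.
if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "Account '$sam' already exists" }

# Random initial password from a CSPRNG; the user must change it at first logon.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# The UPN suffix must be a domain verified in Azure AD, otherwise AAD Connect
# falls back to the tenant's onmicrosoft.com suffix for the synced account.
$upn = "$sam@$UpnSuffix"

New-ADUser -Name "$GivenName $Surname" `
    -GivenName $GivenName -Surname $Surname `
    -SamAccountName $sam -UserPrincipalName $upn `
    -Department $Department -Path $ouPath `
    -AccountPassword $initialPassword -ChangePasswordAtLogon $true `
    -Enabled $true

# Request a delta sync so the account shows up in Azure AD now instead of at the next
# scheduled cycle (30 minutes by default). The ADSync module only exists on the AAD Connect server.
Invoke-Command -ComputerName $AadConnectHost -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Return what was created so the runbook job output records it.
Get-ADUser -Identity $sam -Properties Department |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName, Department
```

Run as a runbook on the Hybrid Runbook Worker, the four mandatory parameters are exactly what a PowerApps flow or an HR export would have to supply when it starts the job (for example through an Azure Automation webhook). Keep the runbook's Run As identity limited to create rights on the branch OUs and remoting to the AAD Connect host; it does not need domain-wide rights, and the random initial password should be delivered to the new user out of band rather than written to the job output.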