May 26 2024 11:17 AM
Question!
Today, in my environment, our Active Directories are synchronized with Azure. Therefore, what we change in Active Directory is reflected in Azure, but what is changed in Azure is not reflected in Active Directory.
I would like to know if it is possible to enable this reverse synchronization and if there is any risk or problem in doing so.
May 26 2024 06:03 PM
May 26 2024 09:53 PM
Hi, @Rafa0312.
If you are currently using Azure AD Connect to perform the synchronisation from Active Directory to Azure Active Directory, then the answer to your question is no, you cannot synchronise changes from Azure Active Directory to Active Directory (for managed attributes, and excluding the handful of by-design write-back attributes).
Azure AD Connect is exclusively designed to support only a unidirectional sync from on-premise Active Directory (it can support multiple source directories) to a single Azure AD tenant.
Generally, where an account has been synchronised in this manner, you cannot make changes on the Azure AD copy of the account to any managed attributes. There are some arcane exceptions called "shadow attributes", such as "mobile" (the Active Directory attribute for storing a person's mobile phone number).
For unmanaged attributes, you can set up inbound synchronisation, but doing so requires an understanding of how to responsibly work with the underlying Microsoft Identity Manager engine (specifically, extending the object type schema in the metaverse and then constructing the inbound attribute flows). This is not something you should attempt as an experiment.
Even if you do get a handful of unmanaged attributes to work using this approach, you're still stuck with not being able to touch the managed attributes, and those are the overwhelming majority.
To get a full, two-way sync going between Active Directory and Azure Active Directory for all attributes, you'd have to implement something bespoke using a fully-blown IDM platform like Microsoft Identity Manager, SailPoint, etc. You'd also have to no longer be running Azure AD Connect.
Cheers,
Lain