Hybrid scenario: AD or AAD for security group creation?


Hi all,

so we have a hybrid situation (AAD) and i'm trying to test out Conditional Access policies.

What i've done so far is create a security group in our on-prem AD called CA-testpolicy and added various users to it.

However, we have some O365 (cloud) created user accounts that are obviously NOT in our on-prem AD which i need to add to this policy too.

But if i go into AAD and add them to the CA-testpolicy, then the next time directory synchronisation occurs they disappear because (i'm assuming) AD is the master and these cloud users aren't in AD so they get deleted.

With me so far?

So.....is it best practice to create this CA-testpolicy group from scratch in AAD (and delete it from AD) so that i can add users from either Office365 (cloud) or on-prem AD? I'm not bothered if this group doesn't "write-back" onto AD

I'm still learning about Conditional Access and the learning curve is steep.......so please be gentle! :)


All advice greatly appreciated.

1 Reply
The "best" thing you can do is create an AAD group. You can add both synced and cloud users to that group.

Hope that helps.