SOLVED

Merge AD admin to AAD global admin

Copper Contributor

Dear people from cloud,

I'm doing a hybrid deployment, bringing AD & AAD together.

I have a few questions and am hoping someone can share some knowledge.

Merging AD to AAD using UPN is working perfectly for users; I can then use either ad@local.domain or email address removed for privacy reasons to log in to devices.

The problem I'm having is that whenever I'm merging AD admin accounts to AAD, changing the UPN in AD and then forcing a sync to happen using PowerShell (or even without a forced sync), it creates a new account in AAD for the AD admins or users in AD admin groups.

What is the best way? Or are there any standard practices I can follow?

Thanks in advance.

1 Reply
best response confirmed by mahipundir (Copper Contributor)
Solution
Lesson number 1: never sync administrator accounts from AD to AAD. That could allow cyber attackers to hop from on-premises to the cloud. (And believe me, it happens often.)

1. Create new cloud-only admin accounts for every administrator
2. Stop syncing the OU where the admins are located
3. Limit the privileges for admins and use Privileged Identity Management (think about your Identity Governance)
4. Create two break-the-glass accounts for emergency purposes
5. Enable MFA for ALL admins except the break-the-glass accounts
6. Create a policy that blocks sign-in on the two break-the-glass accounts except from trusted locations.

Good luck, and I hope this answers your question.
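The following is an added example (not posted in this thread, and not Microsoft's own script) showing how steps 1, 4, 5 and 6 of the answer above can be scripted with the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module). The tenant domain, account names, role list and trusted IP range are placeholders you would replace; the policies are created in report-only state first, which is a design choice of this example, not something the answer states. Step 2 (excluding the admin OU) is configured in the Azure AD Connect wizard under domain/OU filtering and step 3 (PIM eligibility) is not shown.

```powershell
# Added example: cloud-only admins, break-glass accounts and the two Conditional Access
# policies from the answer, using Microsoft Graph PowerShell. Run as an existing Global
# Administrator. Every name, the domain and the CIDR below are placeholders.

Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

$tenantDomain = "contoso.onmicrosoft.com"   # placeholder: your tenant's cloud domain
$trustedCidr  = "203.0.113.0/24"            # placeholder: office egress range (RFC 5737 doc range)

function New-RandomPassword {
    # 32 chars from 0-9, A-Z, a-z. Break-glass values must be stored offline (sealed envelope / vault).
    -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
}

function New-CloudOnlyAccount {
    param([string]$Alias, [string]$DisplayName, [bool]$ForceChange = $true)
    # No on-premises immutable ID is set, so Azure AD Connect never matches or overwrites this object.
    New-MgUser -DisplayName $DisplayName `
               -UserPrincipalName "$Alias@$tenantDomain" `
               -MailNickname $Alias `
               -AccountEnabled `
               -PasswordProfile @{ Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $ForceChange }
}

function Add-GlobalAdminMember {
    param([string]$UserId)
    # Activate the Global Administrator role if this tenant has never used it, then add the member.
    $tpl  = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Global Administrator"
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($tpl.Id)'"
    if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $tpl.Id }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId" }
}

# Step 1: a separate cloud-only admin identity per administrator (placeholder person).
# Give it a least-privileged role through PIM eligibility rather than standing Global Admin (not shown).
$admin1 = New-CloudOnlyAccount -Alias "adm-jsmith" -DisplayName "J. Smith (cloud admin)"

# Step 4: two break-glass accounts with standing Global Administrator and no forced password change,
# so they work immediately in an emergency.
$bg1 = New-CloudOnlyAccount -Alias "breakglass-01" -DisplayName "Break Glass 01" -ForceChange $false
$bg2 = New-CloudOnlyAccount -Alias "breakglass-02" -DisplayName "Break Glass 02" -ForceChange $false
Add-GlobalAdminMember -UserId $bg1.Id
Add-GlobalAdminMember -UserId $bg2.Id

# Step 5: require MFA for holders of the listed admin roles (assumed list; extend to taste),
# excluding only the two break-glass accounts.
$adminRoleNames = @("Global Administrator", "Privileged Role Administrator", "Security Administrator",
                    "Exchange Administrator", "SharePoint Administrator", "User Administrator",
                    "Conditional Access Administrator", "Authentication Administrator")
$adminRoleIds = Get-MgDirectoryRoleTemplate |
                Where-Object { $adminRoleNames -contains $_.DisplayName } |
                Select-Object -ExpandProperty Id

$mfaPolicy = @{
    DisplayName   = "CA001 - Require MFA for admin roles"
    State         = "enabledForReportingButNotEnforced"   # flip to "enabled" after checking sign-in logs
    Conditions    = @{
        Users        = @{ IncludeRoles = @($adminRoleIds); ExcludeUsers = @($bg1.Id, $bg2.Id) }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Step 6: a trusted named location, then block the break-glass accounts everywhere else.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    DisplayName   = "Trusted office egress"
    IsTrusted     = $true
    IpRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; CidrAddress = $trustedCidr })
}

$bgPolicy = @{
    DisplayName   = "CA002 - Block break-glass sign-in outside trusted locations"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users        = @{ IncludeUsers = @($bg1.Id, $bg2.Id) }
        Applications = @{ IncludeApplications = @("All") }
        Locations    = @{ IncludeLocations = @("All"); ExcludeLocations = @($location.Id) }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $bgPolicy
```

Two things worth checking after running something like this: confirm in the Conditional Access sign-in logs that the break-glass accounts are excluded from CA001 (a policy that accidentally covers them is the classic way to lock yourself out), and alert on every sign-in by `breakglass-01`/`breakglass-02`, since any use of those accounts outside a declared emergency should be investigated.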