Mar 23 2023 12:58 PM
We have been setting up SharePoint Online for a few months now, and typically what we have been doing, for ease of supporting going forward, is setting up local AD groups and giving those AD groups permissions within the SharePoint sites.
However, with a recent AD group, looking on the admin side of things, it appears the AD group that is synched from on-prem to online is only getting some of the members synched over. Ideas on what might be keeping everyone from moving over? I wasn't involved in the synch setup, but if there is anything I can look at or point out to the AD admins, it would be helpful.
Mar 23 2023 01:34 PM
Your issue is with the primary group of the users, because Azure AD Connect doesn't support synchronizing Primary Group memberships to Azure AD. Refer to the below article to change the primary group of the users that are not synchronizing as members with the group.
It's recommended to change the primary group to Domain Users.
Mar 23 2023 01:46 PM
I'm not sure that's the issue. I compared a user that was working, with one that was not. They both have the same Primary Group of 'Domain Users'.
Mar 23 2023 01:49 PM
@SpiShane, let me share with you the considerations of Azure AD Connect when it comes to group syncing.
Important points to be aware of when synchronizing groups from Active Directory to Azure AD:
- Azure AD Connect excludes built-in security groups from directory synchronization.
- Azure AD Connect doesn't support synchronizing Primary Group memberships to Azure AD.
- Azure AD Connect doesn't support synchronizing Dynamic Distribution Group memberships to Azure AD.
- To synchronize an Active Directory group to Azure AD as a mail-enabled group:
  - If the group's proxyAddress attribute is empty, its mail attribute must have a value.
  - If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address value. Here are some examples:
    - An Active Directory group whose proxyAddress attribute has value {"X500:/0=contoso.com/ou=users/cn=testgroup"} won't be mail-enabled in Azure AD. It doesn't have an SMTP address.
    - An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup","SMTP:email address removed for privacy reasons"} will be mail-enabled in Azure AD.
    - An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup", "smtp:email address removed for privacy reasons"} will also be mail-enabled in Azure AD.
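
The primary-group and mail-enabled rules listed in the reply above can be checked per group. The following is an added example, not code from any post in this thread. The group name, user DNs and the RID 1605 are constructed sample values, and the function names are hypothetical.

```powershell
# Added example. Group and user objects below are constructed sample data.
# In a domain the same properties come from the ActiveDirectory module:
#   Get-ADGroup <name> -Properties member, mail, proxyAddresses, primaryGroupToken
#   Get-ADUser -Filter * -Properties primaryGroupID

function Test-MailEnabledInAzureAD {
    param([string]$Mail, [string[]]$ProxyAddresses)
    $proxies = @($ProxyAddresses | Where-Object { $_ })
    # Empty proxy list: the mail attribute must have a value.
    if ($proxies.Count -eq 0) { return [bool]$Mail }
    # Non-empty list: at least one SMTP entry is required. -like ignores case,
    # so both "SMTP:" and "smtp:" count; an X500-only list fails.
    return [bool]($proxies | Where-Object { $_ -like 'smtp:*' })
}

function Get-PrimaryGroupOnlyMember {
    param($Group, $Users)
    # Primary-group membership is stored on the user (primaryGroupID equals the
    # group's primaryGroupToken), not in the group's member attribute.
    $Users | Where-Object {
        $_.primaryGroupID -eq $Group.primaryGroupToken -and
        $Group.member -notcontains $_.DistinguishedName
    }
}

# Constructed sample data (hypothetical names; 513 is the Domain Users RID).
$group = [pscustomobject]@{
    Name = 'SP-Site-Members'; primaryGroupToken = 1605; mail = $null
    proxyAddresses = @('X500:/0=contoso.com/ou=users/cn=testgroup')
    member = @('CN=Alice,OU=Users,DC=contoso,DC=com')
}
$users = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Users,DC=contoso,DC=com'; primaryGroupID = 513 }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Users,DC=contoso,DC=com'; primaryGroupID = 1605 }
)

# Report: is the group mail-enabled, and who belongs only via primary group?
$flagged = @(Get-PrimaryGroupOnlyMember -Group $group -Users $users)
[pscustomobject]@{
    Group                      = $group.Name
    MailEnabledInAzureAD       = Test-MailEnabledInAzureAD -Mail $group.mail -ProxyAddresses $group.proxyAddresses
    MembersViaPrimaryGroupOnly = $flagged.DistinguishedName -join '; '
}
```

Users reported under MembersViaPrimaryGroupOnly are the ones the primary-group limitation applies to; users missing from the cloud group for other reasons will not appear there.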