AD group not fully synching Online


We have been setting up SharePoint Online for a few months now, and typically what we have been doing for ease of supporting going forward is setting up local AD Groups and giving those AD groups permissions within the SharePoint sites.

 

However, with a recent AD group, looking on the Admin side of things it appears the AD group that is synced from on-prem to online is only getting some of the members synced over. Ideas on what might be keeping everyone from moving over? I wasn't involved in the sync setup, but if there is anything I can look at, or point out to the AD admins, it would be helpful.

Are all the members of that group also synced to Azure AD?

Yes, those members are, and I can add them to the SharePoint site directly. It is just within the AD groups they are in, they seem to be dropped or not synced over.

Your issue is with the primary group of the users, because Azure AD Connect doesn't support synchronizing Primary Group memberships to Azure AD. Refer to the article below to change the primary group of the users that are not synchronizing as members of the group:

 

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-user-a...

 

It's recommended to change the primary group to Domain Users.

 


I'm not sure that's the issue. I compared a user that was working with one that was not. They both have the same Primary Group of 'Domain Users'.

 

@SpiShane let me share with you the considerations of Azure AD Connect when it comes to group syncing.

 

Important points to be aware of when synchronizing groups from Active Directory to Azure AD:

  • Azure AD Connect excludes built-in security groups from directory synchronization.

  • Azure AD Connect doesn't support synchronizing Primary Group memberships to Azure AD.

  • Azure AD Connect doesn't support synchronizing Dynamic Distribution Group memberships to Azure AD.

  • To synchronize an Active Directory group to Azure AD as a mail-enabled group:

    • If the group's proxyAddress attribute is empty, its mail attribute must have a value

    • If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address value. Here are some examples:

      • An Active Directory group whose proxyAddress attribute has value {"X500:/0=contoso.com/ou=users/cn=testgroup"} won't be mail-enabled in Azure AD. It doesn't have an SMTP address.

      • An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup","SMTP:email address removed for privacy reasons"} will be mail-enabled in Azure AD.

      • An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup", "smtp:email address removed for privacy reasons"} will also be mail-enabled in Azure AD.
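The points in the reply above can be checked directly against the on-prem group before anyone starts comparing users by hand. The script below is an added example, not code from the original thread or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined admin host and, for the optional cloud comparison, the Microsoft.Graph.Groups module with an existing Connect-MgGraph session holding GroupMember.Read.All; it also assumes the on-prem userPrincipalName matches the cloud UPN, and the group name 'SP-Finance-Contributors' is a placeholder. It reads the group's `member` attribute (the only membership the sync engine sees), separately lists users whose primaryGroupID points at the group (visible in ADUC, never synced), flags the group-level exclusions named above (built-in groups via isCriticalSystemObject, and the default rules' adminDescription filter), evaluates the mail-enablement rules, and optionally diffs the on-prem UPNs against the cloud group's members.

```powershell
# Added diagnostic example; not from the original thread or from Microsoft.
# Assumptions: RSAT ActiveDirectory module; for -CompareWithCloud, Microsoft.Graph.Groups
# with a Connect-MgGraph session (GroupMember.Read.All) and on-prem UPN == cloud UPN.
# 'SP-Finance-Contributors' is a placeholder group name.
Import-Module ActiveDirectory

function Get-GroupSyncDiagnostics {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $CompareWithCloud
    )

    $props = 'member', 'primaryGroupToken', 'mail', 'proxyAddresses',
             'isCriticalSystemObject', 'adminDescription', 'groupType'
    $group = Get-ADGroup -Identity $GroupName -Properties $props

    # (a) What Azure AD Connect reads: the group's own 'member' attribute (DNs).
    $memberDNs = @($group.member)

    # (b) What ADUC also shows but 'member' does not hold: users whose primaryGroupID
    #     equals this group's RID. These memberships are never synchronized.
    $primaryOnly = @(Get-ADUser -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" `
                                -Properties userPrincipalName)

    # (c) Reasons the whole group object is dropped by the default sync rules.
    $groupIssues = @()
    if ($group.isCriticalSystemObject) {
        $groupIssues += 'Built-in group (isCriticalSystemObject=TRUE): excluded from sync.'
    }
    if ($group.adminDescription -like 'Group_*') {
        $groupIssues += 'adminDescription starts with "Group_": filtered by the default group rule.'
    }

    # (d) Mail-enablement rules: empty proxyAddresses -> mail must be set;
    #     otherwise at least one smtp:/SMTP: entry is required (-like is case-insensitive).
    $proxies = @($group.proxyAddresses)
    if ($proxies.Count -eq 0) {
        $mailEnabled = -not [string]::IsNullOrEmpty($group.mail)
    } else {
        $mailEnabled = [bool]($proxies | Where-Object { $_ -like 'smtp:*' })
    }

    $result = [ordered]@{
        Group              = $group.DistinguishedName
        MembersInAttribute = $memberDNs.Count
        PrimaryGroupOnly   = @($primaryOnly | ForEach-Object { $_.userPrincipalName })
        GroupLevelIssues   = $groupIssues
        WillBeMailEnabled  = $mailEnabled
    }

    if ($CompareWithCloud) {
        $cloud = Get-MgGroup -Filter "displayName eq '$($group.Name)'"
        if (-not $cloud) {
            $result.CloudGroup = 'not found in Azure AD'
            return [pscustomobject]$result
        }
        $cloudUpns = @(Get-MgGroupMember -GroupId $cloud.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
        # Direct user members only; nested groups and computers have no UPN and are skipped.
        $onpremUpns = @($memberDNs | ForEach-Object {
            (Get-ADObject -Identity $_ -Properties userPrincipalName).userPrincipalName
        } | Where-Object { $_ })
        # Present in on-prem 'member' but absent in the cloud: these need a per-user look
        # (OU filtering, adminDescription 'User_*', sync errors). Primary-group-only users
        # are expected to be absent and are reported separately above.
        $result.MissingInCloud = @($onpremUpns | Where-Object { $_ -notin $cloudUpns })
    }
    [pscustomobject]$result
}

Get-GroupSyncDiagnostics -GroupName 'SP-Finance-Contributors' -CompareWithCloud | Format-List
```

A user listed under PrimaryGroupOnly is the case the second reply describes: change their primary group to Domain Users so the membership moves into `member`, then wait for the next sync cycle. A user under MissingInCloud but not under PrimaryGroupOnly is the case the original poster hit, where the primary group is already Domain Users; for those, the next place to look is the Azure AD Connect scope (OU filtering and attribute-based filtering on the user object) and the sync error list on the Azure AD Connect server, which this script does not inspect.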