"Number four?" <spoken in the deli counter attendant's dead-pan voice>
For a loooong time, you and I have been waiting for the ability to sync ‘cloud-born-and-managed’ security groups (and their memberships) back into on-premises AD. This takes us further on our journey of moving "the management plane" from on-prem AD to the cloud, and gives you the ability to create and manage groups in the cloud that control resource access in Active Directory.
BLINKING CAUTION LIGHT:
Okay, now that I've gotten your attention, here are some details:
NOTE: The security groups from the cloud are written back/created in AD as Universal Security Groups
NOTE: Cloud-only users who are members of the cloud group won't be back-sync'd into AD; this won't create new AD users
To Retrofit ... or not?
If you're like me, I bet you're asking/wondering if an existing on-prem group can be transitioned to cloud-managed. The answer (for now, at least) is "No."
So, you may need to do some work in the on-prem environment to use the 'new' back-sync'd groups instead of existing on-prem AD groups.
If you name the new cloud groups to match your existing on-prem AD group naming standard, they will be easier to find in the various AD object picker and permissions UIs. You can then add the new group to the ACL for the resource alongside the old one and, once you have confirmed access still works through the new group, remove the old one. The same naming standard also helps if you go down the route of scripting the group replacement.
Another idea I had - but have not tested yet - would be to simply 'nest' the new back-sync'd group into the existing AD group that provides access to a given on-prem resource. It probably would work but we all know group nesting can sometimes be "an adventure."
STILL-BLINKING CAUTION LIGHT: Re-read the cautions at the top of this post. I love to reminisce about IT horror stories but don't be 'the star' of a new one here. FYI, members added manually in AD to a back-sync'd group are removed on the next sync. There is also a non-default option whereby the back-sync'd group in AD is deleted if you disable write-back for the source group in the cloud (that may be what you want, but it can be a painful surprise).
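As an added example (this is not code from the original post), here is PowerShell that implements the two approaches above: the phased ACL replacement on a file share (add the new group now, remove the old one later) and the nesting idea, with the checks a practitioner would want before touching production: that the replacement group really is the Universal Security group writeback creates, that the existing group's scope can hold a Universal group at all (a Global group cannot), and that nesting goes in the direction the sync will not undo. Group names and paths are placeholders; the script assumes the RSAT ActiveDirectory module and that both groups live in the caller's domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT) and rights to read/write the ACLs involved. Group names and paths are
# placeholders; both groups are assumed to be in the caller's own domain.
Import-Module ActiveDirectory

function Test-WritebackGroup {
    # Sanity check before touching any ACL: the replacement must exist and be
    # the Universal Security group that group writeback creates in AD.
    param([Parameter(Mandatory)][string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName
    if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -ne 'Universal') {
        throw "$GroupName is $($g.GroupCategory)/$($g.GroupScope), not a Universal Security group"
    }
    return $g
}

function Copy-AccessFromGroup {
    # Phase 1 of "add the new group, remove the old one later": for every explicit
    # (non-inherited) ACE on $Path that names $OldGroup, add an identical ACE for
    # $NewGroup. Run again with -RemoveOld for phase 2 once access is confirmed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OldGroup,
        [Parameter(Mandatory)][string]$NewGroup,
        [switch]$RemoveOld
    )
    $null   = Test-WritebackGroup -GroupName $NewGroup
    $nb     = (Get-ADDomain).NetBIOSName          # ACEs show up as DOMAIN\Group
    $oldRef = "$nb\$OldGroup"
    $newRef = "$nb\$NewGroup"

    $acl = Get-Acl -Path $Path
    $oldAces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $oldRef })
    if ($oldAces.Count -eq 0) {
        Write-Verbose "No explicit ACE for $oldRef on $Path (inherited ACEs are fixed at the parent)"
        return
    }

    foreach ($ace in $oldAces) {
        # Same rights, inheritance and allow/deny type, new identity.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $newRef, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)
        if ($RemoveOld) { $acl.RemoveAccessRuleSpecific($ace) }
    }
    if ($PSCmdlet.ShouldProcess($Path, "grant $newRef like $oldRef (remove old: $RemoveOld)")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Add-WritebackGroupToExistingGroup {
    # The nesting idea: make the new back-sync'd group a member of the existing
    # AD group that already sits on the resource ACLs. Two things make this
    # "an adventure":
    #  1. A Universal group cannot be a member of a Global group, so this only
    #     works when the existing group is Domain Local or Universal.
    #  2. Nest in this direction only. Adding the old group INTO the back-sync'd
    #     group is a manual AD edit to a synced membership and is undone on the
    #     next sync.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ExistingGroup,
        [Parameter(Mandatory)][string]$NewGroup
    )
    $new = Test-WritebackGroup -GroupName $NewGroup
    $old = Get-ADGroup -Identity $ExistingGroup
    if ($old.GroupScope -eq 'Global') {
        throw "$ExistingGroup is Global and cannot contain Universal group $NewGroup; " +
              "convert it first (Set-ADGroup -GroupScope Universal) or use Copy-AccessFromGroup"
    }
    if ($PSCmdlet.ShouldProcess($ExistingGroup, "add member $NewGroup")) {
        Add-ADGroupMember -Identity $old -Members $new
    }
}

# Placeholder usage. Always dry-run with -WhatIf first, then run for real.
Copy-AccessFromGroup -Path 'D:\Shares\Finance' -OldGroup 'FIN-Share-RW' -NewGroup 'FIN-Share-RW-Cloud' -WhatIf
# Copy-AccessFromGroup -Path 'D:\Shares\Finance' -OldGroup 'FIN-Share-RW' -NewGroup 'FIN-Share-RW-Cloud' -Verbose
# Copy-AccessFromGroup -Path 'D:\Shares\Finance' -OldGroup 'FIN-Share-RW' -NewGroup 'FIN-Share-RW-Cloud' -RemoveOld
Add-WritebackGroupToExistingGroup -ExistingGroup 'FIN-Share-RW' -NewGroup 'FIN-Share-RW-Cloud' -WhatIf
```

Only explicit ACEs are copied; inherited ones come from the parent folder, so run the function against the top of the tree where the old group was actually granted. The Global-scope check is the part most likely to bite: many legacy resource groups are Global, and a Universal back-sync'd group simply cannot be nested into one, which is the point where the ACL-replacement path becomes the only option short of changing the old group's scope.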
For more information:
A series recap (so far):
Cheerio!
Hilde