Forum Discussion

mahipundir's avatar
mahipundir
Copper Contributor
Aug 12, 2022

Merge AD admin to AAD global admin

Dear people from cloud, 

 

I'm doing a hybrid deployment, bringing AD & AAD together 

Have few questions and hoping if someone can share some knowledge.  

 

Merging AD to AAD using UPN which is working prefect for users, I can then use either ad@local.domain or email address removed for privacy reasons to login to devices. 

 

Problem I'm having is whenever I'm merging AD admin accounts to AAD changing UPN in AD and then forcing sync to happen using powershell or even without force syn it creates new account in AAD for the AD admins or users in AD admin groups. 

What is the best way.? or are there any standard practices I can follow.?

Thanks in advance. 

 

  • Lesson number 1, never sync administrator accounts from AD to AAD. That could allow cyber attackers to hop from one on-premise to the cloud. (And believe me, it happens often)


    1. Create new Cloud-only admin accounts for every administrator
    2. Stop synching the OU where the admins are located
    3. Limit the privileges for admins and use Privileged Identity management (think about your Identity Governance)
    4. Create two break-the-glass accounts for emergency purposes
    5. Enable MFA for ALL admins except the break-the-glass accounts
    6. Create a policy that blocks sign-in on the two break-the-glass accounts except from trusted locations.

    Good luck, and I hope this answers your question.
  • BilalelHadd's avatar
    BilalelHadd
    Iron Contributor
    Lesson number 1, never sync administrator accounts from AD to AAD. That could allow cyber attackers to hop from one on-premise to the cloud. (And believe me, it happens often)


    1. Create new Cloud-only admin accounts for every administrator
    2. Stop synching the OU where the admins are located
    3. Limit the privileges for admins and use Privileged Identity management (think about your Identity Governance)
    4. Create two break-the-glass accounts for emergency purposes
    5. Enable MFA for ALL admins except the break-the-glass accounts
    6. Create a policy that blocks sign-in on the two break-the-glass accounts except from trusted locations.

    Good luck, and I hope this answers your question.

Share