Migrating Security Groups from on prem AD to Azure AD - Best Practices

ahmed mohammed 1 Reputation point
2022-01-06T02:22:30.317+00:00

I'm looking to understand how we can identify and then manage migrating on-prem AD security groups to Azure AD. There are two particular processes whose how-tos I'm trying to understand:
1) How do I remediate this migration process for users, i.e. is it as simple as deleting old groups created on-prem and synced to the cloud and then creating a new cloud-only group in Azure? This process needs to minimize disruption to users of resources.
2) What is the best way to identify the attributes that AD Connect uses to determine whether an on-prem AD security group should be synced to the cloud or not?

Tags: Microsoft Graph, Active Directory, Microsoft Entra ID

2 answers

  1. risolis 8,701 Reputation points
    2022-01-06T05:03:20.11+00:00

  2. Limitless Technology 39,391 Reputation points
    2022-01-10T08:53:17.49+00:00

    Hello Ahmedmohammed,

    Thank you for your question and for reaching out.

    I can understand you are having some queries regarding Azure AD.

    Ans1: Groups. Important points to be aware of when synchronizing groups from Active Directory to Azure AD:

    Azure AD Connect excludes built-in security groups from directory synchronization.
    Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.
    Azure AD Connect does not support synchronizing Dynamic Distribution Group memberships to Azure AD.

    Ans2: Best way to identify the attributes

    The default and recommended approach is to keep the default attributes so that a full GAL (Global Address List) can be constructed in the cloud and all features in Microsoft 365 workloads are available. In some cases there are attributes that your organization does not want synchronized to the cloud because they contain sensitive personal data, as in this example: smart card or PIN numbers.

    You can use the cloud sync feature of Azure Active Directory (Azure AD) Connect to map attributes between your on-premises user or group objects and the objects in Azure AD. This capability has been added to the cloud sync configuration.

    https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-attribute-mapping

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

    https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

    --If the reply is helpful, please Upvote and Accept as answer--
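As an added example (not code from the original post, from Microsoft, or from either answerer), the PowerShell script below turns the exclusions listed in Ans1 into an inventory: it walks every on-prem security group, applies my reconstruction of the out-of-box Azure AD Connect group scoping conditions (isCriticalSystemObject, the `adminDescription` "Group_" opt-out prefix, the 50,000-member limit, and the connector's OU filter), counts members that exist only through primaryGroupID and therefore will never appear in the cloud copy, lists Exchange dynamic distribution groups, and optionally cross-checks the prediction against what actually exists in Entra ID through Microsoft Graph. The domain name `corp.example`, the OU list, and the exact scoping conditions are assumptions; confirm the real rules with `Get-ADSyncRule` and the real OU filter with `Get-ADSyncConnector` on your Connect server. It needs the ActiveDirectory RSAT module and, for the comparison, the Microsoft.Graph module with Group.Read.All.

```powershell
# Added example, not from the original Q&A. Run from a domain-joined host with the
# ActiveDirectory RSAT module; the Graph part needs Microsoft.Graph and Group.Read.All.
Import-Module ActiveDirectory

# ASSUMPTION: the OUs in your Azure AD Connect container inclusion list. On the Connect
# server you can read the real list with
#   (Get-ADSyncConnector -Name 'corp.example').Partitions.ConnectorPartitionScope.ContainerInclusionList
# and the group scoping rules themselves with
#   Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Name -like '*Group*' } |
#       Select-Object Name, Precedence, ScopeFilter
$SyncedOUs  = @('OU=Groups,DC=corp,DC=example', 'OU=Staff,DC=corp,DC=example')
$MaxMembers = 50000   # out-of-box rule: larger groups are not synchronised (assumed; verify)

function Test-GroupSyncScope {
    # Reconstruction of the default "In from AD - Group" scoping conditions (assumed; verify).
    param([Parameter(Mandatory)]$Group)
    $reasons = @()
    # Built-in groups (Domain Admins, Administrators, ...) carry isCriticalSystemObject=TRUE.
    if ($Group.isCriticalSystemObject -eq $true) { $reasons += 'isCriticalSystemObject' }
    # adminDescription starting with "Group_" is the documented per-object opt-out.
    if ($Group.adminDescription -like 'Group_*') { $reasons += 'adminDescription Group_*' }
    if (@($Group.member).Count -gt $MaxMembers) { $reasons += "more than $MaxMembers members" }
    # Objects outside the connector's OU filter never reach the metaverse at all.
    $inScope = $false
    foreach ($ou in $SyncedOUs) { if ($Group.DistinguishedName -like "*,$ou") { $inScope = $true } }
    if (-not $inScope) { $reasons += 'outside OU filter' }
    # Primary-group membership lives in the user's primaryGroupID, not in the group's member
    # attribute, so Connect never sees it. Count the users affected for this group.
    $rid = $Group.SID.Value.Split('-')[-1]
    $primaryOnly = @(Get-ADUser -LDAPFilter "(primaryGroupID=$rid)").Count
    [pscustomobject]@{
        Name             = $Group.SamAccountName
        Sid              = $Group.SID.Value
        Scope            = $Group.GroupScope
        WouldSync        = ($reasons.Count -eq 0)
        Reason           = ($reasons -join '; ')
        PrimaryGroupOnly = $primaryOnly   # members that will be missing from the cloud copy
    }
}

# Inventory every on-prem security group with the attributes the rules look at.
$report = Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
    -Properties isCriticalSystemObject, adminDescription, member |
    ForEach-Object { Test-GroupSyncScope -Group $_ }

$report | Where-Object { -not $_.WouldSync -or $_.PrimaryGroupOnly -gt 0 } |
    Format-Table Name, Scope, WouldSync, Reason, PrimaryGroupOnly -AutoSize

# Dynamic distribution groups are not group objects at all (objectClass
# msExchDynamicDistributionList, membership computed from a recipient filter), which is
# why Connect cannot sync their membership. List them so nobody expects them in the cloud.
Get-ADObject -LDAPFilter '(objectClass=msExchDynamicDistributionList)' -Properties mail |
    Select-Object Name, mail

function Compare-WithEntra {
    # Cross-check the prediction against what Connect actually produced. Synced groups in
    # Entra ID carry the on-prem objectSid in onPremisesSecurityIdentifier.
    param([Parameter(Mandatory)][object[]]$OnPremReport)
    Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null
    $cloudBySid = @{}
    Get-MgGroup -All -Property 'id,displayName,onPremisesSyncEnabled,onPremisesSecurityIdentifier' |
        Where-Object { $_.OnPremisesSyncEnabled } |
        ForEach-Object { $cloudBySid[$_.OnPremisesSecurityIdentifier] = $_ }
    foreach ($row in $OnPremReport) {
        $inCloud = $cloudBySid.ContainsKey($row.Sid)
        # A mismatch means a custom rule, a stale OU filter, or a sync error: investigate.
        if ($row.WouldSync -ne $inCloud) {
            [pscustomobject]@{ Name = $row.Name; Predicted = $row.WouldSync; InEntra = $inCloud; Reason = $row.Reason }
        }
    }
}

Compare-WithEntra -OnPremReport $report | Format-Table -AutoSize
```

Run the inventory before deleting or recreating anything. A group that reports WouldSync=True but is absent from Entra ID, or the reverse, tells you a custom sync rule or a filter you have not modelled is in play; the PrimaryGroupOnly column shows users (typically everyone, for Domain Users) who will not be members of the synced or cloud-only replacement unless you add them explicitly. The primaryGroupID lookup is one LDAP search per group, fine for hundreds of groups and worth batching for tens of thousands.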