Users sync from Azure Ad to onpremise ad

Question

Users sync from Azure Ad to onpremise ad

HASSAN BIN NASIR DAR 391

Hi

I have 200 users which are created in Azure AD. I want to sync them to onpremise active directory.

Anybody can send me the steps how can we syned users from AZURE AD to On-premise AD?

Second question:

If users are synced from Onpremise to Azure Ad. After 2 days if onpremise AD goes to crashed. What will be in this case? Synced users which are already synced from onpremise to azure ad are still be available and active on Azure AD?

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-12T03:44:27.817+00:00

Hello @HASSAN BIN NASIR DAR

Thank you for reaching out. I am having this reviewed and would get back to you with a detailed explanation on each of your asks on the question above.
Limitless Technology 44,766 Reputation points

2022-10-12T09:46:36.42+00:00

Hello there,

You can use the Azure Active Directory Connect tool which will provide one-way synchronization from on-premise AD to Azure AD.

You can run the Azure AD Connect sync service on a VM or a computer hosted on-premises. Depending on the volatility of the information in your Active Directory directory, the load on the Azure AD Connect sync service is unlikely to be high after the initial synchronization with Azure AD.

More info here, Integrate on-premises Active Directory domains with Azure Active Directory https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad

---------------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–
Amit Singh 5,306 Reputation points

2022-10-13T02:55:20.66+00:00

Hi, so the process of Azure AD connect works only from on-premises to the cloud. So while it is capable of things like password writeback and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.

What you will need to do is as follows;

1). Ideally, install an Exchange on-premises management server to manage attributes as the authority source will be on-premises AD. In addition, you can get a free Exchange 2016 hybrid license key if your users have Office 365 Enterprise licenses.

2). Setup your on-premises AD objects with the same UPN and SMTP addresses that are set in Azure AD

3). Set up Azure AD connect to use SMTP matching and synchronize your AD to Azure AD.

You can find further information on the process below;

https://support.microsoft.com/en-gb/help/2641663/use-smtp-matching-to-match-on-premises-user-account...

https://gallery.technet.microsoft.com/office/Immutableid-Hard-Match-in-d3518b08

https://learn.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-install-existing-tenan...

I hope this helps.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-14T13:07:48.23+00:00

Hello @HASSAN BIN NASIR DAR

I just wanted to follow up and validate if below answer helped you. I would request you to please "Accept the answer" if it helped you, this would help others in the community as well.
Amr Kasrawy 0 Reputation points

2025-01-14T16:00:34.62+00:00

Hi All, just to be sure of above Q&A, my users on when trying to disable any user from AAD, the user remain enabled in AD (On-Prim) and with the sync cycle the user back to be enabled on AAD.

Any suggestions or workaround solution to solve this issue ?

2 answers

Your answer

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-12T03:44:27.817+00:00

Hello @HASSAN BIN NASIR DAR

Thank you for reaching out. I am having this reviewed and would get back to you with a detailed explanation on each of your asks on the question above.
Limitless Technology 44,766 Reputation points

2022-10-12T09:46:36.42+00:00

Hello there,

You can use the Azure Active Directory Connect tool which will provide one-way synchronization from on-premise AD to Azure AD.

You can run the Azure AD Connect sync service on a VM or a computer hosted on-premises. Depending on the volatility of the information in your Active Directory directory, the load on the Azure AD Connect sync service is unlikely to be high after the initial synchronization with Azure AD.

More info here, Integrate on-premises Active Directory domains with Azure Active Directory https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad

---------------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–
Amit Singh 5,306 Reputation points

2022-10-13T02:55:20.66+00:00

Hi, so the process of Azure AD connect works only from on-premises to the cloud. So while it is capable of things like password writeback and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.

What you will need to do is as follows;

1). Ideally, install an Exchange on-premises management server to manage attributes as the authority source will be on-premises AD. In addition, you can get a free Exchange 2016 hybrid license key if your users have Office 365 Enterprise licenses.

2). Setup your on-premises AD objects with the same UPN and SMTP addresses that are set in Azure AD

3). Set up Azure AD connect to use SMTP matching and synchronize your AD to Azure AD.

You can find further information on the process below;

https://support.microsoft.com/en-gb/help/2641663/use-smtp-matching-to-match-on-premises-user-account...

https://gallery.technet.microsoft.com/office/Immutableid-Hard-Match-in-d3518b08

https://learn.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-install-existing-tenan...

I hope this helps.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-14T13:07:48.23+00:00

Hello @HASSAN BIN NASIR DAR

I just wanted to follow up and validate if below answer helped you. I would request you to please "Accept the answer" if it helped you, this would help others in the community as well.
Amr Kasrawy 0 Reputation points

2025-01-14T16:00:34.62+00:00

Hi All, just to be sure of above Q&A, my users on when trying to disable any user from AAD, the user remain enabled in AD (On-Prim) and with the sync cycle the user back to be enabled on AAD.

Any suggestions or workaround solution to solve this issue ?

Answer 1

Hello @HASSAN BIN NASIR DAR

I would like confirm below details with you:

Question 1: How to Sync Azure AD users to Onpremises?

Unforunately as of today we do not support reverse Sync for users or Sync from Azure AD to On-Prem AD for user Objects.
If you have exisiting user objects on Azure AD and you would like to have them mapped to On-Prem AD then you can try to create similar user object over On-Prem AD and then perform a Soft match as mentioned on following documentation: Azure AD Connect: When you have an existing tenant

Question 2: If users are synced from Onpremise to Azure Ad. After 2 days if onpremise AD goes to crashed. What will be in this case? Synced users which are already synced from onpremise to azure ad are still be available and active on Azure AD?

If you Sync users from On-Prem AD to Azure AD and if On-Prem AD for some reason goes down then, users on Azure AD would still be available. Once you're On-Prem AD is restored any changes made to user accounts would be sync'd to Azure AD normally. If you are unable to recover On-Prem AD you can Turn off directory synchronization for Microsoft 365/Azure AD and convert all user accounts to cloud only so that they do not lose access to cloud resources like Exchange other cloud applications hosted on Azure AD.
Authentication flow for those users can be impacted depending on what "User Sign-in" method you choose when setting up AD Connect.
If you setup AD Connect with Password Hash Sync, even when AD is down users would be able to sign-in and access all cloud resources.
If you had setup AD Connect with Pass Through Authentication or Federation then users would not be able to sign-in to access any resources as in these methods' user credentials are validated over On-Prem AD.

I hope this helped to resolve your query.

----------

Please "Accept the answer" if it helped you. This will help us and others in the community as well.

Sree dev 0 Reputation points

2023-09-18T10:17:07.57+00:00

Hello @Harpreet Singh Matharoo ,

I have teams' online resource accounts created in Azure AD. I want to sync them to the on-premises active directory. Is it possible?

How can we get the online created resource account email ID in the Outlook address book?
Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-10-18T04:37:01.18+00:00

Hi Sree,

As Harpreet stated, you cannot sync anything backwards from Azure AD (Entra) to on-prem. It only works to sync objects from on-prem to the Cloud.

If you are in hybrid, I suggest deleted that resource in the Cloud, and re-creating it on-prem so it is synced between the two.

Answer 2

Umesh Pandit 21

You cannot create users in Azure AD and sync them back to on-premises AD.

Share via

Users sync from Azure Ad to onpremise ad

2 answers

Your answer