Can Azure AD Connect Sync an On-Prem Group with Users from Two Domains?

Alex South 10 Reputation points
2024-04-05T15:08:01.39+00:00

Intro

We have two domains (Domain1 and Domain2) that have a trust in both directions, and our AzureAD sync tool syncs various OUs from each domain, including the Groups OU and Users OU for each.

There is an Enterprise App which uses a synced group (GroupA, synced from Domain1; a Security group with Domain Local scope) to control SSO access.

Problem

GroupA contains users from both Domain1 and Domain2.

The Sync tool syncs GroupA to AzureAD, but only with members from Domain1, and not the members from Domain2.

Troubleshooting

I have checked the AAD Sync tool, and the users from Domain1 and Domain2 are being synced, so they are known to AzureAD. So to me, they should be added to GroupA, but aren't.

I have struggled to find anything like this online. The only other thing I can think of is that GroupA's scope is set to Domain Local, rather than Universal.

Potential Solution

Create a second group in Domain2 with the Domain2 users in it and let that sync.

Any ideas?

Microsoft Entra ID

1 answer

Andy David - MVP 147.9K Reputation points
2024-04-05T15:24:49.84+00:00

All groups should sync unless they are the following:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-azure-ad-connect-sync-user-and-contacts#groups

[image attached in the original answer; not reproduced]

Why not create an Azure security group instead and add the required members from each domain, then assign that to the Enterprise App?
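
The following PowerShell is an added example; it is not part of the question or the answer above and not Microsoft's code. The first function is the check a practitioner would run before changing anything: it reads GroupA's scope and its raw member DNs from a Domain1 DC and reports, for each member, whether it is an object in this forest (and from which domain) or a foreign security principal standing in for an account from a trusted forest. The second function implements the workaround the answer suggests: a cloud-only security group containing the already-synced users from both domains, assigned to the Enterprise App's service principal via Microsoft Graph. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed; the names 'GroupA', 'dc01.domain1.example', the user UPNs and 'Example Enterprise App' are placeholders.

```powershell
# Added example, not from the original question or answer.
# Part 1 needs the RSAT ActiveDirectory module on a domain-joined host that can reach
# a DC in Domain1 and resolve SIDs across the trust to Domain2.
# Part 2 needs the Microsoft.Graph PowerShell SDK.
# 'GroupA', 'dc01.domain1.example' and 'Example Enterprise App' are placeholders.
Import-Module ActiveDirectory

function Get-GroupMemberOrigin {
    # Reads the group's scope and raw 'member' attribute rather than calling
    # Get-ADGroupMember, which can fail on foreign security principals (FSPs)
    # it cannot resolve. Returns the scope plus one record per member.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Server    # a DC of the domain that owns the group
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member
    $members = foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            # FSP: the CN is the SID of an account in a trusted forest. Translate it to
            # DOMAIN\user through the trust; this fails if the trust is unreachable.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Matches[1])
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $null }
            $domain = if ($account) { ($account -split '\\')[0] } else { '<unresolved>' }
            [pscustomobject]@{
                DistinguishedName = $dn
                Origin            = 'ForeignSecurityPrincipal'
                Domain            = $domain
                Account           = $account
            }
        }
        else {
            # In-forest object: its domain is the DC= components of the DN.
            $dcParts = [regex]::Matches($dn, '(?:^|,)DC=([^,]+)') | ForEach-Object { $_.Groups[1].Value }
            [pscustomobject]@{
                DistinguishedName = $dn
                Origin            = 'InForest'
                Domain            = ($dcParts -join '.')
                Account           = $null
            }
        }
    }
    [pscustomobject]@{
        Group   = $group.Name
        Scope   = $group.GroupScope       # DomainLocal, Global or Universal
        Members = @($members)
    }
}

function New-CloudAppAccessGroup {
    # The workaround from the answer: a cloud-only security group holding the
    # synced users from both domains, assigned to the Enterprise App.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$MemberUpn,
        [Parameter(Mandatory)][string]$AppDisplayName
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All','Application.Read.All','AppRoleAssignment.ReadWrite.All' | Out-Null

    $group = New-MgGroup -DisplayName $DisplayName -MailEnabled:$false `
                         -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') -SecurityEnabled
    foreach ($upn in $MemberUpn) {
        $user = Get-MgUser -UserId $upn           # synced users are addressable by UPN
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    # Assumption: the app defines no custom app roles, so the default all-zero
    # role id applies. If $sp.AppRoles is non-empty, use the wanted role's Id.
    $roleId = '00000000-0000-0000-0000-000000000000'
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
                                            -ResourceId $sp.Id -AppRoleId $roleId
}

# Usage (placeholder names):
# (Get-GroupMemberOrigin -GroupName 'GroupA' -Server 'dc01.domain1.example').Members |
#     Format-Table Origin, Domain, Account, DistinguishedName
# New-CloudAppAccessGroup -DisplayName 'App-SSO-Users' `
#     -MemberUpn 'alex@domain1.example','pat@domain2.example' `
#     -AppDisplayName 'Example Enterprise App'
```

What to look for in the first function's output: if the Domain2 members appear with Origin 'ForeignSecurityPrincipal', Domain2 is a separate forest reached over the trust, and the "change GroupA to Universal" idea from the question is not available, because a Universal group can only contain accounts from its own forest; only Domain Local groups can hold FSPs. If they appear as 'InForest' with a Domain2 DC path, both domains share a forest and the scope change is at least possible. In either case the cloud-only group works because it references the Entra objects the sync already created for both domains' users, independent of any on-premises group scope.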

