Azure Sync

Infra Rafael 0 Reputation points
2024-05-26T18:23:59.8066667+00:00

Question!

Today, in my environment, our Active Directories are synchronized with Azure. Therefore, what we change in Active Directory is reflected in Azure, but what is changed in Azure is not reflected in Active Directory.

I would like to know if it is possible to enable this reverse synchronization and if there is any risk or problem in doing so.

Microsoft Security Microsoft Entra Microsoft Entra ID

3 answers

  1. William Nieto 545 Reputation points
    2024-05-26T18:57:17.14+00:00

    Yes, it is possible to enable reverse synchronization for certain changes made in Azure Active Directory (Azure AD) to be reflected back in on-premises Active Directory (AD). This functionality can be achieved using specific features and configurations provided by Azure AD Connect. However, there are some considerations and potential risks to be aware of.

    Enabling Reverse Synchronization

    1. Password Writeback: This feature allows password changes made in Azure AD to be written back to your on-premises AD. Azure AD Premium P1 allows password writeback. To enable password writeback: Open Azure AD Connect on your server. Navigate to the "optional features" section. Enable "Password writeback" and follow the prompts to complete the configuration.
    2. Azure AD Connect Sync Rules: You can configure custom synchronization rules to manage specific attributes that need to be synced back to on-premises AD. However, this can be complex and is generally limited to certain attributes.
    3. Third-Party Tools: Some third-party solutions offer more comprehensive two-way synchronization capabilities, allowing broader attribute changes in Azure AD to be reflected in on-premises AD.

    Risks and Considerations

    1. Complexity and Management: Configuring reverse synchronization adds complexity to your environment. It requires careful planning and ongoing management to ensure there are no conflicts or data integrity issues.
    2. Attribute Limitations: Not all attributes can be synchronized back to on-premises AD. You will need to review the capabilities and limitations of Azure AD Connect and any third-party tools you consider.
    3. Security: Enabling writeback features introduces potential security risks. Ensure that these features are thoroughly tested and comply with your organization's security policies. Properly secure the synchronization process to prevent unauthorized changes and potential attack vectors.
    4. Performance and Reliability: Two-way synchronization can impact the performance and reliability of your directory services. It's important to monitor and optimize the synchronization process to avoid potential disruptions.

    By understanding and addressing these considerations, you can make an informed decision about enabling reverse synchronization in your environment. Remember that synchronization affects user accounts, groups, and other directory objects.


  2. Varun R 310 Reputation points
    2024-05-26T20:07:41.44+00:00

    Only do Password Writeback; other features may affect your environment if not monitored.

    One of the configuration options in Microsoft Entra Connect is for password writeback. When this option is enabled, password change events cause Microsoft Entra Connect to synchronize the updated credentials back to the on-premises AD DS environment.

    To enable SSPR writeback, first enable the writeback option in Microsoft Entra Connect. From your Microsoft Entra Connect server, complete the following steps:

    1. Sign in to your Microsoft Entra Connect server and start the Microsoft Entra Connect configuration wizard.
    2. On the Welcome page, select Configure.
    3. On the Additional tasks page, select Customize synchronization options, and then select Next.
    4. On the Connect to Microsoft Entra ID page, enter a Global Administrator credential for your Azure tenant, and then select Next.
    5. On the Connect directories and Domain/OU filtering pages, select Next.
    6. On the Optional features page, select the box next to Password writeback and select Next.
    7. On the Directory extensions page, select Next.
    8. On the Ready to configure page, select Configure and wait for the process to finish.
    9. When you see the configuration finish, select Exit.
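    The first answer warns that writeback must be "properly secured", and the second walks through enabling only Password writeback. What neither shows is how to verify afterwards that nothing more than that is switched on, and that the on-premises connector account holds only the rights password writeback needs. The following audit script is an added example, not code from the thread or from Microsoft. It assumes it runs elevated on the Microsoft Entra Connect server with the ADSync module (installed by Entra Connect) and the RSAT ActiveDirectory module available, that `Get-ADSyncADConnectorAccount` is present (newer Entra Connect builds) and returns `ADConnectorAccountName` / `ADConnectorAccountDomain`, and that the required rights are delegated at the domain root, which is the usual layout.

```powershell
# Added audit script (not from the thread). Reports which Entra Connect
# writeback features are enabled and whether the AD DS connector account
# holds the rights password writeback needs, and nothing broader.
# Assumptions: elevated session on the Entra Connect server; ADSync and
# ActiveDirectory modules available; Get-ADSyncADConnectorAccount exists.
Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Tenant-level feature flags as recorded by Entra Connect (user, device and
#    group writeback, password hash sync). Anything unexpectedly True is a finding.
Get-ADSyncAADCompanyFeature | Format-List

# 2. Password writeback itself is a per-connector setting on the Entra ID
#    connector, whose name ends in " - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
$pwdReset = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password writeback enabled on '$($aadConnector.Name)': $($pwdReset.Enabled)"

# 3. Identify the on-premises connector account; its rights in AD DS decide
#    what writeback can actually change. (Assumed property names, see lead-in.)
$acct = Get-ADSyncADConnectorAccount | Select-Object -First 1
$acctObj = Get-ADObject -Server $acct.ADConnectorAccountDomain `
    -LDAPFilter "(sAMAccountName=$($acct.ADConnectorAccountName))" -Properties objectSid
$acctSid = $acctObj.objectSid.Value

# 4. Resolve the GUIDs of the rights password writeback requires from the
#    schema and the Extended-Rights container instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}
$required = [ordered]@{
    'Reset Password (extended right)'    = Get-ExtendedRightGuid 'Reset Password'
    'Change Password (extended right)'   = Get-ExtendedRightGuid 'Change Password'
    'Unexpire Password (extended right)' = Get-ExtendedRightGuid 'Unexpire Password'
    'Write pwdLastSet'                   = Get-SchemaGuid 'pwdLastSet'
    'Write lockoutTime'                  = Get-SchemaGuid 'lockoutTime'
}

# 5. Read the domain-root ACL and keep only Allow ACEs for the connector
#    account, matched by SID so NetBIOS vs. DNS naming does not matter.
$domainDn = $rootDse.defaultNamingContext
$aces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $acctSid
}

foreach ($entry in $required.GetEnumerator()) {
    $granted = $aces | Where-Object {
        $_.ObjectType -eq $entry.Value -and
        ($_.ActiveDirectoryRights.ToString() -match 'ExtendedRight|WriteProperty')
    }
    $state = if ($granted) { 'granted' } else { 'MISSING' }
    "{0,-38} {1}" -f $entry.Key, $state
}

# 6. Least-privilege check: broad grants let the account do far more than
#    writeback needs, so flag them for review rather than silently accept them.
$broad = $aces | Where-Object { $_.ActiveDirectoryRights.ToString() -match 'GenericAll|WriteDacl|WriteOwner' }
if ($broad) {
    Write-Warning "Connector account '$($acct.ADConnectorAccountName)' holds broad rights at $domainDn; review against least privilege."
}
```

    A "MISSING" line usually explains a writeback failure in the SSPR logs, while a warning from the last step is the case the first answer's security point is about: an over-privileged connector account turns a compromise of the sync server into control of far more than passwords. Rights delegated on a specific OU rather than the domain root will show as MISSING here; point `$domainDn` at that OU to check them.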

  3. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2024-05-27T12:25:56.6833333+00:00

    @Infra Rafael

    Thank you for posting this in Microsoft Q&A.

    AD Connect is always a one-way sync for objects (users, groups, contacts and devices). AD Connect syncs objects from on-prem to Azure AD.

    AD Connect doesn't write back users from Azure AD to on-premises AD. The user writeback preview feature was removed in the August 2015 update to Azure AD Connect.

    This is also documented in our public document https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-preview#user-writeback

    There are, however, writeback capabilities for Office 365 groups: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback

    and attributes/passwords, depending on what options are configured:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback

    If you are still looking for a feature to write back objects from Azure AD to on-premises AD, then you can raise feedback in the Azure feedback portal:

    https://feedback.azure.com/d365community/idea/2f830ecc-ba25-ec11-b6e6-000d3a4f0789

    This feedback is directly monitored by our product managers, and they will be able to share any update on this if they have any.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
