AAD sync to local AD

Dmitry Malchikov 21 Reputation points
2020-04-04T08:23:07.033+00:00

Hello!
Could not find our case.
We have Azure AD with active users and subscriptions (DevOps, O365) with domain "company.com".
Just created a new local AD DC with domain name "ad.company.com".

We would like to sync users from AAD to local AD to allow them SSO (cloud and local servers/laptop)

Would it work for us with option SSO with writeback?

Thanks for any help!


Accepted answer
  1. jLight 201 Reputation points
    2020-04-04T19:03:39.883+00:00

    We've done this when AAD Connect was newer... we used to set the immutable ID, but from what michev suggested and the article below, it seems easier and less complicated now. PowerShell will definitely help, especially if you have a lot of users already in AAD/O365.

    https://www.slashadmin.co.uk/how-to-sync-an-existing-office365-tenant-into-a-new-active-directory-domain/


5 additional answers

Sort by: Most helpful
  1. Vasil Michev 99,356 Reputation points MVP
    2020-04-04T15:25:28.23+00:00

    To add some more context on what was mentioned above - synchronization is one-way, from AD to Azure AD/Office 365. There are only a few attributes that can be written back, and that's mostly for Hybrid configurations, and passwords if you have the corresponding feature (and licenses) enabled.

    There is no built-in functionality that syncs users from Azure AD to on-premises AD. If that's what you are after, you can simply export the list of users via PowerShell (Get-MsolUser/Get-AzureADUser) or the Graph API, along with any relevant attributes, then use the exported data to recreate them in AD (again, PowerShell helps). You cannot export passwords. Once the export/import is done, you can "match" the on-premises users with the cloud ones and give them the SSO experience. The process is known as soft-match: https://support.microsoft.com/en-us/help/2641663/use-smtp-matching-to-match-on-premises-user-accounts-to-office-365

    2 people found this answer helpful.
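    As an added example (not code from any poster or from Microsoft), here is a PowerShell sketch of the export/recreate flow described above, so that AAD Connect can soft-match the on-prem objects afterwards. It assumes the AzureAD and ActiveDirectory modules are installed, and the OU path, CSV path and domain names are placeholders.

```powershell
# Added example (not from the thread): export cloud users and recreate them on-prem
# with matching UPN / primary SMTP so AAD Connect can soft-match them afterwards.
# Assumptions: AzureAD + ActiveDirectory modules; OU and domain names are placeholders.
Import-Module AzureAD
Import-Module ActiveDirectory

$TargetOU    = 'OU=Synced,DC=ad,DC=company,DC=com'   # placeholder OU
$CloudSuffix = 'company.com'                         # tenant's verified domain
$CsvPath     = '.\aad-users.csv'

Connect-AzureAD | Out-Null

# Step 1: export member users. Passwords cannot be exported; ObjectId is kept for auditing.
Get-AzureADUser -All $true |
    Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName -like "*@$CloudSuffix" } |
    Select-Object UserPrincipalName, DisplayName, GivenName, Surname, Mail, ObjectId,
        @{ n = 'ProxyAddresses'; e = { $_.ProxyAddresses -join ';' } } |
    Export-Csv -Path $CsvPath -NoTypeInformation

# Step 2: the forest must be able to issue the tenant's UPN suffix; otherwise users would
# get user@ad.company.com, which soft-match (UPN / primary SMTP) would not tie to the cloud.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $CloudSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $CloudSuffix }
}

# Step 3: recreate each user that does not exist yet.
foreach ($u in Import-Csv $CsvPath) {
    if (Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'") { continue }
    $sam = ($u.UserPrincipalName -split '@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit

    # Temporary random password: password hash sync (AD -> AAD) will later replace the
    # cloud password, so schedule the cut-over and force a change at first logon.
    $tmp = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })

    $params = @{
        Name = $u.DisplayName; SamAccountName = $sam; UserPrincipalName = $u.UserPrincipalName
        DisplayName = $u.DisplayName; Path = $TargetOU; Enabled = $true
        AccountPassword = (ConvertTo-SecureString $tmp -AsPlainText -Force)
        ChangePasswordAtLogon = $true
    }
    if ($u.GivenName) { $params.GivenName = $u.GivenName }
    if ($u.Surname)   { $params.Surname   = $u.Surname }
    if ($u.Mail)      { $params.EmailAddress = $u.Mail }
    $proxy = @($u.ProxyAddresses -split ';' | Where-Object { $_ })
    if ($proxy.Count -gt 0) { $params.OtherAttributes = @{ proxyAddresses = $proxy } }

    New-ADUser @params
}
```

    Run step 3 against a test OU first and verify the resulting UPN and primary SMTP values before enabling AAD Connect, since a mismatch produces a new cloud object instead of a match.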

  2. Konrad 'Sagus' Sagala 81 Reputation points MVP
    2020-04-04T08:40:49.013+00:00

    Azure AD Connect can only replicate groups and passwords back to local AD. But you can use the full version of this product - Microsoft Identity Manager 2016. It has more flexible configuration.


  3. Dmitry Malchikov 21 Reputation points
    2020-04-07T16:07:33.71+00:00

    Thanks! Seems to be working for me!


  4. PGoldman 1 Reputation point
    2020-06-16T19:20:39.113+00:00

    Hi there,

    Any idea if there is a way to write back passwords for already matched accounts from Azure AD to local AD?

    I have a client with an existing Azure AD and we just installed a fresh local AD server. Created the users manually and now want to match the accounts. Because the local accounts are not yet in use, but the Azure AD accounts are in use, I am looking for a way to match and sync the accounts without the password being overwritten on Azure AD.

    Client has the Azure P1 license.

    Thanks in advance.
