This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 19%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Hello!
Could not find our case..
We have Azure AD with active users and subscriptions (DevOps, O365) with domain "company.com"
Just created new local AD DC with domain name "ad.company.com"
We would like to sync users from AAD to local AD to allow them SSO (cloud and local servers/laptop)
Would it work for us with option SSO with writeback?
Thanks for any help!
We've done this when AAD Connect was newer... we used to set immutable ID, but from what michev suggested and the article below, it seems easier and less complicated now. PowerShell will definitely help, especially if you have a lot of users already in AAD/O365..
However you build around it with a topology like this if you need to provision user in azure for hybrid env
Azure AD -> Azure AD Domain Services -> forest trust -> On prem ADDS -> Azure AD connect -> Azure AD
That would solve your problem if I understand you correct
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-forest https://learn.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 88%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Hi, Jimmy.
Sorry for necro-threading. I saw this answer and it seemed exactly what I needed, but after looking further it doesn't seem possible. If we want to authenticate locally with AAD DS accounts, we'd need the trust to be incoming on AAD DS side, which doesn't seem to be supported. AAD DS does support outgoing trust, but that is in reverse of what we're trying to achieve.