Is syncing identically named security groups from multiple on-prem ADs to Entra ID safe, and how is uniqueness managed?

Question

Is syncing identically named security groups from multiple on-prem ADs to Entra ID safe, and how is uniqueness managed?

We are currently using Entra Connect against Microsoft Entra ID to synchronize security groups from multiple on-premises Active Directory (AD) environments.

In this configuration, if a security group with the same name (e.g., group “Sales” in both) exists in different on-premises ADs (e.g., on-premises AD① and on-premises AD②), each is synchronized as a separate group on Entra ID and assigned a different unique key (e.g.: objectId) are assigned.

At this time, we are not experiencing any problems due to this situation, but we would like to confirm the following points:

Is it safe to assume that a configuration like this, where security groups with duplicate names are synchronized from multiple on-premises ADs, is not a problem in terms of Microsoft Entra ID operation?

What is used as the unique key to identify the synchronized groups, and how is uniqueness ensured?

We would like to know in advance if there is any possibility of problems in terms of directory synchronization in the future or any restrictions that should be taken into consideration when groups are freely created by each person in charge in each on-premise AD.

Translated with DeepL.com (free version)

1 answer

Your answer

Answer 1

Marcin Policht 49,640 MVP Volunteer Moderator

Yep - this is supported from the technical standpoint - but is bound to lead to some confusion down the road, so my suggestion would be to adopt a naming strategy that would ensure their uniqueness.

You can customize the displayName (or other attributes like mailNickname) of synchronized groups by modifying the synchronization rules in Entra Connect.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Iwasaki Hinato (岩崎日南人) 0 Reputation points

2025-06-09T00:26:18.95+00:00
Thank you for your response. I have 3 things I would like to ask you.

Does Entra ID always use objectId to uniquely identify synced groups, even across different ADs?

What problems can occur during application integration or script execution if a group with the same name exists?

In terms of “a naming strategy”, are there recommended naming rules to avoid confusion when syncing from multiple ADs?

Marcin Policht 49,640 MVP Volunteer Moderator

Does Entra ID always use objectId to uniquely identify synced groups, even across different ADs?

Yes. Microsoft Entra ID assigns a globally unique objectId (a GUID) to every object, including groups, regardless of source. This objectId is:

Unique across tenants, not just within a tenant.
The primary identifier used internally by Entra ID, Graph API, and applications.

Even if two groups with the same displayName are synced from different on-premises ADs, Entra ID treats them as distinct because:

Each has a different objectGUID (sourceAnchor) in AD.
Each is assigned a unique objectId in Entra ID.

What problems can occur during application integration or script execution if groups have the same name?

While technically no conflict occurs, duplicate group names can cause significant operational issues:

Scenario	Potential Issue
Admin Portals (UI)	Admins may see multiple “Sales” groups and assign the wrong one to apps, Conditional Access, or RBAC roles.
PowerShell / Graph API scripts	If scripts use `displayName` instead of `objectId`, they may operate on the wrong group—or fail if multiple matches are returned.
Access Reviews or Group-based Licensing	Reviewers may not distinguish which group is from which domain or AD.
Application Group Assignment	Apps using group-based access may misassign roles or deny access if the wrong group is referenced.

As the best practice, always reference groups by objectId or another unique, traceable attribute in code, not displayName.

Recommended naming strategy for synced groups

To avoid confusion and future-proof your hybrid identity environment, Microsoft and identity architects recommend applying clear, consistent naming conventions, especially when syncing from multiple forests.

Prefix or Suffix by Source AD or Region:
- Examples:
  - AD1_Sales, HR_EU, IT_NA
  - Sales_AD-Forest1, Finance_Tokyo
Include Purpose or Role:
- Examples:
  - App-Admins-Corp, Teams-NY-Marketing, M365-SecurityAdmins
Avoid Ambiguity in Shared Namespaces:
- Ensure that groups visible in Entra (e.g., for Teams or Outlook) are easily distinguishable.
Use extensionAttribute or custom attribute mapping:
- Leverage Entra Connect to dynamically build group names during sync.
Document and Enforce Naming Policies:
- Include naming rules in your AD group creation policies and delegate naming enforcement via automation or RBAC.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-11T15:13:14.8866667+00:00

Hi Iwasaki Hinato,

following up to see if the above provided details are helpful, if not kindly let us know more for further assistance

Share via

Is syncing identically named security groups from multiple on-prem ADs to Entra ID safe, and how is uniqueness managed?

1 answer

Your answer