Computer Group Membership Not Syncing to Azure?

SteveW 1 Reputation point

We are running the latest version of Azure AD Connect (upgraded this week from a version from 2019). I have created a group of workstations in our AD (global, security group, with email address to try to help it sync). That group is now visible in Azure, and the computer associated with that group is visible in Azure, but the group is empty. There was a similar group with more workstations in it, and it also appears in Azure but is empty. We did have a few sync issues listed with users that have now been resolved, but this problem persists.

Has anyone seen this particular issue before?

I'm trying to get Intune to work based on computer group membership, but I need to solve this first.



Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,611 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee

    @SteveW Thanks for reaching out.
    Can you confirm if the Computer accounts were syncing before and is this something you are facing for new computer objects only ?
    There are filtering in connector space to add computer object, so make sure they are checked.

    One important thing about syncing a computer object is that unless the device has got a user certificate generated it wont be considered for syncing, this is a automated process and is usually done without any manual intervention unless the device is not able to find the Service Connection point in your local AD and if you have not enabled Hybrid Azure AD join from AAD connect tool.

    Here is the process it follows :

    • The device queries AD to find the SCP, in order to obtain AAD tenant details.
    • The AAD tenant details are returned.
    • The device creates a self-signed certificate and updates the userCertificate property on its own computer object with that info.
    • AAD Connect after the userCertificate has been populated, up to 30 minutes later) syncs the AD computer object into Azure AD.
    • The device (repeatedly) tries to register with AAD.
    • When AAD can find a matching device (synced by AAD Connect), the registration will succeed and AAD will provide a device certificate back to the device.

  2. Tracy Briscoe (StP) 1 Reputation point

    I’ve just had a similar problem.

    The computer accounts and groups were showing up in the Azure AD portal, however the computers weren’t in the groups.

    It turned out that the AD OU that the computers are in had been filtered out in Azure AD Connect.
    Once that the filtering in Azure AD connect had been corrected, the computers were added to the group.
    It seams that the computers had added themselves into Azure AD via a different process.

    0 comments No comments