Making accounts AAD only

asked 2021-04-14T15:05:07.537+00:00
Roel 21 Reputation points

A few years ago we started using Azure AD. As the situation is now, new users are created in the AD and synchronized with the AAD. However, we also employ a large group of volunteers, provided only with an E1 license, who in the current situation are also created in the AD and synchronized with the AAD. This causes a problem with renewing their passwords: they only log on online, on devices of their own or devices for general use, and these devices are not on the domain. Due to this AD-AAD construction, they cannot renew their password unless a writeback license is purchased. We believe that this is not necessary and that it would be unnecessarily expensive.

The volunteers have an E1 account and are not in certain rights groups. If they were in the AAD only then the problem would be solved.

The question is how we get these accounts out of the AD and into the AAD. According to our software administrator, everything must first be removed from the AD and then re-created in the AAD. Can anyone say if this is correct?

Kind regards,

Roel Staarink

Active Directory Federation Services

Accepted answer
    answered 2021-04-14T23:34:21.327+00:00
    Marilee Turscak-MSFT 20,431 Reputation points Microsoft Employee

    The licensing requirement depends on how you want to do the renewal. For SSPR password writeback you do need the Premium P1 license. But if the users just change their passwords rather than reset them (not using SSPR, but via the Office 365 portal, My Apps, or the Windows 10 sign-in page), you can just enable the password writeback option in Azure AD Connect.

    If you want to have cloud-only Azure AD accounts, then yes, you will need to remove the on-prem accounts and re-create them in Azure. There are some limitations to the cloud-only approach, though, since it's not a full replacement for an on-premises Active Directory.

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/cloud-only-identities?view=o365-worldwide

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/scenarios

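As an added illustration (not part of the question or the accepted answer), the following Microsoft Graph PowerShell snippet inventories the synced accounts that carry only an E1 license, which is the set of volunteer accounts the question wants moved to cloud-only. It assumes the Microsoft.Graph module is installed, that the signed-in admin can read users and licenses, and that E1 shows up under its SkuPartNumber STANDARDPACK.

```powershell
# Added example, not from the original question or answer: list on-prem-synced
# accounts whose only licence is E1, i.e. the candidates for re-creation as
# cloud-only accounts. Reads live tenant data; nothing is constructed here.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

# Map SkuId -> SkuPartNumber so licence GUIDs become readable names.
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

# Office 365 E1 is sold under the SkuPartNumber STANDARDPACK (assumed, verify in your tenant).
$e1 = "STANDARDPACK"

# onPremisesSyncEnabled is true for objects mastered in on-prem AD via Azure AD Connect.
$synced = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, AssignedLicenses, AccountEnabled

$candidates = foreach ($u in $synced) {
    $licences = @($u.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] })
    # Keep accounts whose only licence is E1; accounts with extra SKUs need manual review.
    if ($licences.Count -eq 1 -and $licences[0] -eq $e1) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ImmutableId       = $u.OnPremisesImmutableId   # set only while the object is synced
            Enabled           = $u.AccountEnabled
        }
    }
}

$candidates | Sort-Object UserPrincipalName | Format-Table -AutoSize
"{0} synced accounts hold only an E1 licence" -f @($candidates).Count
```

Run it before any deletion so you have a record of which accounts were synced and with which ImmutableId; after re-creation as cloud-only accounts, the same filter should no longer return them.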

0 additional answers
