SCCM AAD group sync loses on-prem AD user group membership

T16 1 Reputation point
2021-08-17T12:55:40.817+00:00

Got a strange issue here.
We currently sync our on-prem users with AAD, and have set up ConfigMgr to sync users for a certain group in AAD so we can prune out a lot of service accounts etc.
What I find is that this can mess up the on-prem group membership for my own user object in SCCM.
For instance, say I am Domain\User1; I look at properties and see I am a member of "Admins", fine.
I do a full AAD sync, and the User Group Name attribute for the user object in SCCM loses all the on-prem AD groups of which I am a member, and then lists only the AAD groups.
This badly messes up deployments going out based on on-prem user group membership.
The only workaround I have at the moment is to schedule the weekly AAD full sync to be BEFORE the weekly on-prem AD sync, as doing a FULL on-prem group/user discovery re-populates the User Group Name for the user objects in SCCM.

Is this a bug, or is something dodgy going on with our SCCM!?

Microsoft Configuration Manager

2 answers

  1. AllenLiu-MSFT 45,531 Reputation points Microsoft Vendor
    2021-08-18T03:08:45.947+00:00

    Hi, @T16
    Thank you for posting in Microsoft Q&A forum.

    I think the User Group Name attribute is used to determine whether the user has synchronized members to Azure AD groups; this might be by design.
    But I agree it really messes up the on-prem user group membership. Glad to hear you got a workaround to fix this.
    If you think this is a bug, you may try to send a bug report through the Configuration Manager Console. To do this, press the "Smile face" button in the top right corner and choose "Send a Frown".

    For more details, see https://learn.microsoft.com/en-us/sccm/core/understand/find-help



  2. T16 1 Reputation point
    2021-08-19T16:23:50.62+00:00

    I looked at this some more.
    SCCM totally wipes all the groups apart from ONE.
    We have an AAD group which is used to sync the AAD side of things into SCCM, and it is this AAD group which appears alone in the user's group settings.
    All on-prem groups aside from this are wiped.
    This RUINS all our existing user-based deployments, which naturally use groups.
    Can anyone from MS comment on this, or do we need to raise a Premier support case?
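The symptom described in the question and refined in this follow-up (after an AAD full sync the User Group Name attribute of on-prem user records holds only the AAD sync group) is something an admin will want to detect before a user-targeted deployment misfires. The script below is an added example, not code from the thread or from Microsoft; it reads SMS_R_User from the SMS Provider WMI namespace and flags on-prem users whose UserGroupName array no longer contains any group from the on-prem domain. It assumes the site code and on-prem NetBIOS domain are passed in (the values shown are placeholders), that on-prem groups are stored as "DOMAIN\GroupName" entries while AAD-sourced entries lack that prefix, and that the account running it has read access to the SMS Provider.

```powershell
<#
Added example (not from the thread): report ConfigMgr user records that have lost
every on-prem AD group from their User Group Name attribute, leaving only
AAD-sourced groups. Run against the SMS Provider; no changes are made.
Assumptions: on-prem groups are stored as "DOMAIN\GroupName" in SMS_R_User.UserGroupName
and AAD-sourced entries do not carry the on-prem NetBIOS prefix.
#>
param(
    [Parameter(Mandatory)] [string]$SiteCode,      # placeholder, e.g. "PS1"
    [Parameter(Mandatory)] [string]$OnPremDomain,  # NetBIOS name placeholder, e.g. "CONTOSO"
    [string]$ProviderServer = $env:COMPUTERNAME,   # host of the SMS Provider
    [string]$ReportPath = ".\UsersMissingOnPremGroups.csv"
)

$ns     = "root\SMS\site_$SiteCode"
$prefix = "$OnPremDomain\"

# Only on-prem discovered users matter here; their UniqueUserName is DOMAIN\user.
$users = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_R_User |
    Where-Object { $_.UniqueUserName -like "$prefix*" }

$report = foreach ($u in $users) {
    $groups = @($u.UserGroupName)
    $onPrem = @($groups | Where-Object { $_ -like "$prefix*" })
    $other  = @($groups | Where-Object { $_ -notlike "$prefix*" })

    [pscustomobject]@{
        UniqueUserName   = $u.UniqueUserName
        ResourceId       = $u.ResourceId
        OnPremGroupCount = $onPrem.Count
        OtherGroupCount  = $other.Count
        OtherGroups      = ($other -join ';')
        # The thread's failure mode: zero on-prem groups, only AAD group(s) left.
        Suspect          = ($onPrem.Count -eq 0 -and $other.Count -gt 0)
    }
}

$suspects = @($report | Where-Object Suspect)
$report | Export-Csv -Path $ReportPath -NoTypeInformation

if ($suspects.Count -gt 0) {
    Write-Warning ("{0} of {1} on-prem user records carry no '{2}' group; " +
                   "user-targeted deployments keyed on AD groups will not evaluate for them. " +
                   "Consider running a full AD User/Group Discovery before the next deployment window.") -f
                   $suspects.Count, @($report).Count, $OnPremDomain
    $suspects | Select-Object UniqueUserName, OtherGroups | Format-Table -AutoSize
} else {
    Write-Host "All $(@($report).Count) on-prem user records still list at least one $OnPremDomain group."
}
```

Scheduling this to run after the AAD full sync and before the AD discovery window gives an early warning when the ordering workaround from the question has slipped; a non-empty suspect list is the cue to trigger a full on-prem User/Group Discovery rather than wait for the weekly schedule.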

