Azure AD Connect group sync
Hello,
In the context of Azure AD Connect, we can sync "security groups" to Azure AD.
Now these groups could be mail-enabled or not.
Unlike users, in the MS Graph schema I cannot find an onPremImmutableId attribute for groups.
So I believe the AAD sync service in the cloud cannot do a hard match for groups.
The only option is to match the group based on the SMTP address of the group.
If my on-prem group is mail-enabled then it will have a mail address and hence it can be compared with any existing group in Azure AD during sync time.
But
how would non-mail-enabled on-prem groups be synced to Azure AD?
Am I correct in my understanding?
Thanks.
Microsoft Security Microsoft Entra Microsoft Entra ID
3 answers
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2020-08-04T22:15:03.487+00:00
Groups with a mail attribute value present, or whose proxyAddresses attribute contains at least one SMTP proxy address (e.g. {"X500:/0=contoso.com/ou=users/cn=testgroup"}), will be synchronized as mail-enabled groups. Other groups will be synchronized using the sourceAnchor attribute.
-
testuser7 286 Reputation points
2020-08-05T11:59:38.217+00:00 Thanks @alfredo-revilla-msft
Just one point. You said that "Other groups will be synchronized using the sourceAnchor attribute."
I believe the sourceAnchor is "objectGUID" in on-prem AD for groups. What is the mapping attribute on the Azure AD side?
When I look at the MS Graph group schema I do not find any relevant attribute where this on-prem objectGUID can settle down. Thanks
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2020-10-06T00:48:15.687+00:00 It's immutableId, but you cannot see it in the GUI or in PowerShell.
In on-prem AD, it used to be objectGUID, but from 1.5.18.0, it's ms-DS-ConsistencyGUID.
This blog entry may be useful: https://learn.microsoft.com/en-us/archive/blogs/markrenoden/choosing-a-sourceanchor-for-groups-in-multi-forest-sync-with-aad-connect
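As an added worked example (not part of this thread and not Microsoft's own tooling), the PowerShell below takes an on-prem group's attributes and reports which of the two paths the answers above describe applies to it: a group with a mail value or at least one SMTP: proxy address syncs as mail-enabled and can be matched on that address, while any other group is matched only through its sourceAnchor. It also computes the base64 sourceAnchor value from mS-DS-ConsistencyGuid when that attribute is populated, otherwise from objectGUID, mirroring the objectGUID to mS-DS-ConsistencyGuid change the second answer mentions; that preference order, the function name Get-GroupSyncMatchInfo and the two sample groups are assumptions made here, and the sample data is constructed so the script runs without a domain.

```powershell
# Added example, not code from the original thread. Classifies an on-prem AD
# group by how Azure AD Connect will match it in Azure AD (see answers above).

function Get-GroupSyncMatchInfo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string]   $Mail,
        [string[]] $ProxyAddresses = @(),
        [Parameter(Mandatory)] [guid] $ObjectGuid,
        [byte[]]   $ConsistencyGuid        # mS-DS-ConsistencyGuid is stored as 16 raw bytes
    )

    # Only SMTP:/smtp: entries count as mail addresses; X500:, X400: or SIP:
    # entries alone do not make the group mail-enabled. -match is case-insensitive.
    $smtp = @($ProxyAddresses | Where-Object { $_ -match '^smtp:' })

    $mailEnabled = (-not [string]::IsNullOrEmpty($Mail)) -or ($smtp.Count -gt 0)
    if ($mailEnabled) {
        $matchOn = 'SMTP address, with sourceAnchor as the fallback'
    } else {
        $matchOn = 'sourceAnchor only'
    }

    # Assumption: mS-DS-ConsistencyGuid wins when populated, objectGUID otherwise.
    if ($ConsistencyGuid -and $ConsistencyGuid.Length -eq 16) {
        $anchorSource = 'mS-DS-ConsistencyGuid'
        $anchorBytes  = $ConsistencyGuid
    } else {
        $anchorSource = 'objectGUID'
        $anchorBytes  = $ObjectGuid.ToByteArray()
    }

    [pscustomobject]@{
        Name          = $Name
        MailEnabled   = $mailEnabled
        MatchOn       = $matchOn
        SmtpAddresses = @($smtp -replace '^smtp:', '')
        AnchorSource  = $anchorSource
        # base64 of the 16 GUID bytes, the form Azure AD Connect uses for the anchor
        SourceAnchor  = [Convert]::ToBase64String($anchorBytes)
    }
}

# Constructed sample input (not real directory data) so the script runs offline.
$sampleGroups = @(
    @{ Name = 'testgroup'; Mail = 'testgroup@contoso.com'
       ProxyAddresses = @('SMTP:testgroup@contoso.com', 'X500:/o=contoso.com/ou=users/cn=testgroup')
       ObjectGuid = [guid]'11111111-2222-3333-4444-555555555555' }
    @{ Name = 'sec-admins'; Mail = $null
       ProxyAddresses = @('X500:/o=contoso.com/ou=users/cn=sec-admins')   # X500 only: not mail-enabled
       ObjectGuid = [guid]'66666666-7777-8888-9999-aaaaaaaaaaaa'
       ConsistencyGuid = ([guid]'66666666-7777-8888-9999-aaaaaaaaaaaa').ToByteArray() }
)
$sampleGroups | ForEach-Object { Get-GroupSyncMatchInfo @_ } | Format-List

# Against a real forest (ActiveDirectory module required) the same function can be
# fed from Get-ADGroup; mS-DS-ConsistencyGuid must be requested explicitly:
# Get-ADGroup -Filter * -Properties mail,proxyAddresses,'mS-DS-ConsistencyGuid' |
#   ForEach-Object {
#     Get-GroupSyncMatchInfo -Name $_.Name -Mail $_.mail -ProxyAddresses $_.proxyAddresses `
#       -ObjectGuid $_.ObjectGUID -ConsistencyGuid $_.'mS-DS-ConsistencyGuid'
#   }
```

The point of running this before a first sync, or before a migration between forests, is the second group: it carries an X500 address and no mail value, so nothing about it is matchable by address, and if its sourceAnchor in Azure AD does not equal the base64 value shown here the sync will create a duplicate group rather than join the existing one. The anchor value is only as stable as the attribute behind it, which is why the linked blog post is about choosing mS-DS-ConsistencyGuid over objectGUID for groups that may move between forests.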