How to connect Cloud AAD group to VMs?

pgaddam 151 Reputation points
2022-05-19T15:16:09.003+00:00

Hello

This question is regarding Azure AD groups.
Whenever I deploy a Virtual Machine (VM) through the pipeline, I am also creating a group in Azure AD through a PowerShell script with the name "vmName-Admin". Now, after the creation of the VM and AAD group, when I try to add this newly created group to the VM's local admin section through Puppet, the machine says that a group with that name doesn't exist.
Apart from the above group, I am also adding one more group which is residing on-prem. The on-prem group could be assigned to the VM without any difficulty.
Upon digging a little bit, I found out that the "vmName-Admin" group's source is "Cloud" whereas the "on-prem" group's source is "Windows Azure AD".

Is there a workaround for how I can create an AAD group with source "Windows Azure AD", or is there a different approach to get this dynamic group allocated to the VM as a local admin group?


Accepted answer

AmanpreetSingh-MSFT 56,301 Reputation points
2022-05-20T08:26:05.107+00:00

Hi @Pranith-3606 • Thank you for reaching out.

The source attribute specifies where the group was originally created. When the group is directly created in Azure AD, the source is set to "Cloud", and if it is created in local AD and then synced to Azure AD, the source is set to "Windows Server AD". The value of this attribute cannot be set/changed manually. If you want to use the group "vmName-Admin" with "Windows Server AD" as the source, it has to be created in the on-premises AD and synced to Azure AD. However, in that case, the group members will also be required to sync from on-prem AD. Synced groups cannot contain cloud-only users.

Also, as of now, only Azure AD users can be added to the local groups of an "Azure AD/hybrid joined VM", by using the below command. Adding cloud-only groups to local groups is not yet supported.

net localgroup "Administrators" /add "AzureAD\the-UPN-attribute-of-your-user"

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
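As an added example (not part of the question or the answer above), a PowerShell wrapper around the `net localgroup` command from the answer: it adds Azure AD users to the local Administrators group of an Azure AD-joined VM, interprets the result, and returns the final membership so a pipeline or Puppet `exec` can verify it. The UPNs are placeholders, and `Get-LocalAdminMembers` is a helper written here, not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example. Only Azure AD *users* can be added this way; the answer
# notes that cloud-only groups are not supported, so this script does not
# attempt to add a group.

function Get-LocalAdminMembers {
    # Parse "net localgroup" output instead of Get-LocalGroupMember, which
    # can fail on AAD-joined hosts when a member SID cannot be resolved.
    $lines = net localgroup "Administrators" 2>&1
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and "$line".Trim()) { "$line".Trim() }
    }
}

function Add-AzureAdUserToLocalAdmins {
    param(
        # Azure AD user principal names, e.g. 'alice@contoso.com' (placeholders)
        [Parameter(Mandatory)] [string[]] $Upn
    )
    foreach ($u in $Upn) {
        $member = "AzureAD\$u"
        # Same command the answer gives. Do not pre-check membership:
        # the listing may show a display name rather than the UPN, so
        # "already a member" is detected from the command's own output.
        $out = net localgroup "Administrators" /add $member 2>&1 | Out-String
        if ($LASTEXITCODE -eq 0) {
            Write-Host "Added: $member"
        } elseif ($out -match 'already a member') {
            Write-Host "Already present: $member"
        } else {
            # Typical causes: host is not Azure AD-joined, the name is not a
            # user, or the UPN is wrong. Surface it rather than hide it.
            Write-Warning "Failed to add $member (exit $LASTEXITCODE): $($out.Trim())"
        }
    }
    # Final membership, for the caller to log or assert on.
    Get-LocalAdminMembers
}

# Placeholder UPNs; replace with real Azure AD users before running.
Add-AzureAdUserToLocalAdmins -Upn 'alice@contoso.com', 'bob@contoso.com'
```

The returned member list can back a Puppet `exec` resource's `unless` check so the add only runs when the user is missing.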
