Simple Azure Active Directory (Connect) Question: Synchronization

    Question

  • Hello Community,

    I am looking to synchronize my users from AAD to my local domain.  I have been reading over Connect.  It seems clear that I can sync from on-premise to AAD, but what I do not know is if I can do the inverse.  Can I sync users from AAD to my on-premise?

    Additionally, I have users in my AAD that are Microsoft Accounts.  I would like to sync those accounts.  Ideally speaking, I would like to be able to sign onto my on-premise resources with these Microsoft Accounts, that are active and valid resources in my AAD.

    Thank you for any assistance/information you can provide!

    Tuesday, May 2, 2017 6:15 AM

Answers

  • ALL THE DISAPPOINT!!!

    That really seems like a very obvious scenario, but not surprising that it would be overlooked.

    (But thank you for taking the time to relay the disappointing news)
    • Marked as answer by DragonSpark Wednesday, May 3, 2017 7:18 AM
    • Edited by DragonSpark Wednesday, May 3, 2017 7:19 AM
    Wednesday, May 3, 2017 7:17 AM

All replies

  • Azure AD Connect supports sync from local AD to Azure AD, whether for Office 365, Intune or Azure RMS. The current Azure AD Connect does not support two-way sync.

    However, you can follow the instructions given here - https://blogs.technet.microsoft.com/herbchung/2015/04/14/how-to-exportimport-the-identity-from-azure-ad-to-local-ad/ to export Azure AD users to on-premises AD.

    I have users in my AAD that are Microsoft Accounts.  I would like to sync those accounts.  Ideally speaking, I would like to be able to sign onto my on-premise resources with these Microsoft Accounts, that are active and valid resources in my AAD.

    No straightforward way to accomplish this.

    Wednesday, May 3, 2017 4:40 AM
    Moderator
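The export the moderator points at is a one-way copy, and the practical consequence is worth seeing in code: Azure AD will not hand over password hashes, so every account created on-premises gets its own new credential and the two directories then hold two separate passwords. The script below is an added example, not code from the thread or from the linked blog post. It assumes the AzureAD and ActiveDirectory PowerShell modules are installed, that the OU path and UPN suffix it uses (placeholders `OU=ImportedFromAAD,DC=corp,DC=example` and `corp.example`) exist, and that the operator can read Azure AD users and create on-premises accounts; the function names `Export-AadUsersToLocalAd`, `New-RandomPassword` and `Get-SamFromUpn` are its own.

```powershell
# Added example: one-way export of Azure AD member users into on-premises AD.
# Not from the forum thread or the linked blog post. OU, UPN suffix and
# function names are assumptions chosen for this illustration.
# Azure AD exposes no password hashes, so each created account receives a
# fresh random password and must change it at first logon: this is the
# "two accounts, two passwords" limitation discussed in the thread.

Import-Module AzureAD
Import-Module ActiveDirectory

$TargetOu  = 'OU=ImportedFromAAD,DC=corp,DC=example'   # assumption
$UpnSuffix = 'corp.example'                            # assumption

function New-RandomPassword {
    param([int]$Length = 20)
    # Mixed classes so the default AD complexity policy is normally satisfied
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # Small modulo bias is acceptable for a single-use bootstrap password
    # that is replaced at first logon; use rejection sampling for a long-lived secret.
    $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    return (ConvertTo-SecureString $pw -AsPlainText -Force)
}

function Get-SamFromUpn {
    param([string]$Upn)
    # sAMAccountName is limited to 20 characters and a restricted charset;
    # stripping everything else also keeps the value safe inside an AD -Filter string.
    $local = ($Upn -split '@')[0] -replace '[^A-Za-z0-9._-]', ''
    return $local.Substring(0, [Math]::Min(20, $local.Length))
}

function Export-AadUsersToLocalAd {
    param([switch]$WhatIf)

    Connect-AzureAD | Out-Null

    # Only enabled cloud member accounts. Guest/external identities (which is
    # how invited Microsoft Accounts normally appear) are skipped: they have no
    # on-premises equivalent, matching the moderator's "no straightforward way".
    $users = Get-AzureADUser -All $true |
        Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled }

    $created = @()
    foreach ($u in $users) {
        $sam = Get-SamFromUpn $u.UserPrincipalName
        $upn = "$sam@$UpnSuffix"

        # Idempotent: never clobber an account that already exists on-premises
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
            Write-Verbose "Skipping ${sam}: already exists on-premises"
            continue
        }

        $params = @{
            Name                  = if ($u.DisplayName) { $u.DisplayName } else { $sam }
            SamAccountName        = $sam
            UserPrincipalName     = $upn
            Path                  = $TargetOu
            AccountPassword       = (New-RandomPassword)
            Enabled               = $true
            ChangePasswordAtLogon = $true   # user sets a password the exporter never knew
        }
        # Optional attributes are only passed when Azure AD actually has them
        if ($u.GivenName) { $params.GivenName    = $u.GivenName }
        if ($u.Surname)   { $params.Surname      = $u.Surname }
        if ($u.Mail)      { $params.EmailAddress = $u.Mail }

        New-ADUser @params -WhatIf:$WhatIf
        $created += $upn
    }
    return $created
}

# Dry run first; drop -WhatIf to create the accounts.
Export-AadUsersToLocalAd -WhatIf
```

Run it with `-WhatIf` to see which accounts would be created before touching the directory. The point the code makes explicit is that nothing in it can carry a password across: after the import there is an Azure AD credential and a separate on-premises credential for the same person, and the two will drift as soon as either side enforces an expiry.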
  • On second thought:

    No straightforward way to accomplish this.

    https://www.youtube.com/watch?v=wGdhc9k07Ms

    :)

    What's the not-so-straight-forward way?  The idea is to have a central, authoritative authentication (password) source so that users are not having to manage/store/remember multiple passwords.  Obviously, importing accounts invalidates this as there are now two accounts, and even with the accounts using the same password, it only takes one system to impose a credential expiration/limit to disrupt that approach.

    Wednesday, May 3, 2017 8:27 AM