Does AD connector sync security groups?

  • Question

  • Trying to determine which objects sync from on-premises AD to Azure AD (AAD).

    My understanding is that users and groups are synced to AAD. Are security groups considered a "group" that syncs to AAD?

    My understanding is that distro groups are synced to AAD.

    In hybrid O365, distro groups have to be created on

    You can't make changes to user attributes, user passwords, or group memberships within Azure AD.

    dsk

    Monday, April 13, 2020 2:18 AM

All replies

  • Yes - by default security groups are synchronized to Azure AD (as long as they are in the scope of synchronization).

    There are some exceptions though:

    • Azure AD Connect excludes built-in security groups from directory synchronization.

    • Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.

    • Azure AD Connect does not support synchronizing Dynamic Distribution Group memberships to Azure AD.

    • To synchronize an Active Directory group to Azure AD as a mail-enabled group:

      • If the group's proxyAddress attribute is empty, its mail attribute must have a value

      • If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address value. Here are some examples:

        • An Active Directory group whose proxyAddress attribute has value {"X500:/0=contoso.com/ou=users/cn=testgroup"} will not be mail-enabled in Azure AD. It does not have an SMTP address.

        • An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup","SMTP:johndoe@contoso.com"} will be mail-enabled in Azure AD.

        • An Active Directory group whose proxyAddress attribute has values {"X500:/0=contoso.com/ou=users/cn=testgroup", "smtp:johndoe@contoso.com"} will also be mail-enabled in Azure AD.

    more at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-user-and-contacts

    hth
    Marcin

    Monday, April 13, 2020 3:03 AM
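    As an added example that is not part of the thread or of Microsoft's own tooling, the script below applies the mail-enablement rules quoted in the reply to on-premises AD groups. The function itself runs against constructed sample objects with no domain; the commented live query assumes the RSAT ActiveDirectory module and uses the isCriticalSystemObject attribute as an approximation of the built-in group exclusion.

```powershell
# Added example, not code from the thread or from Microsoft.
# Decides whether an on-premises AD group would arrive in Azure AD as a
# mail-enabled group, using the two rules from the reply above.
function Test-AadMailEnabledGroup {
    param(
        [AllowNull()][AllowEmptyString()][string]$Mail,
        [AllowNull()][AllowEmptyCollection()][string[]]$ProxyAddresses
    )
    # Rule 1: proxyAddresses empty -> the mail attribute must have a value.
    if ($null -eq $ProxyAddresses -or $ProxyAddresses.Count -eq 0) {
        return -not [string]::IsNullOrWhiteSpace($Mail)
    }
    # Rule 2: proxyAddresses non-empty -> at least one entry must be an SMTP
    # proxy address. -match is case-insensitive, so "SMTP:" and "smtp:" both
    # qualify, while an X500:-only list does not.
    foreach ($addr in $ProxyAddresses) {
        if ($addr -match '^smtp:') { return $true }
    }
    return $false
}

# Constructed sample groups (not real directory data): the three cases from
# the reply plus a group that relies on the mail attribute alone.
$x500 = 'X500:/o=contoso.com/ou=users/cn=testgroup'
$sampleGroups = @(
    [pscustomobject]@{ Name = 'x500-only';  mail = $null; proxyAddresses = @($x500) }
    [pscustomobject]@{ Name = 'upper-SMTP'; mail = $null; proxyAddresses = @($x500, 'SMTP:johndoe@contoso.com') }
    [pscustomobject]@{ Name = 'lower-smtp'; mail = $null; proxyAddresses = @($x500, 'smtp:johndoe@contoso.com') }
    [pscustomobject]@{ Name = 'mail-only';  mail = 'team@contoso.com'; proxyAddresses = @() }
)

# Expected: x500-only -> False, upper-SMTP -> True, lower-smtp -> True, mail-only -> True
$sampleGroups | ForEach-Object {
    [pscustomobject]@{
        Group       = $_.Name
        MailEnabled = Test-AadMailEnabledGroup -Mail $_.mail -ProxyAddresses $_.proxyAddresses
    }
} | Format-Table -AutoSize

# Live check against the domain (assumes the RSAT ActiveDirectory module).
# Built-in groups are excluded from sync per the reply; filtering on
# isCriticalSystemObject is an approximation of that exclusion.
# Get-ADGroup -Filter * -Properties mail, proxyAddresses, isCriticalSystemObject |
#     Where-Object { -not $_.isCriticalSystemObject } |
#     Select-Object Name, @{ n = 'MailEnabledInAAD'
#                            e = { Test-AadMailEnabledGroup -Mail $_.mail -ProxyAddresses $_.proxyAddresses } }
```

    Groups that report False here will sync as plain security groups; adding an SMTP: entry to proxyAddresses or populating mail on-premises is what changes the outcome, since the reply and the question both note that group attributes cannot be edited on the Azure AD side.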
  • Is it correct that changes to the membership of a distro group must be done on-premises in an O365 hybrid?

    Must all membership changes for security groups also be done on-premises for O365 hybrid? (i.e. adding/removing users from O365 hybrid.)

    dsk

    Tuesday, April 14, 2020 3:58 AM