Cannot find Azure AD users on domain-joined VM

  • Question

  • Good afternoon,

    I had set up an Azure Active Directory Domain, deployed a VM, joined the VM to the domain, and added domain users to the remote desktop users group.  Everything was working swimmingly, then I set about configuring my Azure environment to be PCI compliant, guided by the Azure Security Center....  now my Azure VM cannot get new/updated info from Azure AD :( 

    I tested further with VMs that were NOT in the scope of the GP I am using to deploy the PCI compliant settings, and it appears now that NONE of my VMs can see the AD users!  For example, I added a new user to Azure AD, but I am not able to find that user on my VM (cannot add permissions for the user; it's as if the user doesn't exist).  I have reverted everything I can think of, even dropped the VM from the domain and added it back, but still I cannot find any new/updated users when I search from the VM.

    Can anyone provide some advice for troubleshooting Azure AD user sync with Azure AD joined VMs?  Let me know if any further info is needed.

    TIA,

    Phil

    Monday, April 8, 2019 9:11 PM

Answers

  • Greetings Marilee,

    Thank you for the reply.  In this case, there is no on-premises :)  this is a 100% cloud deployment in Azure.  

    Thankfully I did figure out the answer in my case, which boils down to this: do not allow the NSG for the AADDC VNet subnet to be shared by other resources.  This is a standard Microsoft recommendation which I deviated from inadvertently.

    What had happened was: my NSG for AD was shared by one of my VMs (I was not aware of this misconfiguration).  Then I enabled JIT debugging on that VM, and it added some rules to the NSG, which caused problems with the AADDC connectivity with VMs.  Once I reverted my AADDC VMs to the standard NSG (tailored for AD), all was well.

    Posting this in case it helps someone else.  Thanks again for your reply.

    • Marked as answer by pviii Tuesday, April 9, 2019 2:12 AM
    Tuesday, April 9, 2019 2:12 AM
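The check the accepted answer implies, written out as an added example (this is not code from the thread or from Microsoft): find the NSG attached to the Azure AD Domain Services subnet, report whether any other subnet or NIC is sharing it, and list rules that look like they were added by something other than the AAD DS deployment. It assumes the Az.Network module and an existing Connect-AzAccount session; the resource group, VNet and subnet names are placeholders, and the `SecurityCenter-JITRule*` name pattern used to spot Security Center JIT rules is an assumption you should confirm against your own NSG.

```powershell
# Added example, not from the original thread. Assumes Az.Network is installed and
# Connect-AzAccount has already been run. All three names below are placeholders.
param(
    [string]$ResourceGroup = 'rg-aadds',    # placeholder
    [string]$VNetName      = 'vnet-aadds',  # placeholder
    [string]$SubnetName    = 'snet-aadds'   # placeholder: the subnet AAD DS is deployed into
)

Import-Module Az.Network -ErrorAction Stop

# 1. Locate the NSG bound to the AAD DS subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$subnet = $vnet.Subnets | Where-Object Name -eq $SubnetName
if (-not $subnet) { throw "Subnet '$SubnetName' not found in VNet '$VNetName'." }
if (-not $subnet.NetworkSecurityGroup) { throw "Subnet '$SubnetName' has no NSG attached." }

# Resource ID layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/networkSecurityGroups/{name}
$idParts = $subnet.NetworkSecurityGroup.Id -split '/'
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $idParts[4] -Name $idParts[-1]

# 2. Sharing check: the AAD DS subnet NSG should reference exactly this subnet and no NICs.
#    Any other association means a change made for some VM (for example JIT access
#    on a VM NIC or subnet) lands on the domain controllers as well.
$otherSubnets = @($nsg.Subnets | Where-Object { $_.Id -ne $subnet.Id } | ForEach-Object { $_.Id })
$nics         = @($nsg.NetworkInterfaces | ForEach-Object { $_.Id })

# 3. Rule check: list inbound rules that were not part of the AAD DS baseline.
#    Deny rules and Security Center JIT rules (assumed name pattern) are the usual culprits;
#    compare the remainder against the inbound rules Microsoft documents for AAD DS.
$rules   = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg
$suspect = @($rules | Where-Object {
    $_.Direction -eq 'Inbound' -and
    ($_.Access -eq 'Deny' -or $_.Name -like 'SecurityCenter-JITRule*')   # assumption: JIT naming
})

$report = [pscustomobject]@{
    NsgName          = $nsg.Name
    SharedWithSubnets = $otherSubnets
    SharedWithNics    = $nics
    IsShared          = ($otherSubnets.Count -gt 0 -or $nics.Count -gt 0)
    SuspectRules      = $suspect | Select-Object Name, Priority, Access, Protocol,
                                                  SourceAddressPrefix, DestinationPortRange
}

$report | Format-List
if ($report.IsShared) {
    Write-Warning "NSG '$($nsg.Name)' is shared beyond the AAD DS subnet. Give the AAD DS subnet its own NSG."
}
if ($suspect.Count -gt 0) {
    Write-Warning "NSG '$($nsg.Name)' carries $($suspect.Count) inbound rule(s) that do not belong to the AAD DS baseline."
}
```

Run it once per AAD DS VNet after any Security Center or policy change; a non-empty SharedWithSubnets or SharedWithNics is the misconfiguration described in the answer, and the SuspectRules list tells you what to remove or move to the VM's own NSG before domain connectivity is restored.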

All replies

  • This is expected behavior. User writeback is not a feature in Azure AD. You can sync the users from on-premises to the cloud but you cannot do the reverse. So a user added in the cloud will be a cloud-only user, and a user synced from on-premises via AD Connect will be a hybrid user (listed in Azure AD as a Windows Server user). You just cannot have a user that originated in Azure AD and is then synced to on-premises.
    Monday, April 8, 2019 11:41 PM
    Moderator
  • Glad you were able to get this resolved. Thanks for sharing your solution.
    Tuesday, April 9, 2019 5:27 AM
    Moderator