Azure AD Connect Implementation

  • Question

  • AD Connect replaces AD Azure Distribution Groups and Distribution Group Members on AD Azure without any warning or Errors. [Case #:21617630]

    When the UPN of the Distribution Group in AD on-premise matches the UPN of the Distribution Group of AD on Azure, AD Connect is replacing this Distribution Group and all of the Group Members without reporting any warning or errors.

    If the client added additional Distribution Group members in AD Azure, this results in inadvertent deletion of group members without any warning or errors.

    Additional information and background:

    1. IDFix only validates domain suffixes (contoso.com). IDFix does not validate whether the user or distribution group(s) already exist in AD Azure/O365.

    2. If a User with the same UPN already exists in AD Azure, an error is reported and the ImmutableId of the user has to change in order for the user synchronization to proceed, i.e. for the user to be included in the AD Connect process.

    3. If the Distribution Group on-premise UPN matches the Distribution Group UPN on AD Azure, the distribution group and all of the members of the Distribution Group on AD Azure are replaced without warning or error message. If any additional group members were added to a Distribution Group on AD Azure, but have not been added to a Distribution Group with the same UPN on-premise, these members are removed from the Distribution Group on AD Azure since the entire group is replaced.

    4. Why is there a difference in how Users and Distribution Groups are processed and documented?

    Why is there an inconsistency in the logic of AD Connect implementation between how Users and Distribution Groups are processed?

    Is this an enhancement or a product defect?

    Thank you.

    • Edited by BorisVis Monday, August 31, 2020 2:18 PM
    Monday, August 31, 2020 1:57 PM
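A pre-sync check that a defender would want before enabling synchronization for groups that already exist in the cloud, as an added example that is not part of the original post and not Microsoft's code: it compares two membership exports and lists, per group present on both sides, the members that exist only in the cloud copy. Under the replace-on-match behaviour the post describes, those are the members that would be removed without warning. The CSV exports in "group,member" form, the contoso.com identifiers and the helper names (`load_export`, `at_risk_members`, `report`) are assumptions constructed for this example; the group key is the matching identifier the post describes as the UPN.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports in "group,member" form, of the kind one could produce
# with Export-Csv from an on-premises membership query and a cloud directory export.
# Identifiers are deliberately mixed-case to show the case-insensitive matching.
ONPREM_EXPORT = """group,member
sales@contoso.com,alice@contoso.com
sales@contoso.com,bob@contoso.com
ops@contoso.com,dave@contoso.com
"""

CLOUD_EXPORT = """group,member
Sales@contoso.com,Alice@contoso.com
Sales@contoso.com,bob@contoso.com
Sales@contoso.com,carol@contoso.com
marketing@contoso.com,erin@contoso.com
"""


def normalise(value: str) -> str:
    """Directory identifiers (UPNs, SMTP addresses) compare case-insensitively."""
    return value.strip().lower()


def load_export(text: str) -> dict[str, set[str]]:
    """Parse a 'group,member' CSV export into {group_key: {member identifiers}}."""
    groups: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        groups[normalise(row["group"])].add(normalise(row["member"]))
    return dict(groups)


def at_risk_members(onprem: dict[str, set[str]],
                    cloud: dict[str, set[str]]) -> dict[str, list[str]]:
    """For groups present on both sides, list cloud members absent on-premises.

    These are the members a replace-on-match sync would silently drop, because
    the on-premises membership becomes the entire membership of the cloud group.
    """
    result: dict[str, list[str]] = {}
    for key in sorted(onprem.keys() & cloud.keys()):
        lost = sorted(cloud[key] - onprem[key])
        if lost:
            result[key] = lost
    return result


def cloud_only_groups(onprem: dict[str, set[str]],
                      cloud: dict[str, set[str]]) -> list[str]:
    """Groups with no on-premises counterpart are not matched and stay untouched."""
    return sorted(cloud.keys() - onprem.keys())


def report(onprem_text: str = ONPREM_EXPORT,
           cloud_text: str = CLOUD_EXPORT) -> dict[str, list[str]]:
    """Print a human-readable summary and return the at-risk map for further use."""
    onprem = load_export(onprem_text)
    cloud = load_export(cloud_text)
    risks = at_risk_members(onprem, cloud)
    for group, members in risks.items():
        print(f"{group}: {len(members)} member(s) exist only in the cloud copy "
              f"and would be removed on match: {', '.join(members)}")
    if not risks:
        print("No matched group would lose members.")
    return risks


if __name__ == "__main__":
    report()
```

Run this against real exports before the first synchronization cycle that includes the groups; any group it lists either needs its missing members added on-premises first or needs the cloud group renamed so that no match occurs. Groups that exist only in the cloud (`cloud_only_groups`) are not affected by the matching behaviour and are reported separately so they are not mistaken for safe matches.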