Sync Azure Active Directory Down to On-Premises AD
It would be great to be able to sync Azure AD down to On-premise AD. I want to centrally manage my users, passwords, and groups from Azure AD. That way the on-premise server just acts as a medium for the local environment.
It says "coming soon" for cloud to on premise sync. It was last updated on September 5th 2014. I can't find any new information on whether this is out.
Michael Apelt commented
Please enable User-Writeback!
Any update on this? If a user changes their phone number in Delve / SharePoint in O365, it currently doesn't get replicated back to on premises AD which is useless!
Petros Sympragos commented
So as of today, 7/4/2019, is there a workaround on how to sync using some sort of automation?
Wouter van Rij commented
Indeed would be good to read why this was declined, and what the alternative will be. We're a startup that started with Office365, and then to on-premise AD. Would prefer to keep the Azure AD leading.
It appears this feature has been declined, can we please have some indication from MS why this is?
Especially since an AAD->AD sync tool must already exist since it's exactly how Azure AD Domain Services works (https://azure.microsoft.com/en-us/services/active-directory-ds/). AAD DS works for those that can afford the costs of Azure and have a reliable internet connection for a site-to-site VPN, but not so well for those that don't.
In our case (a K-12 school), we've attempted some degree of cloud-first-ness and built most of our infrastructure using Office 365 tools, and integrated in some other web tools using SAML/OAuth. However, we still need to provide services like printer services (which connect over SMB and therefore need Kerberos/NTLMv2) and RADIUS for our wireless (which also needs Kerberos/NTLMv2/LDAP). I appreciate that setting up AD and AAD Connect is not difficult in itself, but I've seen enough issues and had enough headaches having to deal with e.g. the ProxyAddresses attribute etc. that I'd like to save my support staff from that as much as possible.
We basically just need an on-prem version of Azure AD Domain Services. Please and thank you?
This would be really useful. We also want our prem AD as secondary to Azure Online. A sync back tool would be ideal.
Adeel Aleem commented
When will this feature be available?
Need this now! When can we get it?
This would be great if it were part of AAD/AADC AD integration... it would give us a lot more confidence...
Any updates on this?
Looking for an update on this as well, as it would really streamline onboarding. Moderators, please give us an update.
When will this feature be available?
It's been months / years that we've been promised that.
In your Azure documentation, this is possible in Premium 1. How to do it when we bought the Premium 1 just for the UserWriteBack?
Device objects two-way synchronization between on-premises directories and Azure AD (Device write-back)
Any information will be welcome.
Eric Campbell commented
It's been three months! The suspense is killing me. ...seriously though, it would be great to have this available. Any news (even if it's news of a setback) would be welcome.
Hassan Almanasrah commented
Can we know when this could be available?
Surprised this isn’t possible yet!
It's been a couple of months, @RobDeJong. Is there anything in the pipeline? We're still having to provision users on-premise; it would be great to be able to at least have a service in Azure that enables a basic user creation form that then has the rights to create a user in AD, and then continues the provisioning tasks once that user has been pushed up to AAD. Anything!
Rob de Jong (Azure AD IAM) commented
Hi folks - we're currently designing a new service that will write back users and groups from AAD to various different targets - AAD, other directories, applications - and we're not planning on implementing this in the AADConnect sync stack. We hope to be able to tell you more about this in a couple of months. Any specific input you may have on this topic is welcome!
Jeremy Bradshaw commented
I've noticed the AAD Connect AdPrep PowerShell module still includes Initialize-UserWriteback, but other pieces that used to be present seem to be missing from other places.
PS C:\Users\Administrator> Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
PS C:\Users\Administrator> Get-Command -Module AdSyncPrep -Verb Initialize
CommandType  Name                                        Version  Source
-----------  ----                                        -------  ------
Function     Initialize-ADSyncDeviceWriteBack            0.0      AdSyncPrep
Function     Initialize-ADSyncDomainJoinedComputerSync   0.0      AdSyncPrep
Function     Initialize-ADSyncGroupWriteBack             0.0      AdSyncPrep
Function     Initialize-ADSyncNGCKeysWriteBack           0.0      AdSyncPrep
Function     Initialize-ADSyncUserWriteBack              0.0      AdSyncPrep
Since Microsoft isn't responding, I'll put my two cents in. It appears that this already is working; however, it's part of the premium Azure AD service.
One of the bullet points down the list: Self-Service Password Reset/Change/Unlock with on-premises writeback.
It's available in Premium P1 or Premium P2.