Entra Cloud Sync – Lightweight Agent – Cloud Managed – Part 6 – How to create users in Entra ID and sync to Active Directory

Since you cannot create users in Entra ID and have them synced to the local Active Directory, I will show what happens if users are automatically provisioned in Entra ID and you want to convert them to synced users.

Before we jump into this, note that if you have set up sync from AD to Entra ID and create a user in the local AD, this user will be synced to Entra ID:

Now for the approach to see what would happen if you were to create users in Entra ID first.

Diagram

Guide (without automation – with Entra ID and Active Directory)

Start by creating the user in Entra ID. I just run a quick creation for demo purpose:

Fill out basics


Note here that I set title of the user in Entra ID:


I assign the user to groups in Entra ID:

This will have the user created in Entra ID, but not synced back to Active Directory.

I want the user to be synced from Active Directory (because I need to support legacy applications that use Kerberos authentication in this local Active Directory). So I have to create the user in Active Directory – but do I delete the user in Entra ID and start over? No.

We can leverage a method called soft-match that is built into both Entra Connect Sync and Entra Cloud Sync.

I now switch over to Active Directory Users & Computers.
I create a user (in an OU that is within the scope of the Cloud Sync filter).

Note that the password I type in here will be the password the user receives: the password in Entra ID is overwritten with this local password upon soft-match. Only later password changes from Entra ID will use password writeback.

For the sake of this demo, I do not fill out the title of the user in Active Directory (I want to show what happens).

Now I can either wait or use the on-demand provisioning feature to quickly sync the user to Entra ID:

Source Anchor is useful if soft-match fails and you need to do a manual hard-match (not discussed in this article series).

My user is now synced (shown in Entra ID):

Also, when I look at the user in Entra ID now, the title is gone?! This is because almost any attribute of a synced user must be filled out in Active Directory and cannot be updated in Entra ID.

Note all fields are greyed out in Entra ID:
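The AD-side steps above, scripted as an added example (not from the original post): the on-premises user is created with the same UPN as the existing Entra ID user so soft-match applies, the title is carried over from Entra ID because it becomes read-only there after the match, and the result is checked afterwards. The UPN, OU, names and the Microsoft Graph connection are assumptions for the demo.

```powershell
# Added example: create the AD user so Entra Cloud Sync soft-matches it to the
# user that already exists in Entra ID. Soft-match keys on the UPN (or the primary
# SMTP address), so the AD object must carry the same UPN as the cloud user.
# Placeholders: UPN jane.doe@contoso.com, OU "OU=Synced,DC=contoso,DC=com".
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$Upn = 'jane.doe@contoso.com'         # placeholder: UPN of the user created in Entra ID
$OU  = 'OU=Synced,DC=contoso,DC=com'  # placeholder: OU inside the Cloud Sync scoping filter

# 1. Confirm the cloud user exists and is still cloud-only before creating the AD object.
Connect-MgGraph -Scopes 'User.Read.All'
$cloudUser = Get-MgUser -UserId $Upn -Property 'id,userPrincipalName,onPremisesSyncEnabled,jobTitle' -ErrorAction SilentlyContinue
if (-not $cloudUser) { throw "No Entra ID user with UPN $Upn; soft-match would have nothing to match." }
if ($cloudUser.OnPremisesSyncEnabled) { throw "$Upn is already synced from AD; nothing to do." }

# 2. Create the AD user with the same UPN. Title (and almost every other attribute) has
#    to be set here: after soft-match it is read-only in Entra ID and the cloud value is lost.
$params = @{
    Name                  = 'Jane Doe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = 'jane.doe'
    UserPrincipalName     = $Upn
    EmailAddress          = $Upn                # primary SMTP, the other soft-match key
    Title                 = $cloudUser.JobTitle # carry the Entra ID title over so it survives
    Path                  = $OU
    AccountPassword       = (Read-Host 'Initial AD password (this overwrites the Entra ID password)' -AsSecureString)
    Enabled               = $true
    ChangePasswordAtLogon = $true               # user sets their own password at first logon
}
New-ADUser @params

# 3. After the next Cloud Sync cycle (or on-demand provisioning), verify the object was
#    matched rather than duplicated: exactly one user, now flagged as synced from on-premises.
$matched = Get-MgUser -Filter "userPrincipalName eq '$Upn'" -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,jobTitle'
if (@($matched).Count -ne 1) { throw "Expected one user for $Upn, found $(@($matched).Count); check for a duplicate." }
$matched | Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId, JobTitle
```

OnPremisesSyncEnabled should read True and OnPremisesImmutableId should be populated once the match has completed; if a second object appears instead, the UPN or primary SMTP did not line up and a hard-match via Source Anchor is the fallback.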

Initially, the user is not a member of the cloud synced group in Active Directory, but after the next sync of the Entra ID to AD connector, the user in Active Directory is updated with the membership of the cloud synced group.
Remember NOT to add users to cloud synced groups in Active Directory; this must be done in Entra ID.
