On prem Active directory synced to Azure AD to allow on prem credentials to login to the portal - azure-active-directory

We have synced our on prem active directory to our Azure instance active directory using Azure AD connect (Express install). We can see the users in Azure from our on prem AD. The sync shows as successful.
Now we would like to use the domain name that we have synced to Azure for user authentication into the Azure portal. The documentation that we have read says this is possible, but we can't get it to work.
When we try to use an existing AD user we get the message “We don’t recognize this user ID or password”, but if we create a new user in Azure and assign it to our synced AD we can use it to log in to the Azure portal.
We have searched for a detailed document on on-prem AD synced to Azure AD for portal login and found some documents that we followed, but they did not help.
Can we use our on prem AD user name and password to allow users to login to the Azure portal?
Thanks for your help
John

Yes, you can use users in Azure AD with the tag "Sourced from: Local Active Directory" to log in to the Azure portal.
The custom domain should be verified.
Password Synchronization should be enabled.
Also, assign co-admin rights for at least one subscription to log in to the Management Portal.
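A script that checks the three conditions listed in this answer for one synced account, added here as an example (it is not from the original answer or from Microsoft); it assumes the Microsoft Graph PowerShell SDK is installed, and the UPN is a constructed placeholder:

```powershell
# Added example, not from the original answer: verifies the conditions listed
# above for a synced on-prem user before they try the Azure portal.
# Assumes the Microsoft Graph PowerShell SDK is installed; $Upn is a constructed
# placeholder, replace it with a real synced user's UPN.
param(
    [string]$Upn = 'jdoe@example.com'   # constructed placeholder UPN
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'User.Read.All' -NoWelcome
$problems = @()

# 1. The UPN suffix must be a verified custom domain in Azure AD; otherwise the
#    synced account ends up as user@tenant.onmicrosoft.com and the on-prem UPN fails.
$suffix = $Upn.Split('@')[1]
$domain = Get-MgDomain -DomainId $suffix -ErrorAction SilentlyContinue
if (-not $domain)                { $problems += "Domain '$suffix' is not registered in the tenant." }
elseif (-not $domain.IsVerified) { $problems += "Domain '$suffix' is registered but not verified." }

# 2. Password hash synchronization must be enabled on the tenant's sync configuration.
$sync = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'
$phsEnabled = @($sync.value | ForEach-Object { $_.features.passwordSyncEnabled }) -contains $true
if (-not $phsEnabled) { $problems += 'Password hash sync is disabled; on-prem passwords will not be accepted.' }

# 3. The account must be sourced from on-prem AD (the "Sourced from: Local Active
#    Directory" tag in the portal) and enabled.
$user = Get-MgUser -UserId $Upn -ErrorAction SilentlyContinue `
    -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId, AccountEnabled
if (-not $user)                           { $problems += "User '$Upn' not found in Azure AD." }
elseif (-not $user.OnPremisesSyncEnabled) { $problems += "User '$Upn' is cloud-only, not synced from on-prem AD." }
elseif (-not $user.AccountEnabled)        { $problems += "User '$Upn' is disabled." }

# The co-admin / subscription role assignment from the answer is an Azure RBAC
# setting and is not checked here (it needs the Az module, not Graph).
if ($problems.Count -eq 0) {
    Write-Output "All sync prerequisites look good for $Upn."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as a tenant reader after a sync cycle completes; any warning it prints corresponds to one of the three bullets above and tells you which one to fix first.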

Related

Can we update properties of a user whose source of authority is Windows Server AD in Azure Active Directory?

Users in Azure Active Directory have a source of authority option. It is either Azure Active Directory or Windows Server AD. So for users whose source of authority is Windows Server AD, their fields are not updating. Please clear my doubt.
No, you cannot update attributes in Azure AD for on-premises users synced using Azure AD Connect. You need to edit the attributes in the local AD.

Users from on-prem AD aren't synced to Azure AD as Guest

I have a setup where I have installed the Azure AD on-prem cloud provisioning agent on a Domain joined server. The setup was successful. I followed the documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-prerequisites
After configuring the agent in Azure AD, Users can only be synced as Member.
Is there a way to sync users as Guest using the provisioning agent?
Also, is there a Microsoft Graph API to validate the agent and do the configuration?
On-prem AD users aren't synced to Azure AD as Guest; those synced users cannot be Guest users, and this is by design.
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD) with a user type of Guest. The guest user must then redeem their invitation to access resources. Any user synced via AD Connect will not be a guest user.

Can I use Azure services RBAC with on-premises authentication without syncing users to AAD?

Can one use ADFS/pass-through authentication to authenticate to an Azure service (the portal) with on-premises AD without synchronizing user accounts? Can one assign RBAC for an on-premises user to Azure services?
For example, grant a VM Contributor role to an on-premises user without syncing all user information between on-premises AD and AAD.
You need to sync users to Azure AD. Password hashes do not need to be synced; you can use ADFS for login. But you do need to sync users so that Azure AD knows which users exist.

Azure AD B2C and Azure AD Connect

According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because when you want to manage users and groups in Azure AD B2C, you must use Azure AD to manage them. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate identities. As #Saca said, that blade was for Azure AD.
And what can you do with Azure AD Connect and B2C then?
That FAQ is right, but you can still use Azure AD Connect to sync on-premises users to Azure AD. You can also use the synced user accounts to log in to Azure AD B2C. But after syncing, the user name would be changed to .onmicrosoft.com.
If you still want to use your local account email address for the synced username, you can refer to this document and this official support article.

Can I use Azure AD Connect to connect an Azure AD and a local AD with the same domain name?

As the title says,
Can I use Azure AD Connect to connect an Azure AD and a local AD with the same domain name?
Azure AD domain: example.com
Local AD domain: example.com
Will it allow me to do it or will it end up in an error?
Or maybe it will only allow me to do specific setups? I.e., can I do password sync but not federate it?
Cheers!
Can I use Azure AD Connect to connect an Azure AD and a local AD with the same domain name?
Yes, that's how Azure AD works. And to ensure Azure AD Connect works successfully, we need to verify the domain for Azure AD first. For more detail on this topic, you can refer to the links below:
Getting started with Azure AD Connect using express settings
Add a custom domain name to Azure Active Directory