none
Azure AD - can you flip from a Cloud-Identity Model to Federated Identity Model

    Question

  • Hi Everyone,

    I'm investigating a scenario where we have the following:

    - We currently have our on-premise domain configured with Azure AD Connect, and federated with ADFS (i.e. utilising a Federated Identity Model).

    - We may have a need for provisioning some users directly into Azure AD for now (costs for AD Object Management for a particular toolset being used, which is causing a complication for a particular project (inflating costs).)

    My question is, if we already have Federated Identity Model configured with our Azure AD Tenancy, are we able to sync a previously configured Azure AD User account with an OnPrem Active Directory Account that is configured after Azure AD identity has been configured?

    We have instances in the business where some of our employees don't utilise a computer for their day to day work, but need access to one certain applciation (e.g. HR Services or Payroll for example). In some instances these employees do move into "corporate" roles where they then need an OnPrem Active Directory account.

    Just want to confirm my options.

    Any further info required, please let me know.

    Thanks in advance.

    Simon

    Tuesday, December 6, 2016 11:44 PM

All replies

  • Hello Simon,

    If an account is created in Azure AD previously, for example, the user name is 'test@contoso.com', the account property for source from should be  Microsoft Azure Active Directory, and then, the on-premise domain is federated with Azure AD using AD Connect. 

    After the federation, if you create an account with name 'test@contoso.com' in the on-premise AD,  this account will be synced to Azure AD, replace the previously created Azure AD Account, and the account property for source from will be changed to  Local Active Directory.

    Besides, after the domain federation, you won't be able to directly create the account with the federated domain in Azure AD , you have to create it on the on-premise domain controller.

    Best Regards,
    Andy Liu 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 7, 2016 5:26 AM
  • Hi Andy,

    Thanks for your response. I was aware that creating an account in OnPrem AD would create the identiy in Azure AD. What I was wanting to know was whether or not their would be a sync error/issue that the user would experience?

    Things I'm assuming that could happen would be password for thw Azure AD account wouldn't be the same anymore if password sync/writeback is enabled? Right?

    Thursday, December 8, 2016 4:58 AM
  • Hello Simon,

     

    By default, the newly created accounts will be synced to Azure AD every 30 minutes.

     

    However,  the password synchronization is more frequently, it runs every 2 minutes. If synchronization attempts failed, the password synchronization automatically retries every 2 minutes, and the errors are logged in your event viewer.

     

    It's rare that the sync error happens, and will be recovered in the next sync cycle.

     

    Best regards,

    Andy Liu



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 9, 2016 2:59 AM