
I have an on-prem Active Directory domain called xyzcorp.com. I also have an Azure AD domain called xyzcorp.com. The two are not synchronized at the moment. What I want to be able to do is enable directory synchronization between on-prem and Azure AD. This brings me to the issue at hand.

I have a user called admin@xyzcorp.com that's present in both directories. That same user is a Global Admin/Azure Owner. What will happen if I attempt to synchronize my on-prem directory over to Azure? Will I lose access to Azure AD? In general, what's the best practice for dealing with two disjointed domains, and how can I combine them, making on-prem the authoritative source?

Many thanks.

1 Answer


Azure AD Connect won't synchronize an on-premises user account to an Azure AD user account that is a Global Admin.

Azure AD Connect will not synchronize an on-premises user account to Azure AD where the isCriticalSystemObject attribute of the on-premises user account is set to True.

When you synchronize your on-premises objects to Azure AD, the on-premises objects become the source of authority for the synchronized objects in Azure AD.

If you've got everything configured correctly, Azure AD Connect will match your on-premises objects to your existing Azure AD objects.

joeqwerty
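The answer above lists two reasons an on-prem account will not be matched to its cloud twin (a Global Admin on the cloud side, isCriticalSystemObject=TRUE on the on-prem side). The following PowerShell pre-flight check is an added example, not code from the original question or answer: it enumerates both sets and flags any collision such as admin@xyzcorp.com before Azure AD Connect is installed. It assumes the RSAT ActiveDirectory module on a domain-joined machine and the AzureAD module with an existing Connect-AzureAD session; the domain and user names come from the question.

```powershell
# Added pre-flight check before enabling Azure AD Connect (example code, not from the post).
# Assumptions: RSAT ActiveDirectory module available on a domain-joined host,
# AzureAD module installed, and Connect-AzureAD already run against the
# tenant that owns xyzcorp.com (domain name taken from the question).

Import-Module ActiveDirectory
Import-Module AzureAD

# 1. On-prem accounts that Azure AD Connect will skip because
#    isCriticalSystemObject is TRUE (e.g. built-in Administrator, krbtgt).
$critical = Get-ADUser -LDAPFilter '(isCriticalSystemObject=TRUE)' `
    -Properties isCriticalSystemObject, userPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

Write-Host 'On-prem users with isCriticalSystemObject=TRUE (will not be synchronized):'
$critical | Format-Table -AutoSize

# 2. Cloud accounts that currently hold the Global Administrator role.
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Global Administrator' }
$globalAdmins = Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' }

# 3. Cross-reference: a Global Admin whose UPN also exists on-prem is exactly
#    the collision the question describes (admin@xyzcorp.com in both directories).
$collisions = @()
foreach ($ga in $globalAdmins) {
    $upn = $ga.UserPrincipalName
    $onPrem = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
    if ($onPrem) {
        # The value Connect would use as sourceAnchor/ImmutableId for this
        # on-prem object (base64 of objectGUID), shown for reference only.
        $immutableId = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())
        Write-Warning "$upn is a Global Admin in Azure AD and also exists on-prem; Connect will not match these two objects."
        Write-Host "  on-prem objectGUID as ImmutableId: $immutableId"
        $collisions += $upn
    }
}

if ($collisions.Count -eq 0) {
    Write-Host 'No Global Admin account collides with an on-prem account.'
}

# 4. Sanity check for the lock-out worry in the question: how many Global
#    Admins are cloud-only (no on-prem twin), and therefore unaffected by sync.
$cloudOnlyAdmins = $globalAdmins |
    Where-Object { $collisions -notcontains $_.UserPrincipalName } |
    Select-Object -ExpandProperty UserPrincipalName
Write-Host "Cloud-only Global Admins (unaffected by synchronization): $($cloudOnlyAdmins -join ', ')"
```

Run it from a host that can reach both directories; the warnings it prints are the accounts to deal with before the first synchronization cycle. A caveat of my own, not part of the answer: keep at least one cloud-only Global Admin account (step 4 above should never print an empty list), so that a matching problem on admin@xyzcorp.com cannot leave the tenant without an administrator.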