Sync between Azure and local Active Directory / Delete User - azure

We installed Azure AD Connect on our on-premises AD. It has now synced our whole AD into Azure AD.
Because we are just starting the project, we only have 5 people who got a licence for Office 365, and we now want only these 5 users in Azure AD.
In the Azure admin panel I cannot delete the users, because it says you can only delete them in the on-premises AD.
On the Azure AD Connect client on the on-premises server I have now configured it so that it only syncs the OU with the 5 users we want. But the other users are still in Azure AD.
I hope this is understandable, first Stack Overflow post.
Thanks

It is not possible to delete synced users in Azure Active Directory.
If you do not want to see those unwanted users in Azure Active Directory, you can stop synchronizing them on the Azure AD Connect server by filtering the objects.
If you want to remove the users completely, then you need to go to your on-premises Active Directory and delete those unwanted users, except these 5 users.
See the document for reference.
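As an added example (not part of the original answer), the check an administrator would run after narrowing the OU filter: confirm in the tenant which accounts are still directory-synced and which the filter change has soft-deleted. It assumes the MSOnline module (`Connect-MsolService`) that this thread refers to, and `$ExpectedUpns` is a constructed list standing in for the 5 licensed users.

```powershell
# Added example, not from the original post. Run after the OU filter change in
# Azure AD Connect; on the Connect server itself first trigger a delta sync with:
#   Start-ADSyncSyncCycle -PolicyType Delta
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an admin account

# Constructed placeholder list of the 5 users that should remain synced.
$ExpectedUpns = @(
    'user1@contoso.example', 'user2@contoso.example', 'user3@contoso.example',
    'user4@contoso.example', 'user5@contoso.example'
)

# Directory-synced accounts carry a LastDirSyncTime; cloud-only accounts leave it $null.
$synced = Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime }

# Anything synced that is not one of the intended users is still inside the filter
# scope (object sits in an included OU, or the sync cycle has not run since the change).
$unexpected = $synced | Where-Object { $ExpectedUpns -notcontains $_.UserPrincipalName }
if ($unexpected) {
    Write-Warning "Still synced but not in the expected list:"
    $unexpected | Select-Object UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize
} else {
    Write-Host "Only the expected $($synced.Count) synced users remain."
}

# Users dropped by the filter go to the recycle bin before they are purged; listing
# them shows what the change removed and what can still be brought back by putting
# the OU back into scope and syncing again.
Get-MsolUser -ReturnDeletedUsers -All |
    Select-Object UserPrincipalName, LastDirSyncTime, SoftDeletionTimestamp |
    Format-Table -AutoSize
```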

Related

Best Azure AD Solution to automatically Sync Users/Groups from one Azure AD Tenant to another

Looking for an ideal solution in Azure AD to automatically sync users between two Azure AD tenants.
The scenario I'm looking for is as follows:
- Corporate and our business project have separate Azure AD tenants.
- Want to leverage the Corp Azure AD to sync internal users directly to my project's Azure AD, to avoid onboarding all new people in the company.
- When an internal employee leaves, sync off-boarding as well, so that if Corp removes someone from Azure AD, they get removed from my project's AD as well.
What are the best options for me?
- Azure B2B sync using external identities
- Azure Lighthouse
- Others?
Can users be automatically synced without requiring them to click some activation/invitation link in emails? Can this be fully automated without "invite link emails" etc.?
Looking for some assistance.
AADConnect (Azure AD Connect) can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.
These tenants can be in different Azure environments.
You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to.
Note: one AADConnect server can synchronize to no more than one Azure AD tenant.
Reference: sync ad objects to multiple azure ad tenants
Also see use-scim-to-provision-users-and-groups

Azure DevOps and Azure Active Directory

I have the Azure DevOps organization called "Pay4it", which I want to connect to Azure Active Directory. I have tried to click "Connect directory", and a new window opens and an error comes up:
We cannot find your account (jt#rc-pay4it.dk) in any Azure Active Directory. Please talk to the administrator of your company's Azure Active Directory to get your user account (jt#rc-pay4it.dk) added to that directory.
If I try to log in to portal.azure.com with the username jt#rc-pay4it.dk it works fine, but still I have no Azure Active Directories in the dropdown.
I can't figure out what I'm missing; hopefully someone knows what I'm doing wrong.
I have attached a picture that shows the setup, the user created in Azure AD, and that the user is owner of the organization in DevOps.
The user who makes the connection must confirm the following statements are true.
- User exists in Azure AD as a member. If the user is an Azure AD guest, rather than member
- User is a project collection administrator or owner of the organization
- User isn't using the Microsoft account identity that matches the Azure AD identity. For example, if the Microsoft account that users are currently using is jamalhartnett#fabrikam.com, the Azure AD identity they'll use after connecting is also jamalhartnett#fabrikam.com. Use a single identity that spans both applications, rather than two separate identities using the same email.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#prerequisites

Syncing users between two azure AD

Is there any way to sync users from one Azure Active Directory to another Azure Active Directory? When searching for this I found a lot of options (using AAD Connect, for example) to sync an on-premises AD to Azure Active Directory; is there a way to do this between 2 actual AADs?
What I want to achieve is that the users and groups from an Office 365 tenant (which means it has an AAD) get synced to another Azure Active Directory (moving the second Active Directory into the 365 AAD is not an option). So when a user gets added to the 365 tenant it gets added to the other AAD, but also when it gets removed (the second Active Directory has no need for backwards syncing).
AFAIK, there is no such setting/tool to sync users between different Azure ADs.
To achieve the goal, you need to write the code yourself. For example, you can write a service which pulls the users from the two Azure ADs and compares them, then syncs the users using the Azure AD Graph as you want.

Change Identity Source for Azure Accounts and Groups

Background: Local/on-premises Active Directory (2012) synced to Microsoft Azure Active Directory using Azure AD Connect.
It was set up for Office 365 to use the existing on-premises identity.
Office 365 Enterprise E3 is the O365 business plan we have, which includes Microsoft Azure AD as an IDaaS platform.
Microsoft Azure AD was not set up to be a management console for the O365 tenant; it has since been connected and now manages the identity, and the O365 console can obviously still manage the identity as well.
Right now we have a local domain controller which the vast majority of computers authenticate with. If a computer (Windows 10) is removed from the domain and performs a "Join Azure AD", users can then log in with their O365 credentials and no longer authenticate with the local domain controller. Once this process is performed for all users, no one will authenticate with the local DC.
The AD/DC is still being synced with AAD/O365 for identity, but it cannot be fully managed from AAD/O365; there are limitations, such as contact information and username cannot be changed from the web consoles, they have to be changed from the local/on-premises AD Users and Computers. If one of the synced users/groups is viewed from the web consoles, some of the attributes are greyed out and state, "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory." as it should.
Question:
I would like to know if it is possible to convert a locally synced user account into a Microsoft Azure Active Directory user account? Meaning it would no longer sync to the local AD, could be deleted from the local AD, and is now fully managed from the web consoles.
Food for thought: if the sync was broken between the local AD and AAD/O365, would the identity still be seen as a local Active Directory identity? As shown below, this image is from the users section of the Azure portal for AAD.
[Image: AAD "Sourced from" column]
If you would like to convert a synced account to a cloud account:
NO RISK - TAKES TIME - AFFECTS ALL USERS:
- Deactivating the sync between the on-premises AD and Azure AD (Office 365) should make ALL THE SYNCED ACCOUNTS cloud users. (You can activate the sync again to join them again with AD. It would take a maximum of 72 hours to deactivate/activate the SYNC.)
https://support.office.com/en-us/article/Turn-off-directory-synchronization-for-Office-365-ee5f861e-bd48-4267-83d1-a4ead4b4a00d
(or)
RISKY - SINGLE USER - QUICK:
- If you want to test with a SINGLE USER, you could move the user to a non-synced OU in AD, which after the sync process would delete the user in the cloud, after which you could restore it back; then it would show that user as a cloud user.
(Sometimes we would not be able to restore due to backend inconsistency for that user, so please ensure litigation hold on the mailbox is enabled / the mailbox is backed up before moving the user to a non-synced OU.)
https://support.office.com/en-us/article/Restore-a-user-in-Office-365-2c261e42-5dd1-48b0-845f-2a016d29cfc1?ui=en-US&rs=en-US&ad=US
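The single-user path above, as an added example that is not part of the original answer: the pre-move checks the answer warns about, then the restore once the sync cycle has soft-deleted the account, and a final check of whether the object still reports as synced. It assumes the MSOnline and ExchangeOnlineManagement modules; `$Upn` is a constructed placeholder.

```powershell
# Added example, not from the original answer.
param([string]$Upn = 'testuser@contoso.example')   # constructed placeholder

Import-Module MSOnline
Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

# 1. Record the current state so there is something to compare against afterwards.
$before = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
"{0}: ImmutableId={1} LastDirSyncTime={2}" -f $Upn, $before.ImmutableId, $before.LastDirSyncTime

# 2. Litigation hold must be on (or the mailbox backed up) before the move, because
#    the next sync cycle deletes the cloud object and its mailbox goes with it.
$mbx = Get-Mailbox -Identity $Upn -ErrorAction Stop
if (-not $mbx.LitigationHoldEnabled) {
    throw "Litigation hold is off for $Upn; enable it or back up the mailbox first."
}

# 3. Move the user to the non-synced OU in on-premises AD (done in AD, not here), then
#    on the Azure AD Connect server run:  Start-ADSyncSyncCycle -PolicyType Delta

# 4. Once the account shows up among deleted users, restore it.
$deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $deleted) {
    throw "$Upn is not in the recycle bin yet; wait for the sync cycle and retry from step 4."
}
Restore-MsolUser -UserPrincipalName $Upn

# 5. A cloud-only account has no LastDirSyncTime. If it is still set after the restore,
#    the object did not detach (the "backend inconsistency" case the answer mentions).
$after = Get-MsolUser -UserPrincipalName $Upn
if ($null -eq $after.LastDirSyncTime) {
    Write-Host "$Upn now shows as a cloud user."
} else {
    Write-Warning "$Upn still shows as directory-synced; do not delete it from on-premises AD yet."
}
```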

Azure AD, Synchronisation services

After deleting some users from my Azure AD (via the Windows Azure Active Directory module for Windows PowerShell),
I have a problem that those users won't re-synchronise with the Azure AD.
Any new users that I add in the on-premises Active Directory will be added to the Azure AD without any problems.
But any users that already were in the Azure AD before the delete command won't re-import.
I can't recover the users in Azure AD, because I've already emptied the recycle bin.
Does someone know any solution that may work?
After contacting Office 365 support, the solution was quite easy:
1) The users' entries were still present in the metaverse and hence they were not able to get synced.
2) I deleted the connectors and connector space of the AD and WAAD connectors.
3) Once that was done, I ran the configuration wizard again; however, I made sure I didn't run the sync cycle after completion of the configuration wizard.
4) Once OU filtering was done, I ran the sync cycle.
