Syncing users between two azure AD - azure

Is there any way to sync users from one Azure Active Directory to another Azure Active Directory? When searching for this I found a lot of options (using AAD Connect, for example) to sync on-premises AD to Azure Active Directory; is there a way to do this between two actual AADs?
What I want to achieve is that the users and groups from an Office 365 tenant (which means it has an AAD) get synced to another Azure Active Directory (moving the second Active Directory into the 365 AAD is not an option). So when a user gets added to the 365 AAD it gets added to the other AAD, and likewise when it gets removed (the second Active Directory has no need for backward syncing).

AFAIK, there is no such setting/tool that lets us sync users between different Azure ADs.
To achieve the goal, you need to write the code yourself. For example, you can write a service which pulls the users from the two Azure ADs and compares them, then syncs the users using the Azure AD Graph as you wanted.
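The comparison step the answer describes, as an added example (not code from the answer or from Microsoft): given the user lists pulled from both tenants, it computes the one-way create/update/delete plan and refuses to touch users native to the target. The sample records, the SYNC_TAG marker used to recognise users this sync created, and the UPN re-homing onto the target tenant's domain are all assumptions constructed here so it runs offline.

```python
from typing import Dict, List

# Constructed marker: only target users carrying it were created by this sync,
# so users native to the target directory are never deleted or overwritten.
SYNC_TAG = "synced-from-o365"
# Attributes copied from source to target; the UPN is the match key.
COPIED_ATTRS = ("displayName", "givenName", "surname", "accountEnabled")


def target_upn(source_upn: str, target_domain: str) -> str:
    """Re-home a source UPN onto the target tenant's verified domain."""
    return f"{source_upn.split('@', 1)[0]}@{target_domain}".lower()


def plan_sync(source: List[Dict], target: List[Dict], target_domain: str) -> Dict[str, list]:
    """Return the create/update/delete/skip operations that make target match source."""
    wanted = {target_upn(u["userPrincipalName"], target_domain): u for u in source}
    present = {u["userPrincipalName"].lower(): u for u in target}
    plan: Dict[str, list] = {"create": [], "update": [], "delete": [], "skip": []}
    for upn, src in wanted.items():
        desired = {k: src.get(k) for k in COPIED_ATTRS}
        if upn not in present:
            plan["create"].append({"userPrincipalName": upn, **desired, "tag": SYNC_TAG})
            continue
        tgt = present[upn]
        if tgt.get("tag") != SYNC_TAG:
            plan["skip"].append(upn)  # UPN collides with a native target user
            continue
        changed = {k: v for k, v in desired.items() if tgt.get(k) != v}
        if changed:
            plan["update"].append({"userPrincipalName": upn, **changed})
    # Removed in the source -> removed in the target, but only users this sync created.
    plan["delete"] = [u for u, t in present.items() if u not in wanted and t.get("tag") == SYNC_TAG]
    return plan


def user(upn: str, name: str, enabled: bool = True, tag: str = "") -> Dict:
    """Constructed user record in the shape a directory graph query returns."""
    first, last = name.split(" ", 1)
    rec = {"userPrincipalName": upn, "displayName": name, "givenName": first,
           "surname": last, "accountEnabled": enabled}
    return {**rec, "tag": tag} if tag else rec


# Constructed sample tenants: alice is new, bob was disabled at the source,
# carol was removed there, and erin clashes with a user native to the target.
SOURCE_USERS = [user("alice@contoso.onmicrosoft.com", "Alice Adams"),
                user("bob@contoso.onmicrosoft.com", "Bob Brown", enabled=False),
                user("erin@contoso.onmicrosoft.com", "Erin Evans")]
TARGET_USERS = [user("bob@fabrikam.onmicrosoft.com", "Bob Brown", tag=SYNC_TAG),
                user("carol@fabrikam.onmicrosoft.com", "Carol Cole", tag=SYNC_TAG),
                user("erin@fabrikam.onmicrosoft.com", "Erin Evans")]
```

Applying the plan is the part left to the graph client; reviewing the "delete" and "skip" lists before applying is where a wrong domain mapping or a UPN collision would show up.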

Related

Dynamically create Azure Active Directory

Is it possible to dynamically create an Azure Active Directory over the Azure shell or from C#?
The only documentation I was able to find is this: https://learn.microsoft.com/en-us/cli/azure/ad?view=azure-cli-latest, which describes some commands but does not explain how to create a new tenant or Azure AD B2C.
We are building an application for a lot of client organizations. Each organization would need its own active directory and database to separate them from each other logically and securely. That's why we want to dynamically create active directories. We don't want the client to wait and we don't want to manually create everything for each one.
Thank you for your help!
It is not possible to create an Azure Active Directory using Azure Shell or C#. A tenant represents an organization in Azure Active Directory: the Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365.

Using existing Office365 Active Directory with existing Azure account

We have an Office 365 account that uses Azure Active Directory for our company e-mail accounts. We have a totally separate (different login) Microsoft Azure account that we have been using without touching the Azure Active Directory within it.
We are looking to implement Azure Active Directory within our apps, and would like to use our existing O365 Active Directory since it already has all the users created. Is there any way for us to somehow link our Azure account to the O365 account so we can use that active directory in our Azure account?
I have found some examples, but they all seem to use the premise that you are logging into both Azure and O365 with the same credentials. That is not how ours is set up, unfortunately.
If you are interested in combining the two (usually keeping O365 identities and making that AAD the default for your Azure subscription), you can contact Microsoft directly and they will be able to manually pair the two. As of 6 months ago (last time I did this) there was no way to do this yourself without assistance from MS.
You can open tickets through the Azure portal or the Office 365 web site.
Found an article that got me pointed in the right direction and I was able to get this done:
How to associate or add an Azure subscription to Azure Active Directory
Ultimately I needed to have one Microsoft account that had sufficient permissions on both Active Directory tenants. It was tricky because both accounts were different Microsoft accounts using the same e-mail address, and neither directory would let me add another account with a duplicate e-mail address. I used a separate Microsoft account and added it as an AD guest on both directories. Once that was done, I was able to log in with the new account with access to both directories and pick which directory I wanted to use within my Azure account.

Change Identity Source for Azure Accounts and Groups

Background: Local/On-Premise Active Directory (2012) synced to Microsoft Azure Active Directory using Azure AD Connect.
It was set up for Office 365 to use the existing on-premises identity.
Office 365 Enterprise E3 is the O365 business plan we have, which includes Microsoft Azure AD as an IDaaS platform.
Microsoft Azure AD was not set up to be a management console for the O365 tenant; it has since been connected and is now used to manage the identity, though the O365 console can obviously still manage the identity as well.
Right now we have a local domain controller which the vast majority of computers authenticate with. If a computer (Windows 10) is removed from the domain and performs a "Join Azure AD", users can then log in with their O365 credentials and no longer authenticate with the local domain controller. Once this process is performed for all users, no one will authenticate with the local DC.
The AD/DC is still being synced with AAD/O365 for identity, but it cannot be fully managed from AAD/O365; there are limitations, such as contact information and username, which cannot be changed from the web consoles and have to be changed from the local/on-premises AD Users and Computers. If one of the synced users/groups is viewed from the web consoles, some of the attributes are greyed out and state, "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory." as it should.
Question:
I would like to know if it is possible to convert a locally synced user account to become a Microsoft Azure Active Directory user account, meaning it would no longer sync to the local AD, could be deleted from the local AD, and would be fully managed from the web consoles.
Food for thought, if the sync was broken between the local AD and AAD/O365 would the identity still be seen as a local active directory identity? As shown below, this image is from the users section of the Azure portal for AAD.
[Image: AAD "Sourced From" column in the users section of the Azure portal]
If you would like to convert a synced account to a cloud account:
NO RISK - TAKES TIME - AFFECTS ALL USERS:
- Deactivating the sync between the on-premises AD and Azure AD (Office 365) should make ALL THE SYNCED ACCOUNTS Cloud Users. (You can activate the sync again to rejoin with AD. It would take a maximum of 72 hours to deactivate/activate the sync.)
https://support.office.com/en-us/article/Turn-off-directory-synchronization-for-Office-365-ee5f861e-bd48-4267-83d1-a4ead4b4a00d
(or)
RISKY - SINGLE USER - QUICK
- If you want to test with a SINGLE USER, you could move the user to a non-synced OU in AD, which after the sync process would delete the user in the cloud, after which you could restore it; then it would show that user as a Cloud User.
(Sometimes we would not be able to restore due to backend inconsistency for that user, so please ensure litigation hold on the mailbox is enabled/the mailbox is backed up before moving the user to a non-synced OU.)
https://support.office.com/en-us/article/Restore-a-user-in-Office-365-2c261e42-5dd1-48b0-845f-2a016d29cfc1?ui=en-US&rs=en-US&ad=US

Check if user exists in specific On Prem AD Security Group in Azure

My organization has on-premises Active Directory with many AD Security groups and also has an Azure presence (AD sync set up). Is it possible for me to write code and run it in Azure that can check if a specific user/logged-in user is part of an AD Security Group (on-prem)?
Thanks
It can be achieved by setting up the Azure AD Connect service. Once this is successfully done, the synchronization component makes sure that the identity information for your on-premises users and groups matches the cloud.
Once the sync is done you can query and get the user information, one part of which is the user's group information.
https://azure.microsoft.com/en-in/documentation/articles/active-directory-aadconnect/

How to remove Azure Active Directory from Subscription

I can't seem to figure out how I can delete the tenant which I have created from my Azure Subscription. Can anyone help me figure out how to do this? It sounds like it should be easy to do, but maybe I'm missing something.
Currently you cannot remove an AAD tenant from the Azure Portal. You also cannot rename it. The good thing is that you are not being charged for it if you are not using any special features (i.e. even if you use it just for authenticating without Two-Factor Authentication, it is still free!). And I don't recall having seen an API via which you would be able to remove an AAD tenant.
UPDATE
As of November 2013 you are able to rename an Azure AD, add a new Azure AD, change the default AD for a subscription, and delete an Azure AD (as long as there is no subscription attached and no user/group/app objects in it).
We were eventually able to delete an Azure Active Directory instance after we deleted all mapped users (except for the administrator who was logged in) and groups.
Make sure you go through the following list of possible causes for not being able to delete your Azure AD:
You are signed in as a user for whom <Your Company Name> is the home directory
Directory contains users besides yourself
Directory has one or more subscriptions to Microsoft Online Services.
Directory has one or more Azure subscriptions.
Directory has one or more applications.
Directory has one or more Multi-Factor Authentication providers.
Directory is a "Partner" directory.
Directory contains one or more applications that were added by a user or administrator.
