Reputation: 31
I have a setup where I have installed the Azure AD on-prem cloud provisioning agent on a domain-joined server. The setup was successful. I followed the documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-prerequisites
After configuring the agent in Azure AD, users can only be synced as Member. Is there a way to sync users as Guest using the provisioning agent?
Also, is there a Microsoft Graph API to validate the agent and do the configuration?
Upvotes: 3
Views: 2375
Reputation: 129
You may want to follow these directions: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud
You first have to enable the synchronization of the UserType attribute within the Synchronization Rules Editor. Since there is no UserType attribute in AD DS, you derive the value from some other attribute. So, you could use an ExtensionAttribute value for this (you can make these multi-value by using a delimiter, such as a semicolon), or you could look at the UPNs of the users and derive the UserType based on the domain part of the UPN. Using the domain part can be rather tedious, especially if you have many UPN suffixes in your own domain.

I personally would use an ExtensionAttribute and by default sync users as a "Member" (which is a default, normal user synced to Azure AD), and then watch for a value of "userType=Guest" in the ExtensionAttribute of choice; this will save you from having to edit your Synchronization Rules in the future if you're monitoring for UPN suffixes that aren't your own and you add a new one. Here are more details on that process: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sync-change-the-configuration#enable-synchronization-of-usertype
Upvotes: 0
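The two derivation options described in the answer above, modelled as an added example (not code from the answer or from Microsoft): a delimited ExtensionAttribute carrying `userType=Guest` versus classifying by UPN suffix, plus a review step that lists users where the two methods disagree before the rule goes live. The delimiter, attribute choice and sample users are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DELIM = ";"                  # assumed delimiter for the multi-value ExtensionAttribute
GUEST_TOKEN = "usertype=guest"  # compared case-insensitively


@dataclass
class AdUser:
    upn: str
    extension_attribute: Optional[str]  # e.g. extensionAttribute15 (assumed choice)


def usertype_from_extension(ext: Optional[str]) -> str:
    """Default is Member; Guest only when the exact token is one of the delimited values."""
    if not ext:
        return "Member"
    tokens = {t.strip().lower() for t in ext.split(DELIM)}
    return "Guest" if GUEST_TOKEN in tokens else "Member"


def usertype_from_upn(upn: str, own_suffixes: Iterable[str]) -> str:
    """UPN approach: any suffix not in your own verified list is treated as Guest."""
    domain = upn.rpartition("@")[2].lower()
    return "Member" if domain in {s.lower() for s in own_suffixes} else "Guest"


def review(users: Iterable[AdUser], own_suffixes: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Users whose derived UserType differs between the two methods; review these
    before enabling the sync rule (a newly added UPN suffix shows up here)."""
    suffixes = list(own_suffixes)
    mismatches = []
    for u in users:
        by_ext = usertype_from_extension(u.extension_attribute)
        by_upn = usertype_from_upn(u.upn, suffixes)
        if by_ext != by_upn:
            mismatches.append((u.upn, by_ext, by_upn))
    return mismatches


# Constructed sample directory; "contoso.com" is the only suffix registered so far.
OWN_SUFFIXES = ["contoso.com"]
USERS = [
    AdUser("alice@contoso.com", None),                         # Member either way
    AdUser("bob@contoso.com", "costcenter=42;userType=Guest"),  # Guest via attribute only
    AdUser("carol@partner.example", "userType=Guest"),         # Guest either way
    AdUser("dave@newsuffix.contoso.com", "department=sales"),  # new suffix not yet listed
    AdUser("eve@contoso.com", "userType=Guests"),              # near-miss token stays Member
]

if __name__ == "__main__":
    for row in review(USERS, OWN_SUFFIXES):
        print("%-30s attribute=%-6s upn=%s" % row)
```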
Reputation: 1602
On-prem AD users aren't synced to Azure AD as Guest; those synced users cannot be Guest users, and this is by design.
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. Any user synced via AD Connect will not be a guest user.
Upvotes: 1