• Status: Solved

On Prem AD groups v Azure AD groups in Hybrid

We are running Active Directory hybrid with Azure.
I'm trying to find out the pros and cons of using AD on-prem groups vs. AD Azure groups.
What are the main differences?
How can end users manage each group, etc.?
dougdog
Asked:
1 Solution
 
timgreen7077 (Exchange Engineer) Commented:
Depending on your setup, if you are using Azure AD Connect for your hybrid setup, the on-prem groups are managed exclusively on-prem and synced to Azure AD or O365. Groups created in Azure are only in Azure and are not synced back on-prem unless you have writeback enabled, which I don't recommend. So any changes to groups created in Azure will stay only in Azure, but your synced users can be added to Azure-created groups also with no problem, but they will have to be added and managed in Azure.

We create all groups on-prem and allow them to sync to Azure; that way we still have central management for our groups.

I do have groups created in Azure, but I created these groups in Azure because the users I have added to those groups are O365 users only and they have no on-prem account.

It's easier to create groups on-prem and manage on-prem and just allow AD Connect to sync those groups to Azure AD. That's my opinion anyway.
 
dougdog (Author) Commented:
How can I allow end users to manage group membership for both on-prem and Azure?
Is one method easier than the other?
 
timgreen7077 (Exchange Engineer) Commented:
I would suggest creating the group on-prem and letting it sync with Azure, and any changes to the group should be done on-prem. That's the easiest method to me. Whoever you give permissions to modify those groups will make changes to the group on-prem.
 
dougdog (Author) Commented:
Do they need the AD snap-in?
If it's a cloud group, is it easier to give a user permission to update groups?
 
timgreen7077 (Exchange Engineer) Commented:
I told you what I think is easier, so it's your choice now. No snap-in required, just permissions. Good luck.
 
dougdog (Author) Commented:
But I'm asking how I can give an end user rights to add/remove members from the group using both on-prem or Azure.
Do I need to give them access to AD to modify group membership?
And do I need to give them access to Azure to modify groups?
 
timgreen7077 (Exchange Engineer) Commented:
Yes, you are correct. If the group is created on-prem, you will need to give them access to modify on-prem.
If the group is created in Azure, then you will need to give them permissions in Azure to modify those Azure groups.
Hope this answers your question.
Question has a verified solution.
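
The delegation described in the answers above, as an added example that is not part of the original thread: it checks whether a group is synced from on-prem or cloud-only and grants one user the right to manage membership in the matching directory, scoped to that single group. The function name `Grant-GroupMembershipManager` is hypothetical; the ActiveDirectory and Microsoft.Graph modules and an existing `Connect-MgGraph` session are assumed.

```powershell
# Added example, not from the thread. Assumes a prior:
#   Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All'
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users

function Grant-GroupMembershipManager {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ManagerUpn
    )
    # Escape single quotes so the name cannot break out of the OData filter.
    $safeName = $GroupName.Replace("'", "''")
    $cloud = @(Get-MgGroup -Filter "displayName eq '$safeName'" `
        -Property Id, DisplayName, OnPremisesSyncEnabled, OnPremisesSecurityIdentifier)
    if ($cloud.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($cloud.Count)."
    }
    $group = $cloud[0]

    if ($group.OnPremisesSyncEnabled) {
        # Synced group: changes must be made on-prem and flow up through the sync.
        $adGroup = Get-ADGroup -Identity $group.OnPremisesSecurityIdentifier
        $adUser  = Get-ADUser -Filter "UserPrincipalName -eq '$ManagerUpn'"
        if (-not $adUser) { throw "No on-prem user with UPN $ManagerUpn." }

        # Least privilege: allow writing only the 'member' attribute of this group.
        $memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $adUser.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberAttr)
        $path = "AD:\$($adGroup.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        Set-ADGroup -Identity $adGroup -ManagedBy $adUser   # records who the manager is
        return 'on-prem'
    }

    # Cloud-only group: a group owner can add and remove members in Azure AD.
    $user = Get-MgUser -UserId $ManagerUpn
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    return 'azure'
}
```

The return value tells you where the delegate must make changes; for a synced group, review the resulting ACE with `Get-Acl` so the grant stays limited to the `member` attribute.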
