On Prem AD groups v Azure AD groups in Hybrid

We are running Active Directory hybrid with Azure.
I'm trying to find out the pros and cons of using AD on-prem groups v AD Azure groups.
What are the main differences?
How can end users manage each group, etc.?

timgreen7077 (Exchange Engineer) commented:
Depending on your setup, if you are using Azure AD Connect for your hybrid setup, the on-prem groups are managed exclusively on-prem and synced to Azure AD or O365. Groups created in Azure are only in Azure and are not synced back on-prem unless you have writeback enabled, which I don't recommend. So any changes to groups created in Azure will stay only in Azure. Your synced users can be added to Azure-created groups with no problem, but they will have to be added and managed in Azure.

We create all groups on-prem and allow them to sync to Azure; that way we still have central management for our groups.

I do have groups created in Azure, but I created these groups in Azure because the users I have added to those groups are O365 users only and they have no on-prem account.

It's easier to create groups on-prem and manage them on-prem and just allow AD Connect to sync those groups to Azure AD. That's my opinion anyway.

dougdog (Author) commented:
How can I allow end users to manage group membership for both on-prem and Azure?
Is one method easier than the other?

timgreen7077 (Exchange Engineer) commented:
I would suggest creating the group on-prem and letting it sync with Azure, and any changes to the group should be done on-prem. That's the easiest method to me. Whoever you give permissions to modify those groups will make changes to the group on-prem.

dougdog (Author) commented:
Do they need the AD snap-in?
If it's a cloud group, is it easier to give a user permission to update groups?

timgreen7077 (Exchange Engineer) commented:
I told you what I think is easier, so it's your choice now. No snap-in required, just permissions. Good luck.

dougdog (Author) commented:
But I'm asking how I can give an end user rights to add / remove members from the group using both on-prem or Azure?
Do I need to give them access to AD to modify group membership?
And do I need to give them access to Azure to modify groups?

timgreen7077 (Exchange Engineer) commented:
Yes, you are correct. If the group is created on-prem, you will need to give them access to modify it on-prem.
If the group is created in Azure, then you will need to give them permissions in Azure to modify those Azure groups.
Hope this answers your question.
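
One way to carry out the delegation described in the last answer, as an added example that is not part of the original thread: grant a single user write access to only the `member` attribute of an on-prem group, list everyone who can already change that group's membership, and make a user an owner of a cloud-only group. The group and user names are placeholders; it assumes the ActiveDirectory RSAT module on-prem and the AzureAD module (after `Connect-AzureAD`) for the cloud side.

```powershell
Import-Module ActiveDirectory
# schemaIDGUID of the 'member' attribute, used to scope the ACE to membership only
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMemberWrite {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # placeholder, e.g. 'Sales-Team'
        [Parameter(Mandatory)] [string] $Delegate    # placeholder sAMAccountName
    )
    $group = Get-ADGroup -Identity $GroupName
    $sid   = (Get-ADUser -Identity $Delegate).SID
    $path  = "AD:\$($group.DistinguishedName)"
    # Allow WriteProperty on 'member' only, not on the whole object
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttr)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GroupMemberWriters {
    # Audit: every Allow ACE that can write 'member' (explicitly, via
    # all-properties write, or via GenericAll/GenericWrite). Property-set
    # and validated-write ACEs are not covered by this check.
    param([Parameter(Mandatory)] [string] $GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $write) -and
            ($_.ObjectType -eq $MemberAttr -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Add-CloudGroupOwner {
    param([string] $GroupObjectId, [string] $UserUpn)  # placeholders
    $g = Get-AzureADGroup -ObjectId $GroupObjectId
    if ($g.DirSyncEnabled) {
        # Synced groups are mastered on-prem; delegate there instead
        throw "Group '$($g.DisplayName)' is synced from on-prem AD."
    }
    $u = Get-AzureADUser -ObjectId $UserUpn
    Add-AzureADGroupOwner -ObjectId $g.ObjectId -RefObjectId $u.ObjectId
}
```

Running `Get-GroupMemberWriters` before and after a grant shows exactly which principals can change membership, which is worth checking for any group that gates access to resources.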
