Comparison between on-premises accounts and accounts synchronized to AAD

Hi All,

I would like to pull reports for on-premises accounts and the accounts that are synchronized to Azure AD. Is there any script or PowerShell to export the output?

1) Comparison between on-premises accounts and accounts synchronized to AAD?
2) Is there any impact if we don't convert mail-enabled security/distribution groups from Global to Universal?
3) How can we write back groups created in Office 365 to on-premises?
4) Can we synchronize dynamic distribution groups to Azure AD?

Thanks,
Asked by Ali-Raza111

MaheshArchitect commented:
If you use the Office 365 Groups feature, then you can have these groups represented (group write-back) in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory.
The Exchange on-premises version must be Exchange 2013 CU8 and above, or Exchange 2016.

You cannot sync a dynamic DL to O365; it's not supported.

What comparison do you want to do? Export the list of all mail-enabled users and mailboxes on-premises with the Get-Recipient Exchange cmdlet, which will tell you the recipient type as MEU or mailbox user,
then export the same list from O365 and do a VLOOKUP on UPN or any common attribute such as mail.

What version of Exchange do you have on-premises?
With Exchange 2007 and some SP, Microsoft stopped new global DLs and mail-enabling existing global groups, as only universal groups and their members are replicated across the organization to all GCs. This is the reason only universal groups are recommended and supported for mail flow.
If you have carried forward existing global DLs, AD Connect should still be able to sync those to O365, though those are not supported by Exchange.
Universal groups increase replication traffic on-premises as their data gets replicated to all GCs; however, with linked value replication (as long as you have the 2003 native AD functional level and group members are added after the functional level raise) this should not be an issue, and there won't be any load on AD replication unless you have a very large number of DLs (say 5K plus) with thousands of members and rapidly changing memberships.
https://technet.microsoft.com/en-in/library/exchange-online-limits.aspx#DistributionGroupLimits
I have not come across syncing global DLs to O365 yet, but you can try.
1
Senior IT System Engineer commented:
So if we create or manipulate the AD objects from the Azure or Office 365 console, would the change be replicated on-premises?
0
Aaron Guilmette commented:
1.  What type of comparison are you looking for?  The objects are the same for the attributes synced: https://support.microsoft.com/en-us/help/2256198/list-of-attributes-that-are-synced-by-the-azure-active-directory-sync.  The only core difference is that on-prem mailboxes are synced as mail-enabled users to Office 365.

2.  The groups won't be available.  For groups to sync, they need to be mail-enabled universal.

3.  Not unless they are modern groups. Only "modern groups" (Office 365 groups) created in-cloud can be replicated back on-premises (since they don't have a pre-existing on-premises counterpart).  Your environment can have a single source of truth, either on-prem or in-cloud.  If you're using AAD Connect, the objects' source of authority will be on-prem, and changes made there will sync to Office 365.  Changes dealing with the AD account will be made on-prem; changes dealing specifically with the mailbox (such as delegates) will be made in-cloud, and, if you have AAD Connect configured with write-back permissions, mailbox permission updates will be imported into the on-premises user object (so you end up with a synchronous object).

4.  No, on-premises dynamic distribution lists cannot be synchronized to Office 365, as some of the attributes used to create them (such as OU membership) don't have corollaries in Office 365 (relational/flat vs hierarchical).
1
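The "export both sides and VLOOKUP on a common attribute" procedure from MaheshArchitect's comment, combined with the expectations in Aaron Guilmette's answer (on-prem mailboxes appear in Office 365 as mail-enabled users; mail-enabled groups must be universal to sync; dynamic distribution groups do not sync), as an added PowerShell example that is not part of the original thread. It assumes both exports were taken with Get-Recipient and carry the Name, RecipientType and PrimarySmtpAddress columns (the RecipientType values are Exchange's own, e.g. MailNonUniversalGroup for a mail-enabled global or local group); the join key is the primary SMTP address. The two input arrays are constructed sample data standing in for Import-Csv of the real exports.

```powershell
# Added example (not from the thread): reconcile an on-premises Exchange recipient
# export against an Exchange Online recipient export, joined on PrimarySmtpAddress.
# Assumed export commands (run in on-prem EMS and in an Exchange Online session):
#   Get-Recipient -ResultSize Unlimited |
#     Select-Object Name,RecipientType,PrimarySmtpAddress |
#     Export-Csv onprem.csv -NoTypeInformation      # likewise cloud.csv from EXO

function Get-ExpectedCloudType {
    param([string]$OnPremType)
    # Cloud-side RecipientType expected for an on-prem recipient synced by AAD Connect.
    # $null means "not expected to sync" (per the thread: non-universal and dynamic groups).
    switch ($OnPremType) {
        'UserMailbox'                    { 'MailUser' }   # on-prem mailbox -> MEU in Office 365
        'MailUser'                       { 'MailUser' }
        'MailContact'                    { 'MailContact' }
        'MailUniversalDistributionGroup' { 'MailUniversalDistributionGroup' }
        'MailUniversalSecurityGroup'     { 'MailUniversalSecurityGroup' }
        'MailNonUniversalGroup'          { $null }        # global/local scope: not supported for sync
        'DynamicDistributionGroup'       { $null }        # dynamic DLs cannot be synced
        default                          { $null }
    }
}

function Compare-RecipientExports {
    param(
        [Parameter(Mandatory)] [object[]] $OnPrem,
        [Parameter(Mandatory)] [object[]] $Cloud
    )
    # Index the cloud export by lower-cased SMTP address: this is the VLOOKUP step.
    $cloudByMail = @{}
    foreach ($r in $Cloud) { $cloudByMail[$r.PrimarySmtpAddress.ToLower()] = $r }
    $seen = @{}

    foreach ($r in $OnPrem) {
        $key      = $r.PrimarySmtpAddress.ToLower()
        $seen[$key] = $true
        $expected = Get-ExpectedCloudType $r.RecipientType
        $cloudObj = $cloudByMail[$key]

        if ($null -eq $cloudObj) {
            $status = if ($null -eq $expected) { 'NotSyncable' } else { 'MissingInCloud' }
        } elseif ($null -eq $expected) {
            $status = 'UnexpectedInCloud'   # object synced although Exchange does not support it
        } elseif ($cloudObj.RecipientType -ne $expected) {
            $status = 'TypeMismatch'
        } else {
            $status = 'InSync'
        }

        [pscustomobject]@{
            PrimarySmtpAddress = $r.PrimarySmtpAddress
            OnPremType         = $r.RecipientType
            CloudType          = if ($cloudObj) { $cloudObj.RecipientType } else { $null }
            ExpectedCloudType  = $expected
            Status             = $status
        }
    }
    # Cloud recipients with no on-prem counterpart (cloud-mastered objects).
    foreach ($r in $Cloud) {
        if (-not $seen.ContainsKey($r.PrimarySmtpAddress.ToLower())) {
            [pscustomobject]@{
                PrimarySmtpAddress = $r.PrimarySmtpAddress
                OnPremType         = $null
                CloudType          = $r.RecipientType
                ExpectedCloudType  = $null
                Status             = 'CloudOnly'
            }
        }
    }
}

# Constructed sample rows (stand-ins for Import-Csv onprem.csv / Import-Csv cloud.csv).
$onPrem = @(
    [pscustomobject]@{ Name='Ali Raza';      RecipientType='UserMailbox';                    PrimarySmtpAddress='ali.raza@contoso.example' }
    [pscustomobject]@{ Name='Sales DL';      RecipientType='MailUniversalDistributionGroup'; PrimarySmtpAddress='sales@contoso.example' }
    [pscustomobject]@{ Name='Legacy Global'; RecipientType='MailNonUniversalGroup';          PrimarySmtpAddress='legacy@contoso.example' }
    [pscustomobject]@{ Name='All Staff';     RecipientType='DynamicDistributionGroup';       PrimarySmtpAddress='allstaff@contoso.example' }
    [pscustomobject]@{ Name='New Hire';      RecipientType='UserMailbox';                    PrimarySmtpAddress='new.hire@contoso.example' }
)
$cloud = @(
    [pscustomobject]@{ Name='Ali Raza';     RecipientType='MailUser';                       PrimarySmtpAddress='Ali.Raza@contoso.example' }
    [pscustomobject]@{ Name='Sales DL';     RecipientType='MailUniversalSecurityGroup';     PrimarySmtpAddress='sales@contoso.example' }
    [pscustomobject]@{ Name='Project Team'; RecipientType='MailUniversalDistributionGroup'; PrimarySmtpAddress='project@contoso.example' }
)

Compare-RecipientExports -OnPrem $onPrem -Cloud $cloud |
    Sort-Object Status, PrimarySmtpAddress |
    Format-Table -AutoSize
# For a real run, pass (Import-Csv onprem.csv) and (Import-Csv cloud.csv) and pipe
# the result to Export-Csv comparison.csv -NoTypeInformation instead of Format-Table.
```

On the sample data this yields one row per status: the mailbox user is InSync (the join is case-insensitive), the sales group is a TypeMismatch (distribution on-prem, security in the cloud), the global group and the dynamic DL are NotSyncable, the unsynced mailbox is MissingInCloud, and the cloud-created group is CloudOnly. The MissingInCloud and CloudOnly rows are the ones worth reviewing first, since each is an identity that exists in only one directory.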

Aaron Guilmette commented:
No response from OP. Information provided.
0