Tools for Entra ID to Active Directory user write-back?

Tom Foolery

Ars Legatus Legionis
13,781
Subscriptor
Is anyone aware of a toolset that facilitates user write-back from MS Entra ID ----> Active Directory? I know that this is not supported through Microsoft; as a matter of fact, they explicitly state in their documentation that it is not supported. But I have a client who abandoned AD a couple of years back in favor of Azure Active Directory, and wants to go back. Pretty sure we are going to have to manually build back AD, but I am hoping there is a tool out there that might help.

Thanks in advance for any advice/recommendations!
 

Wind

Wise, Aged Ars Veteran
143
Subscriptor++
Do they want to go back to hybrid, or do they just need an on-prem directory? If they just need an LDAP endpoint, there are several options (AADDS Secure LDAP, SCIM -> SCIM gateway -> LDAP/AD, or routing through a third-party identity solution). If they need it to be a true hybrid AD and all of the Microsoft-y things that go with it, it gets trickier.

If the accounts in Azure have all been Azure native from the start, you might be able to stand up AD, script an import of all user objects, set up AAD Connect and link the Azure accounts to on-prem. I believe you'll need to force a password reset for all users when you do this though. If there were accounts that were previously sourced from on-prem, they might not be able to sync because of the ImmutableID MS uses to link accounts.
 
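An added example (not from the thread) of the import-and-hard-match step Wind describes, in PowerShell: it creates an AD object for each cloud user and writes the base64 objectGUID back as OnPremisesImmutableId so Entra Connect hard-matches the new object instead of tripping over a stale link from the old hybrid era. It assumes the Microsoft.Graph and ActiveDirectory modules, an existing Connect-MgGraph session with User.ReadWrite.All, and a placeholder target OU.

```powershell
# Added example, not the thread's own code. Assumes: Microsoft.Graph + ActiveDirectory
# modules, Connect-MgGraph already run with User.ReadWrite.All, and this placeholder OU.
$TargetOU = 'OU=Imported,DC=example,DC=local'   # placeholder, adjust for the real forest

# 1. Pull every cloud user with the attributes needed to rebuild the AD object.
$cloudUsers = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,GivenName,Surname,AccountEnabled,OnPremisesImmutableId

foreach ($u in $cloudUsers) {
    $sam = ($u.UserPrincipalName -split '@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName hard limit

    # 2. Create the AD object if it is missing. No password can be carried over (Entra
    #    never exposes hashes), so each user gets a throwaway value and a forced reset.
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$($u.UserPrincipalName)'"
    if (-not $adUser) {
        $throwaway = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        $params = @{
            Name                  = if ($u.DisplayName) { $u.DisplayName } else { $sam }
            SamAccountName        = $sam
            UserPrincipalName     = $u.UserPrincipalName
            Path                  = $TargetOU
            AccountPassword       = ConvertTo-SecureString $throwaway -AsPlainText -Force
            Enabled               = [bool]$u.AccountEnabled
            ChangePasswordAtLogon = $true
            PassThru              = $true
        }
        if ($u.GivenName) { $params.GivenName = $u.GivenName }
        if ($u.Surname)   { $params.Surname   = $u.Surname }
        $adUser = New-ADUser @params
    }

    # 3. Hard match. ImmutableID is the base64 encoding of the AD objectGUID bytes; writing
    #    it here replaces any stale value left over from the decommissioned AD, which is
    #    what would otherwise stop Entra Connect from linking the rebuilt object.
    $immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    if ($u.OnPremisesImmutableId -ne $immutableId) {
        Update-MgUser -UserId $u.Id -OnPremisesImmutableId $immutableId
    }
    Write-Host "$($u.UserPrincipalName) -> $($adUser.DistinguishedName) [$immutableId]"
}
```

Run it before installing Entra Connect, and review the printed mapping against the export before the first sync.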

Tom Foolery

Ars Legatus Legionis
13,781
Subscriptor
Not all AAD native, they went from hybrid to AAD only a couple of years ago, and now want to go back. I am looking at Entra ID DS Secure LDAP, but there is some funny business with the certificate, and self-signed certs are not an option.
 

Incarnate

Ars Tribunus Angusticlavius
8,806
What is the reason that they want to go back to an on-prem AD? There may be another approach to solve the issue.
 

Tom Foolery

Ars Legatus Legionis
13,781
Subscriptor
Very difficult to describe why without giving details that would make the situation identifiable. I made it clear that this would be a long, expensive process where we would have to rebuild all of the user objects in their new AD. They declined to move forward with the project.
 