Sync Azure Active Directory group to on-premises Active Directory

I have previously shared a post about syncing an AD group to an Azure AD cloud group:

PowerShell – AD Group to Azure AD Cloud Only Group Sync | Tech Wizard

This time we have the reverse requirement: we must sync an Azure AD security group to an on-premises Active Directory group.

We have reworked the above script so that it works for this scenario.

The solution is portable and works in any environment; you only need to update the variables.

Sync, ADD and Remove functionality has been added:

Sync → Makes the on-premises group membership the same as the Azure AD group membership.

ADD → Only adds members to the on-premises group; members that are already present in the on-premises group but do not exist in the Azure AD group are not removed.

Remove → Only removes the members that are present in the Azure AD group from the on-premises AD group.

Prerequisites for this Solution:

Download the script from Git or the PowerShell Gallery using the links below:

Git:

https://github.com/VikasSukhija/Downloads

aad2adgroup.ps1

PowerShell Gallery:

https://www.powershellgallery.com/packages/aad2adgroup

Install-Script -Name aad2adgroup


Note: The script will auto-generate an encrypted password the first time it is run and save it in the same folder.
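The note above describes a first-run credential cache. The snippet below is an added example of the usual way to implement that pattern in PowerShell; it is not the aad2adgroup.ps1 code itself, and the cache file name (aad2adgroup.cred.xml), the function name and the use of Export-Clixml/Import-Clixml are assumptions about how such a cache is built.

```powershell
# Added example, not the aad2adgroup.ps1 code itself: the common pattern behind
# "generate an encrypted password on first run and reuse it afterwards".
# Assumed: the cache file name and the use of Export-Clixml/Import-Clixml;
# the real script may store the credential differently.

$CredFile = Join-Path -Path $PSScriptRoot -ChildPath 'aad2adgroup.cred.xml'

function Get-CachedCredential {
    param([Parameter(Mandatory)][string]$Path)

    if (Test-Path -Path $Path) {
        # Later runs (for example from Task Scheduler): read the cached credential.
        # The SecureString inside was protected with DPAPI when it was exported, so it
        # can only be decrypted by the same Windows user on the same machine that
        # created the file.
        return Import-Clixml -Path $Path
    }

    # First, interactive run: prompt once and persist the credential next to the script.
    $cred = Get-Credential -Message 'Account used to read the Azure AD group'
    $cred | Export-Clixml -Path $Path
    return $cred
}

$AzureCred = Get-CachedCredential -Path $CredFile

# Connect-AzureAD (AzureAD module) accepts a PSCredential for non-interactive sign-in.
Connect-AzureAD -Credential $AzureCred | Out-Null
```

Because the export is DPAPI-protected, the scheduled task must run under the same user account, on the same machine, that performed the first interactive run; otherwise Import-Clixml cannot decrypt the stored password. Treat the cache file like a password: restrict its NTFS permissions to that account.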

Here is how you can run it:

Option 1

  • ADD users to the AD group from the Azure AD group membership.

.\aad2adgroup.ps1 -AzureADGroupID "d00d967e-5bd5-1001-8gf5-2gh8654f2e8e" -ADgroup "LAB-Group-TEST" -Operation ADD -countofchange 20 -smtpserver labtestsmtp -from DoNotRespond@labtest.com -erroremail Reports@labtest.com

Option 2

  • Remove users from the AD group by referring to the Azure AD group membership.

.\aad2adgroup.ps1 -AzureADGroupID "d00d967e-5bd5-1001-8gf5-2gh8654f2e8e" -ADgroup "LAB-Group-TEST" -Operation Remove -countofchange 20 -smtpserver labtestsmtp -from DoNotRespond@labtest.com -erroremail Reports@labtest.com

Option 3

  • Synchronize users from the Azure AD group to the AD group.

.\aad2adgroup.ps1 -AzureADGroupID "d00d967e-5bd5-1001-8gf5-2gh8654f2e8e" -ADgroup "LAB-Group-TEST" -Operation Sync -countofchange 20 -smtpserver labtestsmtp -from DoNotRespond@labtest.com -erroremail Reports@labtest.com

After running it interactively for the first time, you can schedule it via Task Scheduler, as the password has been stored as an encrypted credential inside the script folder.

Logs are stored under the logs folder. The count of changes is a safety measure, which I use in many of my scripts, to avoid applying large changes that we are not expecting.
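To make the three operations and the count-of-change safety limit concrete, here is an added example (not the aad2adgroup.ps1 code itself) that reduces the job to a comparison of two UPN lists. The function name, its parameters and the sample accounts are assumptions constructed for illustration; Remove follows the description in this post, that is, members present in the Azure AD group are removed from the on-premises group.

```powershell
# Added example, not the aad2adgroup.ps1 code itself: the three operations and the
# -countofchange limit expressed as a comparison of two UPN lists.
# Function and parameter names are assumptions for illustration.

function Get-GroupSyncPlan {
    param(
        [string[]]$AzureMembers,                                   # UPNs in the Azure AD group
        [string[]]$ADMembers,                                      # UPNs in the on-premises group
        [ValidateSet('ADD', 'Remove', 'Sync')][string]$Operation,
        [int]$CountOfChange                                        # block the run above this many changes
    )

    # UPNs are not case-sensitive, so compare them in lower case.
    $azure = @($AzureMembers | ForEach-Object { $_.ToLowerInvariant() })
    $ad    = @($ADMembers    | ForEach-Object { $_.ToLowerInvariant() })

    $missingOnPrem = @($azure | Where-Object { $ad -notcontains $_ })     # in Azure AD, not in AD
    $extraOnPrem   = @($ad    | Where-Object { $azure -notcontains $_ })  # in AD, not in Azure AD
    $inBoth        = @($azure | Where-Object { $ad -contains $_ })        # present in both groups

    switch ($Operation) {
        'ADD'    { $toAdd = $missingOnPrem; $toRemove = @() }          # never removes existing members
        'Remove' { $toAdd = @();           $toRemove = $inBoth }       # removes Azure AD group members from the AD group
        'Sync'   { $toAdd = $missingOnPrem; $toRemove = $extraOnPrem } # makes membership identical
    }

    $total = $toAdd.Count + $toRemove.Count

    # Safety measure: a sudden large delta (for example an accidentally emptied
    # Azure AD group) must not be applied blindly.
    [pscustomobject]@{
        Operation = $Operation
        Add       = $toAdd
        Remove    = $toRemove
        Total     = $total
        Blocked   = ($total -gt $CountOfChange)
    }
}

# Constructed sample membership lists (not real accounts). In a live run these would
# come from Get-AzureADGroupMember -ObjectId <group id> -All $true (UserPrincipalName)
# and Get-ADGroupMember -Identity <group> | Get-ADUser -Properties UserPrincipalName.
$azureUsers = 'alice@labtest.com', 'bob@labtest.com', 'carol@labtest.com'
$adUsers    = 'BOB@labtest.com', 'dave@labtest.com'

$plan = Get-GroupSyncPlan -AzureMembers $azureUsers -ADMembers $adUsers -Operation Sync -CountOfChange 20

if ($plan.Blocked) {
    # Here the real script would write its log and mail -erroremail instead of changing anything.
    Write-Warning "$($plan.Total) changes exceed the limit of 20; nothing applied."
} else {
    # Apply step (ActiveDirectory module), shown as output only so the example runs offline:
    #   Get-ADUser -Filter "UserPrincipalName -eq '$upn'" | Add-ADGroupMember    -Identity $ADgroup
    #   Get-ADUser -Filter "UserPrincipalName -eq '$upn'" | Remove-ADGroupMember -Identity $ADgroup -Confirm:$false
    foreach ($upn in $plan.Add)    { Write-Host "ADD    $upn" }
    foreach ($upn in $plan.Remove) { Write-Host "REMOVE $upn" }
}
```

With the sample lists, a Sync plan adds alice and carol, removes dave, and keeps bob (matched despite the different case), for a total of three changes, well under the limit. Running the same lists with -Operation Remove produces a plan that only removes bob, the one member present in both groups, and -Operation ADD only adds alice and carol. Because the plan is computed before anything is applied, the limit check and the log can be written from a single object, which is also the place to record who was added or removed for later review.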

SMTP settings have also been added to this script to send logs and alerts to a designated email address.

I hope this solution will assist you in your journey of automation of system administration tasks.

Thanks for reading and downloading….

Tech Wizard


https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track
