In the last week of 2016 I was working on an issue where some users in certain groups were not synchronized to Azure AD. The users themselves were in Azure AD, but their group membership did not sync. The root cause was that the users were in a different forest than the group.

At this customer we have multiple forests with users from different countries, and those users have started to work together more. We received complaints that users were not able to access resources even though they had been placed in the correct groups. The issue was that the synchronization removed the users from the other forests from the group membership.

After a lot of digging, without knowing where to search or what was happening, I finally figured out what the issue was. My knowledge of AD and trusts is not that deep, so it took me some time to find the solution. The solution is straightforward: make sure that you synchronize the OU ‘ForeignSecurityPrincipals’.

To understand this a bit better, you need some understanding of how Active Directory works. When you add a user from another forest to a group, an anchor object is created in the Active Directory where the group exists. This anchor is a foreign security principal and is stored in the OU ‘ForeignSecurityPrincipals’. Because we did not synchronize this OU, the users were removed from the group. The same happens to users in the local domain that are not available in Azure AD.

This is also stated on Microsoft's documentation page, but I did not see it when we started this journey.
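To see the effect described above on your own group, the following PowerShell is an added example (not from the original post). It lists which members of a group are foreign security principals, whether the SID still resolves across the trust, and whether the member DN lives under the domain's ForeignSecurityPrincipals container. The second half, meant to run on the Azure AD Connect server, checks whether that container is in the connector's inclusion scope; the `-GroupName` parameter and the partition scope property path are assumptions on my side.

```powershell
# Added example, not the original author's script.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
param(
    [Parameter(Mandatory)] [string] $GroupName,          # hypothetical parameter
    [string] $Server = $env:USERDNSDOMAIN
)
Import-Module ActiveDirectory

$domain       = Get-ADDomain -Server $Server
$fspContainer = "CN=ForeignSecurityPrincipals," + $domain.DistinguishedName

# Read the raw member attribute instead of Get-ADGroupMember: the latter fails
# as soon as one foreign security principal cannot be resolved across the trust.
$group = Get-ADGroup -Identity $GroupName -Properties member -Server $Server

$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid -Server $Server
    if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') { continue }

    # Translate the foreign SID to DOMAIN\user; failure means the trust or DNS
    # lookup to the other forest is not working from this machine.
    $resolved = try {
        $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved: check trust / DNS>'
    }

    [pscustomobject]@{
        Group           = $group.Name
        ForeignSid      = $obj.objectSid.Value
        ResolvedAccount = $resolved
        InFspContainer  = $dn -like "*,$fspContainer"
    }
}
$report | Format-Table -AutoSize

# Second check, only meaningful on the Azure AD Connect server (ADSync module):
# is the ForeignSecurityPrincipals container inside the connector's sync scope?
# If it is not, members that are FSPs are dropped from the group in Azure AD,
# which is exactly the symptom described in the post.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $connector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    foreach ($c in $connector) {
        foreach ($partition in $c.Partitions) {
            # Assumption: the included OUs are exposed through this property path.
            $included = $partition.ConnectorPartitionScope.ContainerInclusionList
            if (-not $included) { continue }
            $inScope = $included -contains $fspContainer
            "{0} / {1}: ForeignSecurityPrincipals in scope = {2}" -f $c.Name, $partition.Name, $inScope
        }
    }
}
```

If `InFspContainer` is true for members whose SIDs resolve but the last line reports `False` for the domain's partition, add the ForeignSecurityPrincipals container to the OU filtering in the Azure AD Connect wizard and run a full synchronization; after that the cross-forest members should reappear in the Azure AD group.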

5 Responses

  • Johnny

    Hi Arjan,

    Nice info.

    Just wondering, when you set up AAD Connect to sync multiple forests which are located in different countries, do you perform a forest trust?

    Or will a straightforward VPN connection resolve the forest when setting up AAD Connect?

    Thank you.

    • Hello Johnny,

      At this customer we have a few forests with a forest trust and a few with a domain trust.

      For Azure AD Connect you do not need to have a trust between the forests, but when you want to use ADFS you need it. When using ADFS you should use forest trusts, because then you have a routable UPN suffix.

      When you do not have a trust between the domains, AAD needs to be able to find the other domains, so DNS needs to be in place to discover them.

  • Thanks for this, solved my problem 🙂

    • Great to hear it was of help for you.

  • san

    You are the best!!! thankssssssss
