简体繁体 English

使用Azure AD Connect工具

[英]Using the Azure AD Connect Tool

原文 2016-12-08 14:19:41 6 3 azure/ azure-active-directory

I am using the Azure AD Sync tool to get users from local AD to Azure AD. 我正在使用Azure AD同步工具将用户从本地AD迁移到Azure AD。 It is syncing all the users that I choose from a group and creating them in Azure AD. 它将同步我从组中选择的所有用户，并在Azure AD中创建它们。

The issue I have is I need the group to be created in Azure AD and the users that are getting synced should be placed in that group. 我遇到的问题是，我需要在Azure AD中创建组，并且要同步的用户应该放在该组中。 I could not find any option which does that..can some one please tell me if it's possible using this tool or maybe some other tool. 我找不到能做到这一点的任何选择..能不能请一个人告诉我是否可以使用此工具或其他工具。

Thanks 谢谢

3 个解决方案

I don't think you can achieve that with AADConnect, but you could create a group in Azure AD when the users are synchronized, and add those users to the group, with PowerShell\\Cli\\whatever. 我认为您不能使用AADConnect来实现这一点，但是可以在用户同步后在Azure AD中创建一个组，然后使用PowerShell \\ Cli \\ whatever将这些用户添加到该组中。 I might be wrong thou, I'm not a big user of AADConnect. 我可能是错的，我不是AADConnect的大用户。 You might be able to write a custom sync rule inside FIM\\MIM for that (the backbone of Azure AD Connect), but I've never tried that. 您也许可以在FIM \\ MIM（Azure AD Connect的骨干）中编写自定义同步规则，但是我从未尝试过。 I'm pretty sure not out of the box thou, so you would need to create a custom agent or implement FIM Service (might be mistaken on this thou). 我很确定您不是开箱即用的，所以您将需要创建一个自定义代理或实现FIM服务（这可能会误您）。

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-configure-filtering https://docs.microsoft.com/zh-cn/azure/active-directory/active-directory-aadconnectsync-configure-filtering

If you configure "Filter Users and devices" for just sync memberships in this group, it will synchronize only the members of that group to AAD. 如果将“筛选器用户和设备”配置为仅同步此组中的成员身份，它将仅将该组的成员同步到AAD。

Here is a way for you: create another group G2 and add your group G1 into this group. 这是您的一种方式：创建另一个组G2并将您的组G1添加到该组中。 Then in AADConnect, configure it to filter on G2 , after synchronization, your G1 will be synchronize to AAD as well as all members in it. 然后在AADConnect中，将其配置为在G2上进行过滤，同步后，您的G1将同步到AAD以及其中的所有成员。 You may need to perform a Full Sync . 您可能需要执行完全同步。

The suggestion by @Bifeng Dong - MSFT would work. @Bifeng Dong的建议-MSFT将起作用。 Also, you could try setting up Dynamic membership for a group in Azure AD - Where members are automatically added to that group based on a condition check (Attribute). 另外，您可以尝试在Azure AD中为组设置动态成员资格-根据条件检查（属性）将成员自动添加到该组中。 While syncing, you could sync the users with some specific logic to differentiate the user groups between synced and in-cloud users. 同步时，您可以使用一些特定的逻辑来同步用户，以区分同步用户和云用户之间的用户组。

Here are the references: 这里是参考：

Managing groups in Azure Active Directory: (Ctrl+F and search for term "dynamic" to find about dynamic group) https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-manage-groups 在Azure Active Directory中管理组：（Ctrl + F并搜索“动态”一词以查找有关动态组的信息） https://docs.microsoft.com/zh-cn/azure/active-directory/active-directory-accessmanagement-管理小组

Using attributes to create advanced rules: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-with-advanced-rules 使用属性创建高级规则： https : //docs.microsoft.com/zh-cn/azure/active-directory/active-directory-accessmanagement-groups-with-advanced-rules

FYI - Dynamic Group is a part of Azure AD Premium License (P1) https://azure.microsoft.com/en-in/pricing/details/active-directory/ 仅供参考-动态组是Azure AD高级许可证（P1）的一部分https://azure.microsoft.com/zh-cn/pricing/details/active-directory/