AAD Connect and Domain Admin accounts – is it safe to sync them

active-directory azure-active-directory

I've just installed Active Directory and want to sync the users with the already existing Azure AD we have. From a technical point of view it looks pretty easy. I've created the domain ad.company.com and added the UPN of our verified domain company.com. Then I created 3 accounts:

  1. first.user@company.com (domain admin)
  2. second.user@company.com (domain admin)
  3. third.user@company.com (regular user)

The UPN for (1) already exists in Azure AD (regular user); (2) and (3) do not exist in Azure AD at the moment. I'm aware that the password and other attributes for (1) will be overwritten in Azure AD by the on-premises values.

I do not have any doubts regarding (3) but have some questions regarding (1) and (2):

  1. Should I just synchronise (1) and (2) and not worry?
  2. Should I instead create separate first.user@ad.company.com and second.user@ad.company.com accounts to manage AD locally and not sync them at all, and additionally create first.user@company.com and second.user@company.com so we have regular accounts to work with our services?

I was trying to find the answer to this, but in the Azure AD Connect documentation I've found only this:

"Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory."

This is the total opposite of my case.

Any advice appreciated.

Best Answer

Syncing accounts (1) and (2) to Azure AD doesn't confer any special abilities, privileges, or rights on the synced accounts in Azure AD or Office 365. Additionally, their membership in any protected groups in your on-premises AD is not synced to the accounts in Azure AD.
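The documentation quoted in the question warns about one specific collision: an on-premises account whose UPN matches an Azure AD account that already holds a directory role. The check below is an added example, not code from the poster or the answerer: it lists the members of the on-premises protected groups, looks each UPN up in Azure AD, and reports whether a cloud object already exists, whether it is already sync-enabled, and which directory roles (if any) it holds. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed, that the signed-in account can read users and role assignments (the scopes requested are an assumption), and that the group list covers what you consider privileged.

```powershell
# Added example (not from the original post): find on-premises privileged
# accounts whose UPN already exists in Azure AD, and whether that Azure AD
# object already holds a directory role. Assumes RSAT ActiveDirectory and the
# Microsoft.Graph SDK; the group list and Graph scopes are assumptions.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# On-prem groups whose members we treat as privileged (assumed list).
$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Collect privileged on-prem users (recursive membership), keyed by UPN.
$privileged = @{}
foreach ($g in $ProtectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties userPrincipalName, adminCount
            if ($u.userPrincipalName) {
                if (-not $privileged.ContainsKey($u.userPrincipalName)) {
                    $privileged[$u.userPrincipalName] = [pscustomobject]@{
                        UPN        = $u.userPrincipalName
                        SamAccount = $u.SamAccountName
                        AdminCount = $u.adminCount
                        Groups     = [System.Collections.Generic.List[string]]::new()
                    }
                }
                $privileged[$u.userPrincipalName].Groups.Add($g)
            }
        }
}

# 2. Build a lookup of Azure AD directory role members: object id -> role names.
#    Only roles that have been activated in the tenant are returned here.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome
$roleHolders = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if (-not $roleHolders.ContainsKey($m.Id)) {
            $roleHolders[$m.Id] = [System.Collections.Generic.List[string]]::new()
        }
        $roleHolders[$m.Id].Add($role.DisplayName)
    }
}

# 3. For each privileged on-prem UPN, report whether a cloud object already
#    exists, whether it is already synced, and whether it holds any role.
$report = foreach ($p in $privileged.Values) {
    $cloud = Get-MgUser -Filter "userPrincipalName eq '$($p.UPN)'" `
                        -Property Id, UserPrincipalName, OnPremisesSyncEnabled `
                        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UPN             = $p.UPN
        OnPremGroups    = ($p.Groups -join ';')
        ExistsInAzureAD = [bool]$cloud
        AlreadySynced   = if ($cloud) { [bool]$cloud.OnPremisesSyncEnabled } else { $false }
        AzureADRoles    = if ($cloud -and $roleHolders.ContainsKey($cloud.Id)) {
                              $roleHolders[$cloud.Id] -join ';'
                          } else { '' }
    }
}
$report | Sort-Object UPN | Format-Table -AutoSize

# Rows with ExistsInAzureAD = True and a non-empty AzureADRoles column are the
# "pre-existing administrative accounts" the documentation warns about: keep
# those on-prem objects out of the sync scope (OU or attribute filtering in
# Azure AD Connect) or give them a different UPN before the first sync.
```

In the questioner's case, first.user@company.com would show up as ExistsInAzureAD = True with an empty AzureADRoles column, which is the situation the answer describes: a soft match against a regular cloud user, not against a cloud administrator. Run the report again after the first sync cycle; AlreadySynced should flip to True for every account you intended to sync and stay False for any admin-only accounts you chose to keep in an excluded OU.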
