Active Roles

Activeroles Hybrid AD Management


Is there any good documentation on this around?

How are you supposed to manage groups, specifically the cloud-only groups?

The ones synced from AD should be fine, but what about those only created in the cloud/O365?

I have read something about sync and writeback, but wouldn't that create the groups in AD, and then AD Connect would make them synced again?

How about enabling remote mailboxes; is this expected to be supported soon?


  • With Office 365, Microsoft introduced a new object type: SecurityGroup objects. Note that these are different from on-prem Security Groups, which are Group objects. SecurityGroup objects are extremely difficult to manage from an Active Roles perspective because they have no unique identifier which crosses systems; they have a unique objectID, but that's it. Unless Active Roles creates the object and sets the objectID during creation, we cannot programmatically distinguish one Group from another, because the objectID doesn't really have value other than being unique.

    If you want to be able to programmatically link and then manage Groups in Azure, I suggest mail-enabling them. This will allow for a cross-system unique attribute which can be used to link Groups across different systems. Then, the Active Roles back-sync can populate an objectID and it is possible to manage Azure Groups from the on-prem Active Roles Web Interface.

    The back-sync doesn't create Groups if it is configured as recommended; it just updates existing Groups with the Azure objectID and advises Active Roles that they are enabled.

    Managing existing remote mailboxes is currently supported, but creating/enabling is not yet available. Enhancement TF00699961 was created for this feature. It does not yet have a target version.
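An added illustration of the linking problem described in the answer above (not Active Roles or Microsoft code): with constructed on-prem and Azure group inventories, the only attribute present in both systems is the mail address, so a group that is not mail-enabled cannot be matched programmatically even when its display name looks identical.

```python
# Added example; all group data below is constructed sample data.
from collections import defaultdict

# Constructed on-prem AD groups as Active Roles already sees them.
ONPREM_GROUPS = [
    {"sAMAccountName": "Finance-Readers", "mail": "finance-readers@example.com"},
    {"sAMAccountName": "HR-Admins",       "mail": None},  # not mail-enabled
    {"sAMAccountName": "Sales-Team",      "mail": "Sales-Team@Example.com"},
]

# Constructed Azure SecurityGroup objects: objectId is unique but opaque.
CLOUD_GROUPS = [
    {"objectId": "a1b2c3d4-0000-0000-0000-000000000001",
     "displayName": "Finance Readers", "mail": "finance-readers@example.com"},
    {"objectId": "a1b2c3d4-0000-0000-0000-000000000002",
     "displayName": "HR Admins", "mail": None},            # looks like HR-Admins, no key
    {"objectId": "a1b2c3d4-0000-0000-0000-000000000003",
     "displayName": "Sales Team", "mail": "sales-team@example.com"},
    {"objectId": "a1b2c3d4-0000-0000-0000-000000000004",
     "displayName": "Contractors", "mail": "contractors@example.com"},  # cloud-only
]


def _norm_mail(mail):
    """Mail compares case-insensitively; a missing mail cannot act as a key."""
    return mail.strip().lower() if mail else None


def link_groups(onprem, cloud):
    """Link on-prem groups to Azure groups by mail address and classify the rest.

    Returns linked pairs (sAMAccountName -> objectId), cloud groups with no
    on-prem counterpart, cloud groups that carry no mail and so cannot be
    linked at all, and mail addresses that are ambiguous on the on-prem side.
    """
    by_mail = defaultdict(list)
    for g in onprem:
        key = _norm_mail(g.get("mail"))
        if key:
            by_mail[key].append(g["sAMAccountName"])

    linked, cloud_only, unlinkable, ambiguous = {}, [], [], []
    for c in cloud:
        key = _norm_mail(c.get("mail"))
        if key is None:
            unlinkable.append(c["objectId"])     # objectId alone identifies nothing
        elif key not in by_mail:
            cloud_only.append(c["objectId"])
        elif len(by_mail[key]) > 1:
            ambiguous.append(key)                # mail must be unique to be a key
        else:
            linked[by_mail[key][0]] = c["objectId"]
    return {"linked": linked, "cloud_only": cloud_only,
            "unlinkable": unlinkable, "ambiguous": ambiguous}
```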