Disable automatic Azure AD object creation

By default, in hybrid environments, when an on-premises AD object is created in Adaxes within the scope of a Microsoft 365 tenant, Adaxes will create the corresponding object in Azure AD. If an on-premises object is deleted, Adaxes will delete the linked object in Azure AD if it was created by Adaxes.

This makes it possible to perform certain actions in business rules that trigger immediately after creating a user, for example, adding the new on-premises user to Azure-only groups or setting an Azure-only user as a manager of the new on-premises user. If you disable automatic Azure AD object creation, such workflows will not be possible. However, you might want to disable it in case this feature causes Azure AD Connect synchronization issues or creates unwanted objects in your Azure AD domain.

Change settings

You can change the default behavior and configure Adaxes to either never create objects in Azure AD, or always create them regardless of whether Azure AD Connect is enabled in your environment. To do this, run the script below. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

  • $tenantDN – the distinguished name of the Microsoft 365 tenant to change settings for.

     How to get the tenant distinguished name
    1. Launch Adaxes Administration console.

    2. In the Console Tree, expand the Adaxes service node.

    3. Navigate to Configuration \ Cloud Services and select Microsoft 365.

    4. In the Managed Microsoft 365 tenants section on the right, right-click a tenant and then click Properties in the context menu.

    5. In the dialog that opens, click Advanced.

    6. Tenant distinguished name will be displayed next to the Object DN label.

  • $preCreateAzureObjects – the desired behavior for automatic Azure AD object creation and deletion.

    • $null (default behavior) – objects will be created and deleted by Adaxes only if Azure AD Connect is enabled for the Azure AD domain.
    • $true – objects will be created and deleted by Adaxes even if Azure AD Connect is disabled.
    • $false – objects will never be created or deleted by Adaxes.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
$tenantDN = "<TENANT DN>"
$preCreateAzureObjects = $False

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the Microsoft 365 tenant.
$tenant = $service.OpenObject("Adaxes://$tenantDN", `
    $credential.UserName, $credential.GetNetworkCredential().Password, 0)

# Update the settings.
$tenant.PreCreateSyncedObjectEnabled = $preCreateAzureObjects
$tenant.SetInfo()

View current settings

To view automatic object creation settings for all registered Microsoft 365 tenants, use the script below. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the Microsoft 365 configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("CloudServicesO365")
$container = $service.OpenObject($containerPath, `
    $credential.UserName, $credential.GetNetworkCredential().Password, 0)
$container.Filter = @("adm-O365Tenant")

# Get Azure AD object creation settings.
Write-Host "Azure AD automatic object creation/deletion for tenant:`n"
foreach ($tenant in $container)
{
    # A PowerShell switch never enters any branch (not even default) when the
    # input is $null, so the default setting is tested explicitly with $null on
    # the left-hand side of the comparison.
    $value = $tenant.PreCreateSyncedObjectEnabled
    if ($null -eq $value)
    {
        $settings = "If on-premises object is created/deleted within tenant scope " `
            + "and Azure AD Connect is enabled"
    }
    elseif ($value)
    {
        $settings = "If on-premises object is created/deleted within tenant scope"
    }
    else
    {
        $settings = "Never"
    }
    Write-Host "`t$($tenant.TenantName): $settings"
}
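The following is an added example, not part of the Adaxes documentation: it combines the two scripts above into a drift check that lists every registered tenant whose PreCreateSyncedObjectEnabled value differs from the value you expect and, when $apply is set, corrects it. It uses only the API members shown on this page; $desiredValue, $apply and $drifted are assumed names.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Constructed example values; adjust to your environment.
$serviceHost  = "localhost"
$desiredValue = $false   # value every tenant should have ($true or $false)
$apply        = $false   # $false = report only, $true = also fix drifted tenants

# Connect to the Adaxes service and prompt for credentials.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)
$credential = Get-Credential

# Bind to the Microsoft 365 configuration container and list tenants only.
$containerPath = $service.Backend.GetConfigurationContainerPath("CloudServicesO365")
$container = $service.OpenObject($containerPath, `
    $credential.UserName, $credential.GetNetworkCredential().Password, 0)
$container.Filter = @("adm-O365Tenant")

$drifted = @()
foreach ($tenant in $container)
{
    $current = $tenant.PreCreateSyncedObjectEnabled

    # $null (default behaviour) must be tested with $null on the left: in
    # PowerShell "$false -eq $null" is $true, which would hide the drift.
    $isDrift = ($null -eq $current) -or ($current -ne $desiredValue)
    if (-not $isDrift) { continue }

    $currentText = if ($null -eq $current) { "default (follows Azure AD Connect)" } else { "$current" }
    Write-Host "$($tenant.TenantName): $currentText -> expected $desiredValue"
    $drifted += $tenant

    if ($apply)
    {
        $tenant.PreCreateSyncedObjectEnabled = $desiredValue
        $tenant.SetInfo()
        Write-Host "`tUpdated."
    }
}

Write-Host "`n$($drifted.Count) tenant(s) differ from the expected setting."
```

Run it with $apply left at $false first to review the list; the same account rights used by the two scripts above are sufficient.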