Active Directory (on-prem)
For hybrid and on-prem environments. A PowerShell runbook on a hybrid worker applies the group changes in AD, which sync back to Entra through your existing Entra Connect.
The problem
You run hybrid: some of your groups still live in on-prem Active Directory and are synchronized to Entra by Entra Connect. Cloud-only tooling will not touch those on-prem objects, so you fall back to managing those groups in AD by hand, separate from what happens in the cloud, with two places to keep in sync and double work on every joiner, mover or leaver.
What you get
Your on-prem AD groups move automatically with your attributes, from the same model as the cloud, with no double management.
Hybrid without double work
One model drives both your Entra ID and your on-prem AD. You no longer manage access in two places.
On-prem groups that move with you
A PowerShell runbook on a hybrid worker applies the group changes in your AD automatically.
Fits your existing sync
Changes sync back to Entra through your existing Entra Connect. No separate LDAP sync, no new infrastructure.
In your own control
The runbook runs in your own environment, close to your domain controllers, so you keep control.
How it works
1. Runbook on a hybrid worker
Runs in your own environment, close to your domain controllers.
2. Apply and sync back
Changes land in AD and sync back to Entra.
Frequently asked questions
Do I need a hybrid worker?
Yes. A small PowerShell runbook runs on a hybrid worker in your own environment, close to your domain controllers.
How do changes get back into Entra?
Through your existing Entra Connect. Changes land in AD and sync back to Entra, with no separate LDAP sync.
Does this work alongside my cloud-only groups?
Yes. Cloud and on-prem work from the same attribute model, so hybrid identity stays one whole.