
Sync Users from Entra to AD

Luke 75 Reputation points
2026-05-05T23:25:59.7933333+00:00

Hi there, currently I'm working on syncing users from Entra to AD. (AD is on a Domain Controller Azure VM.)

We are using Entra as the single source of truth now, and due to some reasons, we need to sync users from Entra to AD for some legacy applications.

We've tried Microsoft Cloud Sync (https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory ), but it looks like it only supports groups, not users. Users will be skipped, as they need to exist first in AD.

Could I please get any thoughts on how to make this happen properly? Thanks!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

    Marcin Policht 88,075 Reputation points MVP Volunteer Moderator
    2026-05-05T23:30:13.1433333+00:00

    You’ve run into a limitation rather than a misconfiguration. Entra Connect is based on AD being the authoritative source for user objects, not Entra ID. There isn’t a native Microsoft-supported, production-ready tool today that fully creates and manages AD user objects purely from Entra ID as the source of truth. The platform direction has been to move away from AD, not rebuild it from Entra.

    So what you’re trying to do is possible, but only with a custom approach. You can script the creation of AD users on your domain controller. This can be done with Microsoft Graph to read users from Entra and PowerShell against AD to create and maintain them.

    A simple pattern looks like this: query Entra users via Graph, check if they exist in AD (for example by UPN or a mapped attribute), and create them if not. You’d run this on a scheduled job or automation account that has line of sight to your domain controller.

    For example, retrieving users from Entra:

    Connect-MgGraph -Scopes "User.Read.All"
    # Returns every user in the tenant, guests included, with the default property set
    # (DisplayName, GivenName, Surname, Mail and UserPrincipalName are among them)
    $users = Get-MgUser -All

    Then for each user, check and create in AD:

    Import-Module ActiveDirectory
    
    foreach ($u in $users) {
        # Double any apostrophe so a UPN cannot break out of the filter string
        $upn = $u.UserPrincipalName -replace "'", "''"
        $existing = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
    
        if (-not $existing) {
            # Per-account random password, changed by the user at first logon.
            # One hard-coded password shared by every created account would be a
            # known credential for all of them.
            $bytes = New-Object byte[] 24
            [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
            $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    
            # sAMAccountName is derived from the UPN prefix; AD caps it at 20 characters
            # and requires it to be unique, which Entra does not enforce on UPNs
            New-ADUser `
                -Name $u.DisplayName `
                -GivenName $u.GivenName `
                -Surname $u.Surname `
                -UserPrincipalName $u.UserPrincipalName `
                -SamAccountName ($u.UserPrincipalName.Split("@")[0]) `
                -EmailAddress $u.Mail `
                -Enabled $true `
                -AccountPassword $password `
                -ChangePasswordAtLogon $true
        }
    }

    You’d then extend this to handle updates, disables, and possibly group membership if your legacy apps depend on that. You also need to think about attribute mapping carefully, especially samAccountName length limits and uniqueness, since Entra doesn’t enforce the same constraints.

    An alternative approach is described at https://www.alitajran.com/sync-microsoft-entra-id-user/ . This one actually allows you to maintain the relationship between AD users and Entra ID users, so even though it's a bit more complex, it's worth considering.

    Finally, if you want a commercial product that allows you to implement it, there are identity governance or provisioning tools like Microsoft Identity Manager, One Identity, or SailPoint that can do Entra-to-AD provisioning, but those add cost and complexity.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
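As an added example, not code from Marcin's answer or from any Microsoft tool: a fuller version of the create/update/disable loop the answer sketches, with the attribute-mapping caveats it raises (sAMAccountName length and uniqueness, guests, account state) handled. It assumes the Microsoft.Graph.Users and ActiveDirectory modules are installed, a placeholder target OU (`OU=EntraSynced,DC=contoso,DC=local`), and the use of `extensionAttribute1` as the AD attribute that holds the Entra object id; the OU name and the anchor attribute are assumptions, not something the answer specifies.

```powershell
# Added example, not code from the answer above. Assumed: Microsoft.Graph.Users and
# ActiveDirectory modules are installed; $TargetOu is a placeholder OU; $AnchorAttribute
# (extensionAttribute1) is an assumed choice of AD attribute to hold the Entra object id.
param(
    [string]$TargetOu        = "OU=EntraSynced,DC=contoso,DC=local",
    [string]$AnchorAttribute = "extensionAttribute1"
)

Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

function New-RandomPassword {
    # Fresh random password per account (32 base64 characters), never logged and never
    # shared; the account is flagged to change it at first logon below.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-UniqueSamAccountName([string]$Upn) {
    # sAMAccountName: max 20 chars, restricted character set, unique per domain.
    # Entra enforces none of this on UPNs, so derive, trim and de-duplicate here.
    $base = ($Upn.Split('@')[0] -replace '[^a-zA-Z0-9._-]', '')
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base; $n = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'" -ErrorAction SilentlyContinue) {
        $suffix = [string]$n; $n++
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    return $candidate
}

# Members only: guest UPNs (with #EXT#) are not valid AD UPNs and are left out.
$entraUsers = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id, DisplayName, GivenName, Surname, Mail, UserPrincipalName, AccountEnabled

# A failed or empty Graph read must not be mistaken for "everyone left" (see the leaver step).
if (-not $entraUsers -or $entraUsers.Count -eq 0) { throw "Graph returned no member users; aborting sync." }

foreach ($u in $entraUsers) {
    # Match on the immutable Entra object id stored in the anchor attribute, not on UPN,
    # so a UPN change in Entra becomes an update rather than a duplicate AD account.
    $existing = Get-ADUser -Filter "$AnchorAttribute -eq '$($u.Id)'" -Properties $AnchorAttribute, mail

    if (-not $existing) {
        $sam = Get-UniqueSamAccountName $u.UserPrincipalName
        $new = @{
            Name                  = $sam
            SamAccountName        = $sam
            UserPrincipalName     = $u.UserPrincipalName
            Path                  = $TargetOu
            Enabled               = [bool]$u.AccountEnabled   # disabled in Entra stays disabled in AD
            AccountPassword       = New-RandomPassword
            ChangePasswordAtLogon = $true
            OtherAttributes       = @{ $AnchorAttribute = $u.Id }
        }
        # Optional attributes only when populated; AD rejects empty string values.
        if ($u.DisplayName) { $new.DisplayName  = $u.DisplayName }
        if ($u.GivenName)   { $new.GivenName    = $u.GivenName }
        if ($u.Surname)     { $new.Surname      = $u.Surname }
        if ($u.Mail)        { $new.EmailAddress = $u.Mail }
        New-ADUser @new
        Write-Output "Created $sam for $($u.UserPrincipalName)"
        continue
    }

    # Update: pull AD back toward Entra for the attributes legacy apps typically read.
    $set = @{}
    if ($existing.UserPrincipalName -ne $u.UserPrincipalName) { $set.UserPrincipalName = $u.UserPrincipalName }
    if ($u.Mail -and $existing.mail -ne $u.Mail)              { $set.EmailAddress = $u.Mail }
    if ($set.Count -gt 0) { Set-ADUser -Identity $existing @set }

    # Enabled state follows Entra, so a user disabled in Entra is disabled in AD on the next run.
    if ($existing.Enabled -ne [bool]$u.AccountEnabled) {
        if ($u.AccountEnabled) { Enable-ADAccount -Identity $existing }
        else                   { Disable-ADAccount -Identity $existing }
    }
}

# Leavers: anchored AD accounts whose Entra object no longer exists are disabled, not deleted,
# so the SID and group memberships survive for investigation or rollback.
$entraIds = @{}
foreach ($u in $entraUsers) { $entraIds[$u.Id] = $true }
Get-ADUser -SearchBase $TargetOu -Filter "$AnchorAttribute -like '*'" -Properties $AnchorAttribute |
    Where-Object { $_.Enabled -and -not $entraIds.ContainsKey($_.$AnchorAttribute) } |
    ForEach-Object { Disable-ADAccount -Identity $_; Write-Output "Disabled leaver $($_.SamAccountName)" }
```

Run it against a test OU first; the AD cmdlets used here all accept `-WhatIf`, which shows every create, update and disable without making changes. For the scheduled run, the service account needs rights only on the target OU rather than on the domain, and the Graph side should authenticate as an app with a certificate (`Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...`) instead of the interactive `-Scopes` sign-in shown above.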

