Disable automatic Microsoft Entra object creation

By default, in hybrid environments, when an Active Directory object is created in Adaxes within the scope of a Microsoft 365 tenant, Adaxes will create the corresponding object in Microsoft Entra ID. If an Active Directory object is deleted, Adaxes will delete the linked object in Microsoft Entra ID if it was created by Adaxes.

This makes it possible to perform certain actions in business rules that trigger immediately after a user is created, for example, adding the new Active Directory user to Entra-only groups or setting an Entra-only user as the manager of the new Active Directory user. If you disable automatic Microsoft Entra object creation, such workflows will not be possible. However, you might want to disable it if this feature causes Microsoft Entra Connect synchronization issues or creates unwanted objects in your Microsoft Entra domain.

Change settings

You can change the default behavior and configure Adaxes to either never create objects in Microsoft Entra ID, or always create them regardless of whether Microsoft Entra Connect is present in your environment. To do this, execute the following script in Windows PowerShell. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

  • $tenantDN – the distinguished name of the Microsoft 365 tenant to change settings for.

     How to get the tenant distinguished name
    1. Launch Adaxes Administration console.

    2. In the Console Tree, expand the Adaxes service node.

    3. Navigate to Configuration \ Cloud Services.

    4. Click Microsoft 365.

    5. In the Managed Microsoft 365 tenants section on the right, right-click a tenant and then click Properties in the context menu.

    6. In the dialog that opens, click Advanced.

    7. Tenant distinguished name will be displayed next to the Object DN label.

  • $preCreateAzureObjects – the desired behavior for automatic Microsoft Entra object creation and deletion.

    • $null (default behavior) – objects will be created and deleted by Adaxes only if Microsoft Entra Connect is enabled for the Microsoft Entra domain.
    • $true – objects will be created and deleted by Adaxes even if Microsoft Entra Connect is disabled.
    • $false – objects will never be created or deleted by Adaxes.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
# Replace the placeholder with the tenant distinguished name (see above).
$tenantDN = "<TENANT DN>"
$preCreateAzureObjects = $false

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the Microsoft 365 tenant.
$tenant = $service.OpenObject("Adaxes://$tenantDN", `
    $credential.UserName, $credential.GetNetworkCredential().Password, 0)

# Update the settings.
$tenant.PreCreateSyncedObjectEnabled = $preCreateAzureObjects
$tenant.SetInfo()

View current settings

To view the automatic object creation settings for all registered Microsoft 365 tenants, execute the following script in Windows PowerShell. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the Microsoft 365 configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("CloudServicesO365")
$container = $service.OpenObject($containerPath, `
    $credential.UserName, $credential.GetNetworkCredential().Password, 0)
$container.Filter = @("adm-O365Tenant")

# Get Microsoft Entra object creation settings.
Write-Host "Microsoft Entra ID automatic object creation/deletion per tenant:`n"
foreach ($tenant in $container)
{
    switch ($tenant.PreCreateSyncedObjectEnabled)
    {
        $true
        {
            $settings = "If an Active Directory object is created/deleted within tenant scope"
        }
        $false
        {
            $settings = "Never"
        }
        default
        {
            $settings = "If an Active Directory object is created/deleted within tenant scope " `
                + "and Microsoft Entra Connect is enabled"
        }
    }
    Write-Host "`t$($tenant.TenantName): $settings"
}
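
As an added example that is not part of the Adaxes documentation, the following script combines the two procedures on this page into one change-and-verify step. It locates a tenant by the TenantName shown in the "View current settings" output instead of requiring its distinguished name, records the value before the change, applies the new value, and reads the setting back from the service to confirm what was actually stored. The function names and the -Value parameter are this example's own; it also assumes the tenant object supports the standard ADSI GetInfo() call for re-reading properties after SetInfo().

```powershell
# Added example (not Softerra's own code): change the automatic Microsoft Entra
# object creation setting for one tenant, then verify the stored value.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

function Get-PreCreateDescription {
    param($Value)
    # Map the three-valued setting to the meanings described on this page.
    switch ($Value)
    {
        $true   { return "Always (even if Microsoft Entra Connect is disabled)" }
        $false  { return "Never" }
        default { return "Only if Microsoft Entra Connect is enabled (default)" }
    }
}

function Set-EntraPreCreateSetting {
    param(
        [Parameter(Mandatory)] [string] $ServiceHost,
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # $null (default behavior), $true or $false; any other value is rejected.
        [AllowNull()] [object] $Value = $null
    )

    if ($null -ne $Value -and $Value -isnot [bool]) {
        throw "-Value must be `$null, `$true or `$false."
    }

    # Connect to the Adaxes service and bind to the Microsoft 365 container.
    $ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    $service = $ns.GetServiceDirectly($ServiceHost)
    $containerPath = $service.Backend.GetConfigurationContainerPath("CloudServicesO365")
    $container = $service.OpenObject($containerPath, `
        $Credential.UserName, $Credential.GetNetworkCredential().Password, 0)
    $container.Filter = @("adm-O365Tenant")

    # Find the tenant by its display name.
    $tenant = $null
    foreach ($candidate in $container)
    {
        if ($candidate.TenantName -eq $TenantName) { $tenant = $candidate; break }
    }
    if ($null -eq $tenant) { throw "Tenant '$TenantName' is not registered in Adaxes." }

    # Record the current value, apply the change, and commit it.
    $before = $tenant.PreCreateSyncedObjectEnabled
    $tenant.PreCreateSyncedObjectEnabled = $Value
    $tenant.SetInfo()

    # Re-read from the service (assumes standard ADSI GetInfo) rather than
    # trusting the local property cache.
    $tenant.GetInfo()
    $after = $tenant.PreCreateSyncedObjectEnabled

    [pscustomobject]@{
        Tenant   = $TenantName
        Before   = Get-PreCreateDescription $before
        After    = Get-PreCreateDescription $after
        Verified = ($after -eq $Value)
    }
}

# Usage: "<TENANT NAME>" is a placeholder for a name listed by the view script.
$cred = Get-Credential
Set-EntraPreCreateSetting -ServiceHost "localhost" -TenantName "<TENANT NAME>" `
    -Credential $cred -Value $false | Format-List
```

Keeping the before and after values in the returned object gives a record for change control, and the Verified flag surfaces the case where the service stores something other than what was requested, which is exactly what the view script alone cannot tell you.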