Azure AD identity governance — Part 6 — Reach back to on-premises

The blog series

Let’s find out how to use Access Reviews and Entitlement Management for on-premises groups.

Current situation

Solution architecture

Our on-premises groups are divided into two categories:

  • On-premises mastered, synchronized via AADC
  • Cloud mastered, synchronized via MIM

Joining / matching



  • I have not yet implemented this approach in a customer scenario and therefore have no experience with the performance of the Graph Connector.
  • If the solution is used for already synchronized on-premises groups, these groups will be deleted in Azure AD and created as cloud groups. All permissions set on the Azure AD / cloud services side will be lost, and it has to be planned how the group membership of the cloud groups will be initialized (migration).
  • I have no information on if or when this functionality will be available out-of-the-box; although I work for Microsoft, I am not in the product group.
  • I cannot say to what extent this approach is officially supported.


