
We have a screen in our application that is used to update Azure AD users through the Graph API. If users are created using the Azure Portal or the Graph API, I'm able to update the user profile using this screen.

But if the user is created/synced using AD Connect (e.g. in the case of O365 users), Microsoft Graph returns the following error while updating these users:

Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration

I have the following queries:

  1. Is it possible to update a user through the Graph API that was created on-premises and synced to Azure AD?
  2. Are there any settings in the Azure Portal or AD Connect that allow a user to be updated through the Graph API?
  3. Also, how to tell the difference between a user created on-premises and one created in Azure AD through the Microsoft Graph API? Is there any attribute in the Microsoft.Graph.User class?

2 Answers

To answer your questions:

  1. No, this isn't possible because of the way they are synced. If Microsoft allowed changes on both sides, it would have to implement some kind of duplicate change resolution system. So they just blocked changing properties except for some cloud-only properties like licenses.
  2. No, there isn't, because of the above reason.
  3. Yes, there is, but it's kinda hacky.

To see if a Graph user was created through the sync, you should request the User.Read.All scope for your application and then make a request to the Get user endpoint with the select-all-properties query string ?$select=*.

The synced users should have the OnPremisesSamAccountName property, among others that don't appear on a non-synced user.

Once you have found out the user is an on-premise user, your application could do an update straight to your AD with the System.DirectoryServices.AccountManagement API.
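The check this answer describes, as an added example that is not part of the original answer or of Microsoft's own client libraries: fetch the user with `$select=*`, look at the `onPremises*` properties to decide whether the object is mastered on-premises, and route the profile change accordingly, so the PATCH that Graph would reject is never sent. The sample user and error documents below are constructed, not captured from a real tenant; `onPremisesSyncEnabled` is a real Graph user property used here alongside the `onPremisesSamAccountName`/`onPremisesDomainName` signals mentioned on this page, and the "queue for an in-house sync job" target is an assumption modelled on the suggestion in the comments.

```python
"""Classify a Microsoft Graph user as cloud-mastered or on-premises-synced
before attempting a profile update, and route the update accordingly."""

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Properties Graph only populates for users synced from on-premises AD.
# onPremisesSyncEnabled is the definitive flag; the others are the
# "appear only on synced users" signals described in the answer above.
ON_PREM_MARKERS = (
    "onPremisesSamAccountName",
    "onPremisesDomainName",
    "onPremisesDistinguishedName",
    "onPremisesSecurityIdentifier",
)

# Fragment of the message Graph returns when a PATCH touches a synced property.
ON_PREM_MASTERED_MSG = "on-premises mastered Directory Sync objects"

# Constructed sample responses (values are placeholders, not real tenant data).
SYNCED_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jdoe@contoso.example",
    "displayName": "Jane Doe",
    "onPremisesSyncEnabled": True,
    "onPremisesSamAccountName": "jdoe",
    "onPremisesDomainName": "corp.contoso.example",
}
CLOUD_USER = {
    "id": "00000000-0000-0000-0000-000000000002",
    "userPrincipalName": "cloud.only@contoso.example",
    "displayName": "Cloud Only",
    "onPremisesSyncEnabled": None,
    "onPremisesSamAccountName": None,
}
GRAPH_ERROR = {
    "error": {
        "message": (
            "Unable to update the specified properties for on-premises "
            "mastered Directory Sync objects or objects currently undergoing migration"
        )
    }
}


def select_all_url(user_id: str) -> str:
    """URL for GET /users/{id} with every property projected. The onPremises*
    attributes are not in the default projection, so $select=* is required."""
    return f"{GRAPH_BASE}/users/{user_id}?$select=*"


def is_on_premises_synced(user: dict) -> bool:
    """True when the user object is mastered on-premises (AD Connect)."""
    if user.get("onPremisesSyncEnabled") is True:
        return True
    # Fall back to the presence of any on-premises attribute.
    return any(user.get(key) not in (None, "") for key in ON_PREM_MARKERS)


def route_update(user: dict, changes: dict) -> dict:
    """Decide where a profile change must go. Cloud-mastered users are
    PATCHed through Graph; synced users are handed to an on-premises path
    (assumed here: a record for an in-house sync job with AD write access),
    because Graph rejects the write with the error quoted in the question."""
    if is_on_premises_synced(user):
        return {
            "target": "on-premises",
            "samAccountName": user.get("onPremisesSamAccountName"),
            "domain": user.get("onPremisesDomainName"),
            "changes": changes,
        }
    return {
        "target": "graph",
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user['id']}",
        "body": changes,
    }


def is_on_prem_mastered_error(error_body: dict) -> bool:
    """Recognise the specific Graph failure from the question, so a caller that
    skipped the pre-check can mark the user as synced and re-route."""
    message = error_body.get("error", {}).get("message", "")
    return ON_PREM_MASTERED_MSG in message
```

In a real client the two sample dictionaries would be the parsed JSON bodies of the `$select=*` GET and of a failed PATCH; the pre-check needs only the User.Read.All permission the answer mentions, while the on-premises branch still requires whatever in-house mechanism reaches the domain.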


3 Comments

Thanks for the reply. Currently I'm using onPremisesDomainName to check if a user is on-premise or not. Can you explain the last paragraph of your answer? How can my application update an on-premise user using the System.DirectoryServices.AccountManagement API? It's a web application.
Does it run on your own server? You can also create your own "proxy" web application that runs in-house so it can reach your AD. Or save the changes to some database/queue and create a sync command line app that you run on-premise with a special account with domain write access.
No, no application is registered on Azure as PaaS, and the Windows Server AD is maintained by another company/vendor. Currently my team has decided not to update on-premises users because it seems impossible at this time in our scenario.

It's now possible to update on-premises synced users via the Microsoft Graph API using the 'bulkUpload' API, which is part of Entra API-driven inbound provisioning:

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/inbound-provisioning-api-concepts
