On-prem + Azure AD Cache question

Hey folks,
Hopefully one of you guys can answer my question here…

Background:
Our company has been pulling our on-prem AD info into the BigFix AD Cache for quite some time now, and I’ve used user group membership to successfully target and push fixlet actions to endpoints. As we start to live in a hybrid Azure/On-prem AD environment, and with users also in a hybrid VPN environment, I’m looking to see if there is a way to pull Azure AD information (vs. on-prem AD info) to the BES Client.

Business Need:
My goal is to target specific endpoints using Azure AD security group membership as we are now living in a hybrid VPN environment (sometimes on, sometimes off). Is this possible in a hybrid Azure/on-prem AD environment with endpoints currently joined to the on-prem AD?

Let me know, thanks!
-D

1 Like

I don’t have an answer to your question, but my situation is sort of related.

Around 30% of my devices do not connect to VPN. We do not have always on VPN. I’m noticing that the BigFix AD cache for these devices is blank. Thus, I can’t target actions based on it.

I think most people on this forum will suggest using BigFix properties to manage a grouping. In essence, tag the BigFix device with the AD group. Then set up BigFix actions based on the property.

@dyamamoto I imagine your problem is more pronounced now because COVID-19 triggered a lot more Work From Home users who must connect over VPN.

Often it is a reboot from some patch installation that causes clients to lose their cache and suddenly not be relevant for content. I would like to see the AD Cache persist across reboots instead of being cleared out as it currently is. Wouldn’t be the first time someone asked for the AD cache to be preserved: Cached AD Information gets overwritten by AD Connection Error

Unfortunately, I don’t have much experience with Azure AD, so I am not so familiar with the issue described by @Discoboy. I’m surprised that Azure AD and on-prem AD would not be the same in this case. Where would one start to learn how these differ?

We struggled with a similar issue when we started to implement BigFix about 3 years ago, and we actually created a policy action that runs every 4 hours and collects group membership for users/computers.
We store the info in the registry for both computer and user groups, then compare it with what’s already present and add/remove as necessary. If the machine is not connected to our company via VPN/on-prem, we leave the values as-is so we don’t remove anything.
Might not be the cleanest solution, but it does the trick for us.

For Azure AD we have AD Connect set up, so we can still query the on-prem groups, and we have a strict policy about group creation for the time being, so groups need to be created on-prem and then AD Connect syncs them to Azure AD. This might change in the future; we will cross that bridge then and find a similar solution for Azure groups.

1 Like
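The scheme described in the post above (a recurring action that collects computer and user group membership, stores it in the registry, compares it with what is already cached, and leaves the cached values untouched when no domain controller is reachable) is sketched here as an added PowerShell example. It is not code from the original post or from BigFix, and the registry path `HKLM:\SOFTWARE\Contoso\ADGroupCache`, the value names `ComputerGroups`/`UserGroups`, and the use of `memberOf` (direct membership only, no nested or primary groups) are assumptions made for this example.

```powershell
# Added example, not from the original post: refresh a registry-based cache of
# AD group membership for the computer and the logged-on user, but only when a
# domain controller can be reached. Off-VPN, the cached values are left as-is so
# a later BigFix property/relevance based on them keeps working.
# Registry location and value names below are assumptions for this example.
$RegPath = 'HKLM:\SOFTWARE\Contoso\ADGroupCache'

function Test-DomainReachable {
    # True only if the computer's domain answers and a DC can be located.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $null = $domain.FindDomainController()
        return $true
    } catch {
        return $false
    }
}

function Get-AdGroupNames {
    # Direct group membership (memberOf) of a user or computer, as group CNs.
    # Assumption: memberOf is enough here; nested/primary groups are not expanded.
    param([string]$SamAccountName, [string]$ObjectClass)  # 'user' or 'computer'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=$ObjectClass)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    # memberOf holds distinguished names; keep only the CN for readability.
    @($result.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
}

function Update-GroupCache {
    # Compare the fresh membership list with the cached one and rewrite the
    # value only when something was added or removed. Returns the delta.
    param([string]$ValueName, [string[]]$CurrentGroups)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    $existing = @((Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName |
                  Where-Object { $_ })
    $added   = @($CurrentGroups | Where-Object { $_ -notin $existing })
    $removed = @($existing      | Where-Object { $_ -notin $CurrentGroups })
    if ($added.Count -gt 0 -or $removed.Count -gt 0) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value ([string[]]$CurrentGroups) -Type MultiString
    }
    [pscustomobject]@{ Value = $ValueName; Added = $added; Removed = $removed }
}

# --- main: intended to run from a recurring policy action as SYSTEM ---
if (-not (Test-DomainReachable)) {
    Write-Output 'No domain controller reachable (likely off VPN); leaving cached group values as-is.'
    exit 0
}

# Computer account sAMAccountName ends with '$'.
$computerGroups = Get-AdGroupNames -SamAccountName ($env:COMPUTERNAME + '$') -ObjectClass 'computer'
Update-GroupCache -ValueName 'ComputerGroups' -CurrentGroups $computerGroups

# Logged-on user as DOMAIN\user, or $null if nobody is logged on interactively.
$logon = (Get-CimInstance Win32_ComputerSystem).UserName
if ($logon) {
    $userGroups = Get-AdGroupNames -SamAccountName ($logon.Split('\')[-1]) -ObjectClass 'user'
    Update-GroupCache -ValueName 'UserGroups' -CurrentGroups $userGroups
}
```

The two registry values can then be surfaced through a BigFix analysis property, which is the "tag the device with the AD group" approach suggested earlier in the thread; because the script exits without touching the registry when no DC answers, the property keeps its last known value across VPN disconnects rather than going blank the way the built-in AD cache does.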