Microsoft Entra Connect excludes a user's primary group from its group membership

Original product version:   Microsoft Entra ID
Original KB number:   4014115

Summary

Microsoft Entra Connect doesn't support the primary group feature, so it doesn't read the PrimaryGroupID attribute when it builds a user's group membership. Users who still rely on the primary group feature may therefore see that membership missing after synchronization.

Screenshot shows that Microsoft Entra Connect doesn't support the primary group functionality.

When you set the primary group for a user, that user is excluded from the member list of the corresponding group in Active Directory. Instead, the user's PrimaryGroupID attribute is set to reference that group.

For example:

  1. User1 belongs to Group1, which means that Group1 has User1 as a member.
  2. The primary group is changed on User1 from Domain Users to Group1:
    1. User1 is excluded from Group1 Members.
    2. User1 is added as a member of Domain Admins (because it's no longer the primary group).
    3. The User1 PrimaryGroupID attribute is set with the Group1 reference.

Programs that need to query groups to give users access that is based on group membership should also query for the PrimaryGroupID attribute. However, Microsoft Entra Connect does not support PrimaryGroupID because of the complexity of group membership synchronization.
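The following audit script is an added example, not part of the original article. It lists enabled users whose primary group is not the default Domain Users group (RID 513) and resolves the group that Entra Connect will not see, because PrimaryGroupID stores only the RID and the user is absent from the group's member list. It assumes the RSAT ActiveDirectory module and read access to the domain; the filter and output column names are assumptions.

```powershell
# Added audit script: find users whose primary group membership will be
# missed by Microsoft Entra Connect (it reads member/memberOf links only).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# PrimaryGroupID holds only the RID; the group's full SID is <domain SID>-<RID>.
$domainSid = (Get-ADDomain).DomainSID.Value
$defaultPrimaryRid = 513   # Domain Users

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties primaryGroupID, memberOf

$affected = foreach ($u in $users) {
    # Users with the default primary group are not affected by this behaviour.
    if ($u.primaryGroupID -eq $defaultPrimaryRid) { continue }

    $primaryGroup = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)" -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        User             = $u.SamAccountName
        # The group this user belongs to only via PrimaryGroupID, so it is not synchronized.
        PrimaryGroup     = if ($primaryGroup) { $primaryGroup.Name } else { "<unresolved RID $($u.primaryGroupID)>" }
        # Membership as Entra Connect sees it: explicit member links only.
        SyncedGroupCount = @($u.memberOf).Count
    }
}

if ($affected) {
    $affected | Sort-Object PrimaryGroup, User | Format-Table -AutoSize
} else {
    Write-Output "No enabled users have a non-default primary group."
}
```

Any group listed in the PrimaryGroup column is one where the user's access depends on PrimaryGroupID alone; add the user as an explicit member (or reset the primary group to Domain Users) before relying on that membership in Microsoft Entra ID.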
