Open uday30980 opened 1 week ago
Hi @uday30980, it is not EntraCP that requires it; it is SharePoint that asks both claims providers (EntraCP and Windows) for entities. You should not do what you did because of side effects. The best way to hide Windows accounts is not ideal, sadly: you can set the property SPPeoplePickerSettings.ActiveDirectoryCustomFilter at web application level with a fake filter, for example:

```powershell
$wa = Get-SPWebApplication "http://sp16/"
# Some users like super user / super reader / crawl account should have this value in AD, so they can be resolved when SharePoint uses them
$wa.PeoplePickerSettings.ActiveDirectoryCustomFilter = "(&(telephoneNumber=00110011))"
$wa.Update()
```

However, note that this LDAP filter must allow some Windows accounts to be resolved (crawl account, super user, super reader, application pool accounts, service accounts, accounts running scripts).
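A pre-check for the caveat in the reply above, as an added example that is not part of the thread or of the EntraCP project: it lists the accounts SharePoint needs to resolve and reports which of them match the custom filter before the filter is applied. The `CONTOSO\...` account names are hypothetical; it assumes the ActiveDirectory module, a single domain, and that ANDing the account name with the filter approximates what the people picker does.

```powershell
# Added example: names marked "hypothetical" are placeholders, not values from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$webAppUrl = "http://sp16/"                      # web application from the reply above
$filter    = "(&(telephoneNumber=00110011))"     # fake filter from the reply above
$extra     = @("CONTOSO\spcrawl", "CONTOSO\spscripts")  # hypothetical crawl/script accounts

$wa = Get-SPWebApplication $webAppUrl

# Accounts that must stay resolvable: managed accounts (application pools, services),
# the object cache super user / super reader, plus the manually listed ones.
$required = @(Get-SPManagedAccount | ForEach-Object { $_.Username })
$required += $wa.Properties["portalsuperuseraccount"]
$required += $wa.Properties["portalsuperreaderaccount"]
$required += $extra

$report = $required |
    Where-Object { $_ } |
    ForEach-Object { ($_ -replace '^.*\|', '') } |   # drop a claims prefix such as i:0#.w|
    Sort-Object -Unique |
    ForEach-Object {
        $sam = ($_ -split '\\')[-1]
        # AND the account name with the custom filter (assumed to mirror how the
        # people picker narrows its AD query; single domain assumed).
        $hit = Get-ADUser -LDAPFilter "(&(sAMAccountName=$sam)$filter)"
        [pscustomobject]@{ Account = $_; MatchesFilter = [bool]$hit }
    }

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.MatchesFilter })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required account(s) would not resolve with this filter."
} else {
    Write-Host "All required accounts match the filter."
}
```

The script only reads from SharePoint and AD; it does not set `ActiveDirectoryCustomFilter` itself.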
Hello,
We have noticed that we will need to hide the Active Directory (AD) at the SharePoint farm level in order to not get a duplicate user under the People Picker when using either AZURECP or ENTRACP.
The command to hide the Active Directory at SP farm level:

```powershell
$cpm = Get-SPClaimProviderManager
$cp = Get-SPClaimProvider -Identity "AD"
$cp.IsVisible = $false
$cpm.Update()
```

The question is: due to this setting, we will not be able to create any new NTLM web application at the SP farm level. Is there any solution or thoughts on it?

Thank you,
Uday Patel