Interoperability Microsoft AAD Connect and Identity Manager Azure AD Connector

I'm not yet sure what the best setup is for integrating Azure AD as a target system.

We need hybrid users (with SSO), so AAD Connect is required anyway.
It is also required for other purposes like device management.

Now I see the following two options:

1. Provision Accounts only to on-prem AD

In this scenario, we provision AD accounts and the accounts are synchronized to Azure AD with Microsoft AAD Connect.
The sync project to Azure AD reads those users and connects them to the Person. The AAD user object has to be unmanaged, since we do not want to make any changes directly on an Azure AD user. That always has to go via on-prem AD and AAD Connect.
Groups and their memberships could be managed directly in Identity Manager and provisioned directly via the sync project to Azure AD.

So we use standard Microsoft functionality and we are fully supported by Microsoft for those hybrid identities.

2. Provision Accounts directly to Azure AD and use the ImmutableID

In this scenario we provision the AAD user directly from Identity Manager to Azure AD. We make sure that we set the ImmutableID for that AAD user (and of course set the same value in the msDS-ConsistencyGUID of the on-prem AD account).
AAD Connect will still work and do everything needed to have a hybrid identity with full SSO support.

Of course groups and their memberships are handled the same way as in scenario one.

This scenario would make the lifecycle management in Identity Manager easier, and it is the standard behavior from the Identity Manager point of view.
But does it really work with SSO, ...? Is that scenario also supported by Microsoft?

At the moment I'm tending to go with scenario 1, since it seems to be the safe way. It is fully supported by Microsoft and it keeps up to date with the fast-changing Azure cloud environment.

Does anyone have experience with one of these scenarios?

Do you have any hints on what I should take into account when deciding to go with one or the other scenario?

Patrick

PS:

There was already a discussion about the ImmutableID in the past: https://www.oneidentity.com/community/identity-manager/f/forum/21463/azure-ad-immutableid

  • Hi Patrick,

    I would go with option 2 as you can keep the ILM processes as you want (especially if you want to add more licenses, e.g. for a mailbox or for MS Teams etc.) and do not have the break of waiting for AADConnect to work. If you create an AAD account with the correct settings of immutableID, ms-DS-ConsistencyGUID and UPN, AADConnect will seamlessly take over the user account at its next run.

    As mentioned in the thread you are referring to: We are using the MS Graph API for our connector, which is the MS-supported way of making changes to AAD objects.

  • Hi Matthias,

    Thanks for that reply. I'll now check option 2 in a PoC.
    Is there a standard procedure to generate a valid value for the ms-DS-ConsistencyGUID?

    Patrick
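The correspondence between the ImmutableID and the msDS-ConsistencyGUID that scenario 2 and the reply above rely on, as an added example that is not part of this thread: the ImmutableID is the base64 encoding of the same 16 GUID bytes, in the byte order AD stores a GUID in (the .NET Guid.ToByteArray() order, which is Python's bytes_le), that are written to msDS-ConsistencyGuid. The GUID value below is constructed for illustration; the helper names are my own.

```python
import base64
import uuid


def consistency_guid_bytes(guid: str) -> bytes:
    """Binary value to write to msDS-ConsistencyGuid: the 16 GUID bytes in
    AD/.NET byte order (first three fields little-endian), as Guid.ToByteArray()
    returns them and as objectGUID is stored."""
    return uuid.UUID(guid).bytes_le


def immutable_id_from_guid(guid: str) -> str:
    """ImmutableID for the Azure AD user: base64 of the same 16 bytes."""
    return base64.b64encode(consistency_guid_bytes(guid)).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Decode an ImmutableID back to its GUID string. Anything that does not
    decode to exactly 16 bytes (e.g. a UPN or free text) is rejected."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def anchors_match(ms_ds_consistency_guid: bytes, immutable_id: str) -> bool:
    """Pre-check before AAD Connect runs: the on-prem anchor bytes and the cloud
    ImmutableID must encode the same value, otherwise the accounts are not joined."""
    try:
        return base64.b64decode(immutable_id, validate=True) == ms_ds_consistency_guid
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed GUID for illustration; in practice this is the objectGUID of the
    # on-prem account, or the GUID chosen when the AAD user is created first.
    guid = "11223344-5566-7788-9900-aabbccddeeff"
    on_prem = consistency_guid_bytes(guid)
    cloud = immutable_id_from_guid(guid)
    print("msDS-ConsistencyGuid (hex):", on_prem.hex())
    print("ImmutableID:               ", cloud)
    print("anchors match:", anchors_match(on_prem, cloud))
```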
