Interoperability Microsoft AAD Connect and Identity Manager Azure AD Connector

I'm not yet sure what the best setup is for integrating Azure AD as a target system.

We need hybrid users (with SSO), so AAD Connect is required anyway.
It is also required for other purposes like device management.

Now I see the following two options:

1. Provision accounts only to on-prem AD

In this scenario, we provision AD accounts and the accounts are synchronized to Azure AD with Microsoft AAD Connect.
The sync project to Azure AD reads those users and connects them to the Person. The AAD user object has to be unmanaged, since we do not want to make any changes directly on an Azure AD user. That always has to go over the on-prem AD and AAD Connect.
Groups and their memberships could be managed directly in Identity Manager and provisioned directly over the sync project to Azure AD.

So we use standard Microsoft functionality and are fully supported by Microsoft for these hybrid identities.

2. Provision accounts directly to Azure AD and use the ImmutableID

In this scenario we provision the AAD user directly from Identity Manager to Azure AD. We make sure that we set the ImmutableID for that AAD user (and of course set the same value in the msDS-ConsistencyGUID of the on-prem AD account).
AAD Connect will still work and do everything needed for a hybrid identity with full SSO support.

Of course groups and their memberships are handled the same way as in scenario one.

This scenario would make lifecycle management in Identity Manager easier, and it is the standard behavior from Identity Manager's point of view.
But does it really work with SSO, ...? Is that scenario also supported by Microsoft?

At the moment I'm tending to go with scenario 1, since it seems to be the safe way. It is fully Microsoft supported and keeps up to date with the fast-changing Azure cloud environment.

Does anyone have experience with one of these scenarios?

Do you have any hints on what I should take into account when deciding to go with one or the other scenario?

Patrick

PS:

There was already a discussion about the ImmutableID in the past https://www.oneidentity.com/community/identity-manager/f/forum/21463/azure-ad-immutableid
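The ImmutableID / msDS-ConsistencyGUID pairing that scenario 2 depends on, as an added PowerShell example that is not part of the original post and not Identity Manager or Microsoft code. It assumes the ActiveDirectory and MSOnline modules are installed and a Connect-MsolService session exists; the function names, the sample GUID and the account identities are placeholders I chose for illustration.

```powershell
# Added example, not from the original post or from Identity Manager.
# AAD Connect takes the 16 raw bytes of msDS-ConsistencyGUID (falling back to
# objectGUID when that attribute is empty) and stores them base64-encoded as
# the cloud user's ImmutableId. For scenario 2 both sides must carry the same
# anchor before the first sync. The helpers below compute that value,
# pre-stage the anchor on the on-prem account and verify both sides agree.
# Assumptions: ActiveDirectory and MSOnline modules, an existing
# Connect-MsolService session, placeholder identities.

function ConvertTo-ImmutableId {
    # Base64 of the raw 16-byte anchor, exactly as AAD Connect writes it.
    param([Parameter(Mandatory)][byte[]]$AnchorBytes)
    if ($AnchorBytes.Length -ne 16) {
        throw "Source anchor must be 16 bytes, got $($AnchorBytes.Length)"
    }
    [Convert]::ToBase64String($AnchorBytes)
}

function ConvertFrom-ImmutableId {
    # Reverse direction: cloud ImmutableId back to the on-prem GUID.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([byte[]][Convert]::FromBase64String($ImmutableId))
}

function Set-ConsistencyGuidFromObjectGuid {
    # Scenario 2 pre-staging: copy objectGUID into msDS-ConsistencyGUID, but
    # only while it is still empty. Overwriting an existing anchor would
    # silently re-pair the account with a different cloud object.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'msDS-ConsistencyGUID'
    if ($null -ne $u.'msDS-ConsistencyGUID') {
        Write-Warning "$SamAccountName already has msDS-ConsistencyGUID; leaving it untouched"
        return ConvertTo-ImmutableId ([byte[]]$u.'msDS-ConsistencyGUID')
    }
    $bytes = $u.ObjectGUID.ToByteArray()
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-ConsistencyGUID' = $bytes }
    # This is the value Identity Manager has to write as ImmutableID on the AAD user.
    ConvertTo-ImmutableId $bytes
}

function Test-HybridAnchor {
    # Compare the anchor AAD Connect will derive on-prem with what the cloud
    # object actually carries. A mismatch means AAD Connect will not
    # hard-match the two objects.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'msDS-ConsistencyGUID'
    $anchor = if ($null -ne $u.'msDS-ConsistencyGUID') { [byte[]]$u.'msDS-ConsistencyGUID' }
              else { $u.ObjectGUID.ToByteArray() }
    $expected = ConvertTo-ImmutableId $anchor
    $cloud = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        UserPrincipalName = $UserPrincipalName
        OnPremAnchor      = $expected
        CloudImmutableId  = $cloud
        Match             = ($expected -eq $cloud)
    }
}

# Offline worked value with a constructed GUID (no directory access needed).
$guid = [guid]'12345678-abcd-ef01-2345-6789abcdef01'
$id   = ConvertTo-ImmutableId $guid.ToByteArray()
"ImmutableId for $guid is $id"
if ((ConvertFrom-ImmutableId $id) -ne $guid) { throw 'round trip failed' }

# Directory checks (placeholder identities):
# Set-ConsistencyGuidFromObjectGuid -SamAccountName 'jdoe'
# Test-HybridAnchor -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com'
```

Two caveats when using this: the comparison is only meaningful if the AAD Connect installation uses msDS-ConsistencyGUID as its source anchor (the default for new installations since AAD Connect 1.1.524; older installs that were set up with objectGUID as the anchor ignore msDS-ConsistencyGUID), and the ImmutableId of an AAD user can only be set while that user is still cloud-only, so in scenario 2 Identity Manager has to write it before AAD Connect sees the on-prem account.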

  • Any update on this?

    I'm thinking of going with alternative 2 but must be assured that it is supported by Microsoft.

  • We went with Option 1 for everything that has to be a hybrid object. The reason is to be fully in sync with what Microsoft supports.

    Of course all the cloud-only objects are managed directly in Azure AD. Creating team workspaces is somewhat special since we have a process creating a team with PowerShell. It creates a new group directly, and a sync is needed so that Identity Manager has the corresponding objects in the DB.

    This may change as soon as we get the feature from One Identity to connect Teams directly.
