How to sync a single object which is only available in Target system

Hi All,

I am trying to design the below:

OneIM creates on-prem AD and the client's internal AAD Connect creates Azure AD.

For assigning licenses in OneIM, we need to sync that single Azure AD account.

Running a full sync every time is not an ideal solution from a performance point of view.

I think there will definitely be some OOTB process on how we can run a sync by specifying which account we are looking for and, if it is available in Azure AD, sync it to OneIM.

Is there any OOTB solution or any custom process which I can build?

Thank you

  • Hi,

    You don't say which version you are running but I'm going to assume it's V9 or above.

    If you look at a user account in Manager, you will see a task 'Synchronize this object'.

    This will generate the process 'AAD_User_Read', which will do exactly that: read/synchronise that user from AAD.

    HTH, Barry.

  • Thanks

    But my query is a little bit different.

    What if the Azure AD record or object doesn't exist in the One Identity DB?

    How to sync/import only one account created in the target system?

  • Hi.

    I had the same problem as you have and here's how we solved it.

    In short:
    Create the Entra account from IAM.
    Let the AAD Connect sync take ownership of the account.

    More detailed:
    1. An ADSAccount must be created first, so some kind of wait on the AAD_User_Insert must be implemented.
    2. The template for AADUser.OnPremImmutableId should look like this:

    ' Build a WHERE clause that selects the ADSAccount belonging to the same person
    Dim f As ISqlFormatter = Session.SqlFormatter
    Dim Where As String = f.UidComparison("UID_Person", $UID_Person$)
    Dim MSDsConsistencyGuid As String = ""

    ' Read ms-DS-ConsistencyGuid from the on-prem AD account; it becomes the
    ' OnPremImmutableId that AAD Connect uses to match the Entra account
    If Session.Source.TryGetSingleValue(Of String)("ADSAccount", "MSDsConsistencyGuid", Where, MSDsConsistencyGuid) Then
        Value = MSDsConsistencyGuid
    Else
        ' No ADSAccount (or no GUID yet): fail the template so the AADUser is not created without it
        Throw New ViException
    End If

    3. You have to make sure that OnPremImmutableId is the unique identifier in your Azure tenant.
    4. Make sure the process AAD_User_Update/(De)Activate is not able to update the accounts that you create this way.
    5. We've setup so that the process AAD_User_Delete only deletes the AADUser object in IAM, and not in Entra. We leave that to the AAD Connect sync.

    SOMETIMES the AAD Connect sync runs after the AD account has been created but before the Entra ID account has been created, and then you end up with an account in IAM that has an empty AADUser.Id, and then you can't do anything with the account until you've updated it. We do it manually through PowerShell (outside of IAM). Not ideal, but I am happy to receive any suggestion on how to do it through IAM.

    As always, test this in a development environment before production!
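The "wait on AAD_User_Insert" in step 1 of the reply above can be expressed as a check that the person's ADSAccount already carries the value the OnPremImmutableId template reads. The following script library function is an added example, not code from the thread or from One Identity; the customer prefix CCC_, the function name, and its use from the generating condition of the step that creates the AADUser are assumptions. It uses the same ISqlFormatter and Session.Source calls as the template in the reply.

```vb
' Added example (not from the thread). Returns True only when the person has an
' ADSAccount whose MSDsConsistencyGuid is populated, i.e. when the
' AADUser.OnPremImmutableId template would succeed instead of throwing.
' Assumed: the CCC_ prefix and function name; call it from the generating
' condition (or pre-script) of the AAD_User_Insert step so that the step is not
' generated before the on-prem account has its GUID.
Public Function CCC_ADSAccount_HasConsistencyGuid(ByVal uidPerson As String) As Boolean
    Dim f As ISqlFormatter = Session.SqlFormatter

    ' Same ADSAccount match as the template, plus a non-empty MSDsConsistencyGuid,
    ' because an empty value is exactly the case in which the template throws
    Dim whereClause As String = f.AndRelation( _
        f.UidComparison("UID_Person", uidPerson), _
        f.Comparison("MSDsConsistencyGuid", "", ValType.String, CompareOperator.NotEqual))

    ' Exists() avoids loading the row; only the presence of a matching account matters
    Return Session.Source.Exists("ADSAccount", whereClause)
End Function
```

Keeping the check in a script library function means the same condition can be reused by the process step that creates the AADUser and by any later troubleshooting query, and it fails closed: a person without an on-prem account, or with one that AAD Connect has not yet stamped with ms-DS-ConsistencyGuid, simply does not get an AADUser created until the function returns True.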