My problem is that we have 2 On-Premises Active Directory domains:
mycompany.com
mycompany-dev.com
Some people are present in both of these AD-s. I want to sync them with Azure Active Directory so that they are all represented once, and all have the #mycompany.com suffix (instead of #mycompany.onmicrosoft.com). I also don't want some users to have #mycompany-dev.com in their azure AD account login name, so I want to do some sort of mapping I guess.
Is this possible with Azure AD Connect, or do I have to implement a synchronization method manually?
You can sync multiple on-premises domain to Azure AD. Kindly check the link and you will get a detailed information about different topologies supported
Related
I'm trying to setup a user lifecycle flow that will allow me to create an Azure Active Directory user (Member, not Guest) when an employee is created in our HRIS tool (HiBob). There is a pre-existing integration which is enabled and allows us to get basic information (name, location, etc.).
In the HRIS system we also store some more unique data that I would like to be added to the users AAD profile (maybe an emergency contact for example) that we can then use to provision other applications (like Slack).
My issue is trying to create these custom property fields. I have read about Azure B2C as well as directory schema, custom security extensions and using MS Graph. None of these seem to be totally relevant to my situation.
FYI we are fully cloud, so Azure AD Connect is also not an option.
To store custom data in Azure AD objects such as users you can leverage Azure AD Directory Extensions in tandem with Azure AD Provisioning trough SCIM.
If users once synced with Azure AD Connect Cloud Provisioning can be moved to synchronization via Forest trust without having to remove and re-add the users?
Cloud provisioning can be used to sync from multiple Active Directory forests. In the multi-forest environment, all the references (example, manager) need to be within the domain. Users and groups must be represented only once across all forests.
Kindly check the document for Azure AD connect cloud provisioning supported topologies to get detailed information about this
Imagine that a large company that has a number of subsidiaries. A shared IT company manages the Active Directory (and almost all other IT services) centrally for all subsidiaries. There also currently exists an Azure tenant which is connected to the On Premises Active Directory, however for issues surrounding who controls/owns which resources employees cannot use this Azure tenant.
One of the subsidiaries decides it wants to create it's own Azure tenant so it can progress it's development work. However that company is told that "Only a single federation to an Azure tenant is currently supported per Active Directory Domain".
I found this document. Would it be reasonable to presume that if the company consisted of the Contoso implementation that it would still be possible to federate 2 azure tenants to that single On Premises Active Directory. Are there any reasons why one implementation of On Premises Active Directory would be capable of this functionality and another not.
Yes, you can do this but you can only have one AD Connect instance per tenant as there is a 1:1 relationship between an Azure AD Connect Sync server and an Azure AD tenant. So you need to register three separate UPN suffixes for each tenant with the on-premises Active Directory and use three separate sync servers (one for each tenant). You need to apply filtering while syncing AD users for each tenant.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
I found it's possible to sync users/groups from Azure AD to local App though SCIM. But it seems not available in local AD, and seems not available in ADFS.
How I can sync from local AD, or is there any tools I can use?
You would need a SCIM Product which you can create yourself or Purchase from several vendors.
Assuming you wish to take entries out of your local Microsoft Active Directory and "SCIM Them" into something else, you would probably want a SCIM Client and then put them into your SCIM Service Provider.
You would need to use something to get the entries out of Microsoft Active Directory and then use SCIM to put them into ???.
You could also use the Microsoft DirSync Control using LDAP
There are many IDM vendors that create product with this functionality.
When RBAC was introduced in Azure Active directory, roles can be granted to users or collection of users (groups).We followed this blog post and added that functionality for our apps when it first got introduced. But now, we have to go for active directory premium to assign roles to groups and get roles in bearer token.Going with Azure Active directory is not a feasible solution for us as premium is gonna cost us $6 user/ month and we have lot of groups and each group has lot of users. Looking at the costs our IT team is not willing to go for this package. I was just wondering if there an alternative approach for mapping roles to groups. Or this is only doable using premium.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD( refer here about detail).
So if you want to manage the roles using the group, we need at least the Azure AD Basic license. If you were using the free edition, we can only assign the roles to the users one by one.
Instead using the role manage the access for the application, we can also use the group which also supports for the Azure AD free edition. You can check the code sample about authorization in a web app using Azure AD groups & group claims from here.