AAD Sync synchronization services and rules

AAD Sync management is performed using two different interfaces, the Synchronization Service option and Synchronization Rules Editor, as shown in the following screenshot:


Now, we will see how to manage some aspects of AAD Sync using the previously mentioned administrative tools. The outline of our lab deployment is shown in the following image:


How to do it...

  1. We have discussed the metaverse in the previous section. The way information flows inside and outside the metaverse is dictated by the synchronization rules. As we can see in the following screenshot, inside the Synchronization Rules Editor, we have a "direction" for every rule (Inbound and Outbound to the metaverse).
  2. The default configuration includes inbound rules from all our domains (the resource forest wonderland.lab, the user forest ForestB.lab, and the Azure Active Directory absoluteuc.net), while the outbound rules are only for Azure Active Directory. It's important to understand that during the configuration of AAD Sync, the setup determines whether we have a Lync or Exchange deployment and creates dedicated rules for them, as shown in the following screenshot:

    In our scenario, Lync and Exchange rules are outbound from the resource forest that hosts the previously mentioned services, and inbound to Azure, for Lync Online and Exchange Online.

  3. The rules are made up of four separate pieces: Description, Scoping Filter, Join rules, and Transformations. We will see the parameters for the In from AD - User Lync inbound rule for the resource domain.
  4. The Description option includes the system that will use the rule, the kind of object we apply the rule on, and the metaverse object type (this one is always a "person"). We also have to select the kind of link (Join, StickyJoin, or Provision). The screen for the previously mentioned rule is shown in the following screenshot:
  5. The Scoping Filter and Join Rules options are empty in our rule. The former dictates when the rule has to be activated (for example, only enabled users) while the latter is used to tie an attribute to another one in the metaverse.
  6. The Transformations option is a list of attributes that will flow (and possibly be modified) when transmitted over a connector. While the rule we are talking about has only direct transformations, with attributes mapped to the same attributes, this part of the rules can be very complex, especially when we look at an outbound rule such as Out to AAD - User ExchangeOnline, shown in the following screenshot:
  7. Now, we have to open Synchronization Service of AAD Sync from the start page to see the remaining parts of AAD Sync.
  8. The configuration steps have created a series of Operations and Connectors, as we can see in the following screenshot:

    If we are already familiar with FIM, this part of AAD Sync is really similar to what we had in Identity Manager. The Connectors option is used to transmit data to the various systems in a transparent manner. The Operations option activates the transmission of information based on the rules.

  9. We are able to customize the connectors. For example, we will see how to limit the organizational units used in the synchronization process. Click on Connectors and select the one named after the user forest (ForestB.lab), as shown in the following screenshot. Right-click and select Properties.
  10. Select Configure Directory Partition and click on Containers. We have to insert the password required to access the ForestB domain and then click on OK. Now, we can select the Organizational Unit where the accounts (which we want to import into the cloud) are located, as shown in the following screenshot:
  11. The steps from here on are similar to the ones that we have seen for FIM, including import, synchronization, and export to and from the metaverse.
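
The four rule pieces described in steps 3 to 6 can be sketched as a small data model. This is an added example, not code from the book or from AAD Sync: the class, the function names, the sample rule, and the sample objects are all constructed, and the evaluation order is a simplification of what the sync engine does. It shows that only attributes listed under Transformations reach the metaverse, and that an object outside the Scoping Filter contributes nothing.

```python
from dataclasses import dataclass, field

@dataclass
class SyncRule:
    """Simplified model of one rule; field names are assumptions, not the product schema."""
    name: str
    direction: str      # "Inbound" or "Outbound", relative to the metaverse
    link_type: str      # "Join", "StickyJoin" or "Provision"
    scoping_filter: list = field(default_factory=list)   # (attribute, required value); empty = always applies
    join_rules: list = field(default_factory=list)       # (source attribute, metaverse attribute)
    transformations: dict = field(default_factory=dict)  # metaverse attribute -> source attribute (direct flow)

def in_scope(rule, obj):
    # Every scoping condition must hold, e.g. "only enabled users".
    return all(obj.get(attr) == value for attr, value in rule.scoping_filter)

def find_join(rule, obj, metaverse):
    # Tie a source attribute to a metaverse attribute to locate the matching person.
    for src_attr, mv_attr in rule.join_rules:
        value = obj.get(src_attr)
        for person in metaverse:
            if value is not None and person.get(mv_attr) == value:
                return person
    return None

def apply_inbound(rule, obj, metaverse):
    """Return the metaverse object the rule wrote to, or None if nothing flowed."""
    if rule.direction != "Inbound" or not in_scope(rule, obj):
        return None
    person = find_join(rule, obj, metaverse)
    if person is None:
        if rule.link_type != "Provision":
            return None  # modelled behaviour: only Provision creates metaverse objects
        person = {"objectType": "person"}
        metaverse.append(person)
    for mv_attr, src_attr in rule.transformations.items():
        if src_attr in obj:
            person[mv_attr] = obj[src_attr]  # attributes not listed here never flow
    return person

# Constructed sample rule and directory objects (not taken from a real deployment).
RULE = SyncRule(name="In from AD - Example", direction="Inbound", link_type="Join",
                scoping_filter=[("accountEnabled", True)], join_rules=[("mail", "mail")],
                transformations={"msRTCSIP-PrimaryUserAddress": "msRTCSIP-PrimaryUserAddress"})
ALICE = {"mail": "alice@wonderland.lab", "accountEnabled": True, "employeeID": "1001",
         "msRTCSIP-PrimaryUserAddress": "sip:alice@absoluteuc.net"}
BOB = {"mail": "bob@wonderland.lab", "accountEnabled": False}
```

Reviewing each rule's transformation list against this model is a quick way to confirm which directory attributes can leave the on-premises forests.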

See also
