Preparing Identities for the Cloud, Randy Robb, 2016 Redmond Summit | Identity Without Boundaries, May 24th 2016, Senior Consultant

1 Preparing Identities for the Cloud, Randy Robb, 2016 Redmond Summit | Identity Without Boundaries, May 24th 2016, Senior Consultant #OCGUS16 @OCGUSOfficial

2 Introduction

3 Preparing Identities for the Cloud

4 Company IT Infrastructure

8 Generic System

9 Generic Cloud System

10 Azure AD

14 Supported Topologies
  - Single forest, single Azure AD directory
  - Multiple forests, single Azure AD directory (objects represented are mutually exclusive)

15 Supported Topologies
  - Multiple forests – separate topologies (objects represented are mutually exclusive)
  - Multiple forests – match users (objects that represent the same identity are joined; resources shared via trusts; users matched by a selected attribute)

16 Supported Topologies
  - Multiple forests – full mesh with optional GALSync (MIM on premises; users matched by email address across Exchange Org A and Exchange Org B)
  - Multiple forests – account-resource forest (users matched by msExchMasterAccountSID)

17 Supported Topologies – GALsync with on-premises MIM sync server (contact objects synchronized)

21 Supported Topologies – Single forest, each object only once in an Azure AD directory
  - The UPNs of the users in the on-premises AD must use separate namespaces.
  - There must be a 1:1 correspondence between a namespace and an Azure AD instance.
  - There is no GALsync between the Azure AD directory instances; the address book in Exchange Online and Skype for Business only shows users in the same directory.
  - Only one of the Azure AD directories can enable Exchange hybrid with the on-premises Active Directory.
  - Windows 10 devices can only be associated with one Azure AD directory.
  - The requirement for mutually exclusive sets of objects also applies to writeback. Some writeback features are not supported with this topology, since they assume a single on-premises configuration: group writeback with the default configuration, and device writeback.

22 Source Anchor

26 Source Anchor
  - The sourceAnchor attribute is defined as an attribute that is immutable during the lifetime of an object.
  - When a new sync engine server is built, or rebuilt after a disaster recovery scenario, this attribute links existing objects in Azure AD with objects on-premises.
  - If you move from a cloud-only identity to a synchronized identity model, this attribute allows objects to "hard match" existing objects in Azure AD with on-premises objects.
  - If you use federation, this attribute together with the userPrincipalName is used in the claim to uniquely identify a user.

28 IDFix
  - Free download from Microsoft
  - It doesn't fix all issues, but it is good for most
  - Originally created for Office 365 implementations

31 IDFix – What does it do?
  "Provides customers the ability to identify and remediate the majority of object synchronization errors in their Active Directory forests in preparation for deployment to Office 365."
  Key point – remediate errors in preparation for Office 365, in particular Exchange Online.

32 IDFix – Details
  mail
    - No white space
    - RFC 2822-routable namespace
    - No duplicates
    - Less than 256 characters
  mailnickname
    - Not blank
    - Invalid characters: whitespace \ ! # $ % & * + / = ? ^ ` { } | ~ ( ) ' ; : , [ ] " @
    - May not begin or end with a period
    - Less than 64 characters
  proxyaddresses
    - RFC 2822-routable namespace (SMTP only)
    - No duplicates
    - Less than 256 characters
  samaccountname
    - Invalid characters: \ " | , / [ ] : + = ; ? *
    - No duplicates
    - Less than 20 characters
  targetAddress
    - Not blank
    - RFC 2822-routable namespace (SMTP only)
    - Value = mail (contact and user [if no homeMdb])
    - Less than 256 characters
  userPrincipalName
    - RFC 2822-routable namespace
    - Invalid characters: whitespace \ % & * + / = ? ` { } | ( ) ; : , [ ] "
    - No duplicates
    - Less than 64 characters before @
    - Less than 256 characters after @
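The attribute rules above are simple enough to pre-check before running IDFix itself. The following is an added example, not part of the presentation or of the IDFix tool: it encodes the slide's rules for mail, mailnickname, samaccountname and userPrincipalName (invalid characters, length limits, the period rule, forest-wide duplicates) and runs them over a constructed set of user objects. The routability test is a deliberate simplification (dotted domain, no private suffix such as .local), and contoso.example is a placeholder domain.

```python
import re
from collections import Counter
# Invalid characters transcribed from the IDFix slide; whitespace is also invalid for nickname and UPN.
INVALID_NICK = set('\\!#$%&*+/=?^`{}|~()\';:,[]"@') | set(" \t")
INVALID_SAM = set('\\"|,/[]:+=;?*')
INVALID_UPN = set('\\%&*+/=?`{}|();:,[]"') | set(" \t")
ROUTABLE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')  # constructed simplification of "RFC 2822-routable"
NONROUTABLE = (".local", ".internal")  # private suffixes that cannot route on the internet

def routable(addr):
    return bool(ROUTABLE.match(addr)) and not addr.lower().endswith(NONROUTABLE)

def check_object(obj):
    """Names of the attributes of one object that break a per-object IDFix rule."""
    errs = []
    mail = obj.get("mail", "")
    if mail and (not routable(mail) or len(mail) >= 256):  # whitespace fails the regex
        errs.append("mail")
    nick = obj.get("mailNickname", "")
    if not nick or set(nick) & INVALID_NICK or nick[0] == "." or nick[-1] == "." or len(nick) >= 64:
        errs.append("mailNickname")
    sam = obj.get("sAMAccountName", "")
    if set(sam) & INVALID_SAM or len(sam) >= 20:
        errs.append("sAMAccountName")
    upn = obj.get("userPrincipalName", "")
    local, _, domain = upn.partition("@")
    if set(upn) & INVALID_UPN or not routable(upn) or len(local) >= 64 or len(domain) >= 256:
        errs.append("userPrincipalName")
    return errs

def find_duplicates(objects, attr):
    # Case-insensitive duplicates across the whole forest (the slide's "No duplicates" rule).
    counts = Counter(o[attr].lower() for o in objects if o.get(attr))
    return sorted(v for v, n in counts.items() if n > 1)

def run_idfix_checks(objects):
    # Per-object errors keyed by DN, plus forest-wide duplicates keyed by attribute.
    report = {o["dn"]: e for o in objects if (e := check_object(o))}
    dups = {a: d for a in ("mail", "userPrincipalName", "sAMAccountName") if (d := find_duplicates(objects, a))}
    return report, dups
# Constructed sample objects; contoso.example is a placeholder domain.
SAMPLE = [
    {"dn": "CN=Alice", "mail": "alice@contoso.example", "mailNickname": "alice",
     "sAMAccountName": "alice", "userPrincipalName": "alice@contoso.example"},
    {"dn": "CN=Bob", "mail": "bob@contoso.example", "mailNickname": "bob smith",
     "sAMAccountName": "bob", "userPrincipalName": "bob@contoso.local"},
    {"dn": "CN=Carol", "mail": "alice@contoso.example", "mailNickname": "carol.",
     "sAMAccountName": "engineeringcontractor21", "userPrincipalName": "carol@contoso.example"},
]
```

Running run_idfix_checks(SAMPLE) flags Bob's nickname and non-routable UPN, Carol's trailing period and over-long sAMAccountName, and the duplicate mail value shared by Alice and Carol.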

33 IDFix – Details

34 AD Sync Health

35 Reporting – AD Sync Health

36 Preparing On-Premises AD
  Before installing / configuring Azure AD Sync:
    1. Define a supported topology
    2. Identify uniqueness of AD objects
    3. Identify your Source Anchor
    4. Clean up AD to ensure correct attribute formatting (IDFix)
  After installation and synchronization verification:
    1. Look at the Synchronization Service
    2. Review the Azure AD Health report

37 DEMO

38 2016 Redmond Summit Sponsors
