In any hybrid environment, on-premises Active Directory objects are synchronized to Azure AD using Azure AD Connect. When Active Roles is deployed in such a hybrid environment, to continue using the functionality, you must synchronize back the existing users and groups' information, such as Id from Azure AD to on-premises AD. To synchronize existing AD users and groups from Azure AD to Active Roles use back synchronization.
When creating objects such as users, groups, or contacts in Federated or synchronized Identity environment, they are first created on-premise and then they are synchronized to Azure using AAD Connect. To allow further management, the BackSync is performed to obtain the ObjectID of these objects and update the edsvaAzureObjectID in Active Roles.
Back synchronization can be performed automatically or manually using the Active Roles Console:
-
Automatic Back Synchronization is performed using the Azure BackSync Configuration feature in Active Roles that allows you to configure the BackSync operation in Azure with on-premises Active Directory objects through the Active Roles Console. After the BackSync operation is completed successfully, the Azure application registration and the required connections, mappings, and sync workflow steps are created automatically.
For information on configuring the BackSync operation automatically using the Active Roles Console, see Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles automatically using the Active Roles Synchronization Service Console.
For more information on the results of the BackSync operation see the Active Roles Administration Guide.
-
Manual Back Synchronization is performed by using the existing functionality of component of Active Roles. Sync workflows are configured to identify the Azure AD unique users or groups and map them to the on-premises AD users or groups. After the back synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.
For information on configuring sync workflows for Azure AD, see Active Roles Administration Guide.
Prerequisites
- You must install and configure Azure AD Connect for the hybrid environment.
-
The user account that is used for performing back synchronization configuration must have the following privileges:
-
For the back synchronization to work as expected, install the Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later.
-
You must enable the Directory Writers Role in Azure Active Directory. To enable the role, run the following script:
$psCred=Get-Credential
Connect-AzureAD -Credential $psCred
$roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
# Enable an instance of the DirectoryRole template
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
-
For the back synchronization to work as expected, the user in Active Roles must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId and edsvaAzureObjectID. The user must also have a local administrator privilege where the Active Roles synchronization service is running.
To configure Azure BackSync in Active Roles
-
In the upper right corner of the Administration Console, select Settings > Configure Azure BackSync.
The Configure BackSync operation in Azure with on-premises Active Directory objects dialog is displayed.
-
In the dialog that opens:
-
Enter the Azure domain valid Account ID credentials, and click Test Office 365 Connection.
-
Specify whether you want to use a proxy server for the connection. You can select one of the following options:
-
Use WinHTTP settings: Prompts the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).
-
Automatically detect: Automatically detects and uses proxy server settings.
-
Do not use proxy settings: Specifies to not use proxy server for the connection.
On successful validation, the success message that the Office 365 Connection settings are valid is displayed.
-
Enter the valid Active Roles account details and click Test Active Roles Connection.
On successful validation the success message that the Active Roles connection settings are valid is displayed.
-
Click Configure BackSync.
The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically.
On successful configuration the success message is displayed.
If the Azure BackSync settings are already configured in the system, a warning message is displayed to confirm whether you want to override the existing back synchronization settings with the new settings.
-
To override the existing back synchronization settings with the new settings, click Override BackSync Settings.
-
To retain the existing back synchronization settings, click Cancel.
Prerequisites
- You must install and configure Azure AD Connect for the hybrid environment.
-
You must install and configure the Component for Active Roles.
-
You must complete the Azure AD configuration and the Administrator Consent for Azure AD application through the web interface.
-
You must enforce the Azure AD built-in policy for the container where Active Roles performs the back synchronization.
-
For the back synchronization to work as expected, the user in Active Roles must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have a local administrator privileges where the Active Roles is running.
To configure sync workflow to back synchronize users and groups
-
Create a connection to Azure AD in the hybrid environment
Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD. To configure an application:
-
Create an Azure Web Application (or use any relevant existing Azure Web Application) under the tenant of your Windows Azure Active Directory environment.
The application must have Application Permissions set to read and write directory data in Windows Azure Active Directory.
NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Administration Console.
-
Open the application properties and copy the following:
-
You need to supply the copied client ID and key when creating a new or modifying an existing connection to Windows Azure Active Directory in the Administration Console.
NOTE: The Web Application that is created or is already available for Azure AD Connector, is different from the application that is created while configuring Azure AD using Active Roles Web Interface. Both the applications must be available for performing back synchronization operations.
-
Create a connection to Active Roles in the hybrid environment
Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. To select the container that the objects for synchronization must be selected from, define the scope.
-
Create a Sync Workflow
Create a Sync Workflow using the Microsoft 365 and Active Roles connections. Add a Synchronization step to update Microsoft 365 Contacts to Active Roles Contacts. To synchronize the following, configure the Forward Sync Rule:
-
Set the Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.
-
Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.
-
Set edsvaAzureAssociatedTenantId with Azure Tenant ID.
-
Create a Mapping rule
Create a Mapping rule which identifies the user/group in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.
For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.
NOTE: Consider the following when creating a Mapping rule:
- Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. An incorrect mapping rule might create duplicate objects and the back-sync operation might not work as expected.
-
The initial configuration and running of the back synchronization operation for Azure AD users ID is a one-time activity.
- In Federated or Synchronized environments, Azure AD group creation is not supported. The group is created in Active Roles and it is synchronized eventually to Azure using Microsoft Native tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premise AD.
-
You must configure the Sync engine to synchronize the data back to AD based on the frequency of groups creation.
To configure sync workflow to back synchronize contacts
-
Create Connection to Microsoft 365 in the hybrid environment
Create a connection to Microsoft 365 using the Microsoft 365 Connector. The configuration requires Microsoft Online Services ID, Password, Proxy server (if required) and Exchange Online services.
NOTE: The back-synchronization of contacts uses Microsoft 365 Connector to establish connection to Microsoft 365. The back synchronization of users and groups uses the Azure AD Connector to establish connection to Azure AD.
-
Create a connection to Active Roles in the hybrid environment
Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. To select the container that the objects for synchronization must be selected from, define the scope.
-
Create a Sync Workflow
Create a Sync Workflow using the Microsoft 365 and Active Roles connections. Add a Synchronization step to update Microsoft 365 Contacts to Active Roles Contacts. To synchronize the following, configure the Forward Sync Rule:
-
Set the Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.
-
Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.
-
Set edsvaAzureAssociatedTenantId with Azure Tenant ID.
-
Create a Mapping rule
Create a Mapping rule, which identifies the contact in Microsoft 365 and on-premises AD uniquely and map the specified properties from Microsoft 365 to Active Roles appropriately.
NOTE: Consider the following when creating a Mapping rule:
- Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. An incorrect mapping rule might create duplicate objects and the back-sync operation might not work as expected.
- In Federated or Synchronized environments, Azure AD group creation is not supported. The group is created in Active Roles and it is synchronized eventually to Azure using Microsoft Native tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premise AD.
