Prerequisites to configure the back-synchronization:
The user account used to perform back sync configuration must have the following privileges:
Directory Writers Role must be enabled in Azure Active Directory. To enable the role use the following script:
# Prompt for the credentials of the account that will activate the role
$psCred = Get-Credential
# Sign in to Azure AD with those credentials
Connect-AzureAD -Credential $psCred
# Look up the built-in role template for Directory Writers
$roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
# Enable an instance of the DirectoryRole template
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
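The script above fails if the role is already activated and does not confirm that the back sync account actually holds it. The following added example (not part of the Active Roles documentation) checks both conditions idempotently and changes nothing unless -Remediate is given; it assumes the same AzureAD module and an existing Connect-AzureAD session, and the account UPN is a placeholder.

```powershell
# Added example: verify the Directory Writers prerequisite for the back sync account.
# Assumes the AzureAD module and an open Connect-AzureAD session.
function Test-BackSyncRolePrerequisite {
    param(
        [Parameter(Mandatory)] [string] $AccountUpn,
        [switch] $Remediate   # without this switch the function only reports
    )

    $roleName = "Directory Writers"

    # Only activated roles are returned by Get-AzureADDirectoryRole; templates always exist.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) {
        if (-not $Remediate) {
            Write-Warning "Role '$roleName' is not activated in the tenant."
            return $false
        }
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        # Re-query so $role is the activated instance, not the template
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
        Write-Verbose "Activated role '$roleName'."
    }

    # Resolve the account and compare by ObjectId, not by display name
    $user = Get-AzureADUser -ObjectId $AccountUpn
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $user.ObjectId) {
        Write-Verbose "$AccountUpn is already a member of '$roleName'."
        return $true
    }

    if (-not $Remediate) {
        Write-Warning "$AccountUpn is not a member of '$roleName'."
        return $false
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Verbose "Added $AccountUpn to '$roleName'."
    return $true
}

# Usage: report first; rerun with -Remediate once the result has been reviewed.
# "backsync-svc@contoso.example" is a placeholder account name.
Test-BackSyncRolePrerequisite -AccountUpn "backsync-svc@contoso.example" -Verbose
```

Running it in report mode before the Configure Azure BackSync dialog gives a clear reason when Test Office 365 Connection fails on permissions rather than on credentials.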
To configure Azure backsync in Active Roles Synchronization Service
In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.
The Configure BackSync operation in Azure with on-premises Active Directory objects dialog box is displayed.
In the dialog box that opens:
Enter valid Account ID credentials for the Azure domain, and click Test Office 365 Connection. Select one of the following proxy options for the connection:
Use Internet Explorer settings: Causes the connector to automatically detect and use the proxy server settings specified in Microsoft Internet Explorer installed on the Synchronization Service computer.
Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).
Automatically detect: Automatically detects and uses proxy server settings.
Do not use proxy settings: Specifies that no proxy server is used for the connection.
On successful validation, a message confirming that the Office 365 connection settings are valid is displayed.
Enter the valid Active Roles account details and click Test Active Roles Connection.
On successful validation, a message confirming that the Active Roles connection settings are valid is displayed.
The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically.
On successful configuration, a success message is displayed.
If the Azure BackSync settings are already configured in the system, a warning message asks you to confirm whether you want to override the existing backsync settings with the new settings. To override them, click Override BackSync Settings; otherwise, click Cancel to retain the existing settings.
Prerequisites to configure the back-synchronization manually:
NOTE: Before adding a replication partner in a Replication environment, make sure to perform back-synchronization in the Service that is configured with the Publisher database.
To configure sync workflow to back-synchronize users and groups perform the following steps:
Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD.
To configure an application:
The application must have "Application Permissions" to "read" and "write" directory data in Windows Azure Active Directory.
Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.
Create a Sync Workflow using the Azure AD and Active Roles connections. Add a Synchronization step to Update Azure User/Group to Active Roles User/Group. Configure the Forward Sync Rule to synchronize the following:
Create a Mapping Rule that uniquely identifies the user/group in Azure AD and in on-premises AD, and maps the specified properties from Azure AD to Active Roles appropriately.
For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.
To configure sync workflow to back-synchronize contacts perform the following steps:
Create a connection to Office 365 using the Microsoft Office 365 Connector. The configuration requires Microsoft Online Services ID, Password, Proxy server (if required) and Exchange Online services.
Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.
Create a Sync Workflow using the Office 365 and Active Roles connections. Add a Synchronization step to Update Office 365 Contacts to Active Roles Contacts. Configure the Forward Sync Rule to synchronize the following:
Create a Mapping Rule that uniquely identifies the contact in Office 365 and in on-premises AD, and maps the specified properties from Office 365 to Active Roles appropriately.
The Active Roles web interface enables you to perform administrative tasks such as create, read, update, deprovision, undo-deprovision, and delete Azure AD users in a hybrid environment. You can also perform other operations, such as adding and removing Azure AD users in groups and assigning Office 365 licenses to users. Some of the user operations can be performed using the Management Shell in addition to the web interface. The following section guides you through the Active Roles web interface and Management Shell to manage Azure AD users.
© 2021 One Identity LLC. All rights reserved.