Sep 8, 2021
Designing synchronization solutions - Planning Identity Synchronization

We’ve already touched on the fact that Microsoft 365 is an identity-driven platform. This means you need to provision some sort of identity for your users to begin accessing the tools and features of the service.

When discussing Azure AD, it’s important to understand where identities are stored and how authentication is performed. With Azure AD, three basic identity models are available:

  • Cloud authentication: Identities are created directly in Azure AD (cloud-only) or synchronized to it from an on-premises directory, and authentication is performed by Azure AD itself. For synchronized identities this means either password hash synchronization or pass-through authentication.
  • Federated identity: User objects are synchronized to Azure AD, but authentication is handed off to a trusted federation service (such as AD FS) that validates credentials against the on-premises directory; Azure AD only consumes the resulting token.
  • External identity: Commonly used for business-to-business (B2B) or business-to-consumer (B2C) scenarios. The tenant stores a reference (guest) object that represents a user whose identity lives in another directory, such as a business partner's Azure AD tenant, Facebook, or Google.

For the exam objective, however, we’re going to focus on identity models that involve directory synchronization and working with the features surrounding those solutions. Hybrid identity is an identity and authentication model that involves both an on-premises identity and a corresponding synchronized cloud identity. With Microsoft 365, you can deploy a hybrid identity solution using Azure Active Directory Connect (most commonly referred to as Azure AD Connect).

Overview of Azure AD Connect

Azure AD Connect is a directory synchronization tool that has steadily evolved over the past several years to provide increased capabilities in the identity synchronization and authentication management areas. The current Azure AD Connect platform is built on the synchronization engine from Microsoft Identity Manager (MIM), which is why most of the terminology below (connector, connector space, metaverse) is MIM terminology.

At a high level, Azure AD Connect works by connecting to various on-premises and cloud directories, reading in objects such as users and groups, and then provisioning them to another directory. There are several key terms to understand when working with Azure AD Connect, which we’ll discuss in this section.

Connected system

Sometimes referred to as a connected directory, a connected system is any directory source that has been configured for use with Azure AD Connect.

Connector

A connector is a logical object that represents the configuration necessary to communicate with a connected directory. For example, the Azure AD connector stores the configuration Azure AD Connect needs to read from and write to Azure Active Directory. A connector also records which attributes are available from the connected directory and which server (or domain controller) is used when accessing it.

Connector space

You can think of the connector space as a staging table that holds a copy of every object imported from (or pending export to) a particular connector. Each connector has its own connector space; objects from different connector spaces are joined together in a central store called the metaverse.

sourceAnchor

Each synchronized object needs a unique, immutable attribute that stays with it throughout its lifetime. The sourceAnchor is that attribute: it is the value used to trace the lineage of an object as it moves between connector spaces and is represented in the various connected directories, and it is the key on which an on-premises object is joined to its cloud counterpart. No two objects can share the same sourceAnchor. Since version 1.1.524.0, Azure AD Connect defaults to mS-DS-ConsistencyGuid for users (populated from the user's objectGUID on first sync), and Azure AD stores the value as ImmutableId, the 16 raw bytes base64-encoded. Because the join is driven entirely by this value, treat write access to mS-DS-ConsistencyGuid on-premises and to ImmutableId in the cloud as privileged, and do not change the sourceAnchor attribute after the initial deployment.
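The check a practitioner usually wants here is whether a given user's sourceAnchor is the same value on-premises, in the metaverse, and in Azure AD. The following script is an added example and is not code from the original page or from Microsoft. It assumes it runs on the Azure AD Connect server with the ADSync module, the ActiveDirectory RSAT module and the Microsoft.Graph module (already connected with Connect-MgGraph and User.Read.All). The UPN, the AD connector name (contoso.com; AD connectors are named after the forest) and the Attributes/Values property names on the connector-space and metaverse objects are assumptions to confirm with Get-Member on your version.

```powershell
# Added example (not from the original page): verify that an on-premises user's
# sourceAnchor matches the cloud object it is joined to.
# Assumes: ADSync + ActiveDirectory + Microsoft.Graph modules, Connect-MgGraph done.
param(
    [string]$UserPrincipalName = 'jane.doe@contoso.com',   # placeholder
    [string]$AdConnectorName   = 'contoso.com'             # placeholder; see Get-ADSyncConnector
)
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Read the on-premises object. Azure AD Connect defaults to mS-DS-ConsistencyGuid
#    as the sourceAnchor and copies objectGUID into it on the first sync, so fall
#    back to objectGUID when the attribute has not been populated yet.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
    -Properties objectGUID, 'mS-DS-ConsistencyGuid'
if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }

$anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') {
    [byte[]]$adUser.'mS-DS-ConsistencyGuid'
} else {
    $adUser.ObjectGUID.ToByteArray()
}
# Azure AD stores the sourceAnchor as ImmutableId: the raw 16 bytes, base64-encoded.
$expectedImmutableId = [Convert]::ToBase64String($anchorBytes)

# 2. Follow the object from the AD connector space into the metaverse.
#    (Attributes/Values property names: check with Get-Member on your version.)
$csObj = Get-ADSyncCSObject -ConnectorName $AdConnectorName `
    -DistinguishedName $adUser.DistinguishedName
if (-not $csObj.ConnectedMVObjectId) { throw "Object is in the connector space but not joined to the metaverse" }
$mvObj    = Get-ADSyncMVObject -Identifier $csObj.ConnectedMVObjectId
$mvAnchor = ($mvObj.Attributes | Where-Object Name -eq 'sourceAnchor').Values |
    Select-Object -First 1

# 3. Compare with what Azure AD holds for the same user.
$cloudUser = Get-MgUser -UserId $UserPrincipalName -Property Id, OnPremisesImmutableId

[pscustomobject]@{
    UserPrincipalName     = $UserPrincipalName
    OnPremAnchorHex       = ($anchorBytes | ForEach-Object { $_.ToString('x2') }) -join ''
    ExpectedImmutableId   = $expectedImmutableId
    MetaverseSourceAnchor = $mvAnchor
    CloudImmutableId      = $cloudUser.OnPremisesImmutableId
    Consistent            = ($expectedImmutableId -eq $mvAnchor) -and
                            ($expectedImmutableId -eq $cloudUser.OnPremisesImmutableId)
}
```

A mismatch between ExpectedImmutableId and CloudImmutableId means the next sync will not join these two objects (or will join the on-premises object to a different cloud object that does carry that ImmutableId). The same mechanism is why a user who can set ImmutableId on a cloud account, or mS-DS-ConsistencyGuid on an on-premises account, can make the sync engine join them; the tenant-level guards for this are the BlockSoftMatch and BlockCloudObjectTakeoverThroughHardMatch directory sync features (Set-MsolDirSyncFeature in the MSOnline module), which are worth enabling once the initial matching is complete.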

Import

To populate each connector’s connector space, Azure AD Connect must read the object data from a source directory. Objects commonly include users, contacts, groups, and devices. The process for reading data is called import.

Synchronization

Once objects have been imported into the connector space, a synchronization job is executed. Synchronization is responsible for executing logic (called rules) that connects (or joins, in Azure AD Connect terminology) objects from different directories together in the metaverse and maps attributes between directory objects.

For example, a synchronization rule is responsible for mapping a user’s Department property in Active Directory to the Department property in Azure AD. If you have users who are represented in more than one source directory, a synchronization rule can be used to join the two objects together and map their attributes accordingly.

Synchronization also has the idea of precedence: when more than one rule flows a value to the same attribute of the same object, the order of the rules determines the outcome. Rules with higher precedence (a lower ordinal number in the rules list) override the results of lower-precedence (higher-numbered) rules. Precedence is only evaluated among the rules whose scoping filter actually matches the object, so a high-precedence rule that does not apply to a given object has no effect on it. Custom rules should be placed in the 0 to 99 range so that they win over the built-in rules.
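To see precedence in practice, list the rules that flow a given attribute and which of them wins. The following script is an added example, not code from the original page or from Microsoft. It assumes the ADSync module on the Azure AD Connect server; the attribute name department is the illustration (matching the Department mapping above), and the AttributeFlowMappings/Destination/Source/FlowType/Expression property names are as exposed by the ADSync module on recent versions and should be confirmed with Get-Member.

```powershell
# Added example (not from the original page): show every enabled rule that flows a
# given attribute in a given direction, ordered by precedence, and name the winner.
# Assumes: ADSync module. Run on the Azure AD Connect server.
param(
    [string]$Attribute = 'department',                     # illustration
    [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound'
)
Import-Module ADSync

# Connector GUID -> connector name, so each rule can be shown with its directory.
$connectorNames = @{}
Get-ADSyncConnector | ForEach-Object { $connectorNames[$_.Identifier.ToString()] = $_.Name }

# Inbound rules write metaverse attributes; outbound rules write connector-space
# attributes. Either way the mapping's Destination is the attribute being decided.
$rules = Get-ADSyncRule | Where-Object { $_.Direction -eq $Direction -and -not $_.Disabled }
$hits = foreach ($rule in $rules) {
    foreach ($flow in $rule.AttributeFlowMappings) {
        if ($flow.Destination -ne $Attribute) { continue }
        [pscustomobject]@{
            Precedence = $rule.Precedence
            Rule       = $rule.Name
            Connector  = $connectorNames[$rule.Connector.ToString()]
            FlowType   = $flow.FlowType          # Direct, Constant or Expression
            Source     = ($flow.Source -join ',')
            Expression = $flow.Expression
        }
    }
}

if (-not $hits) {
    "No enabled $Direction rule flows '$Attribute'."
    return
}

# Lower ordinal = higher precedence = wins when several rules apply to one object.
$ordered = $hits | Sort-Object Precedence
$ordered | Format-Table -AutoSize
$winner = $ordered | Select-Object -First 1
"'$Attribute' ($Direction) is decided by rule '$($winner.Rule)' (precedence $($winner.Precedence)) for objects in that rule's scope."
```

Read the output together with each rule's scoping filter: the list shows the order of candidates, but a rule only takes part for objects its scope matches. Running this before and after adding a custom rule is a quick way to confirm that the custom rule landed above the built-in one it is meant to override rather than below it.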
