Can FIM provision users to Azure Active Directory?

  • Question

  • Hi,

    I have an Active Directory with FIM and Exchange 2010. Users are synced to this environment via a CSVDE export from another AD.

    Can FIM 2010 R2 sync users to Azure Active Directory using the Azure connector so that:

    - New users are provisioned (including Exchange 2010 mailboxes, I know Exchange 2010 as a VM isn't officially supported in Azure)
    - Old users are deleted
    - User account information is updated based on ObjectSid

    I know that with an on-premises DC\AD you can run the registration script to register Self Service Password Reset (SSPR) answers against FIM - is this still the case when relying exclusively on Azure AD?

    Lastly, if we skipped FIM synchronisation and relied on AD Connect to sync users from on-premises to Azure AD, could we still use FIM SSPR to reset passwords for users?

    • Edited by Aetius2012 Wednesday, February 3, 2016 7:39 PM after thought
    Wednesday, February 3, 2016 7:26 PM

Answers

  • Hi,

    you can't do what you describe in the 2nd part. Exchange needs a real AD, and Azure AD is completely different in that way. Also the new DCaaS (Azure AD Directory Services) in Preview will not work for that.

    You NEED an IaaS DC and of course 2 do implement that.

    Then you need a VPN to connect to the IaaS for the FIM, or open ports to the whole world in the IaaS, but that is not a good idea.

    Users can then also connect to OWA via port forwarding, I think.

    So from the FIM perspective the IaaS solution will always be a normal AD, and you must use the AD MA and find some way to connect FIM and the IaaS solution via network (VPN or Internet).

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Aetius2012 Friday, February 5, 2016 7:16 AM
    Thursday, February 4, 2016 5:44 PM

All replies

  • Hello,

    I don't completely understand your scenario, mainly the Exchange 2010 (as a VM?) thing.

    Are you saying you have Exchange 2010 as a VM in Azure? But then you also need a DC as a VM in Azure, and sync from FIM to that AD will have nothing to do with Azure AD.

    This is a normal AD which you can connect by the normal AD connector through a VPN.

    In general for FIM there is a WAAD Connector, but that will not get any further updates, though it is still supported in FIM and MIM. But that connector misses some features like PW hash sync. You will need to have ADFS in order to get things working. It is also not recommended to use that connector any more, but it will work.

    I would suggest using AADConnect for syncing to Azure AD, and then use a PS MA or PS script to assign the O365 license; that will automatically provision a mailbox for Azure users.

    Also FIM/MIM SSPR has "nearly" nothing to do with and cannot be combined with Azure. It's an on-prem solution. The only thing that is Azure related is that you can use Azure MFA within MIM2016 SSPR (new Phone Gate).

    Regarding the last question.

    Yes you can still use FIM SSPR if you enable PW hash sync in AADC.
    FIM SSPR will reset onPrem AD PW and that PW is then synchronized by AADC to Azure AD. But you can instead also use Azure PW Reset and use PW writeback feature of AADConnect.

    Depends on what best fits your scenario.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, February 4, 2016 3:12 PM
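    Peter mentions assigning the O365 license from a PowerShell script so that the mailbox gets provisioned. The script below is an added illustration of that step using the MSOnline module; it is not code from this thread or from Peter. The tenant SKU name, the usage location and the user UPNs are placeholders, and the module must already be installed and the caller must hold a licensing admin role.

    ```powershell
    # Added example (not from the thread): assign an Office 365 licence to users
    # that AADConnect has already synced to Azure AD, so that Exchange Online
    # provisions the mailbox. Assumes the MSOnline module and a licence-admin role.
    # SKU name, usage location and UPNs below are placeholders / constructed.

    Import-Module MSOnline
    Connect-MsolService    # interactive sign-in to the tenant

    $AccountSkuId  = 'contoso:ENTERPRISEPACK'   # placeholder: list real SKUs with Get-MsolAccountSku
    $UsageLocation = 'GB'                        # a usage location is required before licensing
    $Users = @('alice@contoso.example', 'bob@contoso.example')   # constructed sample UPNs

    # Fail early if the SKU does not exist or does not have enough free units
    $sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "SKU $AccountSkuId not found in tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($free -lt $Users.Count) { throw "Only $free licences free, $($Users.Count) needed" }

    foreach ($upn in $Users) {
        $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $u) {
            # The account has not arrived via AADConnect yet; leave it for the next run
            Write-Warning "$upn not yet synced to Azure AD, skipping"
            continue
        }

        # Idempotent: do not touch users that already hold this SKU
        if ($u.Licenses.AccountSkuId -contains $AccountSkuId) {
            Write-Verbose "$upn already licensed"
            continue
        }

        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
        }

        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId
        Write-Output "Licensed $upn with $AccountSkuId"
    }
    ```

    The script only adds licences, never removes them, and skips accounts that have not been synced yet, so it can be scheduled to run after each AADConnect sync cycle without side effects on users it has already processed.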
  • Hi Peter,
    Thanks for the reply. To better understand the scenario, I have 2 domains - let's call them onprem (primary) and datacentre (small DR domain).

    For security reasons there cannot be a VPN connection between environments. The environments are kept in sync by an AD CSVDE export from onprem. The resulting CSV file from onprem is then loaded and synced to datacentre via FIM. The security requirements dictate that onprem passwords and onprem password hashes are not stored in Azure or datacentre.

    I'm looking at moving my datacentre environment (which consists of Exchange 2010) to Azure. I know Exchange 2010 within Azure as an infrastructure VM (as opposed to a service) isn't officially supported.

    The requirements which my current datacentre meets are:
    - Perfect synchronisation of AD accounts from onprem to datacentre (password sync is not required)
    - Exchange 2010 mailboxes for onprem users using an alternative username and password
    - Ability for users to reset their datacentre passwords via FIM SSPR


    We can't use O365 as Exchange 2010 uses a custom DLL we've written; we can't match its functionality natively in O365. In addition, buying several thousand O365 licences would be prohibitive.

    So, you can't have an Azure Active Directory and have password reset functionality provided by FIM? I'm guessing my options are to use AD Premium or stick a domain controller in Azure as a VM if I want to allow onprem users to reset their passwords in datacentre?

    Hope that makes sense!
    cheers in advance

    IT Support/Everything

    Thursday, February 4, 2016 4:38 PM
  • OK, understood.

    1. If you put your DR domain with the Exchange to Azure IaaS then you have a normal AD just like in your datacentre or like a hosting service. That has nothing to do with Azure AD.

    To reach that DR domain in Azure IaaS you need a VPN connection, for the FIM server and also for all clients that should connect to that domain.

    For security it's not a good idea to open the firewall in Azure and do port forwarding for all domain service ports. As you already said, security is important to your organization.

    So I think you are mixing up the terms Azure AD and an on-prem AD hosted in Azure.
    If you use Azure IaaS it is just like any other hosting service and you need a network connection to it.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, February 4, 2016 4:48 PM
  • Thanks Peter, datacentre isn't a typical DR scenario; it's specifically used for Exchange Outlook Web App via HTTPS - no VPN connection required whatsoever, the environments are completely air gapped. The sync is maintained by a manual file upload - i.e. physically carry a CSV file over, secure email, SFTP from onprem to datacentre.

    My question was designed to find out if I can move my datacentre environment to Azure IaaS with a mixture of SaaS - i.e. create Exchange as a VM (IaaS), but also use Azure AD (SaaS) rather than creating a DC in Azure (IaaS) whilst maintaining 100% functionality. However, from what you've described, I'll need to go the IaaS route to maintain full functionality.

    Thanks


    IT Support/Everything

    Thursday, February 4, 2016 5:31 PM
  • Thanks for confirming Peter

    IT Support/Everything

    Friday, February 5, 2016 7:16 AM