Multiforest Sync to Windows Azure Active Directory

  • General discussion

  • Hi All

    I know that many integrators are in the same situation where only MCS can install the multiforest synchronization to Office 365 (please correct me if I'm wrong). This is not rocket or space science, and I assume that many integrators have done even bigger IDM implementations using FIM, but maybe not against Office 365 or even Windows Azure Active Directory.

    We are currently starting a project to build multiforest sync to Azure Active Directory to be used in custom applications, and now I'm keen to know if someone else has done this earlier and can share tips and tricks and possible guides.

    We will have 3 forests in different locations, and we are going to create a new site in Azure, connect those using Site to Site VPN, and create/build the FIM environment in Azure as well.

    Based on the solution, I am also interested in knowing if someone has configured FIM to use the Azure SQL service, or if that is even possible. From a business perspective we need to use two SQL Servers for high availability and fault tolerance, but I would like to hear if someone has configured an Azure IaaS based FIM server to use Azure SQL Server instead of dedicated virtual machines.




    Wednesday, January 2, 2013 1:13 PM

All replies

  • I am not aware of anyone having used the Azure SQL Service to host the FIM database. I have heard of someone deploying FIM on a VM in Azure with SQL hosted as a VM.

    At the Redmond Identity Summit last week it was discussed that you might be able to use your contacts as a partner to ask MSFT for the Office 365 connector. 

    David Lundell, Get your copy of FIM Best Practices Volume 1

    Wednesday, January 16, 2013 11:37 PM
  • We do have a product called CloudAnywhere that works in multi forest and multi tenant environments.

    We recently deployed it on a customer site who has 22000 users, 2 AD forests and 15 FQDN domains split across 2 Office 365 tenants.

    We replaced the existing solution (dirsync+ADFS), which could not work in their environment because of the limitations you explain.

    CloudAnywhere synchronizes users, groups (security, DL, DL with security), contacts, passwords and now GAL sync. It also assigns the licences of your choice based on AD group membership.

    CloudAnywhere works standalone (password sync is performed without schema extension, without bidirectional trust relationships, etc.) or can work on top of FIM 2010 to provision just the cloud targets that FIM 2010 cannot handle.


    Emmanuel Dreux

    Thursday, January 31, 2013 8:30 PM
  • And I just forgot to mention,

    we do have a connector for Azure Active Directory.

    However, it's quite limited:

    - The Azure Active Directory Graph APIs do not allow writing contacts.

    - Password changes currently force the flag "User must change password at next logon". For transparent password changes, we must still use the PowerShell commands.


    Emmanuel Dreux

    Thursday, January 31, 2013 8:34 PM
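
The PowerShell route that the last reply falls back on for transparent password changes, shown here as an added example that is not part of the thread and is not CloudAnywhere's or FIM's code. It uses the MSOnline module (the Office 365 cmdlets of that era, since deprecated by Microsoft) together with the ActiveDirectory module: it sets a cloud user's password with `-ForceChangePassword $false`, so the "must change password at next logon" flag the post complains about is not set, and it assigns or removes a licence according to on-premises AD group membership, which is the second behaviour the same reply describes. The tenant name `contoso`, the group names, the SKU identifiers, the usage location and the assumption that the cloud user already exists are all placeholders for illustration.

```powershell
# Added example, not from the thread or any product mentioned in it.
# Requires the ActiveDirectory and MSOnline modules; tenant name, group
# names, SKUs and usage location below are assumed values.
#Requires -Modules ActiveDirectory, MSOnline

param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $NewPassword,
    # Assumed mapping from AD group name to tenant SKU ("tenant:SKU" form).
    [hashtable] $LicenseByGroup = @{
        'O365-E3-Users' = 'contoso:ENTERPRISEPACK'
        'O365-E1-Users' = 'contoso:STANDARDPACK'
    },
    [string] $UsageLocation = 'FI'
)

# Interactive sign-in to the tenant with an admin credential.
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 admin')

# Read the on-premises user and its direct group membership.
$adUser = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, memberOf
$upn    = $adUser.userPrincipalName

# Resolve group DNs to names so they can be matched against the mapping table.
$groupNames = @($adUser.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

# Stop if the cloud object does not exist yet; it has to be synced or created first.
$cloudUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

# Transparent password set: -ForceChangePassword $false leaves the
# "User must change password at next logon" flag clear.
Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $NewPassword -ForceChangePassword $false

# A licence cannot be assigned without a usage location; set it if missing.
if (-not $cloudUser.UsageLocation) {
    Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
}

# The SKU for the first mapped group the user is a member of (if any).
$wanted = $LicenseByGroup.Keys |
          Where-Object { $groupNames -contains $_ } |
          ForEach-Object { $LicenseByGroup[$_] } |
          Select-Object -First 1
$current = @($cloudUser.Licenses | ForEach-Object { $_.AccountSkuId })

# Remove mapped SKUs the user no longer qualifies for, then add the wanted one,
# so the licence follows group membership in both directions.
$toRemove = @($current | Where-Object { ($LicenseByGroup.Values -contains $_) -and ($_ -ne $wanted) })
if ($toRemove.Count -gt 0) {
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $toRemove
}
if ($wanted -and ($current -notcontains $wanted)) {
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $wanted
}

$summary = if ($wanted) { $wanted } else { 'none' }
Write-Output ("{0}: password set without forced change, licence {1}" -f $upn, $summary)
```

Run it from a machine with RSAT and the MSOnline module installed, for example `.\Sync-One.ps1 -SamAccountName jdoe -NewPassword 'P@ss...'`; in a real pipeline the password would come from the on-premises change event rather than a parameter, and the script would be wrapped in a loop over the users the sync engine reports as changed.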