FIM 2010 / AADSYNC Coexist

  • Question

  • Hello,

    I am working with a client who uses FIM 2010 R2.  It is taking inputs from 3rd party applications, and then using the information from the application to provision an account in AD, including the user's mailbox for Exchange.

    There are multiple management agents; one management agent then pushes a subset of user accounts from AD to 365.  The subset of users is close to 50,000 users.

    We are in the middle of a POC Office 365 migration which will involve pushing a further 6-7 thousand users to 365 from the same AD.

    FIM could accomplish this for us, but due to complications that I won't go into here, we are looking at other options.  The option favoured is to implement AADSYNC into the same domain in addition to FIM.  So to clarify, this would result in having FIM and AADSYNC in the same AD forest, same AD domain, syncing different accounts.

    I have on many occasions read that you can only have one DIRSYNC, FIM, AADSYNC instance per forest.  We are working with a 3rd party consultancy who advise that whilst this may not be supported, it is technically possible.

    In context to the above scenario, my question is:

    a) Is it supported by MS to have FIM and AADSYNC in the same forest?

    b) Is it recommended?

    c) What are the drawbacks if it is possible but not recommended and not supported?

    Thanks very much

    Wednesday, September 23, 2015 2:20 PM

All replies

  • Hello,

    to a)

    Yes, this is supported. Use MIM to sync and provision identities from other sources to AD.

    Use AAD Connect to sync from AD to AAD.

    to b)

    It is also recommended, as you can see in the video on Channel 9:

    https://channel9.msdn.com/events/TechEd/Europe/2014/EM-B319

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, September 23, 2015 2:55 PM
  • Hi Peter,

    Thanks for the reply.  I have not had the chance to review the video link as yet.  Can I just be clear that in this scenario, both FIM and AADSYNC will be exporting to Azure AD at the same time.

    From what I understand of your reply, it is supported so long as FIM is used as an input from other sources, so long as AADSYNC is the only method used for exporting to AAD.

    Please confirm,

    Thanks

    Monday, September 28, 2015 2:27 PM
  • Hello,

    No, only AADSync is exporting to AzureAD.

    Use FIM (without the WAAD Connector) to synchronize all on-prem data sources/systems. FIM also puts all relevant data into AD.

    AADSync/Connect then gets data from AD and exports that to AzureAD.

    So (like in the video) AADConnect is your identity bridge to the cloud.

    Since AADC will get more updates in shorter timeframes to cover new Azure features, it is recommended to use this, as long as it can support your scenario.

    FIM with the WAAD Connector is still supported, even in MIM 2016, but will not get any updates, so it might be a good idea to switch over to syncing only with AADC, but I would avoid having both writing to the same tenant.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, September 28, 2015 2:36 PM
  • Hello,

    No, only AADSync is exporting to AzureAD.

    Use FIM (without the WAAD Connector) to synchronize all on-prem data sources/systems. FIM also puts all relevant data into AD.

    AADSync/Connect then gets data from AD and exports that to AzureAD.

    So (like in the video) AADConnect is your identity bridge to the cloud.

    Since AADC will get more updates in shorter timeframes to cover new Azure features, it is recommended to use this, as long as it can support your scenario.

    Adding to that, if you have both, it is a very nice tandem then - FIM creates the user in AD, AADConnect takes the user from AD to O365, and FIM can get the created user and automatically assign proper licenses based on the source you have. Done that for multiple clients and works well :)

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Tuesday, September 29, 2015 10:30 AM