Usage Precautions

Read and understand the following section before using this software.

Initial IIJ ID User Passwords

Email notifications of initial passwords are not sent to IIJ ID users that are created by this software. After an IIJ ID user is created when not also using Password Sync, the user must perform a password reset from the login page to obtain the password via an email sent to the notification email address.

Recreating Active Directory Accounts When IDs Are Linked with Office 365

The process to link an ID with Office 365 may sometimes fail when Active Directory accounts are recreated in environments where IDs of synchronized IIJ ID Service users are linked with Office 365.

External User IDOffice365 AccountLinking IDs with Office 365Comments
Same as before the recreation processExists but in the blocked state*SucceedsThe account is unblocked, which makes the existing Office 365 account available again.
Does not existSucceedsCreated as a new account
Different from before the recreation processExists but in the blocked state*Fails 

Because the creation process would result in a duplicate of the blocked Office 365 account, the creation process fails.

Delete the existing Office 365 account permanently.

Does not existSucceedsCreated as a new account

* When IIJ ID users are disabled or set as pending deletion by Directory Sync, the Office 365 account is blocked and the license is deactivated.

Group Synchronization (in Multi-forest and Multi-domain Environments Only)

Different groups with the same name cannot be synchronized with the IIJ ID Service.

Change the names of such groups in Active Directory or change the Directory Sync configuration file so that only one group is synchronized.

Perform either one of the following procedures to prevent the deletion of groups synchronized by a different Directory Sync instance.

  1. Use the SCIM filter to exclude groups synchronized by another instance of Directory Sync.
  2. Set the number of Active Directories used for syncing groups to one only.

When performing "2.," refer to the following sample and add the configuration to the config.yml file for the Directory Sync instance that will not synchronize groups.




      group:                     '!(cn=*)'




      group:                    'displayName eq ""'

Destinations for Email Sent by the IIJ ID Service

Email sent to users by the IIJ ID Service is sent to all configured email addresses for the user.


Currently, the following types of email are sent to all email addresses registered to a user.

  • [IIJ ID Service] Password reset requested
  • [IIJ ID Service] Password has been reset
  • [IIJ ID Service] Your password has expired

All other types of email are sent only to the email address configured as the primary email address.

Other types of email will be sent to all email addresses sequentially with future updates.