Usage Precautions
Read and understand the following section before using this software.
Domains That Must be Allowed Access to Use Directory Sync
If URL access is restricted via proxy servers or other means, allow the following domains to enable use of Directory Sync.
- auth.iij.jp (443/TCP)
IIJ ID User Passwords
Email notifications of account registration are not sent to IIJ ID users created by this software. Therefore, a temporary password needs to be issued for IIJ ID users who are not also using Password Sync.
A temporary password is issued after a user enters their login ID on the IIJ ID Service login page. The issued temporary password is sent to the user's notification email address.
Restrictions on Synchronized Users and Groups of Directory Sync
Do not change or delete attribute information of IIJ ID Service users and groups to be targeted for Directory Sync synchronization from IIJ ID Console.
Doing so causes an inconsistency with Directory Sync's cache information, which may lead to an unexpected operation being performed or an unexpected error occurring.
If you have accidentally performed such an operation from IIJ ID Console, execute Directory Sync’s recovery mode to delete the cache information.
Restrictions on Changing DNs of Active Directory Users and Groups
If a DN has been changed while Directory Sync is running, group affiliation may not take place normally, depending on the timing. In such a case, run Directory Sync again.
Recreating Active Directory Accounts When IDs Are Linked with Microsoft 365
The process to link an ID with Microsoft 365 may fail when Active Directory accounts are recreated in environments where the IDs of synchronized IIJ ID Service users are linked with Microsoft 365. The outcome depends on the user's ID and the state of the Microsoft 365 account, as follows.
| User's application-linking ID or external ID | Account on Microsoft 365 | ID linkage to Microsoft 365 | Comments |
|---|---|---|---|
| Same as before the recreation process | Exists but in the blocked state* | Succeeds | The account is unblocked, which makes the existing Microsoft 365 account available again. |
| Same as before the recreation process | Does not exist | Succeeds | Created as a new account. |
| Different from before the recreation process | Exists but in the blocked state* | Fails | Because the creation process would result in a duplicate of the blocked Microsoft 365 account, the creation process fails. Delete the existing Microsoft 365 account permanently. |
| Different from before the recreation process | Does not exist | Succeeds | Created as a new account. |
* When IIJ ID users are disabled or set as pending deletion by Directory Sync, the Microsoft 365 account is blocked and the license is deactivated.
Group Synchronization (in Multi-forest and Multi-domain Environments Only)
Different groups with the same name cannot be synchronized with the IIJ ID Service.
Change the names of such groups in Active Directory or change the Directory Sync configuration file so that only one group is synchronized.
Perform one of the following procedures to prevent the deletion of groups synchronized by a different Directory Sync instance.
1. Use the SCIM filter to exclude groups synchronized by another instance of Directory Sync.
2. Set the number of Active Directories used for syncing groups to one only.
When performing procedure 2, refer to the following sample and add the configuration to the config.yml file of the Directory Sync instance that will not synchronize groups.
```yaml
ad:
  ldap:
    filter:
      group: '!(cn=*)'
iid:
  scim:
    filter:
      group: 'displayName eq ""'
```
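As an added example (not code from IIJ or from Directory Sync), the following Python checks a set of instance configurations against the two precautions in this section: only one instance should synchronize groups, and different groups with the same name cannot be synchronized. Only the `ad.ldap.filter.group` and `iid.scim.filter.group` keys and their exclusion values come from the sample above; the instance names, group lists and the case-insensitive name comparison are assumptions made for the demonstration.

```python
# Added example (not IIJ Directory Sync code): checks constructed instance
# configs against two precautions: only one instance may sync groups, and
# different groups with the same name cannot be synchronized. Only the
# ad.ldap.filter.group / iid.scim.filter.group keys come from the manual.

NO_GROUP_LDAP_FILTER = "!(cn=*)"           # manual's LDAP exclusion filter
NO_GROUP_SCIM_FILTER = 'displayName eq ""' # manual's SCIM exclusion filter

def _nested(cfg, *keys):
    # Walk nested dicts; return None if any key on the path is missing.
    for key in keys:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

def syncs_groups(config):
    """Conservative: an instance counts as syncing groups unless BOTH
    exclusion filters from the manual's sample are present."""
    ldap = _nested(config, "ad", "ldap", "filter", "group")
    scim = _nested(config, "iid", "scim", "filter", "group")
    return not (ldap == NO_GROUP_LDAP_FILTER and scim == NO_GROUP_SCIM_FILTER)

def check_instances(instances):
    """instances: {name: {"config": dict, "groups": [cn, ...]}}.
    Returns (group-syncing instance names, sorted duplicate group names);
    names are compared case-insensitively (assumed, as AD CNs are)."""
    syncing = [n for n, i in instances.items() if syncs_groups(i["config"])]
    owners = {}
    for name in syncing:
        for cn in instances[name]["groups"]:
            owners.setdefault(cn.lower(), set()).add(name)
    return syncing, sorted(cn for cn, who in owners.items() if len(who) > 1)

# Constructed configurations and group lists for three hypothetical instances.
INSTANCES = {
    "corp-forest": {  # no filters: this is the one instance that syncs groups
        "config": {"ad": {"ldap": {}}, "iid": {"scim": {}}},
        "groups": ["Sales", "Engineering", "IT-Admins"]},
    "sub-forest": {  # both exclusion filters set as the manual instructs
        "config": {"ad": {"ldap": {"filter": {"group": NO_GROUP_LDAP_FILTER}}},
                   "iid": {"scim": {"filter": {"group": NO_GROUP_SCIM_FILTER}}}},
        "groups": ["Sales", "Finance"]},
    "partner-forest": {  # only the LDAP filter set: flagged as still syncing
        "config": {"ad": {"ldap": {"filter": {"group": NO_GROUP_LDAP_FILTER}}},
                   "iid": {"scim": {}}},
        "groups": ["sales", "Marketing"]},
}

if __name__ == "__main__":
    print(check_instances(INSTANCES))  # (['corp-forest', 'partner-forest'], ['sales'])
```

A result with more than one syncing instance, or any duplicate name, means one of the two precautions above is not yet satisfied.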
Expiration date of an access token
If the access token set in Directory Sync has expired, synchronization with the IIJ ID Service will fail.
Refer to "Updating Access Tokens" in the IIJ ID Service Online Manual [For Administrators] for how to check the expiration date of an access token and how to update access tokens.
Use of Older Versions of the Software
IIJ will not be liable for any issues related to an old version of this software once 6 months have passed since an update of this software was released.