Creating Active Directory Groups to Manage Synchronization Targets

It is necessary to create Active Directory groups to manage Directory Sync synchronization targets.

If Active Directory groups for managing synchronization targets have already been created, no additional groups need to be created.

Recommended Active Directory group structure

In IIJ ID Service, application users and login policies can be configured for each group.

When groups synchronized by Directory Sync are assigned to application users and login policies, application users can be added or removed and login policies changed simply by changing group membership in Active Directory.

To enable this, it is recommended that you create Active Directory groups in the following way:

  • Create a group for each use case in IIJ ID Service.
    • Example: Microsoft 365 user group, external access group, etc.
    • Active Directory user objects and group objects belong to these groups.
  • Create groups to be specified as Directory Sync synchronization targets.
    • Example: IIJ ID Service user group
    • Place as members of this group the groups created for different use cases in the previous step.
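The two-tier layout above, built with the ActiveDirectory PowerShell module, as an added example that is not part of the IIJ documentation. The OU path, the group names and the user "alice" are placeholders assumed for this example; the final checks confirm that users placed in a use-case group resolve through the nesting to the synchronization target.

```powershell
# Added example (not IIJ's own script): create the recommended group structure.
# Assumptions: the OU below exists, and all names are placeholders for this example.
Import-Module ActiveDirectory

$ou = "OU=IIJ ID Service,DC=example,DC=local"   # assumed OU; adjust to your domain

# Tier 1: one group per use case. Users (and groups) are placed directly in these.
$useCaseGroups = @("Microsoft 365 user group", "External access group")
foreach ($name in $useCaseGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou `
            -Description "Use-case group mapped to an IIJ ID Service application / login policy"
    }
}

# Tier 2: the group specified as the Directory Sync synchronization target.
# Its members are the use-case groups, not individual users.
$syncTarget = "IIJ ID Service user group"
if (-not (Get-ADGroup -Filter "Name -eq '$syncTarget'" -SearchBase $ou)) {
    New-ADGroup -Name $syncTarget -GroupScope Global -GroupCategory Security -Path $ou `
        -Description "Directory Sync synchronization target; contains the use-case groups"
}
Add-ADGroupMember -Identity $syncTarget -Members $useCaseGroups

# Check 1: a user added to a use-case group must resolve as a member of the
# synchronization target once membership is expanded through the nesting.
# ("alice" is a placeholder sAMAccountName that must already exist.)
Add-ADGroupMember -Identity "Microsoft 365 user group" -Members "alice"
$resolved = Get-ADGroupMember -Identity $syncTarget -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($resolved -contains "alice") {
    "alice reaches the synchronization target through the use-case group"
} else {
    Write-Warning "Nesting did not resolve; check group scope and membership"
}

# Check 2: direct members of the synchronization target should be groups only,
# so that access is always granted by a use-case group, never by hand.
Get-ADGroupMember -Identity $syncTarget | Where-Object objectClass -eq 'user' |
    ForEach-Object { Write-Warning "Direct user member found: $($_.SamAccountName); move it into a use-case group" }
```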

The diagram below shows an example of the recommended layout in Active Directory's directory information tree.

When the groups are created as described above, the "Active Directory Users and Computers" window appears as shown below.

Opening the properties of "IIJ ID Service user group" shows the following window.

Opening the properties of "Microsoft 365 user group" shows the following window.