User Migration When Using Microsoft 365 with Another Company’s IDaaS
If Microsoft 365 (Azure AD) is currently federated with another company's IDaaS, the existing users must be migrated before IIJ IDs can be federated with Microsoft 365.
This page describes the user migration procedure for that case.
Prerequisites for migration
In this procedure, you need to write values in the mS-DS-ConsistencyGuid attributes of Active Directory users and synchronize the attribute values with application-linking IDs of IIJ ID Users.
If you have already used the mS-DS-ConsistencyGuid attribute for a different purpose, you cannot use this function.
Flow of migration
First, use the migration script described in this procedure to write the immutableId attribute value of each Azure AD user to the mS-DS-ConsistencyGuid attribute of the Active Directory user with the same UserPrincipalName.
Azure AD | | Active Directory
---|---|---
immutableId | ⇒ Write (migration script) ⇒ | mS-DS-ConsistencyGuid
Next, change the Directory Sync settings so that the mS-DS-ConsistencyGuid attribute value of each Active Directory user is synchronized to the downstreamId (application-linking ID) of the corresponding IIJ ID.
Active Directory | | IIJ ID
---|---|---
mS-DS-ConsistencyGuid | ⇒ Synchronize (Directory Sync) ⇒ | downstreamId
Migration procedure
- Configure Windows PowerShell.
Refer to "Configuring Windows PowerShell" for how to configure Windows PowerShell.
- Create a migration script.
Create a migration script with the following contents and save it with the file name "migrate.ps1".

```powershell
# migrate.ps1: copy each Azure AD user's immutableId into the mS-DS-ConsistencyGuid
# attribute of the Active Directory user with the same UserPrincipalName.
Import-Module ActiveDirectory
Install-Module -Name Microsoft.Graph   # needed on the first run only; already-installed modules are skipped

Write-Host 'Start importing immutableId'
Connect-MgGraph -Scopes 'User.Read.All' -ContextScope Process

# All Azure AD users. Cloud-only accounts have no OnPremisesImmutableId and are skipped below.
$azureADUsers = Get-MgUser -All -Property @('UserPrincipalName', 'OnPremisesImmutableId')

$SearchBase = Read-Host -Prompt 'Input your BaseDN'
$adUsers = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties DistinguishedName, UserPrincipalName, 'mS-DS-ConsistencyGuid'

ForEach ($azureADUser in $azureADUsers) {
    If (-not $azureADUser.OnPremisesImmutableId) { Continue }   # nothing to import for this user
    ForEach ($adUser in $adUsers) {
        If ($azureADUser.UserPrincipalName -eq $adUser.UserPrincipalName) {
            Write-Output ("Import the immutableId ({0}) into {1}" -f $azureADUser.OnPremisesImmutableId, $azureADUser.UserPrincipalName)
            # The immutableId is stored as the Base64 text itself. Directory Sync later reads it
            # back unchanged because Base64 conversion is disabled for this attribute in config.yml.
            # Comment out the next line to perform a dry run that only prints the values.
            Set-ADUser -Identity $adUser.DistinguishedName -Replace @{ 'mS-DS-ConsistencyGuid' = $azureADUser.OnPremisesImmutableId }
        }
    }
}
Write-Host 'End importing immutableId'
```
[ Reference ]
The migration script operates as follows.
- Obtains all users of Azure AD.
- For each Azure AD user, searches the Active Directory users under the specified BaseDN for a user whose UserPrincipalName attribute matches.
- If no Active Directory user with a matching UserPrincipalName exists, nothing is written for that Azure AD user and the script moves on to the next one.
- If a matching Active Directory user exists, sets the immutableId attribute value of the Azure AD user in the mS-DS-ConsistencyGuid attribute of that Active Directory user.
[ Reference ]
We recommend commenting out the Set-ADUser command line and executing the script once before the real run.
With the Set-ADUser command commented out, the script only prints the values that would be set in the mS-DS-ConsistencyGuid attributes of the Active Directory users, so you can check them in advance.
- Run PowerShell on a Windows computer.
Use the following command to run the PowerShell script as illustrated in the example.
Example command line display
PS> powershell -ExecutionPolicy bypass -File '.\migrate.ps1'
An authentication screen for connecting to Azure AD will appear. Perform authentication.
[ Reference ]
A permissions-consent window may be displayed at the time of execution.
If this window is displayed, click "Accept" (承認) without checking the "Consent on behalf of your organization" (組織の代理として同意する) box.
- Enter the path (BaseDN) to search for Active Directory users.
Example value
OU=Users,DC=EXAMPLE,DC=COM
- Set up Directory Sync.
When setting up Directory Sync, configure the application-linking ID (downstreamId) of the user and the base64_disabled option in config.yml.
Example of config.yml

```yaml
iid:
  scim:
    attribute:
      user:
        ad_bind:
          downstreamId: mS-DS-ConsistencyGuid
        base64_disabled:
          - mS-DS-ConsistencyGuid   # *1
```

*1 Disables conversion by Base64 encoding, so the value stored in mS-DS-ConsistencyGuid is passed to downstreamId as-is. Refer to "config.yml" for more information.
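The following check script is an added example and is not part of the IIJ procedure or of migrate.ps1. It is meant to be run under the same BaseDN before the migration (to find users that violate the prerequisite above, i.e. whose mS-DS-ConsistencyGuid already holds some other value, and users that migrate.ps1 would silently skip) and again afterwards (to confirm that every synced user now carries exactly the immutableId text). It assumes the ActiveDirectory and Microsoft.Graph modules are installed, that the account running it can read users in both directories, and that the value stored in mS-DS-ConsistencyGuid is the Base64 text of the immutableId, which is the convention this page uses together with the base64_disabled option. The parameter name, the state names and the exit code are choices made for this example.

```powershell
# check-consistencyguid.ps1 (added example, not IIJ code): report the migration state of
# every AD user under $SearchBase against Azure AD, and flag values that would break the
# immutableId -> mS-DS-ConsistencyGuid -> downstreamId chain.
param(
    [Parameter(Mandatory = $true)][string]$SearchBase   # e.g. OU=Users,DC=EXAMPLE,DC=COM
)
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All' -ContextScope Process | Out-Null

# Azure AD side: lower-cased UPN -> immutableId. Cloud-only users have no immutableId and are ignored.
$cloud = @{}
foreach ($m in (Get-MgUser -All -Property UserPrincipalName, OnPremisesImmutableId)) {
    if ($m.OnPremisesImmutableId -and $m.UserPrincipalName) {
        $cloud[$m.UserPrincipalName.ToLowerInvariant()] = $m.OnPremisesImmutableId
    }
}

# AD side: every user under the base DN, with the attribute the migration writes.
$adUsers = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName, 'mS-DS-ConsistencyGuid'

$report = foreach ($u in $adUsers) {
    $raw = $u.'mS-DS-ConsistencyGuid'                       # octet string (byte[]) or $null
    # migrate.ps1 stores the Base64 text itself, so read the bytes back as ASCII text.
    $stored = if ($raw) { [System.Text.Encoding]::ASCII.GetString([byte[]]$raw) } else { $null }
    $expected = if ($u.UserPrincipalName) { $cloud[$u.UserPrincipalName.ToLowerInvariant()] } else { $null }

    $state = if (-not $u.UserPrincipalName) { 'NoUPN' }          # cannot be matched at all
        elseif (-not $expected)             { 'NotInAzureAD' }   # migrate.ps1 leaves these untouched
        elseif (-not $raw)                  { 'Pending' }        # not migrated yet
        elseif ($stored -ceq $expected)     { 'Migrated' }       # Base64 is case-sensitive, so compare with -ceq
        elseif ($raw.Length -eq 16 -and [Convert]::ToBase64String([byte[]]$raw) -ceq $expected) {
            'GuidBytes'   # holds the raw GUID bytes (the Azure AD Connect convention), not the text this procedure expects
        }
        else                                { 'Conflict' }       # attribute already used for something else

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        State             = $state
        Stored            = $stored
        Expected          = $expected
    }
}

# downstreamId must be unique per IIJ ID: two AD users carrying the same value would collide.
$dupes = $report | Where-Object { $_.Stored } | Group-Object Stored | Where-Object Count -gt 1
foreach ($d in $dupes) {
    Write-Warning ("Duplicate mS-DS-ConsistencyGuid {0}: {1}" -f $d.Name, ($d.Group.UserPrincipalName -join ', '))
}

# Synced Azure AD users with no AD user of the same UPN under the base DN are never migrated.
$adKeys = @{}
foreach ($u in $adUsers) { if ($u.UserPrincipalName) { $adKeys[$u.UserPrincipalName.ToLowerInvariant()] = $true } }
foreach ($o in ($cloud.Keys | Where-Object { -not $adKeys.ContainsKey($_) })) {
    Write-Warning "Azure AD user $o has an immutableId but no AD user with that UPN under $SearchBase"
}

$report | Sort-Object State, UserPrincipalName | Format-Table -AutoSize
$report | Group-Object State | ForEach-Object { Write-Host ("{0,-14} {1}" -f $_.Name, $_.Count) }

# Non-zero exit when the prerequisite is violated, so the check can gate the real migration run.
if ($report | Where-Object State -eq 'Conflict') { exit 1 }
```

Run it the same way as the migration script, for example `powershell -ExecutionPolicy bypass -File '.\check-consistencyguid.ps1' -SearchBase 'OU=Users,DC=EXAMPLE,DC=COM'`. Before the migration every synced user should be Pending and none should be Conflict or GuidBytes; after the migration and before enabling the Directory Sync change, every synced user should be Migrated and no duplicate warning should appear.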