List of published manuals

List of manuals for contractors

IIJ ID Service Manual [For Administrators]

No1. Case where Azure AD Connect Is Used

You are to link with Microsoft 365 while using Azure AD Connect.
You are also to synchronize accounts from Active Directory to IIJ ID using Directory Sync.

[ Reference ]

The descriptions shown below are just reference.

Perform the actual task in accordance with your environment.

Federation Image

While the user is being synchronized by Azure AD Connect from Active Directory to Azure AD, the user is synchronized by Directory Sync from Active Directory to IIJ ID.
Moreover, federation is carried out for the Azure AD user and IIJ ID user synchronized with the ID.


For Attribute Mapping for Federation with Azure AD, configure the Directory Sync setting in such a manner that the IIJ ID user's application-linking ID and ID will respectively correspond to the Azure AD user's immutableId and userPrincipalName.

Setup Flow Example
1. Preparation

1.1 Configuring Azure AD Connect
1.2 Registering Domains in Microsoft 365
1.3 Configuring Windows PowerShell
1.4 Add Microsoft 365 Application
2. Configuring Directory Sync

2.1 Directory Sync Setup
3. Configuring Federations

3.1 Changing General Application Settings
3.2 Configuring Graph API Settings
3.3 Configuring Federations
3.4 Configuring Users
Example Configuration of Directory Sync

Perform synchronization as follows.

[ Reference ]

The Active Directory attribute that is actually mapped must be the same as the setting of Azure AD Connect.

Active Directory
IIJ ID
Azure ADComments

ms-DS-ConsistencyGuid

objectGUID

->

Application-linking ID

 (downstreamId)		->immutalbeIdThe value of objectGUID is reflected when the value of ms-DS-ConsistencyGuid is empty.
userPrincipalName->ID (userName)->userPrincipalName

config.yml sample

log:
  loglevel:                      info

ad:
  ldap:
    server:
      addresses:
                                 - 127.0.0.1
      user:                      'CN=administrator,CN=Users,DC=example,DC=jp'
    base_dn:                     'DC=example,DC=jp'
    filter:
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'

iid:
  scim:
    attribute:
      user:
        default:
          emails:
            - primary:           true
        ad_bind:
          externalId:            userPrincipalName
          downstreamId:
                                 - mS-DS-ConsistencyGuid
                                 - objectGUID
          userName:              userPrincipalName
          emails:
            - value:             mail
      group:
        ad_bind:
          externalId:            objectGUID
          displayName:           name