No1. Case where Azure AD Connect Is Used

This case links IIJ ID with Microsoft 365 while Azure AD Connect is in use.
Accounts are also synchronized from Active Directory to IIJ ID using Directory Sync.

[ Reference ]

The descriptions below are for reference only.

Perform the actual configuration according to your environment.

Federation Image

Azure AD Connect synchronizes the user from Active Directory to Azure AD, and in parallel Directory Sync synchronizes the same user from Active Directory to IIJ ID.
Federation is then established between the Azure AD user and the IIJ ID user that share the same ID.


In the attribute mapping for federation with Azure AD, configure Directory Sync so that the IIJ ID user's application-linking ID corresponds to the Azure AD user's immutableId, and the IIJ ID user's ID corresponds to the Azure AD user's userPrincipalName.

Setup Flow Example
1. Preparation

1.1 Configuring Azure AD Connect
1.2 Registering Domains in Microsoft 365
1.3 Configuring Windows PowerShell
1.4 Adding the Microsoft 365 Application
2. Configuring Directory Sync

2.1 Directory Sync Setup
3. Configuring Federations

3.1 Changing General Application Settings
3.2 Configuring Graph API Settings
3.3 Configuring Federations
3.4 Configuring Users
Example Configuration of Directory Sync

Perform synchronization as follows.

[ Reference ]

The Active Directory attribute that is actually mapped to the application-linking ID must be the same attribute configured in Azure AD Connect.

Active Directory                                  | IIJ ID                                | Azure AD          | Comments
--------------------------------------------------|---------------------------------------|-------------------|------------------------------------------------------------------------------------
ms-DS-ConsistencyGuid (objectGUID when empty)  -> | Application-linking ID (downstreamId) | -> immutableId    | The value of objectGUID is reflected when the value of ms-DS-ConsistencyGuid is empty.
userPrincipalName                              -> | ID (userName)                         | -> userPrincipalName |

config.yml sample

log:
  loglevel: info                     # log verbosity
ad:
  ldap:
    server:
      addresses:
        - 127.0.0.1                  # domain controller(s) to query
      user: 'CN=administrator,CN=Users,DC=example,DC=jp'   # bind DN used for LDAP queries
    base_dn: 'DC=example,DC=jp'
    filter:
      # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: members of nested groups are matched too
      user:  'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'
      group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'
iid:
  scim:
    attribute:
      user:
        default:
          emails:
            - primary: true
        ad_bind:                     # IIJ ID attribute <- Active Directory attribute
          externalId: userPrincipalName
          downstreamId:              # application-linking ID; first attribute with a non-empty value is used
            - mS-DS-ConsistencyGuid
            - objectGUID
          userName: userPrincipalName
          emails:
            - value: mail
      group:
        ad_bind:
          externalId: objectGUID
          displayName: name
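The mapping table and the config.yml sample above describe the same rule: the application-linking ID (downstreamId) is taken from ms-DS-ConsistencyGuid and falls back to objectGUID when that attribute is empty, while the ID (userName) is taken from userPrincipalName. The following is an added example (not IIJ's code and not part of Directory Sync) that simulates this mapping on constructed Active Directory entries and checks the Reference note that the anchor attribute must match the one configured in Azure AD Connect. The GUID strings, user records and the function names are assumptions; the page does not state how the GUID value is encoded, so the attribute values are treated as opaque strings.

```python
# Added example: simulate the Directory Sync attribute mapping for IIJ ID.
# Not IIJ's code. Sample entries and GUID strings are constructed, and the
# attribute values are treated as opaque strings (encoding is not specified
# on the page).
from typing import Iterable, List, Optional

# Candidate order taken from the config.yml sample: the first non-empty
# value becomes the application-linking ID (downstreamId).
DOWNSTREAM_ID_CANDIDATES = ("mS-DS-ConsistencyGuid", "objectGUID")

# Constructed Active Directory entries. None or "" marks an empty attribute.
SAMPLE_AD_USERS = [
    {
        "userPrincipalName": "alice@example.jp",
        "mS-DS-ConsistencyGuid": "guid-consistency-0001",
        "objectGUID": "guid-object-0001",
        "mail": "alice@example.jp",
    },
    {
        # ms-DS-ConsistencyGuid was never populated for this user
        "userPrincipalName": "bob@example.jp",
        "mS-DS-ConsistencyGuid": None,
        "objectGUID": "guid-object-0002",
        "mail": "bob@example.jp",
    },
]


def first_non_empty(entry: dict, candidates: Iterable[str]) -> Optional[str]:
    """Return the value of the first candidate attribute that is not empty."""
    for attr in candidates:
        value = entry.get(attr)
        if value not in (None, ""):
            return value
    return None


def map_user(entry: dict) -> dict:
    """Build the SCIM user attributes that correspond to the ad_bind section."""
    downstream = first_non_empty(entry, DOWNSTREAM_ID_CANDIDATES)
    if downstream is None:
        # Neither anchor attribute is set: the user cannot be federated safely.
        raise ValueError(f"no anchor attribute for {entry.get('userPrincipalName')}")
    return {
        "externalId": entry["userPrincipalName"],
        "downstreamId": downstream,                  # -> Azure AD immutableId
        "userName": entry["userPrincipalName"],      # -> Azure AD userPrincipalName
        "emails": [{"value": entry["mail"], "primary": True}],  # default + ad_bind merged
    }


def map_all(users: Iterable[dict]) -> List[dict]:
    return [map_user(u) for u in users]


def anchors_consistent(iid_candidates: Iterable[str], aad_connect_attribute: str) -> bool:
    """Check the Reference note: the attribute behind IIJ ID's downstreamId must be
    the same Active Directory attribute that Azure AD Connect is configured with.
    LDAP attribute names are compared case-insensitively."""
    primary = next(iter(iid_candidates))
    return primary.lower() == aad_connect_attribute.lower()


if __name__ == "__main__":
    for mapped in map_all(SAMPLE_AD_USERS):
        print(f"{mapped['userName']} -> downstreamId={mapped['downstreamId']}")
    print("anchor consistent with Azure AD Connect:",
          anchors_consistent(DOWNSTREAM_ID_CANDIDATES, "ms-DS-ConsistencyGuid"))
```

Running the script shows alice mapped from mS-DS-ConsistencyGuid and bob falling back to objectGUID; if Azure AD Connect were configured with a different anchor attribute, anchors_consistent returns False and the two sides of the federation would no longer identify the same user.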