No3. Migration from Azure AD Authentication Infrastructure (with Using Directory Sync)
You are to migrate the authentication infrastructure to the IIJ ID Service in a state where you are using Azure AD as an authentication infrastructure.
Migrate the authentication infrastructure to the IIJ ID Service from the state where accounts are managed directly on Azure AD (Microsoft 365) without using Azure AD Connect.
[ Reference ]
The descriptions shown below are just reference.
Perform the actual task in accordance with your environment.
Federation Image
Synchronize the user by Directory Sync from Active Directory to IIJ ID.
In addition, perform provisioning on the user from IIJ ID to Azure AD, and then perform federation with the provisioned user.
Because an existing Azure AD user exists on Azure AD, consider the federation with the existing Azure AD user too.
For the existing Azure AD user, set the ID of the IIJ ID User to be the same as userPrincipalName for Azure AD.
If federation with an external authentication infrastructure is not enabled by Azure AD, no value will be set to immutableId of the Azure AD user.
Therefore, it is overwritten with the external ID of IIJ ID by provisioning from IIJ ID.
Setup Flow Example
1. Preparation | Comments | ||
---|---|---|---|
1.1 Registering Domains in Microsoft 365 | |||
1.2 Configuring Windows PowerShell | |||
1.3 Add Microsoft 365 Application | |||
2. Configuring Directory Sync | |||
2.1 Directory Sync Setup | |||
3. Configuring Federations | |||
3.1 Changing General Application Settings | |||
3.2 Configuring Graph API Settings | |||
3.3 Provisioning | |||
3.4 Configuring Users | |||
3.5 Configuring Federations | Make sure to confirm that provisioning of users to Microsoft 365 has been completed. Through the provisioning process, the value of immutableId is set with respect to each user of Azure AD from IIJ ID. If federation is enabled in a state where the provisioning process for users has not been completed, the users for whom the value of immutabeld has not been set can no longer log in to Microsoft 365. |
Example Configuration of Directory Sync
Perform synchronization as follows.
[ Reference ]
In this example, userPrincipalName of the existing Azure AD user must be the same as that of the Active Directory user.
Active Directory | IIJ ID | Azure AD | 備考 | ||
---|---|---|---|---|---|
ms-DS-ConsistencyGuid objectGUID | -> | Application-linking ID (downstreamId) | -> | immutalbeId | The value of objectGUID is reflected when the value of ms-DS-ConsistencyGuid is empty. |
userPrincipalName | -> | ID (userName) | -> | userPrincipalName |
config.yml sample
log: loglevel: info ad: ldap: server: addresses: - 127.0.0.1 user: 'CN=administrator,CN=Users,DC=example,DC=jp' base_dn: 'DC=example,DC=jp' filter: user: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp' group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp' iid: scim: attribute: user: default: emails: - primary: true ad_bind: externalId: userPrincipalName downstreamId: - mS-DS-ConsistencyGuid - objectGUID userName: userPrincipalName emails: - value: mail group: ad_bind: externalId: objectGUID displayName: name