No4. Federate Microsoft 365 Newly (with Using Directory Sync)
This section describes how to sign up for Microsoft 365 newly to federate IIJ ID.
You are also to synchronize IDs from Active Directory to IIJ ID using Directory Sync.
[ Reference ]
The descriptions shown below are just reference.
Perform the actual task in accordance with your environment.
Federation Image
Synchronize the user by Directory Sync from Active Directory to IIJ ID.
In addition, perform provisioning on the user from IIJ ID to Azure AD, and then perform federation with the provisioned user.
Setup Flow Example
1. Preparation | ||
---|---|---|
1.1 Registering Domains in Microsoft 365 | ||
1.2 Configuring Windows PowerShell | ||
1.3 Add Microsoft 365 Application | ||
2. Configuring Directory Sync | ||
2.1 Directory Sync Setup | ||
3. Configuring Federations | ||
3.1 Changing General Application Settings | ||
3.2 Configuring Graph API Settings | ||
3.3 Provisioning | ||
3.4 Configuring Users | ||
3.5 Configuring Federations |
Example Configuration of Directory Sync
Perform synchronization as follows.
Active Directory | IIJ ID | Azure AD | Comments | ||
---|---|---|---|---|---|
ms-DS-ConsistencyGuid objectGUID | -> | Application-linking ID (downstreamId) | -> | immutalbeId | The value of objectGUID is reflected when the value of ms-DS-ConsistencyGuid is empty. |
userPrincipalName | -> | ID (userName) | -> | userPrincipalName |
config.yml sample
log: loglevel: info ad: ldap: server: addresses: - 127.0.0.1 user: 'CN=administrator,CN=Users,DC=example,DC=jp' base_dn: 'DC=example,DC=jp' filter: user: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp' group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp' iid: scim: attribute: user: default: emails: - primary: true ad_bind: externalId: userPrincipalName downstreamId: - mS-DS-ConsistencyGuid - objectGUID userName: userPrincipalName emails: - value: mail group: ad_bind: externalId: objectGUID displayName: name