No4. Federate a New Microsoft 365 Tenant (Using Directory Sync)

This section describes how to sign up for Microsoft 365 from scratch and federate it with IIJ ID.
In this configuration, IDs are also synchronized from Active Directory to IIJ ID with Directory Sync.

[ Reference ]

The descriptions below are for reference only.

Perform the actual work according to your own environment.

Federation Image

Directory Sync synchronizes users from Active Directory to IIJ ID.
IIJ ID then provisions those users to Azure AD, and federation is performed with the provisioned users.

Setup Flow Example
Example Configuration of Directory Sync

Synchronize the attributes as follows.

| Active Directory                    | IIJ ID                                   | Azure AD          | Comments                                                             |
|-------------------------------------|------------------------------------------|-------------------|----------------------------------------------------------------------|
| mS-DS-ConsistencyGuid / objectGUID  | -> Application-linking ID (downstreamId) | -> immutableId    | The value of objectGUID is used when mS-DS-ConsistencyGuid is empty. |
| userPrincipalName                   | -> ID (userName)                         | -> userPrincipalName |                                                                   |

config.yml sample

log:
  loglevel: info                     # log verbosity of Directory Sync

ad:
  ldap:
    server:
      addresses:
        - 127.0.0.1                  # domain controller to read from
      user: 'CN=administrator,CN=Users,DC=example,DC=jp'   # bind DN
    base_dn: 'DC=example,DC=jp'
    filter:
      # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the filter also
      # matches members of groups nested inside the named group
      # (IID_IDaaS利用者グループ means "IID_IDaaS user group")
      user:  'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'
      group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS利用者グループ,OU=IID_Groups,DC=example,DC=jp'

iid:
  scim:
    attribute:
      user:
        default:                     # static values, not read from AD
          emails:
            - primary: true
        ad_bind:                     # SCIM attribute <- AD attribute
          externalId: userPrincipalName
          downstreamId:              # first listed attribute with a value is used (see the table above)
            - mS-DS-ConsistencyGuid
            - objectGUID
          userName: userPrincipalName
          emails:
            - value: mail
      group:
        ad_bind:
          externalId: objectGUID
          displayName: name
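The table and the `ad_bind` section above describe the same rule: downstreamId is taken from mS-DS-ConsistencyGuid, and from objectGUID only when that attribute is empty. The following Python script is an added example, not part of this documentation or of Directory Sync, that applies that rule to constructed AD entries so you can check what a user would be provisioned with before running a real sync. The `USER_AD_BIND` dict mirrors the config.yml sample (emails omitted), the sample users and GUIDs are constructed, and encoding the GUID bytes as base64 for immutableId follows the Azure AD Connect convention; that Directory Sync uses the same encoding is an assumption of this example.

```python
"""Preview AD -> IIJ ID -> Azure AD attribute mapping for the ad_bind rule."""
import base64
import uuid

# Constructed mirror of iid.scim.attribute.user.ad_bind from the config.yml
# sample (emails left out); the real Directory Sync reads the YAML itself.
USER_AD_BIND = {
    "externalId": "userPrincipalName",
    "downstreamId": ["mS-DS-ConsistencyGuid", "objectGUID"],
    "userName": "userPrincipalName",
}


def resolve_source(entry, source):
    """Pick the AD value for one SCIM attribute.

    `source` is a single AD attribute name or an ordered list of candidates.
    For a list, the first attribute carrying a non-empty value wins, which is
    the table's rule: objectGUID is used only when mS-DS-ConsistencyGuid is
    empty. Returns (attribute_used, value), or (None, None) if nothing is set.
    """
    candidates = source if isinstance(source, list) else [source]
    for attr in candidates:
        value = entry.get(attr)
        if value not in (None, "", b"", []):
            return attr, value
    return None, None


def build_scim_user(entry, mapping=USER_AD_BIND):
    """Map one AD entry (dict of LDAP attribute -> value, as a search returns
    it) to the SCIM attributes named in `mapping`.

    A missing value is an error rather than a silent blank: a user with an
    empty downstreamId would reach Azure AD with no immutableId to match on.
    Returns (scim_attributes, source_attribute_used_per_scim_attribute).
    """
    scim, sources = {}, {}
    for scim_attr, source in mapping.items():
        attr, value = resolve_source(entry, source)
        if value is None:
            raise ValueError(f"{scim_attr}: none of {source} set on "
                             f"{entry.get('userPrincipalName')}")
        scim[scim_attr] = value
        sources[scim_attr] = attr
    return scim, sources


def guid_to_immutable_id(guid_bytes):
    """Encode a 16-byte AD GUID as base64, the Azure AD Connect convention for
    immutableId (assumed here to be what Directory Sync sends as well)."""
    if len(guid_bytes) != 16:
        raise ValueError("downstreamId must be a 16-byte GUID")
    return base64.b64encode(guid_bytes).decode("ascii")


def sync_preview(entry):
    """One user's path through the table: which AD attribute fed downstreamId
    and what immutableId Azure AD would receive."""
    scim, sources = build_scim_user(entry)
    return {
        "userName": scim["userName"],
        "downstreamId_from": sources["downstreamId"],
        "immutableId": guid_to_immutable_id(scim["downstreamId"]),
    }


# Constructed sample entries with fixed GUIDs so the output is reproducible.
GUID_ALICE_CONSISTENCY = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes
GUID_ALICE_OBJECT = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes
GUID_BOB_OBJECT = uuid.UUID("66666666-7777-8888-9999-000000000000").bytes

USER_ALICE = {  # mS-DS-ConsistencyGuid already populated
    "userPrincipalName": "alice@example.jp",
    "mail": "alice@example.jp",
    "mS-DS-ConsistencyGuid": GUID_ALICE_CONSISTENCY,
    "objectGUID": GUID_ALICE_OBJECT,
}
USER_BOB = {  # mS-DS-ConsistencyGuid never set: AD returns no value for it
    "userPrincipalName": "bob@example.jp",
    "mail": "bob@example.jp",
    "objectGUID": GUID_BOB_OBJECT,
}

if __name__ == "__main__":
    for user in (USER_ALICE, USER_BOB):
        print(sync_preview(user))
```

Running the script prints one line per sample user; alice's immutableId derives from mS-DS-ConsistencyGuid and bob's from objectGUID. Populating mS-DS-ConsistencyGuid before the first sync is what keeps the anchor stable if the account is later moved between forests, since objectGUID changes on such a move while mS-DS-ConsistencyGuid is a writable attribute that can be carried over.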