No6. Migration from Azure AD Authentication Infrastructure (without Using Directory Sync)

Migrate the authentication infrastructure to the IIJ ID Service from the state where accounts are managed directly on Azure AD (Microsoft 365) without using Azure AD Connect.

[ Reference ]

The descriptions shown below are for reference only.

Perform the actual task in accordance with your environment.

Federation Image

Provision the users from IIJ ID to Azure AD, and then set up federation for the provisioned users.


Because users already exist on Azure AD, also consider how those existing Azure AD users are linked to IIJ ID users.
For each existing Azure AD user, set the ID of the IIJ ID User to the same value as the userPrincipalName of the Azure AD user.
If federation with an external authentication infrastructure has not been enabled on Azure AD, no value is set in immutableId of the Azure AD user.
Therefore, provisioning from IIJ ID overwrites immutableId with the UUID of the IIJ ID user.

Setup Flow Example

1. Preparation
   1.1 Registering Domains in Microsoft 365
   1.2 Configuring Windows PowerShell
   1.3 Add Microsoft 365 Application
   1.4 Reflecting User Attribute Values Set to the Existing Azure AD Users to IIJ ID Users
       Comments: If there are many users, it is recommended that you export the attributes of the Azure AD users to a CSV file and reflect the data all at once by CSV import of IIJ ID Users.

2. Configuring Federations
   2.1 Changing General Application Settings
   2.2 Configuring Graph API Settings
   2.3 Provisioning
   2.4 Configuring Users
   2.5 Configuring Federations
       Comments: Make sure to confirm that provisioning of users has been completed. Through the provisioning process, the value of immutableId is set from IIJ ID for each Azure AD user. If federation is enabled while the provisioning process for users has not been completed, the users for whom immutableId has not been set can no longer log in to Microsoft 365.
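The check called for in step 2.5, as an added example that is not part of the IIJ ID documentation: before federation is enabled, list the Azure AD users of the domain that still have no immutableId, and export them so they can be provisioned from IIJ ID first. It assumes the MSOnline module with an existing Connect-MsolService session; the domain name is a placeholder.

```powershell
# Added example, not from the IIJ ID documentation.
# Pre-federation check: every Azure AD user in the domain must already have
# immutableId set by provisioning from IIJ ID, otherwise that user cannot
# log in to Microsoft 365 once federation is switched on.
# Assumes: Import-Module MSOnline and Connect-MsolService already done.
$domain = 'example.com'   # placeholder: the domain that will be federated

# All users whose UPN belongs to the domain being federated
$users = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$domain"
}

# Users that provisioning has not yet touched (immutableId empty)
$missing = @($users | Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) })

"$($users.Count) users in $domain, $($missing.Count) without immutableId"

if ($missing.Count -gt 0) {
    # Export the unprovisioned users as a work list (UPN is the value the
    # IIJ ID User ID must match, see 'Federation Image' above).
    $missing |
        Select-Object UserPrincipalName, DisplayName, ImmutableId |
        Export-Csv -Path '.\users-without-immutableId.csv' -NoTypeInformation -Encoding UTF8
    Write-Warning "Provision these $($missing.Count) users from IIJ ID before enabling federation."
}
else {
    'All users have immutableId set; provisioning is complete for this domain.'
}
```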