Real world Azure AD Connect: the case for TWO Azure AD Connect servers

6th of December, 2016 / / 4 Comments

I was exchanging some emails with an account manager (Andy Walker) at Kloud and thought the exchange would be for some interesting reading. Here’s the outcome in an expanded and much more helpful (to you dear reader) format…

***

Background

When working with the Microsoft Cloud and in particular with identity, depending on some of the configuration options, it can be quite important to have Azure AD Connect highly available. Unfortunately for us, Microsoft has not developed AADConnect to be highly available.… [Keep reading] “Real world Azure AD Connect: the case for TWO Azure AD Connect servers”

Real world Azure AD Connect: multi forest user and resource + user forest implementation

2nd of December, 2016 / / 17 Comments

Disclaimer: During October I spent a few weeks working on this blog posts solution at a customer and had to do the responsible thing and pull the pin on further time as I had hit a glass ceiling. I reached what I thought was possible with Azure AD Connect. In comes Nigel Jones (Identity Consultant @ Kloud) who, through a bit of persuasion from Darren (@darrenjrobinson), took it upon himself to smash through that glass ceiling of Azure AD Connect and figured this solution out.

[Keep reading] “Real world Azure AD Connect: multi forest user and resource + user forest implementation”

Azure AD Connect – Using AuthoritativeNull in a Sync Rule

1st of December, 2016 / / No Comments

There is a feature in Azure AD Connect that became available in the November 2015 build 1.0.9125.0 (listed here), which has not had much fanfare but can certainly come in handy in tricky situations. I happened to be working on a project that required the DNS domain linked to an old Office 365 tenant to be removed so that it could be used in a new tenant. Although the old tenant was no long used for Exchange Online services, it held onto the domain in question, and Azure AD Connect was being used to synchronise objects between the on-premise Active Directory and Azure Active Directory.… [Keep reading] “Azure AD Connect – Using AuthoritativeNull in a Sync Rule”

AAD Connect – Using Directory Extensions to add attributes to Azure AD

14th of November, 2016 / / No Comments

I was recently asked to consult on a project that was looking at the integration of Workday with Azure AD for Single Sign On. One of the requirements for the project, is that staff number be used as the NameID value for authentication.
This got me thinking as the staff number wasn’t represented in Azure AD at all at this point, and in order to use it, we will need to get it to Azure AD.… [Keep reading] “AAD Connect – Using Directory Extensions to add attributes to Azure AD”

AAD Connect – Updating OU Sync Configuration Error: stopped-deletion-threshold-exceeded

11th of November, 2016 / / No Comments

I was recently working with a customer on cleaning up their Azure AD Connect synchronisation configuration.
Initially, the customer had enabled sync for all OU’s in the Forest (As a lot of companies do),  and had now come to a point in maturity where they could look at optimising the solution.
We identified an OU with approximately 7000 objects which did not need to be synced.
So…
I logged onto the AAD Connect server and launched the configuration utility.… [Keep reading] “AAD Connect – Updating OU Sync Configuration Error: stopped-deletion-threshold-exceeded”

How to export user error data from Azure AD Connect with CSExport

24th of October, 2016 / / 1 Comment

A short post is a good post?! – the other day I had some problems with users synchronising with Azure AD via Azure AD Connect. Ultimately Azure AD Connect was not able to meet the requirements of the particular solution, as Microsoft Identity Manager (MIM) 2016 has the final 5% of the config required for, as I found out, a complicated user+resource and user forest design.
In saying that though, during my troubleshooting, I was looking at ways to export the error data from Azure AD Connect.… [Keep reading] “How to export user error data from Azure AD Connect with CSExport”

Complex Mail Routing in Exchange Online Staged Migration Scenario

15th of October, 2016 / / No Comments

Notes From the Field:

I was recently asked to assist an ongoing project with understanding some complex mail routing and identity scenario’s which had been identified during planning for an upcoming mail migration from an external system into Exchange Online.
New User accounts were created in Active Directory for the external staff who are about to be migrated. If we were to assign the target state, production email attributes now, and create the exchange online mailboxes, we would have a problem nearing migration.… [Keep reading] “Complex Mail Routing in Exchange Online Staged Migration Scenario”

Active Directory – What are Linked Attributes?

26th of September, 2016 / / No Comments

A customer request to add some additional attributes to their Azure AD tenant via Directory Extensions feature in the Azure AD Connect tool, lead me into further investigation. My last blog here set out the customer request, but what I didn’t detail in that blog was one of the attributes they also wanted to extend into Azure AD was directReports, an attribute they had used in the past for their custom built on-premise applications to display the list of staff the user was a manager for.… [Keep reading] “Active Directory – What are Linked Attributes?”

Azure AD Connect – Multi-valued Directory Extensions

16th of September, 2016 / / No Comments

I happened to be at a customer site working on an Azure project when I was asked to cast a quick eye over an issue they had been battling with. They had an Azure AD Connect server synchronising user and group objects between their corporate Active Directory and their Azure AD, used for Office 365 services and other Azure-based applications. Their intention was to synchronise some additional attributes from their Active Directory to Azure AD so that they could be used by some of their custom built Azure applications.… [Keep reading] “Azure AD Connect – Multi-valued Directory Extensions”

Azure AD Application SSO and Provisioning – Things to consider

14th of September, 2016 / / 3 Comments

I’ve had the opportunity to work on a couple of customer engagements recently integrating SaaS based cloud applications with Azure Active Directory, one being against a cloud-only Azure AD tenant and the other federated with on-premises Active Directory using ADFS. The Azure AD Application Gallery now has over 2,700 applications listed which provide a supported and easy process to integrate applications with Azure AD, although not every implementation is the same. Most of them have a prescribed tutorial on how to perform the integration (listed here), while some application vendors have their own guides.… [Keep reading] “Azure AD Application SSO and Provisioning – Things to consider”