Integrating Your On-Premises Active Directory with Azure Active Directory


The Discussion

  • Sean Douglas

    Would you consider it a best practice to limit the objects that are synchronized using the OU or Group filter? In your video you sync the entire directory; however, this could be problematic, and cleaning things up after a botched sync is tough.

  • sjsueztech

    I wanted to try and answer the question with regards to whether to use an OU or Group filter. I have run into this in practice and below are my thoughts.

    First Approach:
    If you know that all of the objects (user, groups, etc.) exist under one OU structure hierarchy, it is fine to just filter based on OU. This is a simple and great scenario with little to no maintenance, but most organizations do not fall into this category, except for very specific scenarios and/or applications.

    Second Approach:
    Now, if the above is not the case and you have objects scattered about in different OU structures throughout your directory tree, like most organizations, then you are better off creating a security group, dropping in the users that you want to grant access to the application, and then creating your LDAP filter based on this new group.

    This makes it easier from a maintenance perspective as well, since you don't have to worry about whether or not all objects reside in the OU structure you are pointing at; instead, you just need to make sure all of your users are members of the appropriate security group granting access to the application.

  • sjsueztech

    I should have watched the video previously; I just got a chance. The answer to Sean Douglas is: it depends.

    If you have a cap on the number of Office 365 licenses, or on your other application you are integrating into AD, then you may want to filter based on security group, since you can granularly control access to the application based on what you explicitly synchronize between Azure and your on-premises AD. Otherwise, if you have no licensing or other security requirements that would prevent you from using an entire OU to synchronize accounts, you can use the OU path to synchronize accounts.

    Hope this answers your questions.
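
The two scoping approaches from the replies above, written out as an added PowerShell example (this is not code from the thread or from Azure AD Connect itself). It assumes the RSAT ActiveDirectory module is available, and the OU and group distinguished names are placeholders to replace with your own. Beyond what the replies describe, it also performs the check an administrator wants before cutting over to a group filter: listing enabled users that fall outside the sync group and would therefore drop out of scope.

```powershell
# Added example: compare OU-based and group-based sync scoping, then find
# enabled accounts that a group filter would leave out.
Import-Module ActiveDirectory

# Placeholder values (assumed, not from the thread): your sync OU and sync group.
$SyncOu    = 'OU=CloudUsers,DC=contoso,DC=com'
$SyncGroup = 'CN=AzureAD-Sync,OU=Groups,DC=contoso,DC=com'

# LDAP matching-rule OID 1.2.840.113556.1.4.803 is a bitwise AND; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so this clause selects enabled accounts.
$Enabled  = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$UserOnly = '(objectCategory=person)(objectClass=user)'

# First approach: OU filtering. Everything under the OU is in scope, so the
# search base alone defines the sync boundary.
$InOuScope = Get-ADUser -SearchBase $SyncOu -SearchScope Subtree `
    -LDAPFilter "(&$UserOnly$Enabled)"

# Second approach: group filtering. Scope is defined by direct membership of
# one security group. Azure AD Connect group filtering does not expand nested
# groups, so -Recursive is deliberately not used here.
$InGroupScope = Get-ADGroupMember -Identity $SyncGroup |
    Where-Object objectClass -eq 'user' |
    Get-ADUser |
    Where-Object Enabled

# Pre-cutover check: enabled users anywhere in the domain that are NOT direct
# members of the sync group. With a group filter these would silently
# disappear from Azure AD scope.
$DomainDn   = (Get-ADDomain).DistinguishedName
$NotInGroup = Get-ADUser -SearchBase $DomainDn -SearchScope Subtree `
    -LDAPFilter "(&$UserOnly$Enabled(!(memberOf=$SyncGroup)))"

# Users the OU filter would sync but the group filter would not.
$OuOnly = Compare-Object -ReferenceObject @($InOuScope) -DifferenceObject @($InGroupScope) `
    -Property DistinguishedName |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty DistinguishedName

'{0} enabled users in OU scope, {1} in group scope, {2} enabled users outside the group' -f `
    @($InOuScope).Count, @($InGroupScope).Count, @($NotInGroup).Count

'Users in OU scope but not in the sync group:'
$OuOnly | Sort-Object
```

Run this with an account that can read the directory before changing the connector's filtering; the last two lists are the accounts that need to be added to the sync group (or consciously left out) so that the cutover does not remove anyone unexpectedly.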

  • Michael House

    Say we have a user that is no longer with the company, and we disable their account or delete the account. Will replication then remove the account from Azure?
