Integrating Your On-Premises Active Directory with Azure Active Directory


The Discussion

  • Sean Douglas

    Would you consider it a best practice to limit the objects that are synchronized using the OU or Group filter? In your video you sync the entire directory; however, this could be problematic, and cleaning things up after a botched sync is tough.

  •

    I wanted to try and answer the question with regard to whether to use an OU or Group filter. I have run into this in practice and below are my thoughts.

    First Approach:
    If you know that all of the objects (user, groups, etc.) exist under one OU structure hierarchy, it is fine to just filter based on OU. This is a simple and great scenario with little to no maintenance, but most organizations do not fall into this category, except for very specific scenarios and/or applications.

    Second Approach:
    Now, if the above is not the case and you have objects scattered about in different OU structures throughout your directory tree, like most organizations, then you are better off creating a security group, dropping in the users that you want to grant access to the application, and then creating your LDAP filter based on this new group.

    This makes it easier from a maintenance perspective as well, since you don't have to worry about whether or not all objects reside in the OU structure you are pointing at; instead, you just need to make sure all of your users are members of the appropriate security group granting access to the application.

  •

    I should have watched the video previously; I just got a chance. The answer to Sean Douglas is: it depends.

    If you have a cap on the number of Office 365 licenses or your other application you are integrating into AD, then you may want to filter based on security group, since you can granularly control access to the application based on what you explicitly synchronize between Azure and your on-premises AD. Otherwise, if you have no licensing or other security requirements that would prevent you from using an entire OU to synchronize accounts, you can use the OU path to synchronize accounts.

    Hope this answers your questions.
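    The two replies above both come down to previewing scope before you sync. As an added example (not from the video or from any of the commenters), the PowerShell below, using the RSAT ActiveDirectory module, enumerates the users an OU-based filter and a group-based filter would each put in scope and shows which accounts differ, so a bad filter choice is caught on-premises before Azure AD Connect ever exports it. The OU path, group name and domain components are placeholders, not values from the page.

```powershell
# Added example: preview which users an OU-based vs. a group-based filter would
# bring into scope before you configure Azure AD Connect filtering.
# Requires the RSAT ActiveDirectory module. OU, group and domain are assumed placeholders.
Import-Module ActiveDirectory

$SyncOu    = 'OU=CloudUsers,DC=corp,DC=example'   # assumed OU for the "first approach"
$SyncGroup = 'AzureAD-Sync-Users'                  # assumed security group for the "second approach"

# First approach: every user object under one OU subtree. Enabled is pulled so
# you can see how many stale (disabled) accounts would ride along with live ones.
$ouUsers = Get-ADUser -SearchBase $SyncOu -SearchScope Subtree -Filter * -Properties Enabled

# Second approach: membership in one security group, resolved recursively via the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so that
# members of nested groups are counted, not only direct members.
$groupDn  = (Get-ADGroup -Identity $SyncGroup).DistinguishedName
$ldap     = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$grpUsers = Get-ADUser -LDAPFilter $ldap -Properties Enabled

'OU filter   : {0} users ({1} disabled)' -f @($ouUsers).Count,  @($ouUsers  | Where-Object { -not $_.Enabled }).Count
'Group filter: {0} users ({1} disabled)' -f @($grpUsers).Count, @($grpUsers | Where-Object { -not $_.Enabled }).Count

# Users the group filter would sync that live OUTSIDE the OU: these are the
# "scattered" objects the second approach exists to catch. Review this list
# (and the reverse one) before enabling the sync, not after.
Compare-Object -ReferenceObject @($ouUsers) -DifferenceObject @($grpUsers) -Property DistinguishedName |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Select-Object -ExpandProperty DistinguishedName
```

    One caveat for the Azure AD Connect case specifically: Microsoft documents the built-in group-based filtering option as intended for pilot deployments, so for production the OU filter (optionally combined with custom synchronization rules) is the supported long-term choice; the group approach described above still works well for scoping access to individual applications.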

  • Michael House

    Say we have a user that is no longer with the company, and we disable their account or delete the account. Will replication then remove the account from Azure?

  •

    This reminds me of the old Steve Martin routine - on how to make a million dollars and never pay taxes - first get a million dollars and then... Why would you skip the part about setting up the domain in azure?
