Managing synced AD users from Azure - switching to Azure

    Question

  • Hi,

Currently we have synced user accounts to Azure AD. We had some bad experiences with the DirSync server crashing and having to be rebuilt again.

    We have a requirement to change or remove the dependency on DirSync and to continue to manage synced user accounts from Azure AD, or how to convert synced users to managed by Azure without losing current settings.

    Please let me know the approach to follow. What I understand is that the immutable ID will be linked with the on-prem ID; will it cause any issue if we convert?

    Thanks

    Ragav

    Thursday, March 09, 2017 6:49 AM

Answers

  • DirSync is quite an old technology. Have you tried the newer Azure AD Connect instead? Maybe you have a better experience with the new sync engine. In general, if you still have an on-prem environment it is still recommended to sync your identities so your users have the same password on-prem and in the cloud and you only have to manage your users in one place.

    If you still want to disable sync and start managing your users directly in Azure AD, then use the PowerShell cmdlet Set-MsolDirSyncEnabled to disable the feature. The cmdlet takes a while to run since every object must be touched. As a rule of thumb, estimate that about 2000 objects/hour can be processed.

    ImmutableID is only needed if you still use federation for authentication. If you are not, the attribute is still populated in Azure AD, but it does not serve any use. The important attribute is the one that says if the object is managed in the cloud or on-prem.

    Thursday, March 09, 2017 8:40 AM
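The answer above names three things to look at before turning sync off: whether the tenant is still syncing, whether any domain is still federated (so ImmutableID still matters), and which objects are cloud-managed versus on-prem-managed. The following script is an added example, not code from the thread or from Microsoft; it assumes the MSOnline module is installed and the caller has tenant admin rights. The `-DisableSync` switch is this script's own convention: without it the script only reports, and the real disable step (the `Set-MsolDirSyncEnabled` cmdlet Andreas mentions) is not run. Using `LastDirSyncTime` as the marker of an on-prem-managed object is an assumption about which attribute he means.

```powershell
# Added example (not from the thread). Assumes the MSOnline module and a
# tenant admin account. Read-only checks run first; the disable call runs
# only when -DisableSync is passed explicitly.
param(
    [switch]$DisableSync   # hypothetical switch for this script; omit it to only report
)

Import-Module MSOnline
Connect-MsolService    # interactive sign-in

# 1. Is directory sync currently on for the tenant, and when did it last run?
$company = Get-MsolCompanyInformation
"DirectorySynchronizationEnabled : $($company.DirectorySynchronizationEnabled)"
"LastDirSyncTime                 : $($company.LastDirSyncTime)"

# 2. Which domains are still federated (ADFS)? Users in those domains still
#    need ImmutableID populated to sign in.
Get-MsolDomain | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# 3. How many users were ever synced from on-prem vs. created in the cloud?
#    (Assumption: LastDirSyncTime is non-empty only for synced objects.)
$users  = Get-MsolUser -All
$synced = @($users | Where-Object { $_.LastDirSyncTime })
$cloud  = @($users | Where-Object { -not $_.LastDirSyncTime })
"Synced users    : $($synced.Count)"
"Cloud-only users: $($cloud.Count)"

# 4. Synced users with an empty ImmutableId would fail federated sign-in once
#    the sync engine is no longer there to populate it; list them for review.
$synced | Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) } |
    Select-Object UserPrincipalName, LastDirSyncTime

# 5. Only now, and only on request, turn sync off. The roughly 2000 objects/hour
#    rule of thumb from the answer applies to the tenant-side processing.
if ($DisableSync) {
    Set-MsolDirSyncEnabled -EnableDirSync $false
}
```

Run it once without `-DisableSync`, read the domain table and the empty-ImmutableId list, and only then decide whether disabling sync is safe; the tenant-side conversion is slow and is not something to kick off while ADFS-federated users still lack the attribute.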

All replies

  • Thanks Andreas, this was quite informative, but we also upgraded some time back to the new Azure AD Connect. Moreover, the organization's objective is to remove the dependency on on-prem for any sync or connectivity, and yes, we use ADFS here, where the immutable ID is a must.

    So after I turn off Azure AD Connect by disabling sync, will the immutable ID still be the same as my on-prem AD, or will it switch over to an Azure immutable ID? If so, will users be able to log in and access their mailboxes, since at this point in time the immutable ID is still associated with my on-prem AD?



    Ragav

    Wednesday, March 22, 2017 1:25 AM
  • The immutableID will be left unchanged. As long as you have ADFS you need this attribute populated. Without the sync engine you need to populate this attribute for new users. You have to move from ADFS to cloud passwords before you no longer have a dependency on on-prem. But the switch itself does not impact the immutableID attribute.
    Wednesday, March 22, 2017 2:53 PM
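The last reply says that with sync off, ImmutableID has to be populated by hand for any new user who still signs in through ADFS. The script below is an added example, not code from the thread; it assumes the ActiveDirectory and MSOnline modules, an on-prem user and a cloud user sharing the same UPN, and that ADFS issues the ImmutableID claim as the base64 form of the on-prem objectGUID (the value the sync engine itself would have written). It refuses to overwrite an ImmutableID that is already set to something else, since that would silently break an existing federated mapping.

```powershell
# Added example (not from the thread). Assumes ActiveDirectory and MSOnline
# modules, and that ADFS issues the base64 objectGUID as the ImmutableID claim.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName   # e.g. user@example.com (placeholder)
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# Look up the on-prem object; objectGUID is the source of the ImmutableID value.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties ObjectGUID
if (-not $adUser) { throw "No on-prem user found for $UserPrincipalName" }

# Same encoding the sync engine uses: base64 of the raw 16-byte GUID.
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($cloudUser.ImmutableId -eq $immutableId) {
    "ImmutableId already matches the on-prem objectGUID; nothing to do."
} elseif ($cloudUser.ImmutableId) {
    # A different populated value means an existing mapping; do not clobber it.
    throw "ImmutableId is already set to a different value; review before changing it."
} else {
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $immutableId
    "ImmutableId set to $immutableId"
}
```

One caveat from practice: the service may refuse to update ImmutableId on a user whose UPN is in a federated domain, and the usual workaround is to temporarily move the UPN to the tenant's onmicrosoft.com domain, set the attribute, then move it back. That is exactly the kind of manual step the reply is warning you will inherit once the sync engine is gone.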