
Azure AD ImmutableID

Hi,

we are running our MS Azure environment in a hybrid mode, meaning that our on-prem MS AD account GUID should be linked with the MS Azure AD account ImmutableID attribute.

We are right now discussing whether we should continue to use AD Connect to synchronize on-prem AD accounts to the Azure domain, or whether we should use IAM functionality to generate the AAD account. In the second case it would be easier for us (no process has to wait and check until the AAD account has been generated), and we could turn off AD Connect, but we would have to set the ImmutableID attribute correctly.

Has anybody solved this kind of issue? Any recommendations / feedback / lessons learned?

Thank you

CU all

Wolfgang

  • Hi Wolfgang, thanks for your question. We actually have customers who use both methods: some use AD.Connect whilst others use Identity Manager itself, for the reasons you mention: more control, more configuration, the ability to tailor the implementation exactly to your needs. In the early days AD.Connect was not that great (the scheduling wasn't great, for one thing), but things have improved over time for sure. As I mentioned, we have customers who are mastering the immutable ID themselves.

    Best,
    PaulW
  • Hi Paul,
    thanks for your fast reply. Just one technical question: if I understood it right, the on-prem AD account GUID will be "translated" and used as the ImmutableID in the Azure account. Only if this is done will the SSO functionality between on-prem AD and Azure work.

    Right now we have found no functionality/parameter in the process of generating an AAD account to set the ImmutableID. Do you know how this has to be done?

    Thanks so much
    CU

    Wolfgang
  • Hi Wolfgang, of course, our AAD connector module uses the MSFT Graph API and this API exposes this particular attribute. The Graph API has supported it since this release from 2013. Take a read of the link below. I'm not in a position to open up a virtual image right now to check our schema/process chains, I'm afraid.

    blogs.msdn.microsoft.com/.../
  • Version 7.1.1: Check the AADUser.OnPremImmutableId column
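The "translation" asked about in the thread is the value Azure AD Connect writes by default: the 16 raw bytes of the on-prem objectGUID, base64-encoded in the .NET Guid byte layout. The example below is added here and is not code from the thread or from the vendor's connector; it derives that value, reverses it so a cloud account can be checked against its on-prem object, and builds the Graph API body. The Graph property name onPremisesImmutableId and the sample GUID are assumptions.

```python
import base64
import json
import uuid


def object_guid_to_immutable_id(object_guid: str) -> str:
    """Derive the ImmutableID that Azure AD Connect would set for an on-prem user.

    AD Connect base64-encodes the 16 raw bytes of objectGUID in the .NET
    Guid.ToByteArray() layout (first three fields little-endian), which is
    what uuid.UUID.bytes_le produces. Encoding the RFC 4122 big-endian
    order instead yields a different string, and the cloud account will
    not match the on-prem object.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_object_guid(immutable_id: str) -> str:
    """Reverse the mapping, e.g. to see which on-prem object a cloud user is bound to."""
    raw = base64.b64decode(immutable_id, validate=True)  # raises ValueError on bad base64
    if len(raw) != 16:
        raise ValueError("ImmutableID is not a base64-encoded 16-byte objectGUID")
    return str(uuid.UUID(bytes_le=raw))


def is_bound_to(object_guid: str, immutable_id: str) -> bool:
    """True when the cloud account's ImmutableID refers to this on-prem objectGUID."""
    try:
        return immutable_id_to_object_guid(immutable_id) == str(uuid.UUID(object_guid))
    except ValueError:
        return False  # self-mastered or malformed value; it cannot match this GUID


def graph_user_patch(object_guid: str) -> str:
    """JSON body for a Graph API PATCH on the user resource, setting the derived value.
    The property name onPremisesImmutableId is assumed from the Graph user schema."""
    return json.dumps({"onPremisesImmutableId": object_guid_to_immutable_id(object_guid)})


if __name__ == "__main__":
    # Constructed sample objectGUID, not a real directory object.
    sample = "000000ff-0000-0000-0000-000000000000"
    iid = object_guid_to_immutable_id(sample)
    print(iid)  # "/w" followed by 20 "A"s and "==": the 0xff byte is encoded first
    print(immutable_id_to_object_guid(iid))  # round-trips to the sample GUID
    print(graph_user_patch(sample))
```

If a cloud account was created by IAM with a hand-set ImmutableID, `is_bound_to` is the check to run before re-enabling any synchronization, since a mismatch means a duplicate rather than a matched account.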