A Solutions Guide to New Directory Synchronization Capabilities Offered in On Demand Migration Support for Active Directory.
MIGRATION
Richard Dean
6/3/2022, 9 min read


Comprehensive, secure and scalable directory synchronization services are essential for every organization conducting M&A projects or establishing long-term coexistence between separate Microsoft 365 tenancies and/or Active Directory (AD) Forests.
Modern directory synchronization solutions must provide capabilities that extend services beyond on-premises directories and into the cloud with Azure Active Directory (AAD). Contemporary migration projects have complex Identity and Access Management (IAM) schemes that include a mix of hybrid, cloud and on-premises objects. In addition, hybrid organizations will also have other directory synchronization technologies in place, such as Azure AD Connect, that must be taken into consideration when deploying multiple solutions to manage different use cases.
Other organizations may find the need to maintain separate tenancies for their user populations due to requirements like data sovereignty, regional administration or financial constraints. In these multitenant management scenarios, administrators may need to maintain different populations, such as users, guests, contacts and groups, across many directories. The goal is to provide seamless access across security boundaries while also providing an anchor or central location to manage the one identity that lives in many places. For example, let’s assume the following requirements for a long-term directory synchronization scenario:
• Enterprise Organization with a central Microsoft 365 tenant where most users and groups reside.
• This Enterprise also manages four additional Microsoft 365 tenants in different locations around the globe.
• Each tenant must have a Mail Contact synchronized to every tenant representing every mail-enabled user and group, so that each set of users in each tenant may see the other users’ contact information in the Global Address List, including their most current personal contact information.
• However, some of these users can’t be represented by a Mail Contact because they will require Guest access to remote resources in the cross-tenant(s). The Guest account must also be displayed in the Global Address List in Exchange Online with all the user’s pertinent personal information details (such as title, phone, business unit, etc.) present.
• An even smaller percentage of accounts with elevated access will require a Hybrid User account to be synchronized to each local Active Directory Forest, to maintain central management of all elevated identities and to assign various administrator roles to these identities to manage those systems. These users must also be hidden from the Exchange Online Global Address Lists.
• The Enterprise’s central Microsoft 365 tenant is considered the authoritative source for all IAM activities. That is, if an identity or group is created, modified or deleted, those changes are propagated throughout the other directories to maintain security, access and coexistence.
Integrating IAM systems in the described scenario cannot be managed effectively by scripts or by traditional commercial off-the-shelf (COTS) software.
Quest On Demand Migration Support for Active Directory with Directory Synchronization
Before reviewing the common and supplemental use cases, get familiar with the new On Demand Migration Directory Synchronization functionality by examining the following section.
Capabilities
• Sync between multiple Active Directory (Local) environments — Build workflows to keep on-premises ADs in continuous sync, including user passwords and SID History.
• Sync between multiple Azure Active Directory (Cloud) environments — Build workflows to have Azure ADs in continuous sync, including Teams, Office 365 Groups and their membership.
• Sync from Local to Cloud environment — Build workflows to move objects between on-premises and cloud directories.
• Sync from Cloud to Local environment — Build workflows to move objects between the cloud and on-premises directories.
• Mesh Synchronization between multiple environments — Build complex workflows to maintain continuous cross-directory synchronization.
Features
Customizable Workflow Management — Tailor each step and place them in the order needed to meet the project requirements. With an easy drag and drop interface, you can build workflows in minutes.
Complete Object Lifecycle Management — Maintain current account procurement and management practices where new hires, leavers and renames are automatically propagated to matching accounts across environments, both in the cloud and on-premises.
Attribute Synchronization and Transformation — Maintain continuous attribute synchronization and transform attribute values to meet the target environment’s standards and practices. Reorganize and restructure Active Directory hierarchy during transition and integration.
Active Directory Password Sync — Near Real Time (NRT) synchronization of updated passwords with the option to allow changes from any environment to propagate to others.
Active Directory SID History Migration — Prepare Active Directory for coexistence by migrating an account’s SID History to the target directory, so that when a trust is established, users may continue to access their shared files and resources.
Benefits
No Servers to Build
No Databases to Install
No Software to Install for Cloud Endpoints
No Network Connectivity Required
Deploy up to five Local Agents for Scalability
Comes with the On Demand Management Suite with Migrations, T5 Subscription Plan
What are the two most common use cases for directory synchronization?
The need for Directory Synchronization Services was born from M&A activity. Any time an organization is moving, consolidating or divesting all or part of its business to another organization, there will be a time when all accounts, groups and security will need to be created in the new destination. However, simply creating new accounts or groups isn’t enough, and it creates its own set of new problems to contend with, such as how to manage new hires while this process is in place. That is just one small example of why simply creating new accounts and groups in the destination will not suffice, and why a complete synchronization solution is required to maintain IAM systems throughout the project.
Short-Term Coexistence
Integrating directories during different migration projects is the most common use case for temporary directory synchronization solutions. On Demand Migration with Directory Sync supports the following migration project types:
Tenant-to-Tenant Migrations
Active Directory Migrations
Exchange On-Premises-to-Exchange On-Premises Migrations
Exchange On-Premises-to-Exchange Online Migrations
Long-Term Coexistence
Integrating directories to maintain long-term collaboration and coexistence for users and resources is the second most common use case for deploying directory synchronization services.
What supplemental use cases can directory synchronization solve?
Beyond the core value that directory synchronization services provide, there are additional edge cases that it can easily be applied to. The following section outlines a listing of additional features, functions and capabilities that On Demand for Active Directory with Directory Synchronization delivers.
Migrations
One-Time Identity and Access Migrations
That is right: migrations. Most often when directory synchronization is thought of, continuous activity is envisioned where objects are being updated constantly due to normal business operations. However, that is not the only way to utilize directory sync technology to fill operational gaps. In this section, let’s explore some simple example use cases to get more familiar with this concept.
Migration of Groups & Membership – Most administrators, at one time or another, will find themselves with a task to move, duplicate or copy a set of groups and their members from one location to another. For example, an administrator is deploying an application to a new environment for development and testing purposes. To manage access, the administrator wants to duplicate a set of existing security groups with their existing members into the other environment to get things started. Afterwards, the new security group will be managed from the new environment. Directory Sync is a perfect solution for simply duplicating the security group and setting the membership so that users may begin providing feedback on the test application immediately.
Copying Objects from the cloud to on-premises – There is one sure thing with migration projects: one never knows what may come up. Take this divestment project as an example. An organization was divesting a subset of resources from their cloud-only Microsoft 365 tenant to a Hybrid deployment of Microsoft 365. The challenge was to migrate those objects from the cloud with all their relevant attributes set to meet on-premises Active Directory standards, and also to allow Exchange on-premises mailbox users to see the new users in the global address list (GAL). In addition, once the new objects were migrated to the local AD, those objects then had to be brought into scope with Azure AD Connect (AADC) to synchronize to the new destination tenant and be licensed in preparation for data migrations. With Directory Synchronization services, it’s easy to build a simple workflow to execute once to prepare and migrate those objects to meet the new directory standards and criteria. The alternative is to script a solution using MS PowerShell, because there is no native method to solve this problem.
Copying objects from on-premises to the cloud – This example centers around an organization that already has Azure AD Connect configured with their on-premises Active Directory, but in this case, needs to copy the same objects to an existing cloud-only tenant to prepare to divest those resources. They can’t use Azure AD Connect because it is already attached to their production AD and those users are active in the current tenant. Therefore, this organization requires a solution that can quickly and easily copy on-premises Active Directory objects to Azure AD for preparation of the coming migration activities.
Guests
Provisioning Business-to-Business (B2B)
Guest Accounts
Guest accounts are quickly becoming a staple to managing external access to internal resources, which means these accounts are a critical component to establishing rich coexistence during migration projects. Typically, during these projects, either the user objects or mail contacts are created in a corresponding tenant to facilitate address list personal contact information. However, with the advent of Guest accounts, there is now a new need to identify which users should be granted additional access before their migration is conducted and to utilize guest accounts to facilitate that access. This may include early teams that are involved in the planning of M&A activities and need to share resources easily and quickly through Teams and SharePoint Online. With this new option in coexistence, administrators need an easy way to manage the bulk provisioning of these accounts. They’ll need a method to create the new accounts based on existing users who were defined as requiring additional access, all while maintaining their current personal contact information. This is where directory synchronization services can help. The following outlines two additional capabilities currently available that can assist administrators with managing how different sets of objects get created and when.
Sending Bulk Guest Invitations – Directory Sync has many different options for creating objects such as users, groups and teams to meet the needs of contemporary directory integration projects. One such option is the ability to choose to create a B2B guest user account (State 1) in Azure AD. The creation of the account will trigger the invitation, which will be sent to the source user being invited to the new target tenant. Once the source user accepts the invite, they’ll have the ability to access the target tenant resources that they have been granted access to.
Creating Bulk Guest Users – Another type of guest user account is one where no invitation is sent and the new account’s password is managed by the target tenant administrators (State 4). In other words, these types of guests are homed in the host organization’s Azure AD with the UserType Guest and the host organization manages credentials. This is the second option for creating guest accounts using Directory Sync.
Conversions
Converting Groups
The next set of capabilities centers around the transformation of group types to meet the target environment requirements. These features manage what type of group will be created in the target environment when executed. And with continuous sync, their membership changes will continue to update.
Converting Groups to an Office 365 Group – This option allows the administrator to sync any distribution list or security group from the source to the target as an Office 365 Group, all while maintaining membership and attributes.
Converting Groups to a Distribution List – This option allows the administrator to sync any distribution list, security group or Office 365 Group from the source to the target as a distribution list group, all while maintaining membership and attributes.
Converting Groups to Contacts – This option allows administrators to create mail-enabled contacts or pointers in one directory so that users can send email to the mail-enabled group, but the group remains in the source environment.
Converting Office 365 Groups to Teams – This option allows administrators to create a new Team in the target tenant based on the source Office 365 Group. Membership and corresponding attributes will be synchronized.
What future use cases will be solved with directory synchronization?
Directory Sync, within On Demand Migration support for Active Directory, is a key solution for properly integrating directories for migrations or long-term management. Future investments, such as those listed below, are planned for Directory Sync:
Converting Mail Contacts to Users to prepare for migrations – Often, organizations have already established GAL sync using Mail Contacts prior to deploying any directory synchronization services. In these cases, the directory synchronization solution must be able to match or pair these objects together; then when the time is needed, create a new user to take the place of the previous mail contact and carry over all the previous attributes, such as proxy address, department or display name, so that GAL sync continues to operate as it did before and migrations can begin for that account.
More Granular Cloud Environment Filters based on Attributes – To better support divestment projects, On Demand Migration will continue to expand upon options to filter what is not required for a particular Azure AD workflow.
These new options will increase workflow performance by reducing the total dataset and will ensure the objects that should be synchronized are the only ones that can be read.
Learn More
If you would like to learn more about On Demand Migration support for Active Directory with Directory Sync, or any of our hybrid, cloud and on-premises solutions, please visit us at https://www.quest.com/products/on-demand-migration/.
How can I try it?
If you want to schedule a demonstration or trial, please contact your sales representative today.