Many of our Identity Management customers have a Microsoft environment consisting of Microsoft Active Directory and complementary components such as Microsoft Exchange, Lync, SQL Server, etc. Many of these customers have adopted, or are in the process of adopting, Microsoft's Office 365 platform (O365). Adopting O365 allows companies to move some of these components to the cloud.
Microsoft provides a technology called DirSync (which is currently being replaced by Azure Connect), which allows you to sync accounts in AD to the cloud platform so that users have a single identity between the cloud and on-premise world.
By itself this functionality does not go far enough to address the needs of larger customers who need to manage thousands of users, integrate various other technologies and conform to corporate policies. Some of the challenges are listed below. You will find that some of these issues may not be relevant to your environment as this will depend on the components of the Microsoft stack which are being used and how the synchronization between AD and O365 has been enabled.
For new users (Joiners) and existing users, consider:
- Syncing accounts from on-premise AD to the O365 tenant
- Does the user get an on-premise mailbox or one in the cloud?
- If on-premise, do we still want to sync to the cloud as a backup mailbox?
- Being able to switch existing users from on-premise to cloud
- Resource mailboxes (room, equipment, etc.) on-premise or in the cloud
- Creating a secondary mailbox in the cloud for users who may have a primary mailbox on-premise
- Show in Global Address List (GAL) or not?
- On-premise home folder vs OneDrive for Business or both
- Office 365 subscription management
- If you pick an E3 subscription, should the user be entitled to all the functionality included in an E3 subscription?
- Are there other O365 services like CRM Online which are available to some users?
- Mobile Device Management - On-premise vs Intune (Cloud)
To enable deprovisioning users (Leavers), consider:
- Disabling the account in Active Directory
- If on-premise mailbox, then disable the mailbox per policies
- If it's a cloud mailbox, then set cloud-related policies such as the retention period
- Disabling from the GAL
If this process is not governed by a flexible automated solution, the administrative overhead must also be factored in, and it will be both time consuming and potentially error prone.
The rest of this article describes how the OpenIAM Identity Manager was used to address these challenges at a large customer. In this case, the organization:
- Has users which are geographically distributed
- Was moving from Exchange Online to O365, but both environments had to be supported
- Needed to support both automated provisioning and deprovisioning from a source system and management of users from the UI
As indicated earlier, when companies adopt O365, they have a choice:
- Manage the two environments separately and use some technology other than DirSync to sync accounts
- Use DirSync or Azure Connect to sync the identities between the on-premise and cloud environments
For companies which have a significant number of users and investment in developing a robust on-premise solution, using the DirSync technology makes sense as a starting point. This decision was made and implemented before deciding to leverage the existing enterprise IdM solution to gain control over the challenges listed above. The resulting architecture is shown below.
In the architecture above users can be created, updated, or terminated from three different locations:
- HR system which will be processed by the automated provisioning functionality
- Administration interface where admins can create, update or terminate users
- End users who may make changes through self-service
Assuming that we have a new user in the HR system, then that event will be sent to IdM and passed to the provisioning service where the following will occur:
- Provision the account in AD
- Determine whether the person gets an on-premise mailbox or a cloud mailbox
- If it's a cloud mailbox, then set the attributes in AD that tell DirSync this user needs a cloud account
- DirSync then runs at its regular interval and syncs the user to the cloud
After DirSync runs, you will see the user in the O365 Admin console. However, the user will not be licensed.
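The joiner steps above, written out as an added PowerShell example (this is not OpenIAM's connector code). It assumes an Exchange hybrid deployment where the ActiveDirectory module, the on-premise Exchange Management Shell (Enable-Mailbox / Enable-RemoteMailbox) and the MSOnline module (with Connect-MsolService already run) are loaded; the routing domain, database name and user details are placeholders. Enable-RemoteMailbox is what stamps the AD object with the attributes DirSync carries to the tenant, and the wait function exists because the user is not in the tenant until the next sync cycle.

```powershell
# Added example (not OpenIAM's connector code): joiner flow for one new user in
# an Exchange hybrid deployment. Assumes the ActiveDirectory module, the
# on-premise Exchange Management Shell and MSOnline (Connect-MsolService already
# run) are loaded. Routing domain, database and user details are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for the one-time password generator

function New-HybridJoiner {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [ValidateSet('Cloud', 'OnPremise')] [string] $MailboxLocation,
        [string] $OnPremDatabase = 'MBX-DB01',                     # placeholder
        [string] $RoutingDomain  = 'contoso.mail.onmicrosoft.com', # placeholder
        [bool]   $ShowInGal      = $true
    )

    # 1. Provision the AD account. The initial password is generated per user and
    #    delivered out of band; the user must change it at first logon.
    $oneTime = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
        -GivenName $GivenName -Surname $Surname -UserPrincipalName $Upn `
        -AccountPassword (ConvertTo-SecureString $oneTime -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # 2. Mailbox placement. Enable-RemoteMailbox stamps targetAddress and
    #    msExchRemoteRecipientType on the AD object; DirSync (or Azure AD Connect)
    #    carries those to the tenant so Exchange Online creates the mailbox there.
    #    Enable-Mailbox creates the mailbox on-premise instead.
    if ($MailboxLocation -eq 'Cloud') {
        Enable-RemoteMailbox -Identity $SamAccountName `
            -RemoteRoutingAddress "$SamAccountName@$RoutingDomain" | Out-Null
    }
    else {
        Enable-Mailbox -Identity $SamAccountName -Database $OnPremDatabase | Out-Null
    }

    # 3. GAL visibility is the same AD attribute in both cases.
    Set-ADUser -Identity $SamAccountName `
        -Replace @{ msExchHideFromAddressLists = (-not $ShowInGal) }
}

function Wait-TenantUser {
    # Poll the tenant until the synced object appears, or give up. DirSync ran
    # every 3 hours by default and Azure AD Connect every 30 minutes, so the
    # licensing step must never assume the user already exists in the tenant.
    param([Parameter(Mandatory)] [string] $Upn, [int] $TimeoutMinutes = 200)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $u = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
        if ($u) { return $u }
        Start-Sleep -Seconds 120
    } while ((Get-Date) -lt $deadline)
    throw "User $Upn was not synchronised to the tenant within $TimeoutMinutes minutes"
}

# Constructed usage: an HR joiner event for a user who gets a cloud mailbox.
New-HybridJoiner -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' `
    -Upn 'jdoe@contoso.com' -MailboxLocation 'Cloud' -ShowInGal $true
$synced = Wait-TenantUser -Upn 'jdoe@contoso.com'
"Synced: $($synced.UserPrincipalName), licensed: $($synced.IsLicensed)"
```

The last line illustrates the point of the paragraph above: once the object has synced, IsLicensed is still false, which is the gap the licensing step has to close.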
To automate this functionality, the OpenIAM O365 Licensing utility was enabled to run right after the DirSync process. The license utility would use the entitlement information associated with the user to do the following:
- Add the appropriate type of O365 subscription - E1, E3, E5, etc.
- Activate the specific functionality within the subscription type based on a person’s entitlements
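An added example of the two licensing steps just listed, in PowerShell; it is not OpenIAM's licensing utility. It assumes the MSOnline module with Connect-MsolService already run, that the tenant prefix and the entitlement names are placeholders for whatever the IdM stores, and that service plan names (EXCHANGE_S_ENTERPRISE, SHAREPOINTENTERPRISE, MCOSTANDARD) are the ones listed by Get-MsolAccountSku for your own SKU. Every plan the person is not entitled to is disabled explicitly, and UsageLocation is set first because license assignment fails without it.

```powershell
# Added example (not OpenIAM's licensing utility): assign the O365 subscription
# that matches a person's entitlement and enable only the service plans they are
# entitled to. Assumes MSOnline is loaded and Connect-MsolService has been run.
Import-Module MSOnline

# Entitlement -> AccountSkuId. "contoso" is a placeholder tenant prefix;
# Get-MsolAccountSku lists the real AccountSkuId values for your tenant.
$SkuByEntitlement = @{
    'O365-E1' = 'contoso:STANDARDPACK'
    'O365-E3' = 'contoso:ENTERPRISEPACK'
    'O365-E5' = 'contoso:ENTERPRISEPREMIUM'
}

function Set-EntitledLicense {
    param(
        [Parameter(Mandatory)] [string]   $Upn,
        [Parameter(Mandatory)] [string]   $SubscriptionEntitlement,  # e.g. 'O365-E3'
        [string[]] $EnabledPlans  = @(),   # service plans the person is entitled to
        [string]   $UsageLocation = 'US'   # required before any license can be assigned
    )
    $skuId = $SkuByEntitlement[$SubscriptionEntitlement]
    if (-not $skuId) { throw "No SKU mapped for entitlement '$SubscriptionEntitlement'" }

    # Refuse rather than silently over-allocate when the subscription is exhausted.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $skuId }
    if (-not $sku) { throw "SKU $skuId is not present in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    $user = Get-MsolUser -UserPrincipalName $Upn
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation
    }

    # Derive the disabled list from the SKU itself so a new plan Microsoft adds
    # to the subscription stays off until someone grants an entitlement for it.
    $allPlans = $sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }
    $disabled = @($allPlans | Where-Object { $EnabledPlans -notcontains $_ })
    $options  = New-MsolLicenseOptions -AccountSkuId $skuId -DisabledPlans $disabled

    if ($user.Licenses.AccountSkuId -contains $skuId) {
        # Already licensed: only the enabled/disabled plan set changes.
        Set-MsolUserLicense -UserPrincipalName $Upn -LicenseOptions $options
    }
    else {
        if ($free -le 0) { throw "No free units left for $skuId; cannot license $Upn" }
        Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $skuId -LicenseOptions $options
    }
    return (Get-MsolUser -UserPrincipalName $Upn).Licenses
}

# Constructed usage: an E3 user entitled to mail, SharePoint and Lync only.
Set-EntitledLicense -Upn 'jdoe@contoso.com' -SubscriptionEntitlement 'O365-E3' `
    -EnabledPlans 'EXCHANGE_S_ENTERPRISE', 'SHAREPOINTENTERPRISE', 'MCOSTANDARD'
```

Computing the disabled plans from the SKU rather than from a hard-coded list is the defensive choice: it keeps an E3 user from quietly picking up services nobody approved, which is the question raised in the considerations list earlier.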
When events are triggered from the HR system, all of the above functionality is handled through business rules and PowerShell connectors.
For administrators, the objective was to provide an all-inclusive interface where administrators could seamlessly manage both the on-premise infrastructure and the cloud infrastructure without accessing the O365 admin portal.
To achieve this, parts of the user interface were extended so that admin and helpdesk users could:
- Select whether a person should get a cloud mailbox or an on-premise mailbox. The screenshot below shows the mailbox drop-down with options for Cloud and various sizes of on-premise mailbox.
- Option to sync on-premise accounts to the cloud
- Enable OneDrive For Business (OFB) if needed
- Publish to the GAL
- If a cloud mailbox was selected, then the O365 options to be enabled are selected, as shown in the screenshot below.
Other extensions were added to enable switching between on-prem and cloud accounts for existing users as well as adding secondary mailboxes.
Just as we added functionality to simplify the creation and management of users, the leavers process was also extended. Initially, the leavers process was only focused on the on-premise environment where:
- The account is first disabled and then policies are set in Exchange for the mailbox to start archiving, change the quota, etc.
- After a period of X days, the account is fully deleted
After O365 was added, the leaver process was extended to:
- Disable the account
- Determine if we have a cloud or on-premise account. If it's on-premise, then use the on-premise rules. If it's a cloud user, then set retention policies, etc.
- After a period of X days, the leaver process will revoke the O365 licenses so that the licenses are freed up. This is after an “in-place hold” or “litigation hold” has been successfully created for the mailbox. An in-place hold provides the ability to preserve the contents of the mailbox. Since the time needed to apply an in-place hold may vary due to the size of the mailbox, OpenIAM waits for the process to complete before revoking the licenses.
- Delete the accounts.
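The extended leaver process above, as an added PowerShell example split into the two scheduled stages it describes (day 0 and day X); this is not OpenIAM's leaver rule set. It assumes the ActiveDirectory module, an Exchange Online remote session (Get-Mailbox / Set-Mailbox) and MSOnline are loaded, that cloud mailboxes were created with Enable-RemoteMailbox (so msExchRemoteRecipientType is set on the AD object), and that the on-premise retention policy name and the retention window are placeholders. Litigation hold is used as the preservation mechanism, and the license is revoked only after the hold is confirmed, which is the wait the text calls out.

```powershell
# Added example (not OpenIAM's leaver rules): hybrid leaver flow in two stages.
# Assumes ActiveDirectory, an Exchange Online session and MSOnline are loaded.
# Policy names and timings are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-CloudMailbox {
    # Assumption: a mailbox placed in the cloud via Enable-RemoteMailbox carries
    # msExchRemoteRecipientType on the AD object; an on-premise mailbox does not.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msExchRemoteRecipientType
    return ($null -ne $u.msExchRemoteRecipientType)
}

function Invoke-LeaverStage1 {
    # Day 0: block sign-in, drop out of the GAL, apply the mailbox policy.
    param([Parameter(Mandatory)] [string] $SamAccountName,
          [Parameter(Mandatory)] [string] $Upn)
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $true }

    if (Test-CloudMailbox $SamAccountName) {
        # The hold preserves the cloud mailbox contents. The cmdlet returns before
        # the hold is actually in force, hence the explicit wait in stage 2.
        Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true
    }
    else {
        # On-premise: apply the leaver retention policy (placeholder name) instead.
        Set-Mailbox -Identity $Upn -RetentionPolicy 'Leaver Retention Policy'
    }
}

function Wait-LitigationHold {
    # Hold application time grows with mailbox size, so poll instead of assuming.
    param([Parameter(Mandatory)] [string] $Upn, [int] $TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $mbx = Get-Mailbox -Identity $Upn
        if ($mbx.LitigationHoldEnabled) { return $true }
        Start-Sleep -Seconds 300
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-LeaverStage2 {
    # Day X: free the licenses only once the hold is confirmed, so the contents
    # are still preserved after the license is gone; then delete the account.
    param([Parameter(Mandatory)] [string] $SamAccountName,
          [Parameter(Mandatory)] [string] $Upn)
    if (Test-CloudMailbox $SamAccountName) {
        if (-not (Wait-LitigationHold -Upn $Upn)) {
            throw "Hold on $Upn not confirmed; licenses left in place for a retry"
        }
        $user = Get-MsolUser -UserPrincipalName $Upn
        $skus = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
        if ($skus.Count -gt 0) {
            Set-MsolUserLicense -UserPrincipalName $Upn -RemoveLicenses $skus
        }
    }
    Remove-ADUser -Identity $SamAccountName -Confirm:$false
}

# Constructed usage: the scheduler runs stage 1 on the leave date and stage 2
# after the retention window (X days) has elapsed.
Invoke-LeaverStage1 -SamAccountName 'jdoe' -Upn 'jdoe@contoso.com'
# ... X days later ...
Invoke-LeaverStage2 -SamAccountName 'jdoe' -Upn 'jdoe@contoso.com'
```

Stage 2 deliberately throws rather than proceeding when the hold cannot be confirmed: leaving a license in place for another run is cheap, while revoking it before the hold is active risks losing the mailbox contents the hold was meant to preserve.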
As you can see, managing a hybrid On-Premise and Cloud environment poses some challenges. To overcome these challenges, organizations need to define policies and procedures which align to their business objectives. As a next step, tools can be deployed to provide a consistent way for admins and helpdesk staff to manage the environment without burdening them with additional overhead.