ADMIN magazine recently published a write-up on implementing centralized user management with OpenIAM.
Many of our Identity Management customers have a Microsoft Environment which consists of Microsoft Active Directory and complementary components such as Microsoft Exchange, Lync, SQL server, etc. Many of these customers have, or are in the process of adopting Microsoft’s Office 365 platform (O365). Adopting O365 allows companies to move some of the components to the cloud.
Microsoft provides a technology called DirSync (which is currently being replaced by Azure Connect), which allows you to sync accounts in AD to the cloud platform so that users have a single identity between the cloud and on-premise world.
By itself this functionality does not go far enough to address the needs of larger customers who need to manage thousands of users, integrate various other technologies and conform to corporate policies. Some of the challenges are listed below. You will find that some of these issues may not be relevant to your environment as this will depend on the components of the Microsoft stack which are being used and how the synchronization between AD and O365 has been enabled.
For new users (Joiners) and existing users, consider:
- Activesync accounts from on-premise AD to O365 Tenant
- Does the user get an on-premise mailbox or one in the cloud?
- If on-premise, do we still want to synch to the cloud as a backup mailbox?
- Being able to switch existing users from on-premise to cloud
- Resource mailboxes (Room, Equipment, etc) on-premise or in the cloud
- Creating a secondary mailbox in the cloud for users who may have a primary mailbox on-premise
- Show in Global Address List (GAL) or not?
- On-premise home folder vs OneDrive for Business or both
- Office365 Subscription Management
- If you pick an E3 subscription, should you be entitled to all the functionality in an E3 subscription?
- Are there other O365 services like CRM Online which are available to some users?
- Mobile Device Management - On-premise vs Intune (Cloud)
To enable deprovisioning users (Leavers), consider:
- Disabling the account in Active Directory
- If on-premise mailbox, then disable the mailbox per polices
- If it’s a cloud mail then set cloud-related policies such as the retention period
- Disabling from the GAL
If this process is not governed by a flexible automated solution, then the administrative overhead must also be factored in which will be both time consuming and potentially error prone.
The rest of this article describes how the OpenIAM Identity manager was used to address these challenges at a large customer. In this case, the organization:
- Has users which are geographically distributed
- Was moving from exchange online to O365, but both environments had to be supported
- Needed to support both automated provisioning and deprovisioning from a source system to manage users from the UI