Managing Active Directory and Office365 through OpenIAM

Many of our Identity Management customers have a Microsoft Environment which consists of Microsoft Active Directory and complementary components such as Microsoft Exchange, Lync, SQL server, etc. Many of these customers have, or are in the process of adopting Microsoft’s Office 365 platform (O365). Adopting O365 allows companies to move some of the components to the cloud.

Microsoft provides a technology called DirSync (which is currently being replaced by Azure Connect), which allows you to sync accounts in AD to the cloud platform so that users have a single identity between the cloud and on-premise world.

By itself this functionality does not go far enough to address the needs of larger customers who need to manage thousands of users, integrate various other technologies and conform to corporate policies. Some of the challenges are listed below. You will find that some of these issues may not be relevant to your environment as this will depend on the components of the Microsoft stack which are being used and how the synchronization between AD and O365 has been enabled.

For new users (Joiners) and existing users, consider:

  • Syncing accounts from on-premise AD to the O365 tenant
  • Mailbox
    • Does the user get an on-premise mailbox or one in the cloud?
    • If on-premise, do we still want to sync to the cloud as a backup mailbox?
    • Being able to switch existing users from on-premise to cloud
    • Resource mailboxes (Room, Equipment, etc.) on-premise or in the cloud
    • Creating a secondary mailbox in the cloud for users who may have a primary mailbox on-premise
    • Show in Global Address List (GAL) or not?
  • On-premise home folder vs OneDrive for Business or both
  • Office365 Subscription Management
    • If you pick an E3 subscription, should you be entitled to all the functionality in an E3 subscription?
    • Are there other O365 services like CRM Online which are available to some users?
  • Mobile Device Management - On-premise vs Intune (Cloud)

To enable deprovisioning users (Leavers), consider:

  • Disabling the account in Active Directory
  • If the mailbox is on-premise, disabling it according to policy
  • If the mailbox is in the cloud, applying cloud-side policies such as the retention period
  • Hiding the user from the GAL
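The leaver steps above, carried out as a single policy-driven PowerShell script. This is an added example, not OpenIAM code; it assumes the ActiveDirectory module plus an Exchange (on-premise or Exchange Online) remoting session are already loaded, and the retention policy name is a constructed placeholder. Because the tenant is synchronized from on-premise AD, the GAL-hiding flag is set on the AD object (msExchHideFromAddressLists) so that it flows to the cloud on the next sync cycle, rather than being set directly on the cloud mailbox, where writes to synced attributes are refused.

```powershell
# Added example (not OpenIAM's code): deprovision a leaver following the four
# steps listed above. Supports -WhatIf so the run can be reviewed before changes
# are made. Organisation-specific values below are constructed placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    # Where the user's primary mailbox lives; drives steps 2 and 3.
    [ValidateSet('OnPremise', 'Cloud')][string]$MailboxLocation = 'Cloud',
    # Placeholder name of the retention policy applied to cloud mailboxes of leavers.
    [string]$CloudRetentionPolicy = 'Leaver-Retention-Policy'
)

Import-Module ActiveDirectory -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName -Properties mail, msExchHideFromAddressLists
if (-not $user.mail) {
    throw "User $SamAccountName has no mail attribute; cannot locate a mailbox."
}

# Step 1: disable the account in Active Directory and leave an audit trail in
# the description field so the reason is visible to other administrators.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable AD account')) {
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description ("Deprovisioned {0:yyyy-MM-dd}" -f (Get-Date))
}

# Step 4 (done before touching the mailbox so the flag survives either branch):
# hide the user from the GAL. In a DirSync / AD Connect environment this
# attribute is authoritative on-premise and is pushed to the tenant.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Hide from Global Address List')) {
    Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
}

switch ($MailboxLocation) {
    'OnPremise' {
        # Step 2: on-premise mailbox. Disable-Mailbox detaches the mailbox from
        # the user; the database keeps it for its deleted-mailbox retention window.
        if ($PSCmdlet.ShouldProcess($user.mail, 'Disable on-premise mailbox')) {
            Disable-Mailbox -Identity $user.mail -Confirm:$false
        }
    }
    'Cloud' {
        # Step 3: cloud mailbox. Do not delete; apply the leaver retention policy
        # so mail is kept for the period the organisation's policy requires.
        if ($PSCmdlet.ShouldProcess($user.mail, "Apply retention policy '$CloudRetentionPolicy'")) {
            Set-Mailbox -Identity $user.mail -RetentionPolicy $CloudRetentionPolicy
        }
    }
}

# Report the resulting state so the operator can verify each step took effect.
Get-ADUser -Identity $SamAccountName -Properties Enabled, Description, msExchHideFromAddressLists |
    Select-Object SamAccountName, Enabled, Description, msExchHideFromAddressLists
```

Run it first with `-WhatIf` (for example `.\Deprovision-Leaver.ps1 -SamAccountName jdoe -MailboxLocation Cloud -WhatIf`) to see every action it would take; each step is guarded by ShouldProcess, so nothing is changed until the switch is dropped. The script deliberately never deletes the AD object or the cloud mailbox, which keeps the retention and audit trail intact while removing the user's access.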

If this process is not governed by a flexible automated solution, the administrative overhead must also be factored in; doing it by hand is both time consuming and error prone.

The rest of this article describes how the OpenIAM Identity manager was used to address these challenges at a large customer. In this case, the organization:

  • Has users which are geographically distributed
  • Was moving from Exchange Online to O365, but both environments had to be supported
  • Needed to support both automated provisioning and deprovisioning driven from a source system, and managing users from the UI
