Feb 17, 2024
Creating and managing synchronized users – Planning and Managing Azure AD Identities

As you saw in Chapter 3 and Chapter 4, identity synchronization replicates your on-premises identities to Azure AD. Whether you are using Azure AD Connect sync, Azure AD Connect cloud sync, or a third-party product, the process is largely the same: an on-premises agent or service connects to both Active Directory and Azure Active Directory, reads objects from Active Directory, and creates a corresponding object for each of them in Azure AD.

During this provisioning process, the on-premises and cloud objects are linked through a unique, immutable attribute, which stays the same throughout the life cycle of the object.

Exam tip

Originally, an on-premises object was linked to its corresponding cloud object by converting the on-premises object’s objectGUID attribute value into a base64 string and storing that string in the cloud object’s ImmutableID attribute. Modern versions of Azure AD Connect use the ms-DS-ConsistencyGuid attribute instead. The ms-DS-ConsistencyGuid value is blank by default; once Azure AD Connect has been configured during setup to use ms-DS-ConsistencyGuid as the source anchor, each object’s objectGUID value is copied into its ms-DS-ConsistencyGuid attribute. Because a new objectGUID value is generated every time an object is created, a value that can be carried over, such as ms-DS-ConsistencyGuid, lets organizations preserve the relationship between identities across the Active Directory domain migrations that accompany business mergers, acquisitions, and divestitures.
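The following Python is an added example, not code from the book or from Azure AD Connect. It reproduces the source-anchor derivation the tip describes (the 16 raw bytes of an objectGUID, base64-encoded, give the ImmutableID) and wraps it in a small check that an administrator or incident responder can use to confirm that a cloud object really is anchored to the on-premises object it claims to be. The sample GUID, the sample ms-DS-ConsistencyGuid value and the function names are all constructed for this example. One detail the prose glosses over is byte order: Active Directory stores the first three GUID fields little-endian, so the conversion must use that layout (the same order .NET’s Guid.ToByteArray() produces), or the resulting ImmutableID will not match what Azure AD Connect wrote.

```python
import base64
import uuid
from typing import Optional

# Constructed sample values (not from the page): an on-premises objectGUID as
# ADUC displays it, and the ms-DS-ConsistencyGuid byte array as it would look
# after Azure AD Connect copied the objectGUID into it.
SAMPLE_OBJECT_GUID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_CONSISTENCY_GUID = uuid.UUID(SAMPLE_OBJECT_GUID).bytes_le


def object_guid_to_immutable_id(guid_text: str) -> str:
    """Derive the cloud ImmutableID from an on-premises objectGUID.

    Azure AD Connect base64-encodes the GUID's 16 raw bytes. AD stores the
    first three GUID fields little-endian, which is what uuid.bytes_le gives;
    using .bytes instead would produce a different (wrong) ImmutableID.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_to_object_guid(immutable_id: str) -> str:
    """Reverse the conversion: base64 ImmutableID back to GUID text."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def check_source_anchor(object_guid: str,
                        consistency_guid: Optional[bytes],
                        cloud_immutable_id: str) -> str:
    """Classify how a cloud object is linked to its on-premises source.

    Returns one of:
      "anchored-by-consistencyguid" - ms-DS-ConsistencyGuid is populated and
                                      matches the cloud ImmutableID
      "anchored-by-objectguid"      - ms-DS-ConsistencyGuid is blank and the
                                      legacy objectGUID derivation matches
      "mismatch"                    - the cloud object is anchored to some
                                      other on-premises object (or to a value
                                      written outside of synchronization)
    """
    if consistency_guid:
        expected = base64.b64encode(consistency_guid).decode("ascii")
        if expected == cloud_immutable_id:
            return "anchored-by-consistencyguid"
        return "mismatch"
    if object_guid_to_immutable_id(object_guid) == cloud_immutable_id:
        return "anchored-by-objectguid"
    return "mismatch"


if __name__ == "__main__":
    # Hypothetical cloud value, constructed by running the derivation.
    cloud_value = object_guid_to_immutable_id(SAMPLE_OBJECT_GUID)
    print("objectGUID      :", SAMPLE_OBJECT_GUID)
    print("ImmutableID     :", cloud_value)
    print("round trip      :", immutable_id_to_object_guid(cloud_value))
    print("anchor (legacy) :",
          check_source_anchor(SAMPLE_OBJECT_GUID, None, cloud_value))
    print("anchor (modern) :",
          check_source_anchor(SAMPLE_OBJECT_GUID, SAMPLE_CONSISTENCY_GUID,
                              cloud_value))
```

In practice the inputs come from `Get-ADUser -Properties objectGUID,'mS-DS-ConsistencyGuid'` on the domain side and from the cloud object’s ImmutableID (OnPremisesImmutableId in Microsoft Graph); a "mismatch" result for an account that is supposed to be synchronized is worth investigating, because the ImmutableID is what decides which on-premises object a cloud account is joined to.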

After Azure AD Connect has been deployed, you create a new synchronized identity simply by creating a new user in the on-premises Active Directory; the next synchronization cycle provisions the matching cloud object. See Figure 5.5.

Figure 5.5 – Creating a new user through Active Directory Users and Computers

After synchronization completes, the new user account is ready to sign in to the service. In the Microsoft 365 admin center, it is easy to distinguish cloud accounts from synchronized accounts visually. Figure 5.6 shows both a cloud user and a synchronized user.

Figure 5.6 – Displaying cloud and synchronized users

Under the Sync status column, a cloud user is represented by a cloud icon, while a synchronized user is represented by a notebook icon.

Creating and managing guest users

Guest users are special accounts that have limited rights in the Azure AD environment. In most contexts, guest users are synonymous with Azure Business-to-Business (B2B) identities, so that is the reference point we will use to discuss them.

Azure B2B guest accounts are generally created through an invitation process, such as inviting someone from an external organization to participate in a Microsoft SharePoint site, collaborate on a document in OneDrive, or access files in a Teams channel. When an invitation is sent, an Azure identity object is created in the inviting organization’s tenant and an invitation email is sent to the external recipient. When the recipient clicks the link in the invitation email, they are directed to an Azure sign-in flow that prompts them to enter credentials for their own identity source (whether that is another Azure AD or Microsoft 365 tenant, a consumer account such as Microsoft, Google, or Facebook, or another third-party issuer that uses a SAML/WS-Fed-based identity provider). The recipient’s acceptance of the invitation is called redemption.
