Synchronize Microsoft Entra ID users with IDaaS

You must synchronize Microsoft Entra ID users to an Identity as a Service directory so that your users can log in to Microsoft Entra ID from Identity as a Service. Synchronization of users from Microsoft Entra ID supports synchronizing the Security ID value into IDaaS. The Security ID uniquely identifies users in a Microsoft Windows environment.

a. Use the Microsoft Entra Connect tool available at https://www.microsoft.com/en-us/download/details.aspx?id=47594 to port users from On-premises AD into Microsoft Entra ID.

b. When configuring Microsoft Entra Connect to sync users into Microsoft Entra ID, you need to ensure to do the following in the Entra Connect Wizard:

c. Select Password-hash synchronization on the User sign-in page.

d. In the Azure AD sign-in configuration page, select the on-premise AD attribute that maps to UPN on Microsoft Entra ID from the User Principal Name drop-down list.

e. In the Uniquely identifying your users page, do the following:

– Select Users are only represented once across all forests. This ensures that all users are created as individual objects in Azure AD.

– Under Select how users should be identified with Azure AD, select A specific attribute and then select ObjectGUID from the drop-down list.

f. In the Optional features page, select Password synchronization and Password writeback.

g. Use PowerShell to run Entra Connect commands to initiate the sync operation between on-premises AD and Microsoft Entra ID.

– Disable the scheduler by running the following command:

Set-ADSyncScheduler -SyncCycleEnabled $false

– Initiate a full sync cycle by entering the following command:

Start-ADSyncSyncCycle -PolicyType Initial

h. Use the Azure AD Synchronization Services to confirm the synchronization operations. When the Services reports a Success status, go to the Azure AD portal at https://portal.azure.com to verify the changes.

i. Return to PowerShell and run the following command to re-enable the scheduler:

Set-ADSyncScheduler -SyncCycleEnabled $true

Note: If your On-premises AD user has a mail attribute that differs from the userPrincipalName attribute, the samAccountName attribute may change when synced to Microsoft Entra ID. You should review and resolve any issues before you Synchronize users with IDaaS. This could result in unexpected Identity as a Service userIDs.

Attention: When performing the AD Connect operation, each user is automatically assigned a Microsoft ImmutableID that allows O365 SAML authentication. The value is equal to the on-premise AD objectGUID. When synchronizing Microsoft Entra ID users with Identity as a Service, do not map objectGUID to O365 ImmutableID on the User Defined Attributes tab. Instead, manually copy the value from the results of the following Powershell command into each users O365 ImmutableID field and save it:

Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName | Select OnPremisesImmutableId,UserPrincipalName

3. Open the Azure Portal in a Web browser and use it as a reference to configure the directory on Identity as a Service.

4. In Identity as a Service, go to Resources > Directories and click add (

) to create a directory. The Directories page appears.

7. Click add (

) and type OU=AADDC Users in the SearchBases field so that the directory configuration can find and sync Microsoft Entra ID users.

Attention: When performing the AD Connect operation, each user is automatically assigned a Microsoft ImmutableID that allows O365 SAML authentication. The value is equal to the on-premise AD objectGUID. When synchronizing Azure AD users with Identity as a Service, do not map objectGUID to O365 ImmutableID on the User Defined Attributes tab. Instead, manually copy the value from the results of the following Powershell command into each users O365 ImmutableID field and save it:

Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName | Select OnPremisesImmutableId,UserPrincipalName

12. From the Select a Directory Sync. Agent drop-down list, select the Gateway you created for Microsoft Entra ID.

13. Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters.

14. Click Save. The Directories page appears showing a list of configured directories.

16. Go to Members > Users to see an updated list of users on Identity as a Service.

17. Click a User ID to see the Microsoft Entra ID groups associated with the user.

Directory credential	Value
Directory name	Enter the directory name from the Azure Portal. For example: mymanageddomain
Username	Enter the username of the user on the Azure portal that has admin privileges. For example: test1@mymanageddomain.mycompany.com
Password	Enter admin user password on the Azure or Microsoft Entra ID portal.
Host Name	Enter the DnsName generated in the procedure, Step 1: Obtain a certificate for secure LDAP (see Configure Microsoft Entra ID to support LDAP).
Port	Enter the port used to connect to the Active Directory server using LDAPS. The value is 636.
Root Domain Naming Context	Enter the Root Domain Naming Context from the domain configured on Microsoft Entra ID. For example, mymanageddomain.mycompany.com DC=mymanageddomain,DC=mycompany,DC=com
Use SSL	Select Use SSL and upload the certificate that ends in .CER that you created in Step 2: Export the secure LDAP certificate (see Configure Microsoft Entra ID to support LDAP) .

Synchronize Microsoft Entra ID users to Identity as a Service