You must synchronize Microsoft Entra ID users into an Identity as a Service (IDaaS) directory so that those users can sign in to Microsoft Entra ID through Identity as a Service. The synchronization also carries each user's Security ID (SID) into IDaaS; the SID uniquely identifies a user in a Microsoft Windows environment.
Synchronize Microsoft Entra ID users to Identity as a Service
Ensure that you have completed the prerequisites listed in Integrate Microsoft Entra ID with Identity as a Service.
Sync an on-premises AD with Microsoft Entra ID, if required for your organization.
Use the Microsoft Entra Connect tool, available at https://www.microsoft.com/en-us/download/details.aspx?id=47594, to sync users from on-premises AD into Microsoft Entra ID.
When configuring Microsoft Entra Connect to sync users into Microsoft Entra ID, do the following in the Microsoft Entra Connect wizard:
Select Password-hash synchronization on the User sign-in page.
In the Azure AD sign-in configuration page, select the on-premises AD attribute that maps to the UPN in Microsoft Entra ID from the User Principal Name drop-down list.
In the Uniquely identifying your users page, do the following:
Select Users are only represented once across all forests. This ensures that each user is created as a single object in Microsoft Entra ID rather than being merged or duplicated.
Under Select how users should be identified with Azure AD, select A specific attribute and then select ObjectGUID from the drop-down list.
In the Optional features page, select Password synchronization and Password writeback.
Use PowerShell to run the Microsoft Entra Connect (ADSync module) cmdlets that initiate the sync between on-premises AD and Microsoft Entra ID.
Disable the scheduler by running the following command:
Set-ADSyncScheduler -SyncCycleEnabled $false
Initiate a full sync cycle by entering the following command:
Start-ADSyncSyncCycle -PolicyType Initial
Use the Synchronization Service Manager (the Azure AD Connect Synchronization Service console) to confirm the synchronization operations. When every run reports a Success status, go to the Azure portal at https://portal.azure.com to verify the changes.
Return to PowerShell and run the following command to re-enable the scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $true
Note: If an on-premises AD user has a mail attribute that differs from the userPrincipalName attribute, the samAccountName attribute may change when the user is synced to Microsoft Entra ID, which can produce unexpected Identity as a Service user IDs. Review and resolve any such mismatches before you synchronize users with IDaaS.
Attention: During the Entra Connect sync, each user is automatically assigned a Microsoft ImmutableID that allows O365 SAML authentication. The value is derived from the on-premises AD objectGUID (it is the Base64 encoding of the GUID's 16 bytes, not the GUID string, so the two do not look alike). When synchronizing Microsoft Entra ID users with Identity as a Service, do not map objectGUID to O365 ImmutableID on the User Defined Attributes tab. Instead, after connecting with Connect-MgGraph (the User.Read.All scope is sufficient), manually copy each user's value from the results of the following PowerShell command into that user's O365 ImmutableID field and save it:
Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName | Select OnPremisesImmutableId,UserPrincipalName
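The following script is an added example and is not part of the original page or of the Entra Connect tooling. It runs the scheduler and initial-cycle steps above in a controlled way (the scheduler is re-enabled even if the cycle fails), then exports every synced user's OnPremisesImmutableId next to the on-premises objectGUID it was derived from, so each value can be checked before it is copied into the O365 ImmutableID field in IDaaS. It assumes it runs elevated on the Microsoft Entra Connect server with the ADSync, RSAT ActiveDirectory and Microsoft.Graph.Users modules installed; the output path is a placeholder.

```powershell
# Added example, not from the original page: controlled initial sync plus an
# immutable-ID cross-check. Assumes the ADSync, ActiveDirectory and
# Microsoft.Graph.Users modules are present on the Entra Connect server.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$OutputCsv = 'C:\Temp\immutable-ids.csv'   # placeholder path

# 1. Disable the scheduler so no automatic delta cycle overlaps the initial cycle.
Set-ADSyncScheduler -SyncCycleEnabled $false
try {
    # 2. Start the full (Initial) cycle and wait until the scheduler reports it finished.
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    do {
        Start-Sleep -Seconds 30
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}
finally {
    # 3. Always re-enable the scheduler, even if the cycle threw an error.
    Set-ADSyncScheduler -SyncCycleEnabled $true
}

# 4. Read the immutable ID Entra Connect wrote for every directory-synced cloud user.
Connect-MgGraph -Scopes 'User.Read.All'
$cloudUsers = Get-MgUser -All -Property OnPremisesImmutableId,UserPrincipalName,OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled }

# 5. The immutable ID is the Base64 form of the objectGUID's 16 bytes, not the GUID
#    string, which is why objectGUID cannot simply be mapped to ImmutableID O365.
#    Recompute it from on-premises AD and flag any user whose values disagree.
#    Lookup is by UPN; if a different attribute was chosen for the UPN in the
#    Entra Connect wizard, adjust the filter accordingly.
$report = foreach ($u in $cloudUsers) {
    $ad = Get-ADUser -Filter "userPrincipalName -eq '$($u.UserPrincipalName)'" -Properties objectGUID
    $expected = if ($ad) { [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray()) } else { $null }
    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        OnPremisesImmutableId = $u.OnPremisesImmutableId
        ObjectGUID            = if ($ad) { $ad.ObjectGUID.ToString() } else { $null }
        Matches               = ($null -ne $expected -and $expected -eq $u.OnPremisesImmutableId)
    }
}
$report | Export-Csv -Path $OutputCsv -NoTypeInformation

# 6. Anything listed here must be investigated before its value goes into IDaaS.
$report | Where-Object { -not $_.Matches } | Format-Table -AutoSize
```

The CSV gives you the UPN-to-ImmutableID pairs to paste into each user's O365 ImmutableID field; a row with Matches = False usually means the user was renamed or re-created on-premises after the first sync, and the cloud object should be reconciled before the IDaaS sync runs.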
Open the Azure Portal in a Web browser and use it as a reference to configure the directory on Identity as a Service.
In Identity as a Service, go to Resources > Directories and click the add icon to create a directory. The Directories page appears.
Enter the following information in the Directories page:
| Field | Value |
|---|---|
| Directory name | Enter the directory name from the Azure portal. For example: mymanageddomain |
| Username | Enter the username of a user on the Azure portal that has admin privileges. For example: test1@mymanageddomain.mycompany.com |
| Password | Enter that admin user's password from the Azure or Microsoft Entra ID portal. |
| Host Name | Enter the DnsName generated in the procedure Step 1: Obtain a certificate for secure LDAP (see Configure Microsoft Entra ID to support LDAP). |
| Port | Enter the port used to connect to the Active Directory server over LDAPS. The value is 636. |
| Root Domain Naming Context | Enter the Root Domain Naming Context of the domain configured on Microsoft Entra ID. For example, for the domain mymanageddomain.mycompany.com, enter DC=mymanageddomain,DC=mycompany,DC=com |
| Use SSL | Select Use SSL and upload the .CER certificate file that you created in Step 2: Export the secure LDAP certificate (see Configure Microsoft Entra ID to support LDAP). With Use SSL selected, the bind credentials above travel only over LDAPS. |
Click Save. The SearchBases and Groups Filters page appears.
Click the add icon and type OU=AADDC Users in the SearchBases field so that the directory configuration can find and sync Microsoft Entra ID users.
Click Save. The Attributes Mapping page appears.
Under System Attributes, do the following:
In the Email field, type userPrincipalName.
Leave the other values at the default settings.
Under User Defined Attributes, do the following:
Leave the ImmutableID O365 attribute unmapped. Do not map it to objectGUID: the value Microsoft Entra ID holds as the immutable ID is derived from the objectGUID but is not the same string. Populate each user's O365 ImmutableID field manually from the OnPremisesImmutableId value, as described in the Attention note in the Entra Connect steps above.
Type userPrincipalName for the UPN O365, or for the UPN AzureAD attribute if you are integrating Microsoft Entra ID for OIDC. See Integrate Microsoft Entra ID OIDC with Identity as a Service for more information.
You should have created these user attributes as part of the prerequisite steps listed in Integrate Microsoft Entra ID with Identity as a Service or, for OIDC, in Integrate Microsoft Entra ID OIDC with Identity as a Service.
Click Save. The Synchronization page appears.
From the Select a Directory Sync. Agent drop-down list, select the Gateway you created for Microsoft Entra ID.
Select the desynchronization policy from the drop-down list. This policy determines what happens to objects in Identity as a Service that are no longer found in the directory or that no longer match the filters. For groups, the options are:
Group removed from Identity as a Service, which removes the group from IDaaS.
Group becomes a directory-localized Identity as a Service group, which keeps the group but changes it to an unsynchronized group.
Click Save. The Directories page appears showing a list of configured directories.
Click the On-Demand Sync icon for the directory you created.
Go to Members > Users to see an updated list of users on Identity as a Service.
Note: Synchronization of users might take some time.
Click a User ID to see the Microsoft Entra ID groups associated with the user.