More Fun with IDM provisioning for Exchange

So, after talking to my dev manager back at my office, I went back again to talk with the MS Tech folks to see if they could answer a few more questions. I ended up talking with a guy named Phillippe Signoret, a Program Manager for Active Directory (phsignor@microsoft.com). Here is what I found out.

  1. Is Azure AD a mirror copy of the on-prem AD? No. Azure AD will have additional attributes that are specific to the cloud environment. However, all attributes that are being synced from the on-prem AD environment will be the same.
  2. Does Azure AD sync back to the on-prem AD? Mostly no. There are a few things that are synced back, particularly around groups. But aside from that, attributes only flow one way.
  3. Can we run scripts to update both Azure AD and on-prem AD to keep both in sync if we want to verify that a particular attribute is the same? No. Azure AD Connect will mark one environment as the master or owner of that data. Once that happens, it can only be updated from that environment. So, for example, we couldn’t run “modifyProxyAddress” on an account in the cloud and on prem. The on-prem command would succeed; however, the remote command would fail because it knows that on prem is the owner of the data.
  4. Understanding our environment, how would he recommend we move forward (see previous posts)? Once I described how our IDM environment works, and that existing PowerShell scripts update more than just simple creation of mailboxes, he recommended that we try as much as possible to run our scripts on the on-prem AD environment, and then let AAD Connect sync them to the cloud. He thought that if we run into issues not having an on-prem Exchange environment, we might be able to just apply the schema updates for Exchange to our AD environment, and that would let us update the attributes and have them flow to the cloud. He wasn’t 100% certain of this and said we would have to test to see if we could still run Exchange commands with only the schema updates. He also said that there may be some commands that can only be run with an active Exchange environment, but those could be run remotely. So we would have to know when to run on prem and when to run remotely depending on the command and what it would do. But he stressed several times that the data should flow from on prem to Azure AD. He said that was the approach he would strongly recommend.
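Points 3 and 4 above boil down to one operational rule: write attributes on prem, never in the cloud, and then verify that Azure AD Connect carried them across. The following PowerShell is an added example written for this post (it is not code from Microsoft or from the author's IDM scripts); it reads `proxyAddresses` for a user from on-prem AD and from Azure AD, reports any drift, and shows whether the cloud object is flagged as directory-synced and when it last synced. It assumes the `ActiveDirectory` RSAT module and the `AzureAD` module are installed and that `Connect-AzureAD` has already been run with an account that can read users; the sample UPN is a placeholder.

```powershell
# Added example: verify that an attribute written on prem has flowed to Azure AD
# and that the cloud copy is the synced (read-only) side of the relationship.
# Assumes: ActiveDirectory module, AzureAD module, Connect-AzureAD already done.
Import-Module ActiveDirectory
Import-Module AzureAD

function Compare-ProxyAddressSync {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # On-prem side: the authoritative copy per the AAD Connect source-of-authority rule.
    $onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                         -Properties proxyAddresses
    if (-not $onPrem) { throw "No on-prem AD user found for $UserPrincipalName" }

    # Cloud side: Get-AzureADUser accepts a UPN as the ObjectId argument.
    $cloud = Get-AzureADUser -ObjectId $UserPrincipalName

    $onPremAddrs = @($onPrem.proxyAddresses | Sort-Object)
    $cloudAddrs  = @($cloud.ProxyAddresses  | Sort-Object)

    # Anything only on one side is drift that has not synced yet (or was added in the cloud,
    # which the source-of-authority rule says should not happen).
    $diff = Compare-Object -ReferenceObject $onPremAddrs -DifferenceObject $cloudAddrs

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        DirSyncEnabled    = $cloud.DirSyncEnabled   # $true means on prem owns this object
        LastDirSyncTime   = $cloud.LastDirSyncTime  # compare with when the on-prem write happened
        OnPremOnly        = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        CloudOnly         = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        InSync            = ($diff.Count -eq 0)
    }
}

# Usage (placeholder UPN):
Compare-ProxyAddressSync -UserPrincipalName 'someone@contoso.example' | Format-List
```

Run it right after an on-prem provisioning script finishes and again after the next sync cycle; `OnPremOnly` entries that persist past a cycle point at a sync filter or connector problem, while any `CloudOnly` entry means something wrote to the side that is not the owner, which is exactly the condition the Microsoft guidance above says to avoid.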

Overall, it was a great high-level design discussion. It is a good high-level start, but it sounds like we still have a lot of investigating to do.
