Microsoft Tech Community

Synchronize LDAP with Azure AD

Microsoft

The requirement to synchronize a generic LDAP system such as 389 Directory Server or OpenLDAP with Azure AD exists, although it is not common. However, guides on synchronization between LDAP and Azure AD are hard to find, and the configuration is difficult in practice. So I hope that better information on this topic will be shared.

Let me share the synchronization configuration between LDAP and Azure AD that I succeeded with.

First, I built an OpenLDAP server and created an account to synchronize, and I installed Azure AD Connect on the same server. Of course, it does not matter if the servers are separate. Also, the Azure AD Connect server does not need to be AD-joined at all.

PyungraeCho_0-1631978483696.png


After component installation, stop the installation at the sign-in selection phase.

PyungraeCho_1-1631978542179.png


When Azure AD Connect is run in LDAP mode from the command line, the only available sign-in setting is "Do not configure". That is, if OpenLDAP is used, PHS and PTA cannot be configured, and federation must also be configured manually.

PyungraeCho_2-1631978590233.png

PyungraeCho_3-1631978609911.png


For reference, to manually create a federation in Azure AD, the "Set-MsolDomainAuthentication" PowerShell cmdlet can be used.
Set-MsolDomainAuthentication (MSOnline) | Microsoft Docs


The directory type was set to LDAP (not AD), and the hostname and authentication method were selected. The authentication type can be changed if LDAP is configured with SSL/TLS.

PyungraeCho_4-1631978705701.png


During installation, '_distinguishedName' was specified in the "source anchor" configuration step. Unlike Active Directory, OpenLDAP has no attribute such as objectGUID, so the source anchor must be specified explicitly.

PyungraeCho_5-1631978733522.png


At the last stage of installation, the error shown in the figure always appears and the installation cannot be completed. The error is that the 'JoinFilter' could not be configured while creating a sync rule.

PyungraeCho_6-1631978763745.png


I had to complete the remaining configuration manually. Make a note of the sync rule ID shown in the error at the last stage of the wizard installation. In the picture above, it is shown as '37522~783d'.

Start the 'Synchronization Service Manager' tool, change the binding account, specify the location to sync, and then run a "Full Import" to confirm that the account has been imported.

PyungraeCho_7-1631978818179.png

PyungraeCho_8-1631978836232.png

PyungraeCho_9-1631978857112.png


Manually create the sync rule that failed in the last step of the wizard installation.
There is a PowerShell script that creates the sync rules in the C:\ProgramData\AADConnect directory. Open this script, find where the PowerShell block for the ID recorded earlier starts and ends, and copy all of it.

PyungraeCho_10-1631978882953.png

Add the following commands right before "Add-ADSyncRule" in the copied PowerShell block. I also added a direct attribute flow from OpenLDAP's mail attribute to the userPrincipalName attribute of the metaverse, and used the source anchor attribute specified earlier (_distinguishedName) in the join condition.
#################################################################
# Flow the connector-space 'mail' attribute directly into the
# metaverse 'userPrincipalName' attribute on the rule created by
# New-ADSyncRule (held in $syncRule[0]).
Add-ADSyncAttributeFlowMapping `
-SynchronizationRule $syncRule[0] `
-Source @('mail') `
-Destination 'userPrincipalName' `
-FlowType 'Direct' `
-ValueMergeType 'Update' `
-OutVariable syncRule

# Join condition: connector-space '_distinguishedName' (the source anchor
# chosen in the wizard) matches the metaverse 'sourceAnchor' attribute.
New-Object `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList '_distinguishedName','sourceAnchor' `
-OutVariable condition0

# Attach the join condition as the rule's join filter, which is the part
# the wizard failed to configure.
Add-ADSyncJoinConditionGroup `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
#################################################################
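The manual step above depends on finding the right block in the wizard-generated script and, afterwards, confirming the rule really carries the new flow and join. The following PowerShell is an added example and is not code from the original post or from Azure AD Connect itself. It assumes (none of this is stated on the page) that the generated script is a *.ps1 file under C:\ProgramData\AADConnect, that each rule block opens with a line starting with New-ADSyncRule and closes with a line starting with Add-ADSyncRule, that the full rule GUID appears on a line of the form -Identifier '<guid>', and that the wizard's abbreviated ID is the first and last characters of that GUID joined by '~' (as in '37522~783d'). The property names used in Test-SyncRuleFlow (AttributeFlowMappings, JoinFilter, JoinConditionList, CSAttribute, MVAttribute) are assumed from the ADSync rule object model.

```powershell
# Added example, not part of the original post. Assumptions are noted inline.

function Find-SyncRuleBlock {
    # Locate the New-ADSyncRule ... Add-ADSyncRule block whose -Identifier
    # matches the abbreviated ID shown in the wizard error (assumed format
    # '<prefix>~<suffix>', e.g. '37522~783d').
    param(
        [Parameter(Mandatory)] [string] $AbbreviatedId,
        [string] $ScriptDirectory = 'C:\ProgramData\AADConnect'   # assumed location
    )

    $prefix, $suffix = $AbbreviatedId -split '~', 2
    if (-not $prefix -or -not $suffix) {
        throw "Expected an ID of the form '<prefix>~<suffix>', got '$AbbreviatedId'."
    }

    foreach ($file in Get-ChildItem -Path $ScriptDirectory -Filter '*.ps1' -File) {
        $lines = Get-Content -Path $file.FullName
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -notmatch "-Identifier\s+'([0-9a-fA-F-]+)'") { continue }
            $guid = $Matches[1]
            if (-not ($guid.StartsWith($prefix) -and $guid.EndsWith($suffix))) { continue }

            # Walk back to the New-ADSyncRule line that opens this block...
            $start = $i
            while ($start -gt 0 -and $lines[$start] -notmatch '^\s*New-ADSyncRule') { $start-- }
            # ...and forward to the Add-ADSyncRule line that closes it.
            $end = $i
            while ($end -lt ($lines.Count - 1) -and $lines[$end] -notmatch '^\s*Add-ADSyncRule') { $end++ }

            return [pscustomobject]@{
                File       = $file.FullName
                Identifier = $guid
                StartLine  = $start + 1      # 1-based, convenient for the editor
                EndLine    = $end + 1
                Block      = $lines[$start..$end]
            }
        }
    }
    throw "No sync rule block matching '$AbbreviatedId' found under $ScriptDirectory."
}

function Test-SyncRuleFlow {
    # After the edited block has been run, confirm that the rule exists, that
    # the mail -> userPrincipalName flow is present, and that the join filter
    # uses _distinguishedName -> sourceAnchor. Property names are assumed.
    param([Parameter(Mandatory)] [string] $Identifier)

    $rule = Get-ADSyncRule | Where-Object { $_.Identifier -eq [guid]$Identifier }
    if (-not $rule) { return $false }

    $hasFlow = $rule.AttributeFlowMappings |
        Where-Object { $_.Destination -eq 'userPrincipalName' -and $_.Source -contains 'mail' }
    $hasJoin = $rule.JoinFilter |
        ForEach-Object { $_.JoinConditionList } |
        Where-Object { $_.CSAttribute -eq '_distinguishedName' -and $_.MVAttribute -eq 'sourceAnchor' }

    return [bool]($hasFlow -and $hasJoin)
}

# Usage (run in an elevated PowerShell with the ADSync module available):
$found = Find-SyncRuleBlock -AbbreviatedId '37522~783d'
"Rule $($found.Identifier) is lines $($found.StartLine)-$($found.EndLine) of $($found.File)"

# Save the block to a scratch file, insert the Add-ADSyncAttributeFlowMapping /
# JoinCondition / Add-ADSyncJoinConditionGroup commands from the post before
# its Add-ADSyncRule line, run the edited file, then verify:
$found.Block | Set-Content -Path "$env:TEMP\rule-$($found.Identifier).ps1"
# Test-SyncRuleFlow -Identifier $found.Identifier   # expected $true once the rule is in place
```

Find-SyncRuleBlock deliberately matches on both ends of the abbreviated ID rather than only the prefix, since several rules in the generated script can share leading GUID characters; Test-SyncRuleFlow gives a single boolean you can check before moving on to the Full Synchronization step rather than relying on the rule merely appearing in the Synchronization Rules Editor.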

PyungraeCho_11-1631978913628.png


If the sync rule was created successfully, it can be seen in the 'Synchronization Rules Editor'.

PyungraeCho_12-1631978935605.png


Run a "Full Sync" for the LDAP connector in the Synchronization Service Manager and check the attribute information stored in the metaverse.

PyungraeCho_13-1631978967065.png

PyungraeCho_14-1631978995644.png


Create an outbound rule that synchronizes the metaverse information (source) to Azure AD information (target).

PyungraeCho_15-1631979037672.png

PyungraeCho_16-1631979051812.png

PyungraeCho_17-1631979070307.png

PyungraeCho_18-1631979084058.png


After running an "Export" to Azure AD, the accounts synchronized from OpenLDAP finally appear in the Azure portal.

PyungraeCho_19-1631979115421.png

PyungraeCho_20-1631979136025.png

PyungraeCho_21-1631979155407.png


If you know of an easier way than this, or a way to complete the configuration normally in the wizard, please share.

7 Replies

@PyungraeCho 
Was your Azure AD tenant already pre-existing? ...before you added the OpenLDAP instance?

I cannot find a way to add an on premise DC or LDAP to an existing AAD tenant.

I'm very interested. We have an Azure AD tenant that is AAD only. No on premise. But we're finding that we would like to have an LDAP server for syncing data to AAD and other.


@jo-cpa 

It doesn't matter if the AAD Tenant is existing or new, as long as there is no conflicting custom domain name.

Wowza! This is an awesome write up. Thanks for sharing.

Thanks for sharing. Is this a supported way to sync users from OpenLDAP to Azure AD? The sync works fine but the configuration wizard is in an error state with the message: "It appears that you are resuming a scenario which was not completed previously during installation. Please uninstall and try again."

Hi. There is also a way to modify the settings XML files used when configuring AAD Connect. This solves the configuration wizard's errors, but there is nothing that can be done in the configuration wizard. In fact, the only tools available for OpenLDAP synchronization management were the "Synchronization Rules Editor" and the "Synchronization Service Manager".

Hi,
I tried to follow this, but my output does not come out the same as yours. After the export to AAD, no user objects were synced there. Could you please guide me through more steps related to this post?

Thank you.

@PyungraeCho When I do the Full Synchronization, all the users remain in the Disconnector. I discovered that the mail attribute in the LDAP is "email" and in AAD it is Mail. How can I create a rule so that the synchronization works for me, or how can I solve this?