Sep 03 2019
- last edited on
Jan 14 2022
Seen a lot of AD’s where everything in the on-prem AD are synced to AAD so +30.000 ‘objects’ are synced – even though only 2.000 employees in the company
Is there a “best practice” available somewhere how to “structure” the AD before installing AD Connect Sync to AAD – and Filtering is enabled?
Create an O365 OU
Create the various 'Security groups' in the 0365 OU
avoid nested groups
Sep 03 2019 07:58 AM
I doubt there are many organizations that have restructured AD just for the sake of configuring AAD Connect. Run the IDFix tool to clean up any errors, then simply use filters to get just the objects you want to sync.
Sep 03 2019 08:33 AM
Sep 26 2019 08:53 AMSolution
My number one recommendation to customers for preparing for AAD Connect is to look at your AD data like a SQL database owner. Don't let there be any junk, make sure all your attributes are programmatically verified (i.e., if there is a rule affecting an attribute, ensure all object conform to that rule. Ex: all users must have a Department set and normalized to one of the allowed values), and of course get rid of any conditions which must use OU filtering and replace them with attribute filtering. Example. Don't put all contractors in an OU, Azure doesn't have OUs, instead set an attribute on a user to define them as internal, external, contractor, seasonal, intern, etc. so you can tell who people are when they are all synchronized to Azure into the same OU. And of course, fix all IDFIX errors ahead of time.
I have used the following.
1. Reserve three extension attributes, they don't have to be the same as mine.
- Enter 'NoSync' if the user does not sync to Azure. Configure this in AAD Connect to not sync these object that meet this filter.
- Enter 'DoesNotMigrate' if the mailbox does not move to O365. Use this filtering when looking for mailboxes that are left on-premises. An example would be service accounts that have to be on-premises because they send too much email for throttling policies.
- Enter 'Postpone: <date>' if the mailbox cannot migrate until a future date
- Use for licensing. This can be a single entry, string of characters, or a bitwise number. Whatever you need for your environment. You can then set up AAD Connect transforms to put people in O365 licensing groups based on this information. Example: 'O365E5;TeamsConferencing;Visio;Project;NoYammer'
- Similar to Attribute2 but used for Admin group memberships
- Example: 'Azure:GlobalAdministrator', 'O365:HelpDesk,Compliance'. Etc, you get to define the names and associate those with scripts to put people in the proper role groups effectively controlling the membership of cloud groups with on-premises attributes.
I hope these ideas have helped.
Oct 11 2019 06:29 AM
@Taen keren, security best practices of course will say to separate your admin accounts to limit risk if one credential is somehow compromised. But then again, that is exactly why we also highly recommend forcing multi-factor authentication for all admin accounts. So, this is a decision for your organization to make. Require alternate credentials for on-premises versus cloud, or share a credential and enforce MFA on it. If admins are using the web-based GUI, it is not that difficult having multiple credentials, just a little pain. However, where it really gets difficult is automation via PowerShell scripting. There is no "good" way to enforce MFA and automate scripting because it requires you to store your password credential in a file which defeats the purpose of MFA.
So, I'm sorry, but I don't have an easy answer for you but I hope this explanation helps.