Guidelines for Active Directory before sync

Hello

There are a lot of guidelines for various O365 workloads and tenant settings, but I haven't found any "Designing an AD structure" guidelines regarding AD Connect and the use of filtering.

 

Is your (complete) AD synced to AAD (service accounts etc.)?

Or did you create a specific OU where you have 'categorized' your users in security groups and used the filtering before sync?

What are the 'recommendations' from MS?


Filtering is an optional feature, which you should only use when needed. There's negligible security impact of syncing your objects to Azure AD, and adjusting the OUs/objects to sync will hardly remedy any bad decisions implemented back when the AD was designed.


You can think of the default configuration as Microsoft's recommendation, as mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-conf...

The default configuration takes all objects in all domains in the configured forests. In general, this is the recommended configuration. Users using Office 365 workloads, such as Exchange Online and Skype for Business, benefit from a complete Global Address List so they can send email and call everyone. With the default configuration, they would have the same experience that they would have with an on-premises implementation of Exchange or Lync.

Hi Vasil 

Thanks for your reply :) 

So when the MS guidelines say "Categorize your users" and "Use groups and group-based licensing", and we have the AD administration on prem only, what to do then? ... Is the complete AD synced out 'just' to have the Global Address List available, or am I missing something?

It's up to you really, I've seen organizations going either way. We certainly have more than enough settings to configure filtering now, so you can use it if you think it's best for your particular org. The closest thing I could find to a "recommendation" is in the article I linked above :)

Some reasons not to sync service accounts include:

1. They provide an additional risk to the organization if they get compromised in the cloud.

2. They show up in Delve and other places, which can be confusing/ugly.
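To act on the two points above you first need to know which service accounts would actually reach Azure AD under your OU filtering. The following PowerShell report is an added example, not code from this thread or from Microsoft; it assumes (hypothetically) that the accounts you keep out of sync live under an OU named 'OU=NoSync,DC=contoso,DC=com' and that a "service account" is any user whose name starts with 'svc-' or that has a servicePrincipalName registered. Adjust both assumptions to your own naming and OU layout.

```powershell
# Added example (not from the thread): list likely service accounts that would be
# synced by Azure AD Connect because they sit outside the OU excluded from sync.
# Assumptions (hypothetical): excluded OU is 'OU=NoSync,DC=contoso,DC=com';
# service accounts are named 'svc-*' or carry a servicePrincipalName.
Import-Module ActiveDirectory

$ExcludedOu = 'OU=NoSync,DC=contoso,DC=com'   # placeholder: your filtered-out OU

# Candidate service accounts, with the attributes the report needs.
$candidates = Get-ADUser -Filter { (Name -like 'svc-*') -or (servicePrincipalName -like '*') } `
                         -Properties servicePrincipalName, PasswordLastSet

$report = $candidates | ForEach-Object {
    # With OU filtering, an object syncs unless its DN sits under the excluded OU.
    $inExcludedOu = $_.DistinguishedName -like "*,$ExcludedOu"
    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        Enabled           = $_.Enabled
        HasSpn            = [bool]$_.servicePrincipalName
        PasswordLastSet   = $_.PasswordLastSet
        WouldSync         = -not $inExcludedOu
        DistinguishedName = $_.DistinguishedName
    }
}

# Accounts that would be created in Azure AD: candidates for moving into the
# excluded OU (or for an attribute-based filter) before the next sync cycle.
$report | Where-Object WouldSync | Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, HasSpn, PasswordLastSet, DistinguishedName -AutoSize
```

Run it on a domain-joined admin workstation with the RSAT ActiveDirectory module. Note that Get-ADUser only returns user objects; group and standalone managed service accounts are a separate object class (Get-ADServiceAccount) and are not covered by this report. Once the list is clean, keep it that way by making the excluded OU part of the provisioning process for new service accounts rather than relying on a one-off audit.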


Hi Dean

My point exactly ;) Couldn't agree more ;)