Azure AD Integration
Microsoft provides a cloud-based identity platform called Azure Active Directory (AAD). Like Active Directory Domain Services (AD-DS), it provides several protocols and interfaces to interact with identity data, obtain logon tokens, and mechanisms to enforce access controls. Unlike AD-DS, it does not use the same technologies or protocols; it is built on more modern ones.
Because most enterprises have a rich set of practices developed to provision and manage their AD-DS, Microsoft provides tools to integrate and connect your on-premises AD-DS with your cloud-based AAD. This allows an enterprise to easily adopt AAD without creating new tools and practices for it.
There have been several tools over the years focused on synchronizing this data. We currently are leveraging the one called Azure AD Connect.
So the UW leverages the Microsoft sync tool to provide provisioning of users, groups, and contacts in Azure AD. This is not the only integration or practice that results in changes to Azure AD, but it is the predominant one.
What is Synchronized?
The AAD sync tools generally include all users, groups, and contact objects. This means that by default every user, group, and contact in your AD-DS is sent to your AAD.
We have configured our AAD sync to not send every group. This is because at this time, Azure AD does not include controls to protect the privacy of group membership. So the many groups which have membership privacy controls are not present in our Azure AD.
More details mapping exactly what the AAD sync tools sync are available. Note that a few attributes are synced back to AD-DS (see table 2 in link above).
Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity. On busy days, it is not uncommon for this process to take several hours to complete.
Other Important Details
Microsoft enforces UPN and mail address uniqueness. So if there is already a user with firstname.lastname@example.org as either its UPN or mail value, then no other account can carry that value, and such an account won’t get synchronized. This is rare and generally only happens in situations where there was a UW NetID name change or identity merger.
If a NETID AD object that has been synced to AAD is deleted or falls out of the criteria to be synchronized, then the corresponding AAD object is also deleted, being put in a state called “soft delete”. Soft delete means that the object can still be recovered for 30 days by an AAD administrator (or if the AD-DS object re-appears), but is otherwise unusable.
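The three rules described above (privacy-protected groups are filtered out of scope, a UPN or mail value claimed by more than one object blocks synchronization, and a dropped object is soft-deleted with a 30-day recovery window) can be modelled together. The following is an added example written for this page; it is not the UW sync configuration or Azure AD Connect code, does not call the Graph API, and uses constructed sample objects and dates. The collision check is a pre-flight check that flags every object involved in a collision, so an administrator can resolve it before the next run; Azure AD itself only rejects the later object.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Recovery window for a soft-deleted Azure AD object (30 days, per the text above).
SOFT_DELETE_WINDOW = timedelta(days=30)


@dataclass
class DirObject:
    """An on-premises AD-DS object as seen by the sync filter (constructed model)."""
    object_type: str                  # "user", "group" or "contact"
    name: str
    upn: str = ""
    mail: str = ""
    membership_private: bool = False  # only meaningful for groups


def in_sync_scope(obj: DirObject) -> bool:
    """Users and contacts are always in scope; a group is excluded when its
    membership is privacy-protected, since AAD cannot enforce that privacy."""
    if obj.object_type == "group":
        return not obj.membership_private
    return obj.object_type in ("user", "contact")


def find_address_collisions(objects: List[DirObject]) -> Dict[str, List[str]]:
    """Map each UPN/mail value claimed by more than one object to its claimants.
    Matching is case-insensitive, and one object's UPN colliding with another
    object's mail counts, because uniqueness is enforced across both attributes."""
    claims: Dict[str, set] = {}
    for obj in objects:
        for addr in {obj.upn, obj.mail}:
            if addr:
                claims.setdefault(addr.lower(), set()).add(obj.name)
    return {a: sorted(n) for a, n in claims.items() if len(n) > 1}


def plan_sync(objects: List[DirObject]) -> Tuple[List[str], Dict[str, str]]:
    """Pre-flight check: names that would be exported, and names held back with a reason."""
    collisions = find_address_collisions(objects)
    exported: List[str] = []
    held: Dict[str, str] = {}
    for obj in objects:
        if not in_sync_scope(obj):
            held[obj.name] = "out of scope (group membership is privacy-protected)"
            continue
        clash = [a for a in (obj.upn, obj.mail) if a and a.lower() in collisions]
        if clash:
            held[obj.name] = f"UPN/mail not unique: {clash[0].lower()}"
            continue
        exported.append(obj.name)
    return exported, held


@dataclass
class CloudObject:
    """The Azure AD side of a synced object (constructed model)."""
    name: str
    soft_deleted_at: Optional[datetime] = None


def reconcile(cloud: Dict[str, CloudObject], exported: List[str], now: datetime) -> List[str]:
    """Apply one run's export set to the cloud directory and return what changed.
    Dropped objects are soft-deleted; a soft-deleted object that reappears inside
    the window is restored, after the window a fresh object is created instead;
    soft-deleted objects that never return are purged once the window has passed."""
    events: List[str] = []
    wanted = set(exported)
    for name in exported:
        obj = cloud.get(name)
        if obj is None:
            cloud[name] = CloudObject(name)
            events.append(f"created {name}")
        elif obj.soft_deleted_at is not None:
            if now - obj.soft_deleted_at <= SOFT_DELETE_WINDOW:
                obj.soft_deleted_at = None
                events.append(f"restored {name}")
            else:
                cloud[name] = CloudObject(name)  # old object unrecoverable, new identity
                events.append(f"recreated {name} (past recovery window)")
    for name, obj in list(cloud.items()):
        if name in wanted:
            continue
        if obj.soft_deleted_at is None:
            obj.soft_deleted_at = now
            events.append(f"soft-deleted {name}")
        elif now - obj.soft_deleted_at > SOFT_DELETE_WINDOW:
            del cloud[name]
            events.append(f"purged {name}")
    return events


SAMPLE_OBJECTS = [  # constructed sample data, not real directory content
    DirObject("user", "alice", upn="alice@example.org", mail="alice@example.org"),
    DirObject("user", "bob", upn="bob@example.org", mail="bob@example.org"),
    # a renamed account that kept the old mail value: collides with bob
    DirObject("user", "bob.old", upn="Bob.Old@example.org", mail="bob@example.org"),
    DirObject("group", "staff"),
    DirObject("group", "counseling-clients", membership_private=True),
    DirObject("contact", "vendor", mail="vendor@partner.example"),
]


def demo_timeline() -> List[List[str]]:
    """Walk the 'staff' group through soft delete, restore, expiry and purge (constructed dates)."""
    cloud: Dict[str, CloudObject] = {}
    t0 = datetime(2024, 1, 1)
    steps = [
        (["alice", "staff"], t0),                       # first run: both created
        (["alice"], t0 + timedelta(days=1)),            # staff drops out: soft delete
        (["alice", "staff"], t0 + timedelta(days=11)),  # back within 30 days: restored
        (["alice"], t0 + timedelta(days=12)),           # drops out again
        (["alice", "staff"], t0 + timedelta(days=43)),  # back after 31 days: recreated
        (["alice"], t0 + timedelta(days=44)),           # drops out once more
        (["alice"], t0 + timedelta(days=75)),           # never returns: purged
    ]
    return [reconcile(cloud, exported, when) for exported, when in steps]
```

Running `plan_sync(SAMPLE_OBJECTS)` exports alice, staff and vendor and holds back bob and bob.old (shared mail value) and counseling-clients (privacy-protected); `demo_timeline()` shows that a group which reappears on day 11 is restored, while one that reappears on day 43 after being dropped on day 12 gets a brand-new object, matching the 30-day rule.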