Windows Azure Active Directory Connector for FIM 2010 R2 Technical Reference


The objective of this document is to provide you with the reference information that is required to deploy the Windows Azure Active Directory (AAD) connector for Microsoft® Forefront® Identity Manager (FIM) 2010 R2.

Overview of the AAD Connector

The AAD connector enables you to connect to one or more AAD directories from FIM 2010. AAD is the backend directory infrastructure for Office 365 and other Microsoft cloud services.

The connector is available as a download from the Microsoft Download Center.

From a high level perspective, the following features are supported by the current release of the connector:

Requirement               Support
FIM version               FIM 2010 R2 hotfix 4.1.3496.0 or later (2906832)
Connect to data source    Windows Azure Active Directory
Scenario                  Object Lifecycle Management; Group Management

Note

The Password Hash Sync feature available in DirSync is not supported with FIM 2010 and the AAD Connector.

Operations

The following operations are supported:

  • Full import

  • Delta import

  • Export

Note

This connector does not support any password management scenarios.

Schema

The schema is fixed in the AAD connector and it is not possible to add additional objects and attributes.

Connected Data Source Requirements

In order to manage objects using a connector, you need to make sure that all requirements of the connected data source are fulfilled. This includes tasks such as opening the required network ports and granting the necessary permissions. The objective of this section is to provide an overview of the requirements of a connected data source to perform the desired operations.

Connected Data Source Permissions

When you configure the connector, in the Connectivity section, you need to provide the credentials of an account that is a Global Administrator of the AAD tenant you wish to synchronize with. This account can be either a managed (i.e. username/password) or federated identity.

Important

When you change the password associated with this AAD administrator account, you must also update the AAD connector in FIM 2010 to provide the new password.

Ports and Protocols

The AAD Connector communicates with AAD over HTTPS web services. For the addresses and IP ranges used by AAD and Office 365, see Office 365 URLs and IP address ranges.

Connector Deployment

Before you can start with the installation of a connector, you need to make sure that the deployment prerequisites are satisfied. The objective of this section is to give you an overview of what these prerequisites are and to provide you with the required information to install and configure your AAD connector.

Deployment Prerequisites

The following features must be installed on your FIM 2010 server:

  1. Microsoft .NET 4.0 Framework

  2. FIM Synchronization Service (FIM 2010 R2 hotfix 4.1.3493.0 or later)

  3. Microsoft Online Services Sign-In Assistant
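The following PowerShell script is an added example, not part of the original page, that checks the three prerequisites listed above on the FIM server before you run the connector setup. It assumes (the page does not state these) that the FIM Synchronization Service binary lives at %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe and that the Sign-In Assistant is registered as the Windows service msoidsvc; adjust both if your installation differs.

```powershell
# Added example (not from the original page): preflight check for the AAD connector prerequisites.
# Assumptions: miiserver.exe path and the Sign-In Assistant service name "msoidsvc".

$minimumFimBuild = [version]'4.1.3493.0'

function Test-FimAadConnectorPrerequisites {
    $results = @()

    # 1. .NET Framework 4.0 (Full profile) registers this key; 'Version' carries the build.
    $netKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $netVersion = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Version
    $results += [pscustomobject]@{
        Check  = '.NET Framework 4.0'
        Found  = $netVersion
        Passed = [bool]$netVersion
    }

    # 2. FIM Synchronization Service at or above the required hotfix build (file version of miiserver.exe).
    $miiserver = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe'
    $fimBuild = $null
    if (Test-Path $miiserver) {
        $fimBuild = [version](Get-Item $miiserver).VersionInfo.FileVersion
    }
    $results += [pscustomobject]@{
        Check  = "FIM Synchronization Service >= $minimumFimBuild"
        Found  = $fimBuild
        Passed = ($null -ne $fimBuild) -and ($fimBuild -ge $minimumFimBuild)
    }

    # 3. Microsoft Online Services Sign-In Assistant (service name assumed to be msoidsvc).
    $signIn = Get-Service -Name msoidsvc -ErrorAction SilentlyContinue
    $signInStatus = $null
    if ($signIn) { $signInStatus = $signIn.Status }
    $results += [pscustomobject]@{
        Check  = 'Microsoft Online Services Sign-In Assistant'
        Found  = $signInStatus
        Passed = [bool]$signIn
    }

    return $results
}

$report = Test-FimAadConnectorPrerequisites
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are missing; do not install the connector yet.'
}
```

Run it in an elevated PowerShell session on the FIM server; a row with Passed = False tells you which prerequisite to address before continuing.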

In addition to installing these features, the following must be true:

  1. Directory synchronization is activated in your AAD tenant

  2. The registry is configured for the FIM Synchronization Service account

Activate Directory Synchronization

To activate directory synchronization, follow these steps:

If you are an Office 365 customer:

  1. Log into the Office 365 Admin Portal

  2. Navigate to Users & Groups > Active Directory synchronization Set Up

  3. Click the "Activate" button

If you are an Azure customer:

  1. Log into the Windows Azure AD portal

  2. Navigate to Active Directory > Directory Integration

  3. Under Directory Sync, change the slider setting to Activated

Configure Registry

The service account used by the FIM Synchronization service must have write permission to the following registry key:
HKLM\Software\Microsoft\MSOLCoExistence
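The following PowerShell script is an added example, not part of the original page, that grants the FIM Synchronization Service account the write access described above and then verifies the resulting ACE. It assumes (the page does not say so) that the sync service is registered under the service name FIMSynchronizationService; if your server uses a different name, or the service runs as a local account in ".\name" form, set $serviceAccount by hand to a DOMAIN\user or MACHINE\user value. Run it elevated on the FIM server.

```powershell
# Added example (not from the original page): grant the FIM sync service account
# write access to HKLM\Software\Microsoft\MSOLCoExistence with least privilege.
# Assumption: service name "FIMSynchronizationService".

$keyPath = 'HKLM:\Software\Microsoft\MSOLCoExistence'

# Read the identity the sync service actually runs as, so the grant matches the real account.
$serviceAccount = (Get-WmiObject -Class Win32_Service -Filter "Name='FIMSynchronizationService'").StartName
if (-not $serviceAccount) {
    throw 'FIM Synchronization Service not found; set $serviceAccount manually (DOMAIN\user).'
}

# Create the key if setup has not created it yet; Set-Acl needs an existing target.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# "Write permission" here means: read the key, set values, create subkeys. Not FullControl.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$ruleArgs = @(
    $serviceAccount,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: show the ACE(s) that now apply to the service account.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

The rule is scoped to the MSOLCoExistence key and its subkeys only; do not widen it to HKLM\Software\Microsoft, and do not grant FullControl when SetValue and CreateSubKey are all the service needs.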

Connector Installation and Configuration

This section provides an overview of the AAD connector installation and configuration.

Important

You need to activate directory synchronization before you can install this connector.

Connector Installation

The AAD connector is a standalone setup package you can download from the Microsoft Download Center.
After running the setup package, the connector is installed at the following location:
%ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

Connector Configuration

You configure your AAD connector by using the Management Agent Designer.
In the following sections, you will find configuration details for some of the designer’s configuration pages.

Note

To automate the connector configuration in a lab environment, see the Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide.

Create Management Agent

On this dialog page, you provide the name of your connector.


Connectivity

On the Connectivity page, you must specify the username and password of a Global Administrator in AAD.
The username must be provided in user principal name format, for example:
someone@example.com

You can provide the credentials of any valid Global Administrator account in your company's AAD tenant, or you can create a dedicated account for this purpose. A dedicated account is preferable: the FIM Synchronization Service stores these credentials and uses them on every run, so the account's password lifecycle should be managed together with the connector (see the Important note under Connected Data Source Permissions), and the account should not be shared with interactive administrators.


Select Object Types

On the Select Object Types page, leave the device object type unselected.
This object type was introduced with Windows Server 2012 R2, but FIM 2010 R2 does not support the new attribute types it introduces.


Configure Attribute Flows

For a complete list of attribute flows, see: List of Attributes that are Synced by the Windows Azure Active Directory Sync Tool.

Object Lifecycle

Customers that have verified a domain can synchronize up to 300,000 objects.
To synchronize more than 300,000 objects, contact Technical Support.

Objects synchronized from your on-premises Active Directory appear immediately in the Global Address List (GAL), but it can take up to 24 hours before they appear in the Offline Address Book (OAB) and in Microsoft Lync Online.
Errors encountered during synchronization are sent by email to your company's technical notification contact.

Troubleshooting

For information on how to enable logging to troubleshoot the connector, see How to Enable ETW Tracing for FIM 2010 R2 Connectors.

See Also

Concepts

Management Agents in FIM 2010 R2
Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide

Other Resources

FIM User Forum
FIM 2010 Management Agents from Partners
How to Enable ETW Tracing for FIM 2010 R2 Connectors