Windows Azure Active Directory Connector for FIM 2010 R2 Technical Reference
For feedback, click here.
The objective of this document is to provide you with the reference information that is required to deploy the Windows Azure Active Directory (AAD) connector for Microsoft® Forefront® Identity Manager (FIM) 2010 R2.
Overview of the AAD Connector
The AAD connector enables you to connect to one or multiple AAD directories from FIM2010. AAD is the infrastructure backend for Office 365 and other cloud services from Microsoft.
The connector is available as a download from the Microsoft Download Center.
From a high level perspective, the following features are supported by the current release of the connector:
FIM 2010 R2 hotfix 4.1.3496.0 or later (2906832)
Connect to data source
Windows Azure Active Directory
The Password Hash Sync feature available in DirSync is not supported with FIM2010 and the AAD Connector.
The following operations are supported:
This connector does not support any password management scenarios
The schema is fixed in the AAD connector and it is not possible to add additional objects and attributes.
Connected Data Source Requirements
In order to manage objects using a connector, you need to make sure that all requirements of the connected data source are fulfilled. This includes tasks such as opening the required network ports and granting the necessary permissions. The objective of this section is to provide an overview of the requirements of a connected data source to perform the desired operations.
Connected Data Source Permissions
When you configure the connector, in the Connectivity section, you need to provide the credentials of an account that is a Global Administrator of the AAD tenant you wish to synchronize with. This account can be either a managed (i.e. username/password) or federated identity.
When you change the password associated with this AAD administrator account, you must also update the AAD connector in FIM 2010 to provide the new password.
Ports and Protocols
The AAD Connector communicates with AAD using web services. For additional information which addresses are used by AAD and Office 365, please refer to Office 365 URLs and IP address ranges.
Before you can start with the installation of a connector, you need to make sure that the deployment prerequisites are satisfied. The objective of this section is to give you an overview of what these prerequisites are and to provide you with the required information to install and configure your AAD connector.
The following features must be installed on your FIM 2010 server:
Microsoft .NET 4.0 Framework
FIM Synchronization Service (FIM2010 R2 hotfix 4.1.3493.0, or later)
In addition to installing the following must be true:
Active Directory Synchronization is activated
Activate Directory Synchronization
To activate directory synchronization, follow these steps:
If you are an Office 365 customer:
Log into the Office 365 Admin Portal
Navigate to Users & Groups > Active Directory synchronization Set Up
Click the "Activate" button
If you are an Azure customer:
Log into the Windows Azure AD portal
Navigate to Active Directory > Directory Integration
Under Directory Sync, change the slider setting to Activated
The service account used by the FIM Synchronization service must have write permission to the following registry key:
Connector Installation and Configuration
This section provides an overview of the AAD connector installation and configuration.
You need to activate directory synchronization before you can install this connector.
The AAD connector is a standalone setup package you can download from the Microsoft Download Center.
After running the setup package, the connector is installed at the following location:
%Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions
You configure your AAD connector by using the Management Agent Designer.
In the following sections, you will find configuration details for some of the designer’s configuration pages.
To automate the connector configuration in a lab environment, see the Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide.
Create Management Agent
On this dialog page, you provide the name of your connector.
On the Connectivity page, you must specify the username and password of a global administrator in AAD.
These credentials must be provided in the following format:
You can provide credentials for any valid administrator account in your company’s AAD tenant, or you may create a special account dedicated to this use.
Select Object Types
On the Select Object Types page, leave the device object unselected.
This object type was introduced with Windows Server 2012R2 but FIM2010R2 does not have support for the new attributes types introduced.
Configure Attribute Flows
For a complete list of attribute flows, see: List of Attributes that are Synced by the Windows Azure Active Directory Sync Tool.
Customers that have verified a domain can synchronize up to 300,000 objects.
To synchronize more than 300,000 objects, you will need to contact Technical Support.
Objects that have been synchronized from your on-premises Active Directory service will appear immediately in the Global Address List (GAL), but it may take up to 24 hours before they appear in the Offline Address Book (OAB) and in Microsoft Lync Online.
Error encountered during synchronization will be sent via email to your company’s technical notification contact.
For information on how to enable logging to troubleshoot the connector, see the How to Enable ETW Tracing for FIM 2010 R2 Connectors