Background
Nerdio is tightly integrated with Office 365, which relies on Azure Active Directory (AAD). Nerdio Active Directory is regularly synchronized with AAD using the Azure AD Connect tool that is installed on DC01.
All Office 365 and other Microsoft Cloud services rely on AAD for identity information. Users (the identity objects) are independent of any particular Office 365 service (e.g. Exchange Online); a user in AAD may or may not have an Office 365 license assigned.
There are two types of users in AAD:
- "In Cloud" users – these users were created directly in the Office 365 admin portal and are not synchronized with Active Directory. In Cloud users have an object property called ImmutableID (not visible in the admin portal; PowerShell only) that is null. In Cloud users are often created during the initial migration into Office 365, before there is any requirement to synchronize with an existing Active Directory. These users can be edited in the Office 365 Admin Portal.
- "Synced with Active Directory" users – these objects were created in an on-premises AD and synced to AAD. The ImmutableID property of these users is set to a unique ID generated from the AD object's GUID. These objects cannot be modified directly in the Office 365 Admin Portal and must be managed in the AD where they were created and from which they are being synced.
Common on-boarding situation
It is very common for a new Nerdio customer to already be using Office 365. This typically means that the customer has "In Cloud" AAD users with Office 365 licenses assigned to them. When a new Nerdio account is provisioned and linked to an existing Office 365 tenant, any users added to Nerdio through the Nerdio Admin Portal (NAP) are also added to AAD as "Synced with Active Directory" and can only be modified in Nerdio. Existing "In Cloud" AAD users are visible in the Users module in NAP, but must be imported (one at a time or in bulk) before they are synchronized with Nerdio AD and can be managed via NAP.
The table below shows how O365 user fields are mapped to Nerdio AD user fields:

| Nerdio AD field | O365 field |
|---|---|
| City | City |
| State | State |
| Title | Title |
| Street | StreetAddress |
| Postal | PostalCode |
| Office | Office |
| UserUPN | UserPrincipalName |
| DisplayName | DisplayName |
| Faxnumber | Fax |
| WorkNumber | PhoneNumber |
| MobileNumber | MobilePhone |
| FirstName | FirstName (if 'FirstName' is empty, the first word of 'DisplayName') |
| LastName | LastName (if 'LastName' is empty, the second word of 'DisplayName') |
| UserName | The part of 'UserPrincipalName' preceding '@' |
| PrimaryEmail | If the primary proxy is not empty, the part of the primary proxy following 'SMTP:'; otherwise 'UserPrincipalName' (the primary proxy is the element of 'ProxyAddresses' starting with 'SMTP:') |
| AdditionEmail | The parts of the additional proxies following ':' (additional proxies are the elements of 'ProxyAddresses' starting with 'smtp:') |
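The mapping rules in the table, written out as a small function so the fallbacks (DisplayName words, UPN, proxy addresses) can be checked against concrete records. This is an added example, not Nerdio's own import code; the two AAD user records are constructed sample data and the O365 attribute names follow the table's right-hand column.

```python
# Added example (not Nerdio's code): models the O365 -> Nerdio AD field mapping
# from the table above. Input records are constructed sample data.

# One-to-one mappings: Nerdio AD field -> O365 field.
DIRECT_FIELDS = {
    "City": "City",
    "State": "State",
    "Title": "Title",
    "Street": "StreetAddress",
    "Postal": "PostalCode",
    "Office": "Office",
    "UserUPN": "UserPrincipalName",
    "DisplayName": "DisplayName",
    "Faxnumber": "Fax",
    "WorkNumber": "PhoneNumber",
    "MobileNumber": "MobilePhone",
}


def map_o365_user(o365: dict) -> dict:
    """Translate one O365/AAD user record into Nerdio AD fields."""
    nerdio = {field: o365.get(src) for field, src in DIRECT_FIELDS.items()}

    # FirstName/LastName fall back to the first/second word of DisplayName.
    words = (o365.get("DisplayName") or "").split()
    nerdio["FirstName"] = o365.get("FirstName") or (words[0] if len(words) > 0 else None)
    nerdio["LastName"] = o365.get("LastName") or (words[1] if len(words) > 1 else None)

    # UserName is the part of the UPN preceding '@'.
    upn = o365.get("UserPrincipalName") or ""
    nerdio["UserName"] = upn.split("@", 1)[0]

    # Primary proxy: the ProxyAddresses entry starting with upper-case 'SMTP:'.
    # If there is none, PrimaryEmail falls back to the UPN.
    proxies = o365.get("ProxyAddresses") or []
    primary = [p[len("SMTP:"):] for p in proxies if p.startswith("SMTP:")]
    nerdio["PrimaryEmail"] = primary[0] if primary else upn

    # Additional proxies: entries starting with lower-case 'smtp:'; keep the
    # part after the first ':'.
    nerdio["AdditionEmail"] = [p.split(":", 1)[1] for p in proxies if p.startswith("smtp:")]
    return nerdio


# Constructed sample records: one complete, one missing names and proxies.
SAMPLE_USERS = [
    {
        "DisplayName": "Alice Example",
        "FirstName": "Alice",
        "LastName": "Example",
        "UserPrincipalName": "alice@example.com",
        "ProxyAddresses": [
            "SMTP:alice.example@example.com",
            "smtp:alice@example.com",
            "smtp:aexample@example.com",
        ],
        "City": "Chicago",
    },
    {
        "DisplayName": "Bob Builder",
        "UserPrincipalName": "bob@example.com",
    },
]


def map_all(users) -> list:
    """Map a list of O365 records; handy for a dry run before importing."""
    return [map_o365_user(u) for u in users]


if __name__ == "__main__":
    for mapped in map_all(SAMPLE_USERS):
        print(mapped["UserName"], mapped["FirstName"], mapped["LastName"],
              mapped["PrimaryEmail"], mapped["AdditionEmail"])
```

Running the mapping over an exported user list before importing makes it easy to spot records whose DisplayName has only one word (no LastName would be derived) or whose primary SMTP address differs from the UPN.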
A brief FAQ about the Other Azure AD users section
Q: Which users are shown in the Other Azure AD users section?
A: Users that are not synced with the Active Directory on DC01.
Q: When is the Import button shown or hidden for a user?
A: The Import button is shown for a user if the user is not synced, has a domain from the account's domain list, and is not an external user (does not have #EXT# in the username).
Q: Which users are shown or hidden when the "Show all users" setting is turned on or off?
A: When the "Show all users" setting is turned off, only users available for import are displayed.
When importing an AAD user into Nerdio AD, NAP creates a matching user account in Nerdio AD and triggers a synchronization with Azure AD. This performs an SMTP match (also called a soft match) and converts the existing "In Cloud" user in AAD to one that is "Synced with Active Directory". From that point on, all changes to this user object must be made in Nerdio and are automatically synced to Azure AD.
- When the user is imported, the password is reset. The user will need to be notified of the new password and will need to update all connected mobile devices to use it.
- IMPORTANT: The procedure above only applies if the existing user objects are "In Cloud". If users have previously been synced with another Active Directory and are therefore marked as "Synced with Active Directory" in the Office 365 Admin Portal, consult this article on returning these users to "In Cloud" status before importing.
- To import a user from Office 365 into Nerdio, the user's email domain must be one of those listed in the Onboard > Domains screen. Users with the @tenant.onmicrosoft.com domain cannot be imported, since that is not a valid Active Directory domain.
- You will not be able to import Azure AD users that are assigned to one or more host pools. You must first unassign the host pool(s), import the user, and then assign the host pool(s) again.
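The FAQ above and the import notes together define when a user appears in the Other Azure AD users section and when its Import button is available: not synced (ImmutableID null), email domain in the Onboard > Domains list, no #EXT# in the username, and not assigned to a host pool. The following added example (not Nerdio's code) encodes those rules so a list of tenant users can be triaged before an import; the user records, domain list and host-pool assignments are constructed sample data.

```python
# Added example (not Nerdio's code): classifies AAD users by ImmutableID and
# applies the Import-button rules from the FAQ and notes above. All records
# below are constructed sample data.


def is_synced(user: dict) -> bool:
    """A non-null ImmutableID marks a user as synced from an on-premises AD."""
    return bool(user.get("ImmutableID"))


def upn_domain(upn: str) -> str:
    """Domain portion of a UPN, lower-cased ('' if there is no '@')."""
    return upn.rsplit("@", 1)[1].lower() if "@" in upn else ""


def import_blockers(user: dict, account_domains, host_pool_users) -> list:
    """Return the reasons a user cannot be imported; an empty list means importable."""
    upn = user.get("UserPrincipalName", "")
    reasons = []
    if is_synced(user):
        reasons.append("already synced with Active Directory")
    if upn_domain(upn) not in {d.lower() for d in account_domains}:
        reasons.append("domain not in Onboard > Domains list")
    if "#EXT#" in upn:
        reasons.append("external user (#EXT# in username)")
    if upn.lower() in {u.lower() for u in host_pool_users}:
        reasons.append("assigned to one or more host pools; unassign first")
    return reasons


def other_azure_ad_users(users, account_domains, host_pool_users, show_all=False) -> list:
    """Users listed in the 'Other Azure AD users' section, with their blockers.

    Only users not synced with DC01 belong in the section; with
    'Show all users' off, only those available for import are displayed.
    """
    listed = []
    for user in users:
        if is_synced(user):
            continue
        blockers = import_blockers(user, account_domains, host_pool_users)
        if show_all or not blockers:
            listed.append((user["UserPrincipalName"], blockers))
    return listed


# Constructed sample tenant: one onboarded domain and one user in a host pool.
ACCOUNT_DOMAINS = {"example.com"}
HOST_POOL_USERS = {"erin@example.com"}
SAMPLE_USERS = [
    {"UserPrincipalName": "alice@example.com", "ImmutableID": None},
    {"UserPrincipalName": "bob@example.com", "ImmutableID": "Y2FiZDEyMzQ1Njc4OTA="},
    {"UserPrincipalName": "carol_gmail.com#EXT#@tenant.onmicrosoft.com", "ImmutableID": None},
    {"UserPrincipalName": "dave@tenant.onmicrosoft.com", "ImmutableID": None},
    {"UserPrincipalName": "erin@example.com", "ImmutableID": None},
]

if __name__ == "__main__":
    for upn, blockers in other_azure_ad_users(
        SAMPLE_USERS, ACCOUNT_DOMAINS, HOST_POOL_USERS, show_all=True
    ):
        print(upn, "-> importable" if not blockers else "-> " + "; ".join(blockers))
```

With "Show all users" on, the sample tenant lists four non-synced users, of which only alice@example.com is importable; bob is never listed because his ImmutableID is set.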
Domain federation
Once Nerdio AD and AAD users are matched, the domain can be federated with Nerdio. Federating a domain enables ADFS for that domain and makes Nerdio AD (DC01) authoritative for all authentication requests. When a user logs in to Office 365 and the domain portion of the username is a federated one, the authentication request is forwarded to the Nerdio ADFS service.
To federate a domain whose user objects were matched with Office 365, go to Onboard > Domains and select "Convert to federated" from the action menu. The process takes a few minutes; once complete, user authentication requests are forwarded to https://adfsXXXX.nerdio.net (where XXXX is the Nerdio Account ID).
IMPORTANT: When adding users via Bulk User Add from a CSV file, NAP does not validate username uniqueness against Azure AD. Be careful not to add users that are already part of Azure AD (Office 365); use the Azure AD user import function in the Users module for those instead.
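Because NAP does not check Bulk User Add usernames against Azure AD, a pre-check over the CSV catches collisions before the bulk add runs. The example below is added here and is not Nerdio's code; the CSV columns (UserName, Domain) and the list of existing tenant UPNs are assumptions constructed for the example, not the product's real bulk-add template.

```python
# Added example (not Nerdio's code): pre-check a Bulk User Add CSV against the
# UPNs that already exist in Azure AD. Column names and data are constructed.
import csv
import io

# Constructed: UPNs that already exist in the Azure AD tenant.
EXISTING_AAD_UPNS = ["Alice@example.com", "bob@example.com"]

# Constructed CSV in the shape this example assumes for bulk add.
SAMPLE_CSV = """UserName,FirstName,LastName,Domain
alice,Alice,Example,example.com
frank,Frank,Example,example.com
bob,Bob,Builder,example.com
frank,Frank,Example,example.com
"""


def find_upn_collisions(csv_text: str, existing_upns) -> list:
    """Return 'username@domain' values from the CSV that would collide.

    A row collides if its UPN already exists in Azure AD or if an earlier
    row in the same CSV already used it. UPNs compare case-insensitively.
    """
    existing = {upn.lower() for upn in existing_upns}
    seen_in_csv = set()
    collisions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = f"{row['UserName'].strip()}@{row['Domain'].strip()}".lower()
        if upn in existing or upn in seen_in_csv:
            collisions.append(upn)
        seen_in_csv.add(upn)
    return collisions


if __name__ == "__main__":
    for upn in find_upn_collisions(SAMPLE_CSV, EXISTING_AAD_UPNS):
        print("would collide:", upn)
```

Rows flagged by the check should be removed from the CSV and handled through the Azure AD user import in the Users module instead, so the existing Office 365 identity is soft-matched rather than duplicated.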