Nerdio is tightly integrated with Office 365, which relies on Azure Active Directory (AAD). Nerdio Active Directory is regularly synchronized with AAD using the Azure ADConnect tool that is installed on DC01.
All Office 365 and other Microsoft Cloud services rely on AAD for identity information. Users (the identity objects) are independent of any particular Office 365 service (e.g. Exchange Online); a user in AAD may or may not have an Office 365 license assigned.
There are two types of users in AAD:
- “In Cloud” users – these users were created directly in the Office 365 admin portal and are not synchronized with Active Directory. In Cloud users have an object property called ImmutableID (not visible in admin portal, PowerShell only) that is null. In Cloud users often get created first during initial migration into Office 365 before there is a requirement to synchronize with an existing Active Directory. These users can be edited in Office 365 Admin Portal.
- “Synced with Active Directory” users – these objects were created in an on-premises AD and synced to AAD. The ImmutableID property for these users is set to a unique ID generated from the AD object GUID. These objects cannot be modified directly in the Office 365 Admin Portal and have to be managed in the AD where they were created and are being synced from.
Common onboarding situation
It is very common for a new Nerdio customer to already be a user of Office 365. This typically means that users have “In Cloud” AAD accounts with Office 365 licenses assigned to them. When connecting Nerdio AD to an existing Office 365 tenant, the users in Nerdio will be added to AAD as “Synced with Active Directory” and can only be modified in Nerdio.
Every new Nerdio account starts with a routable email domain (XXXX.nerdio.net – where XXXX is the Nerdio Account ID) and all new user accounts will have the PrincipalUsername and email address of username@XXXX.nerdio.net. These users will appear in AAD and will not conflict with the existing “In Cloud” users that have assigned Office 365 licenses, since the PrincipalUsernames are different.
During the onboarding process, just prior to go-live, it is necessary to non-disruptively “merge” the two AAD user objects into one while retaining all of the Office 365 content and settings. This is done by performing a procedure called “O365 SMTP Match” (aka soft-match). During this process, usernames and email addresses in Nerdio AD are set to match the already existing “In Cloud” users in AAD. When the next sync runs, the username@XXXX.nerdio.net user objects disappear from AAD, the existing “In Cloud” users with assigned O365 licenses get converted to “Synced with Active Directory”, and Nerdio can then be used to control the properties of these user objects.
IMPORTANT: The procedure below only applies if the existing user objects are “In Cloud”. If users have previously been synced with another Active Directory and are therefore marked as “Synced with Active Directory” in the Office 365 Admin Portal, you should consult with a Nerdio onboarding engineer on how to proceed.
Performing SMTP match
There are two steps to performing an SMTP match in the Nerdio Admin Portal:
Step 1: Change the domain part of the usernames and email addresses in Nerdio AD to the domain being matched. Either:
- Go to Onboard->Domains in NAP and set the company.com domain to default. Check the box next to “Change existing user’s email address and username to the new domain.” and click Confirm. This will change all user objects from the current domain to the new domain but will retain all existing email addresses as aliases.
- Alternatively, go to Users and edit individual users one at a time. Change the user’s email domain using the drop-down. Under the “Show extended attributes” section, UNCHECK “Check if email address existing in Exchange Online or Azure AD” and click Save. This has to be done on a per-user basis.
Step 2: Perform O365 SMTP Match. This step is necessary only if you added users to NAP first and now want to match them to existing “In Cloud” mailboxes. Go to Onboard->Domains and click on the O365 SMTP Match button next to the domain that you want to match to. This will perform the following steps:
- Step through all user objects in Nerdio AD and identify those without an assigned O365 license
- For each of these objects, NAP will find the corresponding AAD “In-Cloud” user object and verify that there is an O365 license assigned to it
- Delete the AAD user object that does NOT have O365 license assigned to it to allow for the synchronization process to match the Nerdio AD user with the existing AAD “In-Cloud” user
- Perform Azure AD synchronization
Once the above steps are performed, refresh the user list under Users in NAP and verify that users are now showing an assigned Office 365 license.
NERDIO SUPERHERO TIP
The only users that will be deleted are the ones that match the following criteria:
- User object in AAD is "Synced with Active Directory" not "In Cloud"
- User object in AAD has no assigned Office 365 license, which means it has no associated data in Office 365
- User object in AAD has a matching "In Cloud" user with an Office 365 license that has the same username, where the domain part (@domain.com) is the domain that's being matched
If a user is “In Cloud” (meaning it was created in Office 365 originally) then it will not be deleted. If it's “Synced with Active Directory” (meaning it was created inside of Nerdio Admin Portal and was synced with Office 365) then it will only be deleted if there is a matching “In Cloud” user with the same username.
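Before clicking O365 SMTP Match, an admin can preview which objects meet the deletion criteria above and which ones fall under the IMPORTANT caveat (target-domain users already synced from another AD). This is an added example, not Nerdio's own code; it assumes the Microsoft Graph PowerShell module (which exposes the ImmutableID property described above as OnPremisesImmutableId) and the placeholder values of $NerdioDomain and $TargetDomain, which you replace with your tenant's domains.

```powershell
# Added example (not Nerdio's code): dry-run report of what an O365 SMTP Match would do.
# Assumes the Microsoft.Graph module and an admin sign-in; domain values are placeholders.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$NerdioDomain = 'XXXX.nerdio.net'   # routable Nerdio domain (XXXX = Nerdio Account ID)
$TargetDomain = 'company.com'       # domain being matched

# OnPremisesImmutableId is the Graph name for ImmutableID:
# null => "In Cloud", non-null => "Synced with Active Directory".
$users = Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId,AssignedLicenses |
    ForEach-Object {
        $parts = $_.UserPrincipalName.ToLower() -split '@'
        [pscustomobject]@{
            Upn      = $_.UserPrincipalName
            Name     = $parts[0]
            Domain   = $parts[1]
            Synced   = -not [string]::IsNullOrEmpty($_.OnPremisesImmutableId)
            Licensed = (@($_.AssignedLicenses).Count -gt 0)
        }
    }

# Index the target-domain users by username so each Nerdio user can be looked up.
$byName = @{}
foreach ($t in ($users | Where-Object { $_.Domain -eq $TargetDomain })) { $byName[$t.Name] = $t }

# Apply the same criteria the tip lists: only synced, unlicensed Nerdio-domain users
# with a licensed "In Cloud" counterpart in the target domain are deleted.
foreach ($u in ($users | Where-Object { $_.Domain -eq $NerdioDomain -and $_.Synced })) {
    $match = $byName[$u.Name]
    if ($null -eq $match) {
        Write-Output "NO MATCH   $($u.Upn): no $TargetDomain user with this username; nothing is deleted"
    }
    elseif ($u.Licensed) {
        Write-Output "SKIP       $($u.Upn): already has a license, so it is not deleted"
    }
    elseif ($match.Synced) {
        Write-Output "STOP       $($u.Upn): $($match.Upn) is already synced from another AD; consult onboarding engineer"
    }
    elseif (-not $match.Licensed) {
        Write-Output "SKIP       $($u.Upn): $($match.Upn) is In Cloud but unlicensed, so it is not deleted"
    }
    else {
        Write-Output "WILL MATCH $($u.Upn) -> $($match.Upn) (In Cloud, licensed); $($u.Upn) is deleted on next sync"
    }
}
```

Run it read-only before the match and again after the sync completes; after a successful match the target-domain users should report as Synced and the Nerdio-domain duplicates should be gone.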
Once Nerdio AD and AAD users are matched, the domain needs to be federated with Nerdio. Federating a domain enables ADFS for that domain and makes Nerdio AD (DC01) authoritative for all authentication requests. When a user logs into Office 365, if the domain portion of the username is one that’s federated, the authentication request will be forwarded to the Nerdio ADFS service.
To federate a domain whose user objects were matched with Office 365, go to Onboard->Domains and select “Convert to federated” from the action menu. The process will take a few minutes, and once complete, user authentication requests will be forwarded to https://adfsXXXX.nerdio.net (where XXXX is the Nerdio Account ID).
IMPORTANT: When importing users with Bulk User Add using a CSV file, NAP does not perform username uniqueness validation against Azure AD. If you are not ready to have the imported users automatically match Azure AD users, do not use the same username in the CSV file. Instead, import users using the routable XXXX.nerdio.net domain and then use one of the two methods mentioned above to change the domain part of the username when ready. For example, if email@example.com exists in Azure AD and you’re not ready for Nerdio AD to take over authentication, use firstname.lastname@example.org instead during the Bulk User Import process.