Skip to main content

Configuring Customer Plans for Microsoft Online

Overview

The Microsoft Online service is highly configurable. This article covers the options available to cope with different identity models that may be in use across your Microsoft 365 tenants. Ensure that a connection to your Microsoft PartnerCenter has been created before attempting to create a customer plan.

Atria currently supports the following identity related configuration options:

  1. Stand-Alone Azure AD (Cloud Only Microsoft 365 Users) - the simplest and default configuration.
  2. Microsoft Active Directory Federation Services (ADFS) - where one or more domains within a tenant are configured for authentication via an external federation service.
  3. Microsoft Azure Active Directory Connect (AAD Connect) - where Microsoft Azure AD Connect is configured to synchronise users between Active Directory and Azure Active Directory.
  4. Third party Identity Services such as Citrix Netscaler or Okta - mostly operate in a similar way to ADFS.

If there is anything outside of the above that you use for user management in Office 365 that binds to users and makes them Immutable - Please reach out for confirmation from us about supportability.

What are Customer Plans?

A Customer Plan is a customizable configuration within a Microsoft Online service setup, allowing organizations to tailor identity and user management settings based on each customer’s specific requirements. The plan is designed to ensure smooth, efficient user management and authentication across various Microsoft 365 environments, especially when multiple identity models are in use.

Customer Plans help streamline identity management for Microsoft 365 services by providing pre-defined configurations. This is crucial for IT administrators managing multiple tenants, as each plan encapsulates the rules and synchronization processes specific to the customer’s identity architecture, whether it be cloud-only, hybrid, or ADFS-supported.

Curating Customer Plans & Policies

There are up to 8 different configurations that should cover the scenarios you may encounter.

Each Customer Plan contains a Sync Policy and optionally an ADFS policy. Our recommendation is to create a short list of standard Customer Plans with the base configurations you require, and then override these for individual customers as needed.

For example, if each customer has their own ADFS/OKTA deployment then you might have one Generic "ADFS Standard" Customer plan which is used for all ADFS customers, and a specific ADFS Policy for each customer, when the customer is provisioned within Atria, you would create a new ADFS Policy for the customer, then override the Customer Plan "ADFS Policy" setting.

The flow diagram below can be used to determine the configuration you need to apply when onboarding a customer.

Configuring ADFS Policy for Microsoft Online Service

These will then be used to create the customer plans.

Customer Plan / ConfigurationEnd Customer Scenario
Azure AD Connect + ADFS + Azure MasterA Customer with a physical On-Premise Domain Controller with AAD Connect + ADFS
Azure AD Connect + ADFS + Atria MasterA Customer consuming on-premise shared services with AD Connect + ADFS
Azure AD Connect + Azure AD MasterA Customer with a Private Domain with Azure AD Connect
Azure AD Connect + Atria MasterA Customer with the Legacy O365 Service, or has a AAD Connect service pointed at the Shared Directory
ADFS + Azure AD MasterA Customer with an External ADFS Application such as Okta or Citrix Netscaler
ADFS + Atria MasterA Customer who has Microsoft ADFS with the Shared Directory
Default Policy + Azure AD MasterA Cloud Only Customer who is being on-boarded to Atria for the first time
Default Policy + Atria MasterA Customer that existed in Atria with services or identity, but has moved to Microsoft 365

Creating a Customer Plan

New Customer Plan

  1. When you are ready to create a Customer plan, head to Configuration > System Manager > Service Deployment
  2. Ensure the Service Filter is set to Top Environment Services and open Azure AD.
  3. Click Customer Plans.
  4. Enter a Display Name (e.g. "Default Policy + Azure AD Master") and hit Create.
  5. Click Apply Changes.

Configuring a Customer Plan

  1. Change the Service Filter to Active Directory Location Services and chose the desired location.
  2. Open Azure AD and Click Customer Plans.
  3. Enable the plan and click the green arrow to open the configuration.
  4. Click Apply Changes and Save.
note

Further information about the specific configuration options can be found below the image.

MSOL Service Provisioning

The Atria "Sync Policy"

Sync Policies are a configuration option presented when configuring a Customer Plan. Atria has 2 default Sync Policies built in: Atria Master and AzureAD Master. These policies are setup to change the Master Directory setting within Atria.

Atria has a process which synchronises user accounts from Azure AD into Atria. The Master Directory setting determines the priority for any conflicts. The setting only has an impact when users are being synchronised into Atria.

For example, if a User exists in Atria with the surname "Wilson" and the same user exists in Azure AD with the surname "Willson" - then the Master Directory Setting will be used to decide which of these values should take precedence when the synchronisation process runs.

For Cloud Only customers who don't consume on-premise services from yourself, it's safe to assume that Azure AD is likely the best source of truth for user properties. In this case, set the Sync Policy to AzureAD Master.

If the customer consumes on-premises services from you, or if Azure AD accounts have been manually created without a full set of information, Atria will likely already have the most valid and up-to-date information. In this case, set the Sync Policy to Atria Master

info

this configuration setting only applies to User Properties such as Phone and Address, not mail delivery or system "Impacting" properties such as Proxy Addresses or Primary Email Addresses. These will always be taken directly from Microsoft 365 if the user is Mail Enabled.

You can create further Sync Policies and customise them by navigating to Services > Microsoft Online > Sync Policies.

For more information on the sync process and associated configuration settings, refer to: Synchronising user accounts between Azure AD and Atria

The Atria "ADFS Policy"

The ADFS Policy is used to store configuration settings related to ADFS. Atria stores this in a policy document, allowing configuration to be re-used across customers.

With ADFS being configured, Atria will handle creating/updating of the user in Active Directory and then apply changes directly in Azure AD. Once completed, the user accounts are correctly linked and the user can subsequently logon to any M365 service and be authenticated via ADFS.

Further information on configuring the ADFS Policy can be found here: Configuration for ADFS

In this guide, we configure Microsoft ADFS, but this will be similar for other Identity Providers such as OKTA.

Q&A

What is ADFS?

ADFS is Microsoft Active Directory Federation Services. This is a Single Sign On solution provided by Microsoft to authenticate users against Active Directory for Applications that can't use the typical Windows Authentication.

This enables Microsoft 365 (and other applications) to use Active Directory for User authentication - This means that Users do not need to have a password in Azure Active Directory. With this solution, you can enable third party tools such as Okta, Duo or Citrix NetScaler to enforce Multi-Factor Authentication against Active Directory Authentication attempts.

Can I change between Sync Policies?

Yes - Sync Policies can be changed on the fly, this will then mean for each future Synchronization or in the case of Azure AD Connect and ADFS, if this is enabled or disabled, user provisioning processes will differ depending on the requirement(s) of the solution selected. For example, if you are using Azure AD Connect to synchronise users into Azure AD, then Atria will not attempt to provision users into Azure AD.

I have a scenario that isn't listed - Can I get assistance on this?

If you have a scenario you don't think falls into these boxes, or need further advice based on the scenario your customer is in, please reach out to our consulting and support team.