Synchronizing Atria with Microsoft Online
Overview
Once an Atria Customer has been “connected” to an Azure AD tenant, the sync function within Atria will retrieve all users and licenses from Azure AD and synchronize these with Atria. This function executes using configuration defined in a Sync Policy.
The core purpose of the sync process is to allow rapid on-boarding of users into Atria for:
- On-boarding of new customers who are already utilizing Microsoft services.
- Unifying control of customers who have identities in both Active Directory and Azure AD but until now have not been managed by Atria.
The Sync algorithm is designed to:
- Attempt to match users in Atria/Active Directory with users in Azure AD – this is performed by matching the UPN of the user.
- If there is no direct match, then it will match based on the front part of the username – disregarding the domain part of the username.
Atria UPN | Azure AD Username | Match or no match |
---|---|---|
ella@automate101.com | ella@automate101.com | Match |
ella@automate101.com | ella.williams@a101.onmicrosoft.com | No Match |
ella@automate101.com | ella@a101.onmicrosoft.com | Match |
For example, if a user in Atria has the UPN ella@automate101.com and the Azure tenant does not have a corresponding user with the same UPN, it will subsequently match against a user with the username ella@a101.onmicrosoft.com.
- Once users have been matched, Atria will identify any Licenses associated with the user and identify the most appropriate plan in Atria which contains the license. This will cater for all products and any assigned add-on products.
- Allow for changes that are made within Azure AD to be pulled back into Atria.
- As part of the sync process, a license optimization process is executed. For Direct providers, this will ensure that subscriptions have any spare licenses removed.
Depending on the volume of users, the sync can take some time to execute.
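The two-pass matching rule described above (exact UPN first, then the front part of the username with the domain disregarded) is illustrated by the following added example. It is not Atria's own code; the function names, the case-insensitive comparison, and the decision to flag a user who matches more than one Azure AD account for review instead of guessing are assumptions made for this illustration. The sample UPNs are the ones from the table above.

```python
"""Illustrative two-pass UPN matching (example code, not Atria's implementation)."""
from dataclasses import dataclass, field


@dataclass
class MatchResult:
    matched: dict = field(default_factory=dict)        # Atria UPN -> Azure AD username
    unmatched_atria: list = field(default_factory=list)  # Atria users with no Azure AD counterpart
    unmatched_azure: list = field(default_factory=list)  # Azure AD users nobody claimed
    ambiguous: dict = field(default_factory=dict)      # Atria UPN -> several Azure AD candidates


def local_part(upn: str) -> str:
    """Front part of a username, i.e. everything before the '@' (assumed case-insensitive)."""
    return upn.split("@", 1)[0].casefold()


def match_users(atria_upns, azure_usernames) -> MatchResult:
    """Pass 1: exact UPN match. Pass 2: match on the local part only.

    Each Azure AD account is claimed at most once, so a second Atria user with
    the same local part is left unmatched rather than mapped twice.
    """
    result = MatchResult()
    remaining_azure = {u.casefold(): u for u in azure_usernames}

    # Pass 1: direct UPN match (comparison is case-insensitive, an assumption here).
    first_pass_unmatched = []
    for atria_upn in atria_upns:
        key = atria_upn.casefold()
        if key in remaining_azure:
            result.matched[atria_upn] = remaining_azure.pop(key)
        else:
            first_pass_unmatched.append(atria_upn)

    # Pass 2: index the still-unclaimed Azure AD accounts by local part.
    by_local = {}
    for key, original in remaining_azure.items():
        by_local.setdefault(local_part(key), []).append(original)

    for atria_upn in first_pass_unmatched:
        candidates = by_local.get(local_part(atria_upn), [])
        if len(candidates) == 1:
            azure_name = candidates[0]
            result.matched[atria_upn] = azure_name
            remaining_azure.pop(azure_name.casefold())
            by_local[local_part(atria_upn)] = []   # claimed; nobody else may take it
        elif len(candidates) > 1:
            # More than one Azure AD account shares this local part: surface it
            # for review instead of picking one (this handling is an assumption).
            result.ambiguous[atria_upn] = list(candidates)
            result.unmatched_atria.append(atria_upn)
        else:
            result.unmatched_atria.append(atria_upn)

    result.unmatched_azure = sorted(remaining_azure.values())
    return result


if __name__ == "__main__":
    # Constructed sample taken from the matching table in this document.
    res = match_users(
        ["ella@automate101.com"],
        ["ella.williams@a101.onmicrosoft.com", "ella@a101.onmicrosoft.com"],
    )
    print(res)
```

Running the sample maps ella@automate101.com to ella@a101.onmicrosoft.com and leaves ella.williams@a101.onmicrosoft.com unclaimed, which is exactly the outcome the table above describes. The unmatched and ambiguous lists are the ones worth reviewing before enabling "Create in Atria", since every unmatched Azure AD user would otherwise become a new account.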
Manual Sync Process
The sync process is executed in two ways:
- From the menu: Services > Microsoft Online > Azure AD Sync.
- From the “Azure AD” service: clicking the Sync tenant button will commence the synchronization of the currently selected tenant. This is handled out of process, and as users are synchronized, details will be logged and available from the sync log.
Scheduled Sync Process
The sync is also scheduled to run on a nightly basis for all tenants. The job runs on the Provisioning Server as a scheduled task called “Azure AD User Sync”, which by default commences at 2 am daily.
Creating Sync Policies
- Navigate to Services > Microsoft Online > Sync Policies.
- Hit New Sync Policy.
The Sync policy is used to configure settings that change the behavior of the sync:
Setting | Options | Description |
---|---|---|
Label | Free text | This is the name of the Sync Policy - this is what will be seen when selecting the sync policy for a customer. |
Disabled Nightly Sync | On or Off | When set, tenants with this sync policy will be excluded from the nightly sync execution. |
Nightly Sync Mode | Full or Differential | Used to control the type of synchronization. |
Master Directory | 1 - Atria or 2 - Azure AD | Used to handle conflicts in data between AzureAD and Active Directory. Data in Azure AD takes precedence for subsequent synchronizations. |
Create in Atria | On or Off | If a user in AAD is not found in Active Directory, Atria will create a matching user in AD. |
UserFilter | Free text | Restricts the set of users returned from AzureAD. Defaults to synchronizing Member accounts, excluding Guest account types. |
Unknown Location Handling | 1. Add Locations to Atria, 2. Set to Unassigned | Maps to an existing location or sets to unassigned if the location is not found in Atria. |
Azure AD Connect Enabled | On or Off | When enabled, Atria will rely on Azure AD Connect to handle creation and update of user entities in Azure AD. |
Sync User Deletions | On or Off | When enabled, Atria will remove the Microsoft Online Service from Atria when deletions are detected in Azure AD. |
UPN Source Override | On or Off | Allows a different AD attribute for UPN source. Specifies the AD attribute to use or fallback options if the attribute is empty. |
Unknown Department Handling | 1. Add Departments to Atria, 2. Set to Unassigned | Works like Unknown Location Handling. Adds departments to Atria or defaults to the unassigned location. |
Password Settings | Four fields | Specifies the complexity of passwords generated for new Azure AD users. |
Tenant Configuration Script | Off, Default, Custom Script | Executes a script during Azure AD service provisioning. Default script is used if set to Default. Custom scripts must be on the Microsoft server. |
Once you have saved the policy, navigate to Customer > Services > AzureAD to edit the Service Plan Configuration.
Full vs Differential Sync
A Full Sync will query Azure AD for all users, and each user will then be compared with the corresponding user account in Atria. As most users change infrequently, this is a slow and inefficient process. The Differential Sync looks only for changes made in Azure AD since the last synchronization ran, so only the users that have changed are processed. This simplifies the process and reduces the time taken.
You can opt to force a Full Sync at any time from the Azure AD Service Customer Provisioning Interface.
AzureAD Connect
Azure AD Connect, also known as Azure Active Directory Sync or DirSync, is a tool provided by Microsoft to sync an Active Directory with a Microsoft 365 Tenancy. This enables properties and passwords to be kept in synchronization across on-premises Active Directory and Azure AD. It is implemented with an agent installed onto a member server, which is then targeted at an OU on an Active Directory Domain. This is not part of Atria; it is provided by Microsoft.
The Atria Nightly Sync Process, also known as "Azure AD Sync", is an Atria function that retrieves User Properties from Microsoft 365 and updates your local Active Directory. It can be used across multiple tenants and does not require multiple agents for multiple directories. This sync process runs nightly on the Atria Provisioning server. It performs a similar function to the Microsoft Azure AD Connect service, but does not offer password synchronization from Azure AD.
Feature | AzureAD Connect Enabled | AzureAD Connect Disabled |
---|---|---|
AD Attributes Synced | Yes | Yes |
Two-Way Password Sync | Yes | No |
Requires Dedicated Connect Server | Yes | No |
Default Sync Policies
Two default policies are delivered with Atria; the policy settings can be changed. In general, we would recommend Atria Master.
Setting | Atria Master | Azure AD Master |
---|---|---|
CreateInAtria | True | True |
MasterDirectory | 1 | 1 |
UserFilter | usertype eq 'Member' | usertype eq 'Member' |
View the Sync Log
The Synchronization Log for a tenant can be viewed by selecting the menu Services > Microsoft Online > Azure AD Sync.
Each synchronization run has a job record, which can be expanded to see the results. If any element could not be synchronized, this will be highlighted.
Accessing the Sync log from the Database
To view the synchronization log across all customers, a view exists in the OLM database that can be queried:
Select * from vw_AzureSyncLog
This view will show the last execution of the sync process for each customer.
- The CustomerID, CustomerName, CustomerLabel relate to the customer being synchronized
- The Label column shows the task that the process was executing
- The Message column will detail the problem
- The ProvisioningStatus column will highlight if a related object has a failed status.
- Use the MessageLabel column to find Errors (WHERE MessageLabel = 'Error')
- The JobStarted column shows the datetime the sync process started for that tenant
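As an added example (not part of this document or of Atria), the query below pulls the failed entries out of vw_AzureSyncLog using the columns listed above. The real view lives in the OLM database on SQL Server; to keep the example runnable offline it is reproduced here as an in-memory SQLite table with the same column names, and the sample rows, the MessageLabel values other than 'Error', and the ProvisioningStatus values are constructed for this illustration.

```python
"""Query the Azure AD sync log view for failures (example code, not Atria's)."""
import sqlite3

# Column names follow the description of vw_AzureSyncLog above; the table
# definition itself is a stand-in for the real view in the OLM database.
SCHEMA = """
CREATE TABLE vw_AzureSyncLog (
    CustomerID INTEGER, CustomerName TEXT, CustomerLabel TEXT,
    Label TEXT, MessageLabel TEXT, Message TEXT,
    ProvisioningStatus TEXT, JobStarted TEXT
)"""

# Constructed sample rows: one sync run per customer, as the view reports.
SAMPLE_ROWS = [
    (101, "Automate101", "A101", "Match Users", "Info",
     "Matched users by UPN", "Provisioned", "2024-01-15 02:00:03"),
    (101, "Automate101", "A101", "Assign Licenses", "Error",
     "No Atria plan contains the assigned license", "Failed", "2024-01-15 02:00:09"),
    (102, "Contoso Demo", "CONTOSO", "Match Users", "Warning",
     "Users matched on username only", "Provisioned", "2024-01-15 02:04:11"),
    (103, "Fabrikam Demo", "FABRIKAM", "Create Users", "Error",
     "Create in Atria disabled; user not created", "Failed", "2024-01-15 02:07:45"),
]

# The same statement works unchanged against SQL Server; only the table
# creation above is SQLite-specific.
FAILED_QUERY = """
SELECT CustomerName, Label, Message, JobStarted
FROM vw_AzureSyncLog
WHERE MessageLabel = 'Error' OR ProvisioningStatus = 'Failed'
ORDER BY JobStarted DESC
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the stand-in view and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO vw_AzureSyncLog VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def failed_sync_entries(conn: sqlite3.Connection) -> list:
    """Rows that need attention, newest job first."""
    return conn.execute(FAILED_QUERY).fetchall()


def customers_with_errors(conn: sqlite3.Connection) -> list:
    """Distinct customers whose last sync logged an Error."""
    rows = conn.execute(
        "SELECT DISTINCT CustomerName FROM vw_AzureSyncLog "
        "WHERE MessageLabel = 'Error' ORDER BY CustomerName"
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for customer, label, message, started in failed_sync_entries(db):
        print(f"{started}  {customer:<15} {label:<16} {message}")
    print("Customers with errors:", customers_with_errors(db))
```

Checking ProvisioningStatus alongside MessageLabel catches objects that ended in a failed state even when the message itself was not tagged as an error, which is the distinction the two columns above draw.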
Make sure you read through this document and carry out your own tests to familiarise yourself with the process. If you already have users in Atria and in Azure AD, it’s important that you have the UPN linkage correct or running the sync may result in duplicate users being created in Atria.