Office 365 Application: Understanding the Synchronization Process

This document describes the Users and Groups synchronization flow when a Microsoft Graph Office 365 Application is created in Passly.

Introduction

Office 365 Application synchronizes Passly Users and Groups with an Azure Active Directory Tenant. Once the Azure App Registration is registered, verified and successfully saved in Passly, it is used for the Synchronization, which consists of:

  • Export - synchronization of Users, Groups from Passly to Azure Active Directory;

  • Import - synchronization of Users, Groups from Azure Active Directory to Passly.

Office 365 Application provides a one-time Import only. It is used for the initial Import of Users/Groups from Azure Active Directory to Passly and is always automatically disabled after the Import is completed.

Office 365 Application provides a regular Export. It is used to synchronize changes made to Users/Groups in Passly to Azure Active Directory.

When Users/Groups are synchronized via Office 365 Application, the Application Sync Source is set for them in the Directory Manager. The Application Sync Source displays the Name of the Office 365 Application that synchronizes these Users/Groups, together with the Azure Active Directory tag.

Group Synchronization

One-time Group Import

When Group Import is enabled, all Groups from the Azure Active Directory Tenant are imported to the Passly Organization except Groups that have the same Name as Groups already existing in Passly.

Group Export

When Group Export is enabled, all Groups from the Passly Organization that are Local or have the Application Sync Source linked to the current Office 365 Application are synchronized with the Azure Active Directory Tenant.

The Group Export provides a range of settings that control how the Synchronization process works. During the Synchronization, Passly checks some Group Properties, such as Type and Email. These Properties depend on whether the Group is Local or is synchronized with on-premises Active Directory via a Passly Agent (DirSync, Ausi, etc.). Groups that are synchronized with on-premises Active Directory have the Sync Source linked to the Passly Agent in the Directory Manager, together with the Active Directory tag.

A Local Passly Group does not have a Type or an Email.

A Group synchronized with on-premises Active Directory has a Type and an Email provided via DirSync. They are stored as Group Attributes on the Group Details page.

How Passly Group is synchronized with Office 365 Group

Passly Group is synchronized with Office 365 Group only if Type and Email match. When this option is chosen, a Group is synchronized by Name and only if the Azure Active Directory Group Type and Email match the Passly Group Type and Email. Because a Local Passly Group does not have any Type/Email, it is synchronized by Name only. A Passly Group that is synchronized with on-premises Active Directory and whose Type/Email doesn’t match the Azure Active Directory Group with the same Name is skipped from the Synchronization.

Passly Group is synchronized with Office 365 Group regardless of Type and Email. When this option is chosen, the Group is synchronized by Name only; Type and Email are not involved in the Synchronization flow.

How Passly Group is synchronized when Type and Email don’t match

If the Passly Group is synchronized with Office 365 Group only if Type and Email match option is chosen and the If don’t match create a new Group option is checked, a Passly Group that is synchronized with on-premises Active Directory and whose Type/Email doesn’t match the Azure Active Directory Group with the same Name is not skipped from the Synchronization. Instead, a new Group with the Passly Group Name, Type and Email is created in the Azure Active Directory Tenant.

How Passly removes Group Duplicates in Office 365

If the Remove Group Duplicates in Office 365 option is checked, Passly removes all Groups from the Azure Active Directory Tenant that have the same Name as the Azure Active Directory Group that is synchronized with the Passly Group. In other words, if a Passly Group is synchronized with an Azure Active Directory Group and there are other Groups with the same Name in Azure, Passly removes them. Groups with the same Name in Azure for which there is NO synchronized Passly Group won’t be removed.

How Type and Email are mapped

Here are the Type Mapping Rules between a Passly Group and an Azure Active Directory Group.

Passly Group      Azure Active Directory Group
Local             Any
Security          Security
Distribution      Microsoft365

Only Microsoft 365 and Security groups can be managed through the Microsoft Graph groups API. For more info, see the Microsoft Graph groups API documentation.

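The Group Export rules above (Name match, Type/Email match, the If don’t match create a new Group option, duplicate removal and the Type Mapping Rules) as one decision function. This is an added example, not Passly’s code; the class names, the sample Object Ids and the behaviour for a Group that has no same-Name counterpart in Azure (assumed to be created) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Type Mapping Rules from the table above: Passly Group Type -> Azure AD Group Type.
# A Local Passly Group has no Type/Email, so it matches Any Azure Group Type.
TYPE_MAP = {"Security": "Security", "Distribution": "Microsoft365"}

@dataclass
class PasslyGroup:
    name: str
    type: Optional[str] = None     # None = Local Group
    email: Optional[str] = None

@dataclass
class AzureGroup:
    object_id: str                 # constructed sample ids, not real Object Ids
    name: str
    type: str
    email: str

@dataclass
class ExportSettings:
    match_type_and_email: bool = True   # "only if Type and Email match" (False = "regardless")
    create_if_no_match: bool = False    # "If don't match create a new Group"
    remove_duplicates: bool = False     # "Remove Group Duplicates in Office 365"

def type_email_match(pg: PasslyGroup, ag: AzureGroup) -> bool:
    if pg.type is None:                 # Local Group: compared by Name only
        return True
    return TYPE_MAP.get(pg.type) == ag.type and (pg.email or "").lower() == ag.email.lower()

def plan_group_export(pg: PasslyGroup, azure: list, s: ExportSettings) -> dict:
    """Action for one Passly Group, plus the Azure duplicates that would be removed."""
    same_name = [g for g in azure if g.name.lower() == pg.name.lower()]
    if not same_name:
        # Assumption: a Group absent from Azure is created; the document only
        # spells out the same-Name cases handled below.
        return {"action": "create", "target": None, "remove": []}
    candidates = [g for g in same_name if type_email_match(pg, g)] if s.match_type_and_email else same_name
    if not candidates:
        return {"action": "create" if s.create_if_no_match else "skip", "target": None, "remove": []}
    target = candidates[0]              # first matching Group (order not specified in the document)
    # Duplicates are removed only for the Group that actually synchronized with the Passly Group.
    remove = [g.object_id for g in same_name if g is not target] if s.remove_duplicates else []
    return {"action": "sync", "target": target.object_id, "remove": remove}
```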
Membership Synchronization

When Group Import and/or Group Export are enabled, Group Membership Import and/or Export are enabled as well.

For all the Groups that were imported to Passly from Azure Active Directory, the Membership is imported as well.

For all the Groups that are exported from Passly to Azure Active Directory, the Membership is exported as well. Passly exports a Group Membership as is to Azure Active Directory, so Passly becomes the “source of truth” for the Group Membership Export. This means that if a Passly Group is synchronized with an Azure Active Directory Group and the Azure Active Directory Group has User/Group Members that are not Members of the Passly Group, they will be removed from the Group Membership in Azure. And if the Passly Group has User/Group Members that are not Members of the Azure Active Directory Group, they will be added to the Group Membership in Azure.

User Synchronization

One-time User Import

When User Import is enabled, all Users from the Azure Active Directory Tenant are imported to the Passly Organization except Users that have the same Sync Source Name as Users already existing in Passly.

For details on the User Sync Source Name, see the User Export chapter below.

User Export

Users are always exported from Passly to Azure Active Directory by default. All Users from a Passly Organization are exported to Azure Active Directory if they were successfully mapped.

How Users are mapped

When Users are synchronized from Passly to Azure Active Directory, they are mapped based on the selected Sync Source setting How should usernames be mapped?.

If Email Address is selected in How should usernames be mapped, the User is synchronized if his Email Address in Passly equals the User Principal Name in Azure Active Directory.

If Principal Name is selected in How should usernames be mapped, the User is synchronized if his Principal Name in Passly equals the User Principal Name in Azure Active Directory. Note that the Principal Name in Passly must contain the federated domain.

If Principal Name with Organization Suffix is selected in How should usernames be mapped, the User is synchronized if the combination of his Principal Name and the Organization Suffix equals the User Principal Name in Azure Active Directory. The Organization Suffix is set on the Directory Manager → Organizations → Edit Organization page.

Once a User has been synchronized based on the selected Sync Source mapping criteria, the special microsoft365.Id Attribute is saved with the value of the Azure Active Directory User Object Id. After this Attribute is added, the User is mapped based on its value. The Attributes are located on the Directory Manager → Users → User Details page.
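The three How should usernames be mapped modes and the microsoft365.Id Attribute, as an added example that is not Passly’s code. The class names and sample values are constructed; the ‘@’ join of Principal Name and Organization Suffix and the case-insensitive User Principal Name comparison are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PasslyUser:
    email: str
    principal_name: str
    attributes: dict = field(default_factory=dict)   # User Details Attributes, e.g. microsoft365.Id

@dataclass
class AzureUser:
    object_id: str              # constructed sample Object Id
    user_principal_name: str

def expected_upn(user: PasslyUser, mode: str, org_suffix: Optional[str] = None) -> str:
    """Passly-side value compared with the Azure User Principal Name for the chosen mode."""
    if mode == "Email Address":
        return user.email
    if mode == "Principal Name":
        return user.principal_name          # must already contain the federated domain
    if mode == "Principal Name with Organization Suffix":
        if not org_suffix:
            raise ValueError("Organization Suffix is not set for the Organization")
        # Assumption: the suffix is the domain part and is joined with '@'.
        return f"{user.principal_name}@{org_suffix.lstrip('@')}"
    raise ValueError(f"unknown mapping mode: {mode}")

def map_user(user: PasslyUser, azure_users: list, mode: str,
             org_suffix: Optional[str] = None) -> Optional[AzureUser]:
    """Return the Azure User this Passly User maps to, or None if it is not exported."""
    by_id = {a.object_id: a for a in azure_users}
    saved_id = user.attributes.get("microsoft365.Id")
    if saved_id in by_id:                   # already mapped: the saved Object Id wins
        return by_id[saved_id]
    # Assumption: User Principal Names compare case-insensitively.
    wanted = expected_upn(user, mode, org_suffix).lower()
    for a in azure_users:
        if a.user_principal_name.lower() == wanted:
            user.attributes["microsoft365.Id"] = a.object_id   # saved on first successful match
            return a
    return None
```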

How Users can use Single Sign-On

A Passly User is able to use Office 365 Application Single Sign-On when the special Attribute mso.syncSource was added for him during the Synchronization process. This Attribute contains the Immutable Id value of the User.

What is Immutable Id and how is it generated

Immutable Id is used to assert that a Passly User, a User in Azure Active Directory and a User in on-premises Active Directory are the same Identity. Every User has its own unique Immutable Id. The Immutable Id can be found in the Azure Active Directory → Users → On-premises Immutable Id column.

If a Passly User is or was synchronized with on-premises Active Directory, the User has the Active Directory Data Attribute ObjectGUID. This Attribute is displayed on the Directory Manager → Users → User Details page. When the User is synchronized with Azure Active Directory, the Immutable Id is generated from the ObjectGUID Attribute value.

If a Passly User is Local and doesn’t have the Active Directory Data Attribute ObjectGUID, then when the User is synchronized with an Azure Active Directory User, the Immutable Id of the Azure Active Directory User is saved to Passly (if one exists), or a new one is generated if no Immutable Id has been created for the Azure Active Directory User yet.
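How an Immutable Id can be derived from an ObjectGUID and which value a User ends up with under the rules above, as an added example that is not Passly’s code. It assumes the Azure AD Connect convention (Base64 of the GUID’s 16 bytes in .NET Guid.ToByteArray() order) and, for a brand-new Immutable Id, a random GUID encoded the same way; the document itself does not state the derivation.

```python
import base64
import uuid
from typing import Optional

def immutable_id_from_objectguid(object_guid: str) -> str:
    """Derive the Immutable Id from an on-premises ObjectGUID string.

    Assumption: the Azure AD Connect convention, i.e. Base64 of the GUID's 16 bytes
    in .NET Guid.ToByteArray() order (first three fields little-endian).
    """
    guid = uuid.UUID(object_guid)          # raises ValueError on a malformed GUID
    return base64.b64encode(guid.bytes_le).decode("ascii")

def objectguid_from_immutable_id(immutable_id: str) -> str:
    """Inverse of the above; handy when checking the On-premises Immutable Id column."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("Immutable Id does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))

def resolve_immutable_id(object_guid: Optional[str], azure_immutable_id: Optional[str]) -> str:
    """Which Immutable Id a Passly User ends up with, per the rules in this chapter."""
    if object_guid:                        # User is/was synchronized with on-premises AD
        return immutable_id_from_objectguid(object_guid)
    if azure_immutable_id:                 # Local User: reuse the Azure User's existing value
        return azure_immutable_id
    # Local User and the Azure User has no Immutable Id yet: generate a new one.
    # Assumption: a fresh random GUID, encoded exactly like an ObjectGUID.
    return immutable_id_from_objectguid(str(uuid.uuid4()))
```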
