HR-Driven Provisioning for Hybrid AD – Video Implementation Guide

Learn how to build an HR-driven provisioning solution for your AD & Microsoft Entra ID with our video implementation guide, and get your solution up & running for a typical scenario. Step-by-step you'll learn how to build a system that automates the joiner/mover/leaver lifecycle. There's no better end-to-end explanation and demonstration anywhere!

Hugh Simpson-Wells, Oxford Computer Training's Founder

12-month organizational subscription (up to 3 users), including 17 videos

All courses £349 / $499 / €429

plus VAT if applicable

HR-driven provisioning made easy – learn how to build a hybrid solution for your Active Directory and Microsoft Entra ID (formerly Azure Active Directory) with our video implementation guide

What’s the problem?

Many organizations have invested in Microsoft 365 (formerly Office 365) alongside their existing Active Directory estate, or are planning to do so. An integrated, automated HR-driven approach has clear advantages, but the apparent cost and complexity of implementing MIM (Microsoft Identity Manager, the Microsoft tool of choice for connecting legacy HR systems) can be off-putting.

What’s the solution?

This “Enabling the Cloud through Hybrid Identity” video implementation guide is based on the experience of hundreds of implementations. We focus on a common scenario in which there is a single source of truth (such as an HR system, or student enrolment system), a single Active Directory Forest, and a single Microsoft Entra ID (Azure AD) Tenant, and have produced a simple, step-by-step implementation guide.

Will it work for us?

This video implementation guide covers a common scenario in which there is a single source of truth (such as an HR system, or student enrolment system), a single Active Directory Forest, and a single Microsoft Entra ID (Azure AD) Tenant. While the content will be relevant for more complex scenarios, it may not be sufficient in all cases.

What if our scenario is more complex?

In the videos, we have assumed that an HR system can present a SQL Server table or view. You may have a system that is based on a different database, presents an API, or can only work with a transfer file.

If your scenario is basically of similar complexity to the one we use in the videos but has different connectivity requirements, we will – at our discretion – provide free support and advice on how to handle it as part of the subscription.

If your scenario is significantly more complex, we would suggest a consultative approach, for example as part of one of our TrainingPlus packages. We are happy to discuss your requirements in advance, or at any stage.

What’s included in the video implementation guide?

A 12-month subscription (which costs just £349 / $499 / €429) offers:

  • 8½ hours of course content in 17 videos
  • Step-by-step “how to” instructions, explanations, and demonstrations
  • Working code examples (in Visual Basic and C#)
  • 24/7 access for up to 3 users within an organization
  • At our discretion, one-to-one advice and assistance with your particular scenario

How will an HR-driven identity management system benefit your organization?

An HR-driven identity management system for hybrid AD has many benefits:

  • AD and Microsoft Entra ID identity information consistent with your source of truth (e.g. HR system), for example:
    • Authentication and authorization decisions are based on reliable data
    • Users provisioned, enabled/disabled, de-provisioned automatically
    • Licensing and security decisions based on accurate group memberships
  • More administrative control with less effort:
    • Reduced duplication of identity data entry
    • Effective enforcement of rules and policies in AD and Microsoft Entra ID
    • Automated handling of the joiner/mover/leaver process
    • Fewer orphaned accounts and rogue permissions
  • Improved Microsoft 365 user experience:
    • Same sign-on (same UPN and password) or true single sign-on
    • Seamless access from different devices within the corporate network or in the cloud

In this video, the first of 17, our CEO, Hugh Simpson-Wells, explains more about the implementation guide and what you can expect from it:

Note: These videos were recorded before Microsoft rebranded Azure AD to Microsoft Entra ID and Azure AD Connect to Microsoft Entra Connect. The video steps still work as described.

In this webinar recording, Hugh Simpson-Wells demonstrates how the Video Implementation Guide can help you build an automated joiner/mover/leaver lifecycle solution step-by-step.

This “Enabling the Cloud through Hybrid Identity” video implementation guide covers:

  • Automating provisioning of users, groups, and devices into Microsoft Entra ID based on AD
  • Selecting appropriate version and options for Microsoft Entra Connect, including authentication options such as SSO, password synchronization, and write-back to support Microsoft Entra ID SSPR
  • Importing authoritative HR data into Microsoft Identity Manager (MIM)
  • Creating rules extensions – implementing MIM involves writing some code so, to make things easier, we provide templates and examples for typical requirements such as:
    • Generating unique attributes such as account names and other important attributes for managing accounts in AD
    • Using MIM to provision users into AD based on the imported HR data
  • Operating MIM and Microsoft Entra ID, including some coverage of high availability and disaster recovery

17 short and accessible videos – view it, then do it!

Note: Since the videos were recorded, Microsoft has rebranded Azure AD to Microsoft Entra ID, Azure AD Connect to Microsoft Entra Connect, and Office 365 to Microsoft 365. The videos are still valid and take you through the steps required.

  1. Introduction to the course (19 minutes)
  2. AD, Azure AD, and Hybrid AD (39 minutes)
  3. Preparing to install Azure AD Connect (10 minutes)
  4. Installing Azure AD Connect CloudSync (28 minutes)
  5. Testing the Azure AD Connect CloudSync implementation (10 minutes)
  6. About Microsoft Identity Manager (45 minutes)
  7. Installing MIM Sync (12 minutes)
  8. Creating the first (HR) MA (36 minutes)
  9. Creating our second (AD) MA and joining existing accounts (71 minutes)
  10. MIM extensions explained (25 minutes)
  11. A rules extension to enable/disable AD users (37 minutes)
  12. A rules extension to create unique names (28 minutes)
  13. A provisioning rules extension (48 minutes)
  14. Deprovisioning (31 minutes)
  15. Installing Azure AD Connect Classic (29 minutes)
  16. Azure AD Connect Classic options (43 minutes)
  17. Operating MIM and Azure AD Connect Classic (36 minutes)

Our aim is to enable a small team, or possibly an individual, to implement Microsoft Identity Manager and Microsoft Entra Connect to support Microsoft 365 in a scenario involving a single source of truth (such as an HR system, or student enrolment system), a single Active Directory Forest, and a single Microsoft Entra ID Tenant.

The team is likely to be led by an IT administrator, supported by others with knowledge of (for example) the identity requirements of the organization, and experience developing code (using Visual Basic and Visual C#) – again, that knowledge could reside in one person. Not everyone on the IT team will necessarily need to view all the videos.

We assume a sound knowledge of Active Directory (single forest), basic knowledge of Microsoft Entra ID, an appreciation of what a SQL database looks like, and an awareness of different authentication mechanisms – plus general IT knowledge.

A choice of training journeys…

You can watch the videos in whatever order you like and as many times as you like, but we have also designed three training journeys to meet different needs. We recommend that everyone views videos 1, 2, and 3, after which it should become obvious where to go next.

  • Journey 1 takes you through all the videos sequentially.
  • Journey 2 is for those who realize that they will need the features that are only provided by Azure AD Connect “Classic” (skipping the Azure AD Connect CloudSync videos).
  • Journey 3 is for those who realize that the simpler Azure AD Connect CloudSync is good enough for their purposes.

Additionally, whoever will write the code need only focus on videos 10 to 14.