Azure AD Connect Update Saves Time, Errors During Account Maintenance
A move to Microsoft’s Office 365 is supposed to make IT’s workload easier to manage – and that’s usually exactly what it does. However, there was one inefficiency the cloud solution was previously unable to correct. As soon as Microsoft released a pair of new features in Azure AD Connect that seemed to address this, members of Arraya’s Microsoft Collaboration team headed for our demo lab to try it out.
During a company’s termination process, IT may attempt to move an email account from a terminated employee and temporarily assign it to his or her manager. The issue was that an SMTP address could only exist in one account at a time. So, if IT made that full switch on premises and then attempted to sync to the cloud, it would unleash a chain of error messages when DirSync was launched. The change wouldn’t take and IT would be stuck.
In order to properly execute this, IT had to first remove the SMTP address from the terminated user’s account and launch DirSync to remove that address from the employee’s account in Office 365. Only after the sync was completed could IT add that SMTP address to the appropriate manager or supervisor as a secondary address. A second DirSync would need to be executed to reflect this change in the business’ Office 365 deployment.
These two syncs couldn’t be performed concurrently. This left IT with two choices:
1) Move on to other tasks during the process and risk leaving the task unfinished should some type of fire pop up.
2) Stick to the task at hand, which could mean two or more hours where a staffer left other duties and projects unattended to wait while the necessary syncs were performed.
Besides that, many of the IT staffers tasked with maintaining employee accounts lacked the credentials to execute a DirSync. Before these staffers could complete their assignment, permissions would need to be altered to allow them to do something that should be fairly routine. Giving more employees access to DirSync is itself a hazard as DirSync mistakes can have major consequences.
While reading up on some of the new features contained within Azure AD Connect, one member of Arraya’s Microsoft Collaboration team noticed something very interesting: two features that work together by quarantining an attribute if it is a duplicate of an existing attribute, instead of simply failing the entire process. The features are called DuplicateProxyAddressResiliency and DuplicateUPNResiliency. He passed word along to the rest of the team and soon he and another team member were hard at work in Arraya’s demo environment to see if these features would solve the account management headaches described above.
To start, they set up a couple of test accounts in our demo lab. These would play the role of manager and terminated employee, respectively.
Next, our demo lab’s Azure AD Connect was upgraded to the latest version. This ensured that Azure AD Connect’s resiliency features would come into play, so our team would be able to accurately judge whether or not these features would be the solution they predicted.
From there, the pair moved the SMTP address from the test employee account to the test manager account. Then they performed the necessary syncs. Once the move and the syncs had been completed, our Microsoft Collaboration team members analyzed the results.
The new Azure AD Connect features did make a huge difference in account management. With the quarantine feature in place, the cumbersome, time-consuming old process was no more. Instead of nearly three hours, this process had been slashed to an average of 30 minutes total.
Under the new method, IT was able to remove an address from one account and add it to another, all on premises. Then, it came time to launch DirSync. Two syncs were still necessary to achieve the desired result. The first time through, DirSync would delete the address from the original account. A second DirSync would add it to the new account. Unlike the old arrangement, this could be executed error-free.
An added bonus of the new feature is that it also eliminates the need to reassign DirSync permissions to the folks handling maintenance. The next time DirSync is launched, it automatically recognizes the necessary movements and sorts them out itself. Once again, it does this without triggering a string of error messages.
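As an added example (not from the original article and not Microsoft's tooling), the PowerShell below lists SMTP addresses that sit on a different account on premises than in the cloud, which are the addresses the first sync has to release before the second sync can assign them. The account data, the Name join key and both function names are constructed for illustration; real input would be exports of each side's proxy addresses.

```powershell
# Constructed sample data (not from the article).
# $onPrem: directory state after the address was moved on premises.
# $cloud:  Office 365 state as left by the previous sync.
$onPrem = @(
    [pscustomobject]@{ Name = 'manager';  ProxyAddresses = @('SMTP:manager@example.com', 'smtp:employee@example.com') }
    [pscustomobject]@{ Name = 'employee'; ProxyAddresses = @() }
)
$cloud = @(
    [pscustomobject]@{ Name = 'manager';  ProxyAddresses = @('SMTP:manager@example.com') }
    [pscustomobject]@{ Name = 'employee'; ProxyAddresses = @('SMTP:employee@example.com') }
)

# Hypothetical helper: build a map of normalized SMTP address -> owning account.
function Get-AddressOwner {
    param([object[]] $Accounts)
    $map = @{}
    foreach ($account in $Accounts) {
        foreach ($entry in $account.ProxyAddresses) {
            # -match is case-insensitive, so this covers both the primary
            # ("SMTP:") and secondary ("smtp:") forms and skips X500 etc.
            if ($entry -match '^smtp:(.+)$') {
                $map[$Matches[1].Trim().ToLowerInvariant()] = $account.Name
            }
        }
    }
    return $map
}

# Hypothetical helper: report addresses whose cloud owner differs from the
# on-premises owner, i.e. the duplicates the sync would otherwise run into.
function Find-PendingAddressMove {
    param([object[]] $OnPrem, [object[]] $Cloud)
    $wanted  = Get-AddressOwner $OnPrem
    $current = Get-AddressOwner $Cloud
    foreach ($address in ($wanted.Keys | Sort-Object)) {
        if ($current.ContainsKey($address) -and $current[$address] -ne $wanted[$address]) {
            [pscustomobject]@{
                Address     = $address
                CloudOwner  = $current[$address]
                OnPremOwner = $wanted[$address]
            }
        }
    }
}

Find-PendingAddressMove -OnPrem $onPrem -Cloud $cloud | Format-Table -AutoSize
```

Run against the sample data, it reports employee@example.com as held by employee in the cloud and by manager on premises; an empty result after the second sync confirms the move completed.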