Workplace integrates many IdP solutions, including Microsoft Azure AD, Okta, Harbor, G Suite, OneLogin, and Connect by Azuronaut. We encourage you to visit our Integration Directory for a full list of IdP solutions we partner with. We recommend Microsoft Azure AD as a viable alternative to the current ADSync solution. You may follow the steps described here to complete the migration.
What if I'm not ready to migrate to a cloud provider?
Should you prefer not to migrate to a cloud provider at this moment, we encourage you to update your ADSync support software to the newly released version (v16) as described, which will continue to function until August 5, 2021.
Since the Workplace Active Directory Sync (also called AD Sync hereafter) product is being deprecated, we've worked together with the Microsoft team to present this guide to help you migrate to Microsoft Azure Active Directory.
There are two main scenarios you may encounter when integrating Workplace with Azure Active Directory:
- Active Directory on premises alone
- Active Directory on premises and an existing Azure AD tenant (included with Office 365/Microsoft 365). Please refer to Integrate Azure Active Directory Automatic Provisioning with Workplace.
If you are not sure which scenario applies to you, follow these steps:
Integrate your On-Premises Active Directory with Azure Active Directory
If your organization does not have an Azure Tenant you will need to create one.
More information: Quickstart: Set up a tenant
Azure AD Connect
Azure AD Connect is a Microsoft tool designed to meet your hybrid identity goals. It provides the following features:
- Password hash synchronization - A sign-in method that synchronizes a hash of each user's on-premises AD password with Azure AD.
- Pass-through authentication - A sign-in method that allows Azure AD users to authenticate against your on-premises Active Directory, but doesn't require the additional infrastructure of a federated environment.
- Federated authentication - Federation management is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronization - Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups is consistent between on-premises Active Directory and Azure AD. This synchronization can also include password hashes.
- Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured.
Azure AD Connect Cloud Provisioning
Azure AD Connect cloud provisioning is a new Microsoft agent designed to meet your hybrid identity goals for synchronization of users, groups and contacts to Azure AD. It can be used alongside Azure AD Connect sync or alone.
How are they different?
With Azure AD Connect cloud provisioning, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises and IaaS-hosted environment, a lightweight agent that acts as a bridge between Azure AD and on-premises Active Directory. The provisioning configuration is stored in Azure AD and managed as part of the service.
Integrate Azure Active Directory Automatic Provisioning with Workplace
If your organization does not possess either Azure Active Directory Premium P1 or P2 licensing for all users who will be provisioned, we recommend using attribute-based scoping rather than group-based assignment.
Group-based assignment of users
If you don't already have applicable groups, you can use Azure Active Directory's Dynamic Groups feature to create a group where only users meeting specified conditions are added as members. Dynamic group membership reduces the administrative overhead of adding and removing users.
More information: Dynamic membership rules for groups in Azure Active Directory
Whether with an existing group or an Azure AD Dynamic Group, assigning a group of users to the Azure AD Enterprise Application is as simple as:
- Go to the Workplace Enterprise Application in the Azure portal, click "Users and Groups" and add the group(s)
- After adding Workplace administrator credentials, on the provisioning blade of the Workplace Enterprise Application, ensure that the "Sync only assigned users and groups" option is set under Scope.
Attribute-based scoping of users
Instead of group-based assignment of users to the Workplace Enterprise App, the other option, which does not require Azure AD Premium licensing, is to use "Sync all users and groups" in combination with attribute-based scoping filters.
A scoping filter allows the Azure Active Directory provisioning service to include or exclude any users who have attribute values matching one or more specified conditions. For example, when provisioning users from Azure AD to a SaaS application (here, Workplace) used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
Scoping filters can be configured in the Enterprise Application's Provisioning tab in the Mappings section. Scoping filters can be used as your only method of controlling which users are provisioned into Workplace, or in combination with the group-based assignment feature detailed above.
More information: Attribute-based application provisioning with scoping filters
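To make the scoping semantics concrete, here is an added example (not Microsoft's or Workplace's code) that models how the provisioning service evaluates scoping filters: all clauses inside one filter must match (AND), and a user is in scope if any configured filter matches (OR). The sample directory, the filters and the operator set are constructed for the example; a user who lacks an attribute that a clause references is treated as out of scope, which is the behaviour to expect when the "Department" attribute is unset.

```python
import re

# Subset of the scoping-filter operators, modelled for this example.
OPERATORS = {
    "EQUALS": lambda a, v: str(a) == str(v),          # exact, case-sensitive match
    "NOT EQUALS": lambda a, v: str(a) != str(v),
    "REGEX MATCH": lambda a, v: re.search(v, str(a)) is not None,
    "NOT REGEX MATCH": lambda a, v: re.search(v, str(a)) is None,
    "IS TRUE": lambda a, v: a is True,
    "IS FALSE": lambda a, v: a is False,
}

def clause_matches(user, attr, op, value=None):
    present = user.get(attr) is not None
    if op == "IS NULL":
        return not present
    if op == "IS NOT NULL":
        return present
    # A clause that references an attribute the user lacks never matches, so
    # such users fall out of scope instead of being provisioned by default.
    return present and OPERATORS[op](user[attr], value)

def in_scope(user, scoping_filters):
    """scoping_filters: list of filters; each filter is a list of
    (attribute, operator[, value]) clauses. Clauses AND, filters OR."""
    return any(all(clause_matches(user, *c) for c in f) for f in scoping_filters)

def provision_set(users, scoping_filters):
    """UPNs the provisioning service would push to Workplace, sorted."""
    return sorted(u["userPrincipalName"] for u in users if in_scope(u, scoping_filters))

# Constructed sample directory (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Sales", "accountEnabled": True, "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "department": "Engineering", "accountEnabled": True, "mail": "bob@example.com"},
    {"userPrincipalName": "carol@example.com", "department": "Engineering", "accountEnabled": False, "mail": "carol@example.com"},
    {"userPrincipalName": "dave@example.com", "department": "Engineering", "accountEnabled": True, "mail": "dave@contractor.net"},
    {"userPrincipalName": "erin@example.com", "accountEnabled": True, "mail": "erin@example.com"},  # no department set
]

# Two constructed scoping filters: the Sales department, OR any enabled user
# whose mail address is on the verified example.com domain.
FILTERS = [
    [("department", "EQUALS", "Sales")],
    [("accountEnabled", "IS TRUE"), ("mail", "REGEX MATCH", r"@example\.com$")],
]
```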
Sample steps to set up attribute-based application provisioning with scoping filters:
Important: If you are using attribute-based scoping of users for provisioning, make sure you also go to the Properties panel of the SSO configuration described later and use the toggle to set "User assignment required?" to No.
If this option is set to No, any user who navigates directly to the application's deep-link URL or application URL will be granted access.
If this option is set to Yes, users must first be assigned to this application before they can access it. Assignment can be achieved only by assigning all users, by using group-based assignment, or by adding the users manually.
Creating and Configuring the Enterprise Application/Third Party Integration
You will need System Administrator credentials from Workplace and either the Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator role in Azure.
Follow these sample steps to set up user provisioning:
After testing and saving your Workplace System Administrator credentials in the Enterprise App's Provisioning configuration, navigate away from the Enterprise Application or reload the page in your browser before you try to start provisioning; otherwise starting the provisioning process will fail.
After some time, you are going to see the following screen:
Extra: Configure the SSO using Azure as Identity Provider
Using the same Enterprise Application in Azure you can also set up SSO.
Step-by-step setup of SSO on both Azure AD and Workplace:
SSO URLs correspondence:
Basic SAML configuration fields on the Azure AD side:
- Identifier (Entity ID)
- Reply URL (Assertion Consumer Service URL)
- Sign On URL
Single Sign-On (SSO) Setup in Workplace:
- Name of the SSO Provider: your custom name for the setup
- SAML Issuer URL: the Azure AD Identifier
- SAML Logout URL (Optional)
Make sure you add the corresponding domains to the SSO configuration. These domains must be verified in Workplace:
Once SSO is configured, you need to define the authentication method for your users. This can be SSO only, or you can have a mix of authentication methods (some users log in with a password and others with SSO).
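The correspondence above is what the service provider side checks on every login: the assertion's Issuer must equal the value entered as "SAML Issuer URL" (the Azure AD Identifier), its Audience must equal the "Identifier (Entity ID)", and the response's Destination must equal the "Reply URL". The following added example (not Workplace's or Microsoft's code) shows those checks over a constructed, unsigned SAML response; the tenant id and the Workplace URLs are placeholders, and XML signature verification, which is mandatory in a real deployment, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values standing in for the fields in the correspondence above; the
# tenant id and the Workplace URLs are constructed for the example, not real.
EXPECTED = {
    "issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",  # Azure AD Identifier = Workplace "SAML Issuer URL"
    "audience": "https://workplace.example/company/EXAMPLE",     # Azure AD "Identifier (Entity ID)"
    "acs": "https://workplace.example/saml/acs",                 # Azure AD "Reply URL" (Assertion Consumer Service)
}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected, now_iso):
    """Return the mismatches between the response and the configured values;
    an empty list means consistent. Signature verification is omitted here."""
    problems, now = [], _ts(now_iso)
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if resp.get("Destination") != expected["acs"]:
        problems.append("Destination does not match Reply URL")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected["issuer"]:
        problems.append("Issuer does not match SAML Issuer URL")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected["audience"]:
        problems.append("Audience does not match Identifier (Entity ID)")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    return problems

# Constructed sample response (unsigned) whose fields match EXPECTED.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z" Destination="{EXPECTED['acs']}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-06-01T11:55:00Z" NotOnOrAfter="2021-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```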