Workplace integrates with many IdP solutions, including Microsoft Azure AD, Okta, Harbor, G Suite, OneLogin and Connect by Azuronaut. We encourage you to visit our Integration Directory for a full list of the IdP solutions we partner with. We recommend Microsoft Azure AD as a viable alternative to the current AD Sync solution; you can follow the steps described here to complete the migration.
What if I'm not ready to migrate to a cloud provider?
Should you prefer not to migrate to a cloud provider at this time, we encourage you to update your AD Sync support software to the newly released version (v16) as described. That version will continue to function until 12 August 2021, after which synchronisation stops, so plan the migration before that date.
As the Workplace Active Directory Sync product (referred to as AD Sync below) is being deprecated, we've worked with the Microsoft team to produce this guide to help you migrate to Microsoft Azure Active Directory.
There are two main scenarios that you may encounter when integrating Workplace with Azure Active Directory:
- Active Directory on premises alone
- Active Directory on premises and an existing Azure AD tenant (included with Office 365/Microsoft 365). In this case, skip ahead to Integrate Azure Active Directory automatic provisioning with Workplace.
If you are in the first scenario, or unsure which applies, follow these steps:
Integrate your on-premises Active Directory with Azure Active Directory
If your organisation does not have an Azure tenant, you will need to create one.
More information: Quickstart: Set up a tenant
Azure AD Connect
Azure AD Connect is the Microsoft tool for hybrid identity. It provides the following features:
- Password hash synchronisation - A sign-in method that synchronises a hash of each user's on-premises AD password with Azure AD. What is sent is a salted, iterated hash derived from the on-premises password hash, not the cleartext password and not the NT hash itself, so the synchronised value cannot be used to authenticate against on-premises AD.
- Pass-through authentication - A sign-in method that allows Azure AD users to authenticate against your on-premises Active Directory, but doesn't require the additional infrastructure of a federated environment.
- Federated authentication - Federation management is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronisation - Responsible for creating users, groups and other objects, as well as making sure that identity information for your on-premises users and groups is consistent between on-premises Active Directory and Azure AD. This synchronisation can also include password hashes.
- Health monitoring - Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity.
Azure AD Connect sync (the Azure Active Directory Connect synchronisation services) is the main component of Azure AD Connect. It handles all operations related to synchronising identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync and Forefront Identity Manager with the Azure Active Directory Connector configured.
Azure AD Connect cloud provisioning
Azure AD Connect cloud provisioning is a newer Microsoft agent for synchronising users, groups and contacts to Azure AD. It can be used alongside Azure AD Connect sync or on its own.
How are they different?
With Azure AD Connect cloud provisioning, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. The organisation only needs to deploy a lightweight agent in its on-premises or IaaS-hosted environment; the agent acts as a bridge between Azure AD and on-premises Active Directory. The provisioning configuration is stored in Azure AD and managed as part of the service.
Integrate Azure Active Directory automatic provisioning with Workplace
Group-based assignment and dynamic groups require Azure Active Directory Premium P1 or P2 licensing. If your organisation does not have P1 or P2 licensing for all users who will be provisioned, we recommend attribute-based scoping rather than group-based assignment.
Group-based assignment of users
If you don't already have applicable groups, you can use Azure Active Directory's dynamic groups feature to create a group where only users who meet specified conditions are added as members. Dynamic group membership reduces the administrative overhead of adding and removing users.
More information: Dynamic membership rules for groups in Azure Active Directory
Whether with an existing group or an Azure AD dynamic group, assigning a group of users to the Azure AD enterprise application is as simple as:
- Go to the Workplace enterprise application in the Azure portal, click "Users and groups" and add the group(s)
- After adding your Workplace administrator credentials on the provisioning blade of the Workplace enterprise application, ensure that the "Sync only assigned users and groups" option is set under Scope.
Attribute-based scoping of users
Instead of group-based assignment of users to the Workplace enterprise application, the other option, which does not require Azure AD Premium licensing, is to use "Sync all users and groups" in combination with attribute-based scoping filters.
A scoping filter allows the Azure Active Directory provisioning service to include or exclude users whose attribute values match one or more specified conditions. For example, when provisioning users from Azure AD to a SaaS application (such as Workplace) used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
Scoping filters can be configured in the enterprise application's Provisioning tab in the Mappings section. Scoping filters can be used as your only method of controlling which users are provisioned into Workplace, or in combination with the group-based assignment feature detailed above.
More information: Attribute-based application provisioning with scoping filters
Sample steps to set up attribute-based application provisioning with scoping filters:
Important: If you're using attribute-based scoping for provisioning, also open the Properties panel of the enterprise application (you'll return to it for the SSO configuration later) and set the "User assignment required?" toggle to No. Otherwise users who are in scope for provisioning but not assigned to the application will be refused sign-in.
If this option is set to No, any user in your Azure AD tenant who navigates to the application's deep-link URL or application URL directly will be allowed to sign in through Azure AD, whether or not they are in scope for provisioning. Scoping filters then control who is provisioned into Workplace, not who can complete the Azure AD sign-in step.
If this option is set to Yes, users must be assigned to the application before they can sign in. That can only be achieved by assigning all users, by using group-based assignment, or by adding users manually.
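The two controls above are easy to confuse: the provisioning Scope (plus any scoping filters) decides who gets a Workplace account, while "User assignment required?" decides who Azure AD will sign in at all. The following is an added example, not code from this guide or from Microsoft, that models those rules on a small constructed directory so you can see who ends up provisioned, who can still reach the SSO step without an account, and how a scoping filter behaves when an attribute is missing or differently cased. It models EQUALS as an exact, case-sensitive comparison (as the portal documents it) and REGEX MATCH as a full match (an assumption); the attribute names follow Azure AD user properties.

```python
"""Who gets provisioned vs. who can sign in: a model of the Azure AD controls above.

Added example, not code from the Workplace guide or from Microsoft. It models:
  * scoping filters: clause groups are OR'd, the clauses inside a group AND'd;
  * "Sync only assigned users and groups": provisioning limited to assigned users;
  * "User assignment required?": decides who Azure AD lets sign in to the app.
EQUALS is modelled as an exact, case-sensitive comparison; REGEX MATCH as a
full match (assumption). USERS is constructed sample data, not a real directory.
"""
import re

USERS = [
    {"userPrincipalName": "ana@example.com",  "department": "Sales",       "userType": "Member"},
    {"userPrincipalName": "bo@example.com",   "department": "sales",       "userType": "Member"},
    {"userPrincipalName": "chen@example.com", "department": None,          "userType": "Member"},
    {"userPrincipalName": "dee@example.com",  "department": "Sales",       "userType": "Guest"},
    {"userPrincipalName": "eli@example.com",  "department": "Engineering", "userType": "Member"},
]


def clause_matches(user, attribute, operator, value=None):
    """Evaluate one scoping-filter clause against a user's attributes."""
    actual = user.get(attribute)
    if operator == "EQUALS":
        return actual == value
    if operator == "IS NULL":
        return actual is None
    if operator == "IS NOT NULL":
        return actual is not None
    if operator == "REGEX MATCH":
        return actual is not None and re.fullmatch(value, str(actual)) is not None
    raise ValueError(f"unsupported operator {operator!r}")


def in_scope(user, scoping_filter):
    """scoping_filter: list of clause groups, each a list of (attribute, operator[, value])."""
    if not scoping_filter:
        return True  # no filter configured: every user is in scope
    return any(all(clause_matches(user, *clause) for clause in group) for group in scoping_filter)


def provisioned(users, scoping_filter, assigned=frozenset(), sync_only_assigned=False):
    """UPNs the provisioning service would create in Workplace."""
    return [u["userPrincipalName"] for u in users
            if (not sync_only_assigned or u["userPrincipalName"] in assigned)
            and in_scope(u, scoping_filter)]


def can_sign_in(user, assigned=frozenset(), assignment_required=True):
    """Whether Azure AD will issue a SAML assertion for this user to the app."""
    return (not assignment_required) or user["userPrincipalName"] in assigned


# Attribute-based scoping as on this page: Sales members only, guests excluded.
SALES_MEMBERS = [[("department", "EQUALS", "Sales"), ("userType", "EQUALS", "Member")]]
# Variant for directories where the department value is inconsistently cased.
SALES_MEMBERS_CI = [[("department", "REGEX MATCH", "(?i)sales"), ("userType", "EQUALS", "Member")]]


def sso_without_account(users, scoping_filter):
    """Users Azure AD signs in (assignment not required) who were never provisioned."""
    have_account = set(provisioned(users, scoping_filter))
    return [u["userPrincipalName"] for u in users
            if can_sign_in(u, assignment_required=False)
            and u["userPrincipalName"] not in have_account]


if __name__ == "__main__":
    print("provisioned:", provisioned(USERS, SALES_MEMBERS))
    print("provisioned (case-insensitive):", provisioned(USERS, SALES_MEMBERS_CI))
    print("can reach SSO but have no account:", sso_without_account(USERS, SALES_MEMBERS))
```

Run as-is: only ana is provisioned under the strict filter (bo's "sales" fails the case-sensitive EQUALS, chen has no department, dee is a guest), yet with "User assignment required?" set to No all four of the others can still authenticate to the application in Azure AD. Check what Workplace does with an assertion for an unknown user before relying on scoping filters alone.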
Creating and configuring the enterprise application/third-party integration
You will need system administrator credentials for Workplace and, in Azure, one of the Application Administrator, Cloud Application Administrator or Global Administrator roles, or ownership of the enterprise application. Use the least-privileged option that works for you (application owner or Cloud Application Administrator) rather than Global Administrator.
Follow these sample steps to set up user provisioning:
After testing and saving your Workplace system administrator credentials in the enterprise app's provisioning configuration, navigate away from the enterprise application or reload the page in your browser before you try to start provisioning; otherwise starting the provisioning process will fail.
After some time, you will see the following screen:
Extra: Configure the SSO using Azure as identity provider
You can also set up SSO using the same enterprise application in Azure.
Step-by-step setup of SSO on both Azure AD and Workplace:
SSO URL correspondence
Azure AD, Basic SAML Configuration:
- Identifier (Entity ID)
- Reply URL (Assertion Consumer Service URL)
Single sign-on (SSO) setup in Workplace:
- Name of the SSO provider: your custom name for the setup
- SAML issuer URL: the Azure AD identifier
- SAML logout URL (optional)
Make sure you add the corresponding domains to the SSO configuration. These domains must be verified in Workplace:
Once SSO has been configured, you will need to define the authentication method for your users. This can be SSO only, or a mix of authentication methods (some users log in with a password and others with SSO).
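The Azure AD values that the Workplace SSO form asks for (the Azure AD identifier that becomes the SAML issuer URL, the logout URL, and the signing certificate) are all published in the tenant's SAML federation metadata, so they can be read from there instead of being copied from portal screens. The following is an added example, not code from this guide, Microsoft or Workplace; it parses a constructed, minimal stand-in for Azure AD's federationmetadata.xml (made-up tenant ID, dummy certificate), refuses metadata that belongs to a different tenant, and records a SHA-256 fingerprint of the signing certificate so you can detect a certificate rollover. The mapping of SingleSignOnService to a "SAML URL" field and the certificate field are assumptions about the Workplace form beyond the fields named on this page.

```python
"""Pull the Workplace SSO values out of Azure AD SAML federation metadata.

Added example; not from the Workplace guide and not Microsoft or Workplace code.
Azure AD publishes SAML metadata per tenant (and per app with ?appid=<app-id>) at
https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml;
the portal links the same file as "App Federation Metadata Url". SAMPLE_METADATA
below is a constructed, minimal stand-in for that document with a made-up tenant
ID and a dummy certificate; the real file is larger and also carries WS-Fed entries.
"""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant
DUMMY_CERT_B64 = base64.b64encode(b"dummy DER bytes; the real file carries the tenant signing cert").decode()

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data><X509Certificate>{DUMMY_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_tenant(metadata_xml):
    """Tenant ID named in the metadata's entityID, or None if it is not an Azure AD issuer."""
    entity_id = ET.fromstring(metadata_xml).get("entityID", "")
    m = re.fullmatch(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/", entity_id)
    return m.group(1).lower() if m else None


def _pem(cert_b64):
    body = "\n".join(textwrap.wrap("".join(cert_b64.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def workplace_sso_values(metadata_xml, expected_tenant_id):
    """Return the Azure AD values to paste into Workplace's SSO setup.

    Refuses metadata whose entityID belongs to a different tenant, so values from
    another tenant's metadata cannot be pasted in by mistake.
    """
    if metadata_tenant(metadata_xml) != expected_tenant_id.lower():
        raise ValueError(f"metadata is not for tenant {expected_tenant_id}")
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def redirect_location(tag):
        for el in idp.findall(f"{{{MD}}}{tag}"):
            if el.get("Binding") == REDIRECT:
                return el.get("Location")
        return None

    cert = idp.find(f"{{{MD}}}KeyDescriptor[@use='signing']/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert.text.split()))

    return {
        "SAML issuer URL": root.get("entityID"),                      # Azure AD Identifier
        "SAML URL": redirect_location("SingleSignOnService"),         # Login URL (assumed field)
        "SAML logout URL": redirect_location("SingleLogoutService"),  # Logout URL (optional)
        "SAML certificate": _pem(cert.text),                          # assumed field
        # Store this and compare after each certificate rollover in Azure AD.
        "signing certificate SHA-256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in workplace_sso_values(SAMPLE_METADATA, TENANT_ID).items():
        print(f"{key}: {value}")
```

Fetch the real metadata only over HTTPS from the tenant-specific URL, pass your own tenant ID as expected_tenant_id, and keep the recorded fingerprint: when Azure AD rolls the signing certificate, the fingerprint changes and the new certificate has to be loaded into Workplace before the old one expires.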