Hi,
Something else that might be interesting: Azure AD Connect cloud
provisioning.
https://docs.microsoft.com/en-us/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning
It's something new that I guess could be relevant for someone checking
out Azure sync options.
MJ
On 7/10/20 10:03 PM, Georges Martin via samba wrote:
>
>> On 9 Jul. 2020 at 19:26, Bernhard Dick via samba <samba at
>> lists.samba.org> wrote:
>>
>> Hi,
>>
>>> On 02.07.2020 at 17:23, Martin Hauptmann via samba wrote:
>>> Sorry if I didn't find the right manual.
>>> I would like to set up a new Domain Controller and connect it to an
>>> existing Office 365 with Exchange in such a way that AD users of a certain
>>> group can log in and not have to log in to Office 365.
>>> My questions:
>>> Can I map the existing Office 365 accounts to the new Domain?
>> One thing I would take a look at, also after I've read the recent
>> answers, is the SAML interface for Office 365. I do not yet have a working
>> environment using this, but it seems promising. Here you'd need to set up
>> your own IdP (for example using Shibboleth) and connect this with the Office 365
>> users. I'm not sure how seamless this works, but I think that there should be
>> an IdP able to authenticate the users via Kerberos if they're already
>> logged in on a workstation.
>> Here is some documentation on the Microsoft side for using a SAML IdP:
>> https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
>> . A mapping of existing users seems possible.
>> However, it seems that just adding someone to a group of allowed users
>> is not enough; you still need to create a user identity for everyone you want
>> to use O365 there.
>
> An alternative SAML IdP to Shibboleth is Moonshot
> (https://wiki.moonshot.ja.net/), *especially* if you want to integrate non-web
> applications (SSH, Java applications, ...)
>
> Disclaimer: I have not (yet) performed such a deployment.
>
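As an added worked example for the SAML federation and user-mapping steps Bernhard describes above (this is not code from the thread, from Microsoft, or from the Shibboleth project), the following PowerShell uses the MSOnline cmdlets that the linked how-to-connect-fed-saml-idp page documented at the time. The domain name, IdP hostnames, endpoint paths (Shibboleth-style defaults), certificate file and object GUIDs are all assumptions for illustration. The linked page also requires the IdP to emit a persistent NameID that matches the user's ImmutableId and an IDPEmail attribute carrying the UPN; configuring the IdP side is outside this snippet.

```powershell
# Added example (not from the mailing list or from Microsoft): federate an
# already-verified Azure AD domain with a third-party SAML 2.0 IdP using the
# MSOnline cmdlets, then link existing cloud users (or create new ones) to IdP
# subjects via ImmutableId. Every name, URL and GUID below is a placeholder.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

$domain    = 'example.com'                                  # assumption: verified in the tenant, not the initial .onmicrosoft.com domain
$idpBase   = 'https://idp.example.com/idp/profile/SAML2'    # assumption: Shibboleth-style endpoint layout
$issuerUri = 'https://idp.example.com/idp/shibboleth'       # entityID the IdP puts in <saml:Issuer>

# Base64 DER of the IdP's SAML signing certificate.
# Assumption: idp-signing.crt was exported from the IdP; only the public certificate is needed here.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 '.\idp-signing.crt'
$signingCert = [Convert]::ToBase64String($cert.RawData)

# Switch the domain from Managed to Federated. Azure AD will then redirect
# browser sign-ins for this domain to PassiveLogOnUri and use ActiveLogOnUri
# (SAML ECP) for clients that cannot follow a browser redirect.
Set-MsolDomainAuthentication `
    -DomainName                      $domain `
    -FederationBrandName             $domain `
    -Authentication                  Federated `
    -PassiveLogOnUri                 "$idpBase/Redirect/SSO" `
    -ActiveLogOnUri                  "$idpBase/SOAP/ECP" `
    -LogOffUri                       "$idpBase/Redirect/SLO" `
    -IssuerUri                       $issuerUri `
    -SigningCertificate              $signingCert `
    -PreferredAuthenticationProtocol SAMLP

# Check: Authentication should now read "Federated" and the URIs should match.
Get-MsolDomainFederationSettings -DomainName $domain

# Mapping existing users: Azure AD matches the persistent NameID in the
# assertion against the user's ImmutableId, so an existing cloud account is
# "mapped" to an AD user by setting that value. Assumption: the IdP emits the
# AD objectGUID, base64-encoded, as NameID (the same value AAD Connect would use).
function Get-ImmutableIdFromGuid([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

Set-MsolUser -UserPrincipalName "alice@$domain" `
    -ImmutableId (Get-ImmutableIdFromGuid '11111111-2222-3333-4444-555555555555')

# Users not yet present in the tenant still need an identity there (and a
# license); membership in an allowed group on the IdP side alone creates nothing.
New-MsolUser -UserPrincipalName "bob@$domain" `
    -DisplayName 'Bob Example' -FirstName Bob -LastName Example `
    -UsageLocation DE `
    -ImmutableId (Get-ImmutableIdFromGuid '66666666-7777-8888-9999-aaaaaaaaaaaa')
```

Two points worth checking before doing this in production: once the domain is federated, Azure AD accepts any assertion signed by SigningCertificate for any ImmutableId in that domain, so the IdP's signing key is effectively a tenant-wide credential and should be protected (HSM or at least a locked-down host) and rotated deliberately; and federating the domain changes sign-in for every user on it, not just members of one group, so test with a spare verified domain first.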