Delegate365 changelog 8.5-Sync with Security Group
Wednesday, October 30, 2019
Delegate365 version 8.5 comes with an updated sync operation for the option "Sync with security group". This option allows to achieve a match between (specific) Office 365 security groups and Delegate365 OU´s. In short, this means that the members of a Security Group control the assigned members of an OU, and after a sync, they are identical. See a description of this sync feature here.
To describe the "Sync with Security Group" functionality, here´s a demo. In our organization, there are branches in 3 locations: Seattle, New York, and London. We want to have users in some locations automatically assigned to OU´s in Delegate365. For that purpose, we are using Security Groups in Office 365 and add the users as members to these groups. So here´s the detailed scenario.
Sync with security group
In Administration / Sync rules menu, we turn on Sync with security group as shown below. This switch set to Yes hides the other settings below and enables the synchronization with Security Groups as the only method. When the switch is set to No, Admins can define alternative properties for the sync, but members stay in OU´s and get added, but not removed. So, for a full synchronization with security groups, the switch must be set to Yes.
Note: "Sync with security group" is the recommended sync option for working with Delegate365. It´s much faster than a sync with user properties and automatically removes users from OU´s.
These are the rules for the Sync with security group setting set to Yes:
- At the sync, Delegate365 compares the name of every Security Group with the name of an OU. If there´s a match, the members of that Security Group will become the members of the OU (see below). The comparison method checks if Security Group Display name "New York" = OU name "New York", but upper and lowercase are not be considered, so "New York" = "new york".
- Users that are not members of the Security Group, will be removed from the corresponding OU automatically. After the sync, Security Group members = OU members (see below).
- If there´s no match for a Security Group = OU, no automatic OU assignment happens.
- If a user is member of multiple Security Groups (and there exist corresponding OU´s), the alphabetically sorted last Security Group will be used for the OU assignment (see below).
- If the switch Create OU if not existing is set to Yes, all Security Groups will be created as OU´s in Delegate365. So, be aware that this might not be the desired result for using Sync with security groups, every Security Group will be existing as OU in Delegate365.
So, here´s the demo scenario in a test tenant.
OU´s in Delegate365
In Delegate365, there exist 3 OU´s: Seattle, New York and London. We will not use London here, but the first two OU´s, just to keep it simple but to illustrate that, of course, Admins can manage multiple OU´s with different aspects.
There are currently no users assigned to any of these OU´s. It´s important that the OU´s have the same name as the security groups we want to sync. In our sample, it´s Seattle and New York only.
Security Groups in Office 365
In Office 365, there might exist several other security groups, but we don´t want to use all of them in Delegate365 for any OU assignments. The Office Portal shows theses security groups:
We are interested in 2 security groups that shall be used for the OU assignment in Delegate365: Seattle and New York.
- In security group Seattle, there are 2 members: AlexW and DebrahB
- In security group New York, there are 2 members: IrvinS and PattiF
So, the members of these two groups shall be synced to Delegate365 OU´s.
Admins often use the Office 365 admin portal or tools like PowerShell or AAD Connect to modify users and groups outside of Delegate365, so I use the admin portal, too. Of course, these operations can happen within Delegate635 as well.
Assign the OU´s to the Admin
Ensure that the current Admin can manage the OU´s and domains, as here. In this sample, the Admin can manage Seattle, New York and London and the domain of the demo tenant. If you do not see users, pls. have a look at Troubleshooting Delegate365.
Currently, there are no users in these OU´s, the users list is empty.
Run a sync
Let´s run the synchronization with that setup in menu Administration / Sync operations.
Check the result
After the sync is completed, check the Users list. We should see the automatically new assigned users: 2 in Seattle, and 2 in New York, as here.
AlexW and DebraB are in OU Seattle, IrvinS and Patti are in OU New York.
Test the sync with changed group members
After the initial sync worked properly, we test again with different members in security group Seattle: DebraW is removed and HenriettaM is added as here:
So, Seattle now has AlexW and HenriettaM as members. Let´s run the sync again in menu Administration / Sync operations.
After the sync, the users list shows the new OU members. We see the new members in OU Seattle: AlexW and HenriettaM, while DebraB was removed.
So, the sync did update the OU memberships as expected.
Test the sync with multiple group members
What, if a user is member of multiple security groups and the Sync with groups function runs?
So, here IrvinS is assigned as member of New York AND Seattle (and some other groups) in the Office portal.
In Delegate365, IrvinS is currently assigned to OU New York. We run the next sync in Delegate365.
After the sync, IrvinS has changed from OU New York to OU Seattle.
This is because the Delegate365 sync sorts all groups by name and the last group wins.
As the rules at the beginning state, Sync with Security Group ensures that all current members of a Security Group are equal to the OU assignments in Delegate365, if there´s a matching OU name.
If the Delegate365 license quota is exceeded through automatic OU assignments
To clarify the Delegate365 licensing with automatic OU assignments: Delegate365 must be licensed for all users that are managed within the solution. Relevant are the users that are visible in the Users list. See Delegate365 license information for details. If more users shall be assigned to an OU, Delegate365 stops doing the OU assignment if the Delegate365 license quota is exceeded.
To demonstrate that, we have set the Delegate365 licenses to 5 while there are already 4 users added. The licenses can be checked anytime with the warning icon in the menu bar as here.
To simulate the behavior, I added 1 more member to security group Seattle (DiegoS) and 2 more members to New York (DiegoS and EmilyB) as here.
So, in total there are now 6 uniqe users to sync (AlexW, IrvinS and DiegoS are in both groups). The next sync is started.
After the sync has completed, the result looks as here: EmilyB has been added to OU New York. DiegoS has not been assigned to any OU since the Delegate365 license quota did not allow the operation.
To complete that sample, I remove EmilyB from security group New York and run the sync again.
After the sync, EmilyB is removed from Delegate365, but DiegoS came in in OU Seattle (the last group).
This sample illustrates the behavior when working with the "Sync with security group" option. We recommend to use that sync option in future.