Sharepoint security: Managing Sharepoint online Access via on-prem AD security groups

Hello everyone

I have a question about security best practices for SPO. Our strategy is to manage MS online services through our on-premise infrastructure (so mail-related management is done on-premise, user management is done via on-premise, ....), which is synced through dirsync/adSync.

There are a few possibilities. Either you do everything on-premise, which means great control but also a lot of requests (this can be automated of course), or you manage everything in the cloud, but this is non-compliant with our strategy. A third option, which I'm trying to figure out, is to set up on-premise AD groups for the first few levels in a site collection (because these will contain 50K+ users) and try to auto-populate them (via FIM, dynamic distribution lists?, other options?), have them synced by dirsync and from then on start managing sites and teams via SPO.

Can somebody share his experience concerning this topic?

Thanks a lot

Jan

PS: Not sure if this is the correct f

September 6th, 2015 12:05pm

Your intention and plan are very clear. If you have already synced your AD with Microsoft Online, you can use the same users and groups to manage your SharePoint Online without any issues.
September 7th, 2015 2:48am

Hi

Thank you already for your reply. I'm wondering if there are any best practices on the topic, because it will involve both on-prem and cloud groups; maybe there are better techniques like Azure AD groups, governance, automation?

I'm just trying to be sure that I'm selecting the best approach as this is a greenfield situation and will be used for 50K+ users.

Any pointer appreciated!

Jan

September 7th, 2015 2:56am

Hi Jan,

In general, we only need to deploy DirSync with Office 365 (Windows Azure AD). Here is a demo about Synchronization between Active Directory and SharePoint Online for your reference:

http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142

http://www.trustsharepoint.com/2014/12/identity-synchronization-between-active.html

And a post with a similar requirement for your reference:

https://community.office365.com/en-us/f/613/t/237015

Best Regards,

Dean Wang

September 8th, 2015 2:45am

Hi Jan,

Just to add some additional information:

SecurityEnabledGroup objects are filtered if:

  • isCriticalSystemObject = TRUE
  • mail is present AND DisplayName isn't present
  • Group has more than 15,000 immediate members

http://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx

As you have 50K+ users in your AD, please note that security groups larger than 15K members will not be synced to Office 365. In case you need to manage permissions with AD security groups, please consider this limit.

Thanks,
Reken Liu

September 13th, 2015 11:17pm
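To check an on-premises directory against the three DirSync filter rules quoted in the reply above before building the large first-level groups Jan describes, here is an added PowerShell example (it is not code from any poster in this thread). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read group membership; the 15,000 limit is the figure quoted in the thread.

```powershell
# Added example: list on-prem AD security groups that DirSync would filter out,
# so they are not relied upon for SharePoint Online permissions.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxImmediateMembers = 15000   # immediate-member limit quoted in the thread

# Only SecurityEnabledGroup objects are subject to these rules, so skip
# distribution groups. 'member' holds direct (immediate) members only,
# which is exactly what the 15,000 rule counts.
$props = 'member', 'mail', 'displayName', 'isCriticalSystemObject'

Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties $props |
    ForEach-Object {
        $reasons = @()

        if ($_.isCriticalSystemObject -eq $true) {
            $reasons += 'isCriticalSystemObject = TRUE'
        }

        # mail-enabled security groups need a DisplayName to be synced
        if ($_.mail -and -not $_.displayName) {
            $reasons += 'mail present but DisplayName missing'
        }

        $count = @($_.member).Count
        if ($count -gt $MaxImmediateMembers) {
            $reasons += "immediate members ($count) exceed $MaxImmediateMembers"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Group       = $_.SamAccountName
                MemberCount = $count
                WillNotSync = ($reasons -join '; ')
            }
        }
    } |
    Sort-Object MemberCount -Descending |
    Format-Table -AutoSize
```

Groups that appear in the output need to be split (for example by region or department, as Jan's first-level grouping suggests) or renamed so that they pass the filter before being used for SPO permissions.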
