Changes to hybrid write-back export attribute flow in FIM-based directory synchronization solutions

Those of you who are implementing multi-forest directory synchronization or advanced directory synchronization using Forefront Identity Manager (FIM) 2010 R2 and the Windows Azure Active Directory (AAD) Connector should be aware that recent builds of the Windows Azure Active Directory Sync tool, a.k.a. DirSync, have added an extra Export Attribute Flow (EAF) to the Active Directory Management Agent (ADMA).

This change has been introduced because of an issue with Exchange Online Hybrid and litigation hold.  If you have a FIM deployment synchronising on-premises identity to AAD for Office 365 (O365) for Exchange Online (EXO) you need to consider adding the EAF to your topology.

The EAF

Basically, you need a direct EAF that doesn’t flow nulls, i.e.:

  • Data source object type: user (or inetOrgPerson)
  • Data source attribute: msExchUserHoldPolicies
  • Metaverse object type: user (or person)
  • Metaverse attribute: cloudMSExchUserHoldPolicies
  • Type: Direct
  • Flow Nulls: False (blank in the UI)

The screen grab below illustrates the default DirSync configuration, although I appreciate that the text is pretty small given the restrictions of my CSS.

[Screenshot: the default DirSync ADMA export attribute flows, including the msExchUserHoldPolicies flow; image not reproduced here]

If you’re running a custom FIM implementation and an EXO hybrid topology you need to implement this flow.  I choose to configure all of my hybrid “write-back” EAFs as rules extension (advanced) flows, and control whether or not hybrid write-back is enabled via my XML configuration file (you might prefer a registry key), so my actual solution that I deploy with customers looks like this:

[Screenshot: the author's ADMA export attribute flows with the hybrid write-back attributes configured as rules extension (advanced) flows; image not reproduced here]
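The following is an added example, not the author's deployed code, of how a hybrid write-back EAF can be implemented as a rules extension (advanced) flow on the ADMA with the enable/disable switch read from an XML configuration file, as the post describes. The configuration file name (HybridWriteBack.xml), its element layout, and the flow rule name "cd.user:msExchUserHoldPolicies" are assumptions for the example; the metaverse and data source attribute names come from the flow definition above.

```csharp
// Added example (not the post author's code): FIM 2010 R2 ADMA rules extension that
// exports cloudMSExchUserHoldPolicies -> msExchUserHoldPolicies as an advanced flow,
// gated by a flag in an XML configuration file. The file name, its element layout
// and the flow rule name are assumptions made for this example.
using System;
using System.IO;
using System.Xml.Linq;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    // Flow rule name typed into the advanced export flow in Synchronization Service Manager (assumed).
    private const string HoldPoliciesFlowRule = "cd.user:msExchUserHoldPolicies";

    // Read once per run from <Sync Service Extensions folder>\HybridWriteBack.xml (assumed file).
    private static bool hybridWriteBackEnabled;

    public void Initialize()
    {
        // Utils.ExtensionsDirectory is the Synchronization Service's Extensions folder.
        string configPath = Path.Combine(Utils.ExtensionsDirectory, "HybridWriteBack.xml");
        hybridWriteBackEnabled = false;
        if (!File.Exists(configPath)) { return; }

        // Assumed layout: <config><hybridWriteBack enabled="true"/></config>
        XElement node = XElement.Load(configPath).Element("hybridWriteBack");
        bool enabled;
        if (node != null && bool.TryParse((string)node.Attribute("enabled"), out enabled))
        {
            hybridWriteBackEnabled = enabled;
        }
    }

    public void Terminate() { }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case HoldPoliciesFlowRule:
                // Write-back switched off in configuration: leave the on-premises value untouched.
                if (!hybridWriteBackEnabled) { return; }

                // Equivalent of "Flow Nulls: False": when the cloud-sourced MV attribute is
                // absent, return without deleting the on-premises hold policies.
                if (!mventry["cloudMSExchUserHoldPolicies"].IsPresent) { return; }

                // Both attributes are multi-valued; replace the CS value set with the MV value set.
                csentry["msExchUserHoldPolicies"].Values.Clear();
                foreach (Value v in mventry["cloudMSExchUserHoldPolicies"].Values)
                {
                    csentry["msExchUserHoldPolicies"].Values.Add(v.ToString());
                }
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // The remaining IMASynchronization members are not used by this extension.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
}
```

The "Flow Nulls" checkbox in the UI only applies to direct flows; in an advanced flow the same behaviour is obtained by returning early when the metaverse attribute is not present, so an absent cloud value never clears a hold policy on-premises. The ADMA account still needs write permission on msExchUserHoldPolicies for the export to succeed, as covered in the permissions post linked below.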

More information

I discuss the flows and the minimum permissions that need to be assigned in my post Office 365 Exchange Hybrid DIRSYNC write-back attributes and permissions.  I have updated that post to reflect the new information in this post.  The reason for the change is litigation hold – basically, there is a need to bring the msExchUserHoldPolicies attribute value back to the on-premises Exchange infrastructure in hybrid deployments or off-boarding scenarios.

What is msExchUserHoldPolicies?

The msExchUserHoldPolicies attribute is added to the AD schema by either Exchange Server 2013 or Lync Server 2013.  If you do not have the attribute then you obviously don’t need to configure the flow, but you should reach out to an Exchange SME to see if it is an issue that you need to consider.  Most hybrid deployments have the Exchange 2013 schema, so it is likely you will have what’s needed to set up the flow and not have to worry about this.
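As an added check, not from the original post, the following queries the forest schema for the attributeSchema object with lDAPDisplayName msExchUserHoldPolicies so you can confirm the attribute exists (and is multi-valued) before configuring the flow. It binds to RootDSE of the domain the code runs in; no server name or credentials are assumed.

```csharp
// Added example (not the post author's code): confirm that the AD schema contains the
// msExchUserHoldPolicies attribute before configuring the EAF. Uses System.DirectoryServices
// and binds to the current domain's RootDSE; no server or credentials are assumed.
using System;
using System.DirectoryServices;

public static class HoldPolicySchemaCheck
{
    private const string AttributeName = "msExchUserHoldPolicies";

    // Returns null when the attribute is not in the schema, otherwise whether it is single-valued.
    public static bool? IsSingleValued()
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            using (DirectoryEntry schema = new DirectoryEntry("LDAP://" + schemaNc))
            using (DirectorySearcher searcher = new DirectorySearcher(schema))
            {
                // attributeSchema objects live directly under the schema container.
                searcher.SearchScope = SearchScope.OneLevel;
                searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=" + AttributeName + "))";
                searcher.PropertiesToLoad.Add("isSingleValued");

                SearchResult result = searcher.FindOne();
                if (result == null) { return null; }
                return (bool)result.Properties["isSingleValued"][0];
            }
        }
    }

    public static void Main()
    {
        bool? singleValued = IsSingleValued();
        if (singleValued == null)
        {
            Console.WriteLine(AttributeName + " is not in the schema; the Exchange 2013 or Lync 2013 schema extension has not been applied.");
        }
        else
        {
            Console.WriteLine(AttributeName + " is present (multi-valued: " + (!singleValued.Value) + "); the EAF can be configured.");
        }
    }
}
```

A missing attribute means the export flow cannot be created on the ADMA at all, so this check belongs in the pre-deployment validation of a FIM-based solution alongside the schema checks for the other hybrid write-back attributes.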


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in Azure Active Directory, DirSync, FIM 2010 R2, Office 365.

2 Responses to Changes to hybrid write-back export attribute flow in FIM-based directory synchronization solutions

  1. Pingback: Office 365 Exchange Hybrid DIRSYNC write-back attributes and permissions | Yet another identity management blog

  2. Pingback: (2014-03-21) GALSync, DIRSync And SSO With Office 365 Blog Posts From MSResource.NET « Jorge's Quest For Knowledge!
