IBM Security MaaS360


Migrating from On Premise AD to Azure AD with IBM MaaS360

By Margaret Radford posted Thu September 09, 2021 06:18 PM


This third blog in the Integrating IBM MaaS360 with your Microsoft 365 services series is focused on existing customers who are considering migrating from Cloud Extender User Authentication and User Visibility with on-premises Active Directory (OPAD) to cloud integration with Azure AD (AAD).

First, let’s make sure we understand what User Authentication and User Visibility entails in MaaS360.

MaaS360 User Authentication and User Visibility

  1. User Authentication in MaaS360
    • User Authentication is used for enrollment authentication, admin portal authentication, end user portal authentication, and resetting MaaS360 app PINs when you are using any of the container apps such as Secure Mail, Secure Browser, or Secure Docs.
    • User Authentication can be enabled in MaaS360 using:
      • Cloud Extender integration with OPAD or another on-premises directory service through LDAP
      • Cloud to Cloud integration with AAD
      • SAML integration with an Identity Provider
  2. User Visibility in MaaS360
    • User Visibility is used to import Users and User Groups into MaaS360. These can be used for assigning policies and distributing content, and the imported user attributes can be used in policies and app configs.
      • Note: User Groups are not the only option for assignments and content distribution; Device Groups can also be used. Device Groups are not imported, they are created in MaaS360 using Advanced Search.
    • User Visibility is enabled in MaaS360 using:
      • Cloud Extender integration with OPAD or another on-premises directory service
      • Cloud to Cloud integration with AAD
    • While not part of the OPAD and AAD User Visibility modules, administrators can also:
      • Create local users and user groups manually in the MaaS360 User Directory, or bulk import them using a CSV file
      • Rely on SAML authentication, which automatically creates local users in MaaS360. Groups would have to be created manually.

Important: Existing MaaS360 deployments can continue to use Cloud Extender with OPAD for User Authentication and User Visibility if OPAD will continue to serve as your Identity Source, that is, if the new users and groups needed for user authentication and group assignments are still created in OPAD. In this scenario Azure AD Connect is used to synchronize the users and groups from OPAD to AAD. Reasons for replacing Cloud Extender OPAD integration with AAD cloud integration are described below.

MaaS360 and Azure AD (AAD) integration concepts

Please review the full documentation here: https://www.ibm.com/docs/en/maas360?topic=setup-integrating-azure-ad-maas360

  • AAD and MaaS360 integration is cloud to cloud, a Cloud Extender component is not needed.
  • MaaS360 cloud to cloud integration with AAD supports User Authentication, User Visibility, and compliance updates for AAD Conditional Access.
  • AAD User Visibility is required for AAD Conditional Access compliance updates when using selected User Groups. Learn more about MaaS360 integration with AAD Conditional Access here.
  • You can choose to have all users imported from Azure AD or a specific set of users by selecting specific Azure AD User Groups.
  • For AAD conditional access compliance syncs, you can choose to have compliance updates for all users or a subset of users by selecting specific user groups.
  • MaaS360 supports Mixed Mode User Authentication in cases where a subset of users are on OPAD and another subset are on AAD.
  • Mixed Mode User Visibility is not recommended when the user records are duplicated across OPAD and AAD. This will result in an alternating merge of the user record each time the User Visibility full sync runs. The merge process is covered later in the blog.

Migration scenarios:

  • A hybrid (mixed mode) cutover where some users and groups will be managed in AAD and some will be managed in OPAD.
    • In this case, the Cloud Extender User Auth and User Vis can continue to be used.
  • A complete cutover to AAD as your Identity Source and Identity Provider.
    • In this case, the Cloud Extenders are decommissioned. But a hybrid scenario might be needed as you migrate users and groups to AAD.
  • OPAD continues as Identity Source and AAD is used for User Group based Conditional Access which requires AAD User Visibility
    • In this case, if all the users and groups will be synced between OPAD and AAD, you can continue to use Cloud Extender for OPAD User Authentication. But you will need to decommission the Cloud Extender for User Visibility and configure AAD User Visibility.

OPAD/LDAP Mixed Mode User Authentication scenarios

MaaS360 supports mixed mode user authentication if a company needs to support authentication from both OPAD and AAD.

  • Review the following documentation on Mixed Mode support. https://www.ibm.com/docs/en/maas360?topic=caaim-supporting-mixed-mode-azure-active-directory-aad-premises-active-directory-opad-scenarios

OPAD/LDAP User Visibility to Azure AD (AAD) user imports and merges

Let’s look at how an AAD user is imported into MaaS360. If you are planning to have a mix of user sources (OPAD and AAD), or are migrating from one to the other by shutting off OPAD User Visibility, it is important to understand how user records are created and how they merge when you have multiple sources for the same username.

  • This is an example of a user record in AAD:

 

  • When Margaret@Margaretco.com is imported into MaaS360 using Azure AD User Visibility integration, this is what that same user looks like in MaaS360:

  • Primary field mapping between Azure AD user and MaaS360 user record. 

Important: MaaS360 uses the Username field to determine whether user records should be merged during a User Visibility import. In this example, there was already a MaaS360 local user record for margaret@margaretco.com, but the usernames did not match, so the records were not merged on import. Note the different User Sources (Local Directory and User Directory (AzureAD)). This is a key concept because user devices are tied to the user record; in this case, the device would need to be re-enrolled in order for it to be associated with the new Azure AD imported user record.

 

Migrating from OPAD Cloud Extender to AAD cloud integration considerations:

  • Make sure the username matches, otherwise records won’t merge
    • The user record is completely replaced in MaaS360 during the User Visibility sync when the username matches
  • Make sure UPN, email, and domain match, otherwise configuration payloads could fail
    • Important: When a device is enrolled in MaaS360, the email, domain, and username are cached with the device record. The %username%, %email%, and %domain% variables are used in configuration payloads to access email, app config settings, and more. You can alter the configuration settings with a combination of literals and variables to account for any changes between OPAD and AAD.
    • MaaS360 provides configuration settings and variables in MaaS360 MDM policies and MaaS360 Persona Policies that are used to access email.
    • When moving from Cloud Extender OPAD integration to AAD integration, make sure the MaaS360 policy configuration uses the correct configuration settings (UPN, email, domain) for the user to access mail from their device.
      • See the Office 365 migration blog here.
  • Make sure the user groups that you will use in MaaS360 exist in AAD
    • Reimport groups through the AAD User Visibility configuration module
    • Groups with different sources (AAD and OPAD) do not merge
    • Important: If you are doing policy, document, app or rule assignments based on user groups, see the User Group Visibility section of this blog.
      • If you are using assignments on Device Groups whose selection conditions use Managed User Groups or User Groups, also see the User Group Visibility section.
  • Any custom user attributes need to be remapped to the new user records and synced
  • User authentication can be mixed mode, but make sure domains match
    • If using mixed mode authentication, the Auth type associated with the user record is used to determine the authentication type. You can also override this in Setup > Settings > Basic Enrollment Settings.
  • Mixed mode User Visibility is supported but not recommended unless you have two separate subsets of users in AAD and OPAD. This is because of the merge operation that automatically occurs during the User Visibility sync when the usernames match for a MaaS360 user record.
  • When doing a full cutover from OPAD to AAD User Visibility, set up the AAD connection first, make sure you get the green checkmark indicating the integration is enabled, then disable OPAD User Visibility
  • After Cloud Extender OPAD User Visibility has been decommissioned, AAD User Visibility has been enabled, and the users have merged, clean up the users that still have an Active Directory/LDAP User Source in MaaS360:
    • User Settings > Basic > Remove Users
    • Users > Directory > More > Bulk Delete or Inactivate (use a CSV for bulk delete)
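The merge rule above (records merge only on a matching Username, a merged record is replaced, and a non-match creates a second record that the enrolled devices are not tied to) is worth checking against your own directory before you enable AAD User Visibility. The Python script below is an added example, not IBM code and not a MaaS360 API: it reads a constructed MaaS360 user export and a constructed list of the usernames MaaS360 will assign to the imported AAD users, and reports which records will merge, which will become duplicate records (devices would need to re-enroll), which merges change the cached email or domain (review %email% and %domain% usage in policies first), and which OPAD records will be left behind for cleanup. The column names, the sample data, and the assumption that the match is exact (whether it is case-insensitive is not stated in this blog, so test with one account first) are all assumptions.

```python
"""Pre-cutover audit of MaaS360 user records against the AAD users to be imported.

Added example, not IBM MaaS360 code. Assumptions: MaaS360 merges a record only on
an exact Username match (case handling is not stated in the blog, so a case-only
difference is treated as a non-match; test one account first); the export columns
and the username MaaS360 will assign to each AAD user are as shown below.
"""
import csv
import io

# Constructed sample of a Users > Directory export: username, user source, email, domain.
MAAS360_USERS_CSV = """username,user_source,email,domain
margaret,Active Directory/LDAP,margaret@margaretco.com,margaretco.com
margaret@margaretco.com,Local Directory,margaret@margaretco.com,margaretco.com
jdoe,Active Directory/LDAP,jdoe@margaretco.com,MARGARETCO
bsmith,Active Directory/LDAP,bsmith@margaretco.com,MARGARETCO
svc_mdm,Local Directory,svc_mdm@margaretco.com,margaretco.com
"""

# Constructed AAD side: the username MaaS360 will assign on import, plus the
# email and domain values the AAD record will bring with it.
AAD_USERS_CSV = """username,email,domain
margaret,margaret@margaretco.com,margaretco.com
jdoe,john.doe@margaretco.com,margaretco.com
newhire,newhire@margaretco.com,margaretco.com
"""

OPAD_SOURCE = "Active Directory/LDAP"


def load(csv_text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def plan_merge(existing, aad):
    """Classify every AAD user against the existing MaaS360 records.

    merge      usernames whose existing record is replaced by the AAD record
    new_record AAD users with no username match: a second record is created and
               devices tied to the old record must re-enroll to follow the user
    near_miss  (aad username, existing username) pairs that share an email but
               not a username, i.e. the duplicate case described in the blog
    mismatch   merged users whose cached email or domain value changes, so any
               %email% / %domain% payload needs review before cutover
    orphaned   OPAD records no AAD user merges into, left for cleanup
    """
    by_username = {row["username"]: row for row in existing}
    plan = {"merge": [], "new_record": [], "near_miss": [], "mismatch": [], "orphaned": []}
    for user in aad:
        name = user["username"]
        old = by_username.get(name)  # exact match only, per the assumption above
        if old is None:
            plan["new_record"].append(name)
        else:
            plan["merge"].append(name)
            changed = {f: (old[f], user[f]) for f in ("email", "domain") if old[f] != user[f]}
            if changed:
                plan["mismatch"].append((name, changed))
        for row in existing:
            if row["username"] != name and row["email"].lower() == user["email"].lower():
                plan["near_miss"].append((name, row["username"]))
    aad_names = {user["username"] for user in aad}
    plan["orphaned"] = [row["username"] for row in existing
                        if row["user_source"] == OPAD_SOURCE and row["username"] not in aad_names]
    return plan


def main():
    plan = plan_merge(load(MAAS360_USERS_CSV), load(AAD_USERS_CSV))
    for category, items in plan.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

With the sample data, margaret and jdoe merge, newhire is created as a new record, the local margaret@margaretco.com record is reported as a near miss (it stays a separate record, exactly the situation in the screenshot above), jdoe is flagged because both the email and the domain value change, and bsmith is an OPAD record with no AAD counterpart to clean up afterwards. Run it against your real export before switching User Visibility over, and resolve every near miss and mismatch first.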

 

User Visibility user group considerations when migrating from OPAD User to Azure AD User Groups

When switching from Cloud Extender OPAD to AAD User Visibility, be aware that if you use OPAD user groups for app, policy, compliance rule or document distribution, the users are removed from the MaaS360 OPAD group as the User Source of their MaaS360 user record changes from OPAD to AAD, so they lose the assignments that depend on that group the next time group membership is evaluated. OPAD and AAD User Groups do not merge.
If you are using assignments on Device Groups that select User Groups or Managed User Groups in their conditions, the same behavior applies.

Example of User Source in MaaS360 User Directory

Solution example for an OPAD to Azure AD migration where OPAD groups with MaaS360 policy assignments and distributions lose their users on migration to AAD:

Create a temporary MaaS360 device group with the same assignments as the OPAD user group until the AAD groups are imported into MaaS360.

  1. Export the devices belonging to the OPAD user group in question to a CSV file
    • Go to Devices > Groups
    • Find your OPAD user group and select More > Devices
    • Use Customize Columns in the lower right and add the Device ID column
    • Drag Device ID to the first position, followed by Device Name
    • Export the file to a CSV
  2. Go to Devices > Device Attributes > Manage Custom Attributes > Add Custom Attribute
    • Add a custom text attribute that you can use to identify the different user group names in smart searches
  3. Go to Devices > Device Attributes
    • Review the instructions for adding the custom attribute to the CSV file of devices that you exported from the OPAD user group
    • Select the file to upload that will mark the device records with the custom attribute value
  4. Create a temporary local device group based on the custom attribute using Devices > Advanced Search
  5. Give the device group the same distributions that the OPAD user group had
  6. After the User Visibility source change (OPAD to Azure AD) is complete for your user records, add the Azure AD user group and give it the proper assignments, then decommission the temporary local device group or update the custom attribute using the CSV workflow in step 3.
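Steps 1 to 6 as an added example (this is not IBM code): the Python script below turns one or more OPAD user group device exports into the single CSV that is uploaded under Devices > Device Attributes in step 3, with Device ID in the first column, Device Name second, and the custom text attribute value last, and shows the membership test the temporary device group in step 4 should apply. The export and upload column names, the attribute name OPAD_Group, the ";" separator for a device that belongs to more than one OPAD group, and the sample devices are all assumptions; compare the header against the upload instructions shown in the portal before using it.

```python
"""Build the custom device attribute upload CSV from OPAD user group device exports.

Added example, not IBM MaaS360 code. Assumptions (not documented in the blog):
the group export has "Device ID" and "Device Name" columns; the upload file takes
Device ID first and the attribute value under a column named after the attribute;
a device in several OPAD groups gets the group names joined with ";".
"""
import csv
import io

# Constructed exports from Devices > Groups > <OPAD user group> > More > Devices,
# keyed by the OPAD group name. EF56GH78 is deliberately in both groups.
EXPORTS = {
    "Sales-Users": """Device ID,Device Name,Username,Platform
AB12CD34,Margaret iPhone,margaret,iOS
EF56GH78,JDoe Pixel,jdoe,Android
""",
    "Finance-Users": """Device ID,Device Name,Username,Platform
EF56GH78,JDoe Pixel,jdoe,Android
IJ90KL12,BSmith iPad,bsmith,iOS
""",
}

ATTRIBUTE = "OPAD_Group"   # the custom text attribute created in step 2 (assumed name)
SEPARATOR = ";"


def collect_group_tags(exports):
    """Map Device ID -> (Device Name, sorted list of OPAD group names)."""
    devices = {}
    for group, csv_text in exports.items():
        for row in csv.DictReader(io.StringIO(csv_text)):
            dev_id = row["Device ID"].strip()
            if not dev_id:            # skip blank rows left in the export
                continue
            _, groups = devices.setdefault(dev_id, (row["Device Name"], set()))
            groups.add(group)
    return {dev_id: (name, sorted(groups)) for dev_id, (name, groups) in devices.items()}


def build_upload_csv(exports, attribute=ATTRIBUTE, separator=SEPARATOR):
    """Return the upload CSV text: Device ID first, Device Name, then the attribute."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Device ID", "Device Name", attribute])
    for dev_id, (name, groups) in sorted(collect_group_tags(exports).items()):
        writer.writerow([dev_id, name, separator.join(groups)])
    return out.getvalue()


def matches_group(attribute_value, group, separator=SEPARATOR):
    """Membership test the temporary device group should express in Advanced Search.

    Matching whole tokens rather than a plain substring "contains" keeps a group
    named Sales-Users from also pulling in devices tagged Sales-Users-EMEA; if your
    group names are prefixes of one another, prefer an equals-style condition.
    """
    return group in attribute_value.split(separator)


if __name__ == "__main__":
    print(build_upload_csv(EXPORTS), end="")
```

Upload the resulting file in step 3, then build one temporary device group per OPAD group in step 4 with a condition on the attribute; when the Azure AD groups are imported and assigned, upload a second file that clears the attribute value for those devices to retire the temporary groups.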
