As described here, we are pleased to announce the new synchronization function in D365 version 2.9. We completely rebuilt the sync process and added rules for automatically assigning users to specific OUs.
Since D365 needs to deal with thousands or tens of thousands of users in an AAD, D365 uses a cache layer to deliver a good user experience and performance. Changes made outside of D365 - in the Office 365 portal, via PowerShell or another app - may therefore not be visible immediately in D365.
D365 syncs changes automatically at a specific time interval. With the Sync feature, an admin can manually start a (full) synchronization from Azure Active Directory into D365 at any time, for example after making changes in the O365 portal and wanting to manage the new objects in D365 right away.
In the menu there's a new Sync function that is visible only to portal admins. It opens a page with two sections: "User sync options" and "Start sync" - more about that below.
Clicking the Sync button starts the full synchronization.
Info: To simplify updating, we removed the multiple Sync buttons that previous D365 versions had in the "administrator dashboard", because most portal admins clicked all of them anyway.
The "old" separate buttons no longer exist; they are combined into one "Sync" button.
What is synced and how often?
The following graphic shows the components of Office 365 and D365 and the flow of data. D365 and O365 get data such as users, licenses and security groups directly from AAD. Extended data such as distribution lists, shared mailboxes and aliases has to be requested from other interfaces, for example from Exchange. So D365 collects data from different sources and combines it in one single portal.
The D365 cache layer needs to be updated from time to time.
In D365 there are two ways of synchronization (as mentioned in the introduction):
a) Automatically, by a task (Sync-Job) which syncs all users and licenses periodically. This task usually runs every 4 hours (the default; the interval can be defined individually). So if you wait up to 4 hours, new users show up automatically in D365.
b) Manually, in the D365 portal with the "Sync" function, to force the update now and to sync all data used in D365, such as domains, distribution groups and so on.
In the current versions of D365, the automatic task and the manual Sync function behave slightly differently. The automatic task syncs all users and licenses (because this information changes more often than, for example, domains or groups). The manual task additionally syncs all other objects, such as domains and groups. Both sync tasks understand simple rules for automatically assigning users to one specific OU (see below).
New User Assignment to an OU
New users don't show up in D365 for OU admins, since they don't belong to any OU in D365.
They can be assigned manually by portal admins in the administration function "assign user".
In previous versions this menu was called "assign ou".
Users are selected by marking the checkbox, choosing the desired OU from the dropdown and clicking "Assign OU".
After the assignment, these users show up immediately in the OU admin's user list (if their domain also corresponds to one of the OU admin's domains).
Change the OU of an existing user
Of course, an existing user's OU can be changed: in the "users" list, click "Edit", change the OU to another OU (if your admin user is assigned to more than one OU) and save the user object. That's it.
Manually or Automatically
If new users are added to an organization very often, OU assignment can be an arduous task, because a portal admin has to do the assignment manually. So the idea is that, if this happens only from time to time, a D365 "portal admin" defines manually which users belong to which OU.
For scenarios where users change periodically (for example at franchisers, in education, etc.), the automatic OU assignment was built into the D365 Sync function.
Automatic Assignment to an OU
If the users have special properties set, D365 supports "rules" for automatically assigning users to an OU. This works if the OU name is found in one of the user properties User location, Country or Department, or if the user belongs to a security group with the same name. This is our recommended scenario if new users are created often (and are synchronized).
So a portal admin can define and save these settings (before a Sync-Job is started) on the Sync page in the section "User sync options":
D365 can compare user properties (which are usually synced from AD to AAD if you use hybrid scenarios) with the existing OUs in D365. If a user property string matches an OU name, the user is assigned to that OU automatically. The order is defined by the priority, so D365 compares property 1 before property 2 and so on.
Rules are applied by priority: (none), 1 to 4
How the form works: The priority for the comparison can be set in the dropdown next to each user property. (none) means that D365 does not compare this property with the OUs (this is the default for all properties). The numbers define the priority of the comparison. The comparison is case-insensitive, so "austria" equals "Austria" or "AUSTRIA", and strings are trimmed, so " Belgium" equals "Belgium" and "Italy " equals "Italy" or "italy", etc.
For example (corresponding to the settings in the screenshot above): If a new user "Max" has his usage location set to "Austria" (which, besides, is a requirement for giving him a license in O365) and the sync starts, D365 checks whether there is also an OU with the name "Austria". If yes, "Max" is assigned to the OU "Austria".
If not, the next rule is applied, in our sample the property Country. If there is still no match, D365 checks the third rule, Department, against the OUs. If any OU name is found in one of these three properties, the user "Max" is automatically assigned to that OU.
Security groups are an extended function: If the user belongs to any security group and the option "" (the rule) is set, D365 compares all OUs with the user's group memberships. If an OU with the same name as a group is found, the automatic assignment takes place. So if, for example, "Max" is a member of security groups named "Sales", "Marketing" and "Vienna" and there is an OU in D365 named "Marketing", Max will automatically be assigned to that OU. You cannot influence the order: the groups are sorted (here: Marketing, Sales, Vienna) and the first group found wins.
If none of the comparisons matches, the user remains unassigned - as a new user in D365 - and can be assigned manually on the "assign user" page later by a portal admin.
Additionally, there are some options. By default, the option "import only new users" is set. This means the automatic rules are applied only to users that do not yet exist in D365. Existing users keep their OU assignment untouched (whether it's set or not).
When "overwrite existing users" is ticked, users in D365 who may already have an OU assignment can be overwritten by the automatic import rules. For example, if user "Max" was set to OU "Vienna" before, a rule is set (with the dropdown) and the overwrite option is on, the user will be assigned to OU "Austria" (if that value is in one of his user properties and an OU with that name exists). "Max" is switched from "Vienna" to "Austria" by the Sync operation and the rules and options set.
So this option is there to "correct" OU assignments for existing users in D365 if you think it's useful to update users (who may come from an AD synchronization) depending on their user properties.
To make it clear: Users and all user properties (Names, UPN, etc.) are always updated in all Sync-actions, regardless of OU-settings described here. These functions described here are only used for automatic OU-assignments.
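The rule evaluation described in this section can be modelled in a few lines, which is useful for predicting which OU (and therefore which OU admin's user list) a synced user lands in. This is an added example, not D365 code; the `User` class, the function names and the property keys are assumptions, as are the case-insensitive group sort and keeping an existing OU when overwrite is on but nothing matches.

```python
# Added illustration of the OU assignment rules; not code from D365.
# All names (User, match_ou, assign_ou, property keys) are assumptions.
from dataclasses import dataclass, field
from typing import Optional


def norm(value):
    """Trim and lowercase, so ' Belgium' == 'belgium' == 'BELGIUM'."""
    return (value or "").strip().lower()


@dataclass
class User:
    upn: str
    props: dict = field(default_factory=dict)   # usage_location, country, department
    groups: list = field(default_factory=list)  # security group names
    ou: Optional[str] = None                    # current OU assignment, if any
    is_new: bool = True                         # not yet known to D365


def match_ou(user, ous, priorities):
    """Return the OU selected by the rules, or None if nothing matches."""
    by_name = {norm(ou): ou for ou in ous}
    # Rules set to (none) are skipped; the others run in priority order.
    active = sorted((p, rule) for rule, p in priorities.items() if p is not None)
    for _, rule in active:
        if rule == "security_groups":
            # Groups are sorted by name; the first one that names an OU wins.
            candidates = sorted(user.groups, key=norm)
        else:
            candidates = [user.props.get(rule)]
        for candidate in candidates:
            key = norm(candidate)
            if key and key in by_name:
                return by_name[key]
    return None


def assign_ou(user, ous, priorities, overwrite_existing=False):
    """Apply the rules; existing users change only when overwrite is on."""
    if not user.is_new and not overwrite_existing:
        return user.ou  # "import only new users": assignment stays untouched
    found = match_ou(user, ous, priorities)
    if found is not None:
        user.ou = found  # assumption: no match leaves the current OU as it is
    return user.ou      # None means the user stays unassigned
```
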
Start the Sync
Using Sync is easy: Simply click the "Sync" button. The action starts and shows the progress in the same page even while loading data from the O365 interfaces.
You can see the result immediately by scrolling down. After all processes are finished, you get a report with sections that show the details. The red message shows how many users of the licensed D365 package are assigned to an OU (here 4 users are assigned in a D365 500-user version, so 496 more users can be assigned to an OU).
Each user's status is listed.
So Sync is easy to use: with one click it updates all AAD objects in D365 and, if you want, automatically assigns users to specific OUs.
Enjoy the new D365 portal!
See here for an overview of other new functions in D365 version 2.9!