Getting email addresses from here to there and back again
Active Directory is increasingly the centerpiece technology on which corporate identity strategies depend. Orbiting Active Directory identities are the processes that provision those identities and the applications that then consume the same identities to provide access and services.
The art of successful provisioning is highly contingent on determining the best source of information for the provisioning process to access. In some cases however, elements of that information are not known until well after the root provisioning has occurred. Such is the case when you provision a new Active Directory account and then provision that same Active Directory account with an Exchange mailbox.
Most organizations depend on Microsoft Exchange to evaluate and then determine how to generate proxy addresses for the mailbox created. This is done through recipient policies.
Microsoft Exchange handles address creation in very customizable and flexible ways. This is a useful way to handle collisions, to assign unique domains based on geographical location, and to implement other policy-driven scenarios. By contrast, although the provisioning engine is frequently used to create an email address, account creation is not necessarily the best time to do so.
The problem is that the source of the original information used to provision the Active Directory account has no knowledge of this new address, yet for its own business needs it should in fact have it. For this, we introduce bi-directional synchronization of data. A perfect example is the HRIS system, which will eventually want to know the email address of an employee who was recently provisioned.
In the act of provisioning, the HRIS or other authoritative source is used to create and then update AD user objects. The same source may also be used to identify terminated staff and take appropriate action against the AD user object to ensure the account is properly disabled. This is generally a one-way activity, with the mapped data flowing into Active Directory.
To properly make use of our Synchronize solution, an inverse task is created in which Active Directory is established as the authoritative source and your HRIS (or other system) is the destination. The email address established by the Exchange address policies is then mapped into an existing field that is waiting to be updated.
With ongoing scheduled bi-directional synchronization, the HRIS system will properly reflect address changes even if the recipient policies change.
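The inverse task described above, written out as an added example (this is illustrative code, not GroupID Synchronize's own implementation). It assumes the AD user object and the HRIS record are joined on an employee ID held in the AD `employeeID` attribute, that the HRIS exposes a single writable email column, and that the directory read returns the Exchange-maintained `proxyAddresses` attribute, where the primary address carries the upper-case `SMTP:` prefix and secondaries use `smtp:`. The directory and HRIS data below are constructed stand-ins for an LDAP result set and an HR database table.

```python
"""Reverse (AD -> HRIS) sync of the Exchange-assigned primary SMTP address.

Added example with constructed data; the dictionaries stand in for an LDAP
query result and an HRIS table. The join key (employeeID) is an assumption.
"""

# Constructed sample of AD user objects as an LDAP read would return them.
# Exchange keeps every address in the multi-valued proxyAddresses attribute;
# "SMTP:" (upper-case) marks the primary address, "smtp:" a secondary one.
AD_USERS = [
    {"employeeID": "10001", "sAMAccountName": "jdoe",
     "proxyAddresses": ["smtp:jdoe@corp.example",
                        "SMTP:john.doe@example.com",
                        "X500:/o=Org/ou=Exchange Administrative Group/cn=jdoe"]},
    {"employeeID": "10002", "sAMAccountName": "asmith",
     "proxyAddresses": []},  # account provisioned, mailbox not yet created
    {"employeeID": "10003", "sAMAccountName": "blee",
     "proxyAddresses": ["SMTP:b.lee@example.com"]},
    {"employeeID": "10004", "sAMAccountName": "svc_backup",
     "proxyAddresses": ["SMTP:backup@example.com"]},  # no HRIS row (service account)
]

# Constructed HRIS table keyed by employee ID. The reverse sync may write the
# email column only; every other HR field stays HR-authoritative.
HRIS = {
    "10001": {"email": None},
    "10002": {"email": None},
    "10003": {"email": "b.lee@example.com"},  # already current, must not be rewritten
}


def primary_smtp(proxy_addresses):
    """Return the primary SMTP address from proxyAddresses, or None if absent.

    The prefix check is deliberately case-sensitive: only "SMTP:" is the
    primary address. Secondary "smtp:" entries and other address types
    (X500, X400, SIP) are ignored.
    """
    for entry in proxy_addresses:
        if entry.startswith("SMTP:"):
            return entry[len("SMTP:"):]
    return None


def reverse_sync(ad_users, hris):
    """Map the AD primary address into the HRIS email field.

    Returns (changes, unmatched): changes is a list of
    (employeeID, old_value, new_value); unmatched lists AD accounts with
    no HRIS row. Rules that keep the task safe to schedule repeatedly:
    * AD is the source and HRIS the destination; nothing flows back.
    * No primary address yet (mailbox pending) -> skip; never blank out
      an existing HRIS value.
    * AD objects without an HRIS row -> skip and report; the sync does
      not create HR records.
    * Write only when the value differs, so a second run is a no-op.
    """
    changes = []
    unmatched = []
    for user in ad_users:
        emp_id = user.get("employeeID")
        if emp_id not in hris:
            unmatched.append(user["sAMAccountName"])
            continue
        address = primary_smtp(user.get("proxyAddresses", []))
        if address is None:
            continue
        current = hris[emp_id]["email"]
        if current != address:
            hris[emp_id]["email"] = address
            changes.append((emp_id, current, address))
    return changes, unmatched


if __name__ == "__main__":
    table = {k: dict(v) for k, v in HRIS.items()}
    changes, unmatched = reverse_sync(AD_USERS, table)
    for emp_id, old, new in changes:
        print(f"updated {emp_id}: {old!r} -> {new!r}")
    for name in unmatched:
        print(f"skipped {name}: no HRIS record")
    # A second scheduled run finds nothing to change.
    print("second run changes:", reverse_sync(AD_USERS, table)[0])
```

Once Exchange recipient policies change, the next scheduled run picks up the new primary address for affected accounts and writes only those rows, while accounts whose mailbox has not been created yet are left untouched until the address exists.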
You will quickly realize that Synchronize not only has the ability to onboard new hires and keep the data accurate, but also lets you leverage Active Directory to drive further provisioning against systems that use database-oriented identity stores.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.