MIM, Azure AD Connect and automated licensing: how to optimize the sync process?

Daniel Forsberg 11 Reputation points
2021-11-05T12:11:20.577+00:00

Hi,

I have a customer that uses MIM for provisioning.
They also use Azure AD, and sync is handled by Azure AD Connect.
On top of that we have configured group-based licensing and a script that monitors the license count in order to remove/add licenses depending on group membership.
The script compares the available licenses in Azure with the membership of the on-premises group that controls each license.

This works quite well, but as you can imagine the sync process might take some time.
First, changes in MIM sync every 30 minutes.
Then Azure AD Connect syncs every 30 minutes.
The script that handles licenses runs every 15 minutes.
And then group-based licensing is also evaluated periodically.

The time until a user actually gets a license might be quite long, depending on what syncs when. This is also true if you change the license for a user (switching group membership).
When changing a license the user might end up without a license in between, because each sync runs independently of the others.
In this scenario you will quite often see errors in group-based licensing like "no licenses available" (the license script hasn't run yet), or a false "conflicting licenses" error even though the user has no license at all.

For example, it would be nice if an Azure AD Connect delta sync could be triggered as soon as MIM creates the on-premises AD account or the license for an account is changed.
At the same time the script that monitors licenses could be triggered.
That would potentially save 30 minutes and also minimize the risk of a user ending up without a license.

So how can one optimize this process?

Tags: Microsoft Identity Manager, Microsoft Entra ID
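The "no licenses available" error described in the question appears when group-based licensing tries to assign a license the tenant has not bought enough units of yet. Below is an added example of the kind of check such a license-count script would do; it is not the poster's script and not Microsoft code. It compares, per on-premises licensing group, the group's user count against the tenant's purchased units (shape of Get-MgSubscribedSku output) and reports the shortfall to add, the surplus that could be released, and how many members are still pending assignment (sync lag). The group names, the group-to-SKU mapping, the slack value and the sample counts are constructed placeholders; the live-input helper assumes the ActiveDirectory and Microsoft.Graph modules and a Graph session with Organization.Read.All.

```powershell
# Added example (not the poster's script, not Microsoft code).
# Reports whether each on-prem licensing group fits in the tenant's purchased units.

function Get-LicenseHeadroomReport {
    param(
        [Parameter(Mandatory)] [hashtable] $GroupToSku,        # on-prem group -> SkuPartNumber (assumed mapping)
        [Parameter(Mandatory)] [object[]]  $Skus,              # Get-MgSubscribedSku-shaped objects
        [Parameter(Mandatory)] [hashtable] $GroupMemberCount,  # on-prem group -> user count
        [int] $Slack = 5                                       # spare units to keep before releasing any
    )
    foreach ($group in $GroupToSku.Keys) {
        $skuName  = $GroupToSku[$group]
        $required = [int]$GroupMemberCount[$group]
        $sku      = $Skus | Where-Object { $_.SkuPartNumber -eq $skuName } | Select-Object -First 1
        if (-not $sku) {
            [pscustomobject]@{ Group=$group; Sku=$skuName; Required=$required; Enabled=0; Consumed=0;
                               Shortfall=$required; Pending=$required; Surplus=0; Action='SkuNotInTenant' }
            continue
        }
        $enabled  = [int]$sku.PrepaidUnits.Enabled
        $consumed = [int]$sku.ConsumedUnits
        # Units that must be added before every group member can be licensed;
        # while this is > 0 group-based licensing reports "no licenses available".
        $shortfall = [Math]::Max(0, $required - $enabled)
        # Members the tenant has not licensed yet. With Shortfall = 0 this is just
        # sync lag between MIM, AAD Connect and group-based licensing.
        $pending   = [Math]::Max(0, $required - $consumed)
        # Units beyond Required + Slack that the script could release.
        $surplus   = [Math]::Max(0, $enabled - $required - $Slack)
        $action = if ($shortfall -gt 0) { 'AddUnits' } elseif ($surplus -gt 0) { 'RemoveUnits' } else { 'None' }
        [pscustomobject]@{ Group=$group; Sku=$skuName; Required=$required; Enabled=$enabled; Consumed=$consumed;
                           Shortfall=$shortfall; Pending=$pending; Surplus=$surplus; Action=$action }
    }
}

# Live inputs (assumes ActiveDirectory + Microsoft.Graph modules and Organization.Read.All).
# Not called by default so the constructed sample below runs offline.
function Get-LiveInputs {
    param([Parameter(Mandatory)] [hashtable] $GroupToSku)
    Import-Module ActiveDirectory -ErrorAction Stop
    Connect-MgGraph -Scopes 'Organization.Read.All' | Out-Null
    $counts = @{}
    foreach ($g in $GroupToSku.Keys) {
        # -Recursive so nested groups count; filter to users so nested group objects do not.
        $counts[$g] = @(Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user').Count
    }
    return @{ Skus = @(Get-MgSubscribedSku); GroupMemberCount = $counts }
}

# Constructed sample: LIC-E3 is short by two units, LIC-F3 has surplus.
$map  = @{ 'LIC-E3' = 'SPE_E3'; 'LIC-F3' = 'SPE_F1' }   # example SKU part numbers
$skus = @(
    [pscustomobject]@{ SkuPartNumber='SPE_E3'; ConsumedUnits=98; PrepaidUnits=[pscustomobject]@{ Enabled=100 } },
    [pscustomobject]@{ SkuPartNumber='SPE_F1'; ConsumedUnits=30; PrepaidUnits=[pscustomobject]@{ Enabled=60 } }
)
$counts = @{ 'LIC-E3' = 102; 'LIC-F3' = 31 }
Get-LicenseHeadroomReport -GroupToSku $map -Skus $skus -GroupMemberCount $counts | Format-Table
```

With the sample data the report shows LIC-E3 with Shortfall 2 and Pending 4 (Action AddUnits) and LIC-F3 with Surplus 24 and Pending 1 (Action RemoveUnits). Pending without Shortfall is the transient state the question describes; acting on Surplus while Pending is non-zero is what strands a user without a license, so a real script should release units only when Pending is 0.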

2 answers

  1. Danny Zollner 9,521 Reputation points Microsoft Employee
    2021-11-05T15:42:22.073+00:00

    Azure AD Connect sync interval can't be changed lower than 30 minutes. There's only so much you can do to optimize when there are 4 or 5 different steps running on different intervals. This honestly probably needs a consultant rather than Q&A, but here are some questions to ask:

    1) What does MIM add here? Is it pulling from an LDAP or SQL source that could be connected directly to AAD Connect with a custom config using the generic LDAP/SQL connector? This needs a consultant to configure, FYI.

    2) What does the script do that group based licensing + dynamic groups in AAD cannot do?

    3) Is this a problem solely for new user creation and them gaining initial access, or is this also a problem more regularly with changes in access where licenses need to be added/removed?

    3a) If it's solely a new user creation / initial onboarding issue, what's an acceptable amount of time for it to take for a user to be created and gain any license assignments?
    3b) If it's also a problem for changes in access for existing users, what changes are used as the trigger for the license removals/additions? Group memberships, attributes on the users, etc.? Can these be moved to another more efficient process?


  2. Leo Erlandsson 1,656 Reputation points
    2021-11-08T10:55:43.403+00:00

    Hi,

    Try LithNet AutoSync to get "event-based" syncs in MIM. It should speed up the MIM parts a lot.

    https://github.com/lithnet/miis-autosync

    Theoretically, you could also trigger a manual sync of AAD Connect from an AutoSync script, even though I advise against it.

    Br,
    Leo

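The answer above suggests, with a caveat, triggering an Azure AD Connect sync from a MIM/AutoSync event. The following is an added example of doing that with the guard rails the caveat implies; it is not LithNet AutoSync's code and not Microsoft's. It uses the ADSync module's Get-ADSyncScheduler and Start-ADSyncSyncCycle cmdlets, refuses to force a cycle while the scheduler is disabled, waits rather than colliding with a cycle that is already running, throttles forced cycles so a burst of MIM exports collapses into one, and only then runs the license-count script, so that step sees the same group state group-based licensing will evaluate. It is meant to run on the Azure AD Connect server (or via Invoke-Command to it). The license script path, the stamp file location and the throttle interval are placeholders.

```powershell
# Added example (not LithNet AutoSync or Microsoft code). Forces one AAD Connect delta
# sync after a MIM export, with guards, then runs the license-count script.

function Invoke-DeltaSyncNow {
    param(
        [int] $TimeoutSeconds = 900,   # give a long-running cycle time to finish
        [int] $PollSeconds    = 15
    )
    Import-Module ADSync -ErrorAction Stop
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        # Disabled scheduler usually means maintenance or a staging-mode server; do not override that.
        throw 'AAD Connect scheduler is disabled; not forcing a sync.'
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # Start-ADSyncSyncCycle fails if a cycle is already in progress, so wait for it instead.
    # A cycle that is already running will export the MIM change itself if it started late enough.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the running sync cycle.' }
        Start-Sleep -Seconds $PollSeconds
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds $PollSeconds
    # Block until our delta cycle completes; downstream steps depend on the export having happened.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Forced delta sync did not finish in time.' }
        Start-Sleep -Seconds $PollSeconds
    }
    return (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
}

function Invoke-PostExportChain {
    param(
        [string] $LicenseScript = 'C:\Scripts\Sync-LicenseCounts.ps1',          # hypothetical path
        [string] $StampFile     = "$env:ProgramData\aadc-last-forced-sync.txt",  # hypothetical location
        [int]    $MinMinutesBetweenForced = 5                                    # throttle for bursts of MIM exports
    )
    if (Test-Path $StampFile) {
        $last = [datetime]::Parse((Get-Content $StampFile -Raw).Trim())
        if (((Get-Date) - $last) -lt [timespan]::FromMinutes($MinMinutesBetweenForced)) {
            Write-Verbose 'A forced delta sync ran recently; leaving this change to the scheduler.'
            return
        }
    }
    $next = Invoke-DeltaSyncNow
    (Get-Date).ToString('o') | Set-Content -Path $StampFile
    Write-Verbose "Delta sync done; next scheduled cycle at $next (UTC)."
    # Only now do the on-prem group changes exist in Azure AD, so the license-count
    # adjustment and group-based licensing evaluate the same membership.
    if (Test-Path $LicenseScript) { & $LicenseScript } else { Write-Warning "License script not found: $LicenseScript" }
}

Invoke-PostExportChain -Verbose
```

Call Invoke-PostExportChain from the AutoSync post-export hook for the AD management agent (or from whatever signals that MIM has exported). The throttle matters because Azure AD Connect's own minimum interval is 30 minutes and a forced cycle per user creation during a bulk onboarding would otherwise queue dozens of cycles; with the stamp file, later exports in the same window ride along on the next scheduled cycle instead.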