Synchronization via LDAPS

This is an advanced option that can be used if the default synchronization through the Synchronization via AAD Sync App doesn't meet all your needs, for example, if you need to synchronize "Shared Mailboxes" or if you want to perform profile mapping based on the data.

Requirements

Requires a valid license for Microsoft 365 and Azure Active Directory, including Azure AD Domain Services (AD DS). Additional licensing may be required.
Requires Configured Secure LDAP for the domain managed by Azure AD Domain Services (including a valid or self-signed certificate as a pfx file). Microsoft describes how to configure this at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps.

Implementation via DirSync/LDAPS

Implementing Retarus AAD Sync via LDAPS requires only a few steps:

1. Enable LDAPS access for Microsoft Azure Active Directory

Log in to your Microsoft account via https://portal.azure.com
Go to Azure AD Domain Services, choose Secure LDAP in the settings, and complete the configuration, including your pfx file.
Your IPs must be allowed for port 636 in the aadds-nsg inbound rules Network security group.
To perform an LDAPS query, the admin user must be part of the AAD DC Administrator Group.

2. Perform the LDAP query

For the LDAP query auth user in the Dirsync XML credential section, you can use the bind distinguished name or just the user name.
Example

CODE

<Credential Name="ad_export"
  Description="Connection to Azure ActiveDirectory Server"
  UserId="Your Ldap User" Password="YOUR PASSWORD"
  EnableSSL="false" Compression="OFF" UseDefaultCredentials="false"
  ProxyCredentialName="" Retries="0" HTTPVersion="HTTP11"
  AdditionalOptionName=""
/>

The userID can be either
"CN=Your Ldap User,OU=AADDC Users,DC=subdomain,DC=yourdomain,DC=com"
or just
"Your Ldap user"

Optional: You can use any tool like “Softerra LDAP Browser” on your external Secure LDAP-IP to get an overview of the directory structure. The important part is stored in OU=AADDC Users.
To allow a successful authentication, the AuthType="NONE" needs to be used in the Servers section of the config.

CODE

<Servers>
  <Server Name=”ad_server” Description=”Default AD server”
  ServerAddress=”ldaps.domain.com” Port=”636” PageSize=”1000”
  CredentialName=”ad_export” AuthType=”NONE”
  UseDefaultCredentials=”false” />
</Serv

3. Set up and configure Retarus DirSync

To use the data for Retarus Email Security (e.g., profile mapping, usage for email signature/disclaimer etc.), the DirSync has to be set up (Retarus Implementation engineer) and configured appropriately.

Architecture

The AAD sync via LDAPS is based on the Retarus DirSync service running in your local environment (on-premise). The service uses a secure LDAP connection to access your Azure Active Directory in the cloud, request the required user data (see below), and create a map file that is transferred to Retarus via upload to a dedicated SFTP file share. For details regarding the Retarus DirSync service, please refer to DirSync Client for Windows.

Synchronization data

The sync via DirSync/LDAPS allows to synchronize the following data:

Domains
Email addresses
Alias email addresses
Groups
Shared Mailboxes

The solution allows to:

filter by attributes
use profile mapping
use data for Signature/Disclaimer feature
use User-Based Routing

Please consider the following examples of data that is not being synchronized, because the data is related to Microsoft Exchange and therefore not included/available via Azure Active Directory. Nevertheless, it is possible to get the data using PowerShell; examples are mentioned below:

Group owners defined in Microsoft 365 are not transferred. Group addresses themselves are synchronized (as described above) and treated the same way as other user addresses. Powershell command to retrieve the data:
Get-UnifiedGroup -Identity "Consulting" | Get-UnifiedGroupLinks -LinkType Owner | Select PrimarySmtpAddress
Dynamic distribution groups cannot be synchronized. You may of course manually add these addresses to the Retarus DirFilter Allowlist in order to make sure that emails to those recipient addresses are accepted - or use Powershell to retrieve the data:
Get-EXORecipient -Filter "RecipientType -eq 'DynamicDistributionGroup'" | select PrimarySmtpAddress
Mail-enabled public folders cannot be synchronized. You may of course manually add these addresses to the Retarus DirFilter Allowlist in order to make sure that emails to those recipient addresses are accepted – or use Powershell to retrieve the data:
Get-EXORecipient -Filter "RecipientType -eq 'PublicFolder'" | select PrimarySmtpAddress