Legend
HR: Human Ressource
IAM: Identity Access Management
AD: Active Directory
AADC: Azure Active Directoy Connect
Simplified description of the environment
- The Human Resources [HR] system provides identities to the Identity Access Management [IAM] system.
- The IAM system uses these identities to create user accounts, which are made available to the various IT systems (Active Directory, SAP, …).
- Read Only Active Directory, for the AD -> AADC synchronization.
- Productive Active Directory (Domain for Federated Authentication)
- AADC synchronizes Active Directoy objects from the local (Read Only) Active Directory into the Azure Active Directory.
An error caused a different data status between the Read Only Active Directory domain and the productive Active Directory domain. The license analysis showed these differences in the user accounts. After cleaning up the error and reconciling the data, Microsoft 365 licenses became free.