Active Directory replication in an OAuth2 setting

In a setup where the domain controller (and therefore the Active Directory) is located on an on-site machine while the WorkZone Content Server is installed and runs in an Azure environment, you must still be able to replicate the Active Directory structure from the on-site domain controller to the WorkZone database in the Azure environment.

WorkZone cloud and Active Directory synchronization diagram

Diagram notes

The customer has an on-premise setup that contains their Active Directory servers and data as well as clients. A WorkZone Content Server is also installed on the on-premise site in order to run the WorkZone Active Directory service for synchronization purposes.

The customer setup also includes synchronization with the Azure Active Directory as well as utilization of the Microsoft Office 365 suite in the Azure cloud environment with Azure Active Directory users.

The organizational structure as well as other WorkZone-relevant data from the Active Directory is published to the WorkZone public endpoint.

User authentication is performed in the customer’s Azure Active Directory, where an app registration is used for WorkZone Cloud to authenticate the users.

On the on-premise site, the WorkZone Active Directory service is required in order to synchronize the organizational structure as well as access codes.

Customers connect to the public endpoint. The public endpoint only grants access to WorkZone services such as OData, WorkZone Client, and WorkZone Configurator, but does not grant access to internal cloud infrastructure such as virtual machines and other "hardware" based cloud services.

Differences between on-site and WorkZone cloud Active Directory replication

Running this type of replication in an OAuth2 setting closely resembles running Active Directory replication in an on-site setting, with an on-site domain controller and network users using Windows authentication. There are, however, several important differences, due to the capabilities of Azure Active Directory and to the on-site and Azure environments being separate.

These differences are:

  • The Active Directory replication must be set up to export the Active Directory structure from the on-site domain controller to the WorkZone database in the Azure environment. The export also creates an update task in the WorkZone database in the Azure environment.
    The program used to export the Active Directory structure can be set up as a recurring Windows task, replicating the Active Directory structure at a time that fits your organization's non-working hours, maintenance schedule and backup timetable.
  • A Windows service is installed when the WorkZone Content Server is installed in OAuth2 mode in the Azure environment.
    The service is enabled and started automatically on the WorkZone Content Server. It executes the update task and updates the WorkZone database with the Active Directory structure exported by the Active Directory replication on the on-site domain controller.
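The following PowerShell is an added example, not code from the WorkZone documentation or product, of registering the export program as a recurring Windows scheduled task on the on-premise WorkZone Content Server. The path of the export program, its arguments, the task name, the service account and the run time are placeholders (the page does not name them) and must be replaced with the values from your own installation; the example runs the task under a dedicated domain account rather than an administrator, refuses to overlap runs, and shows how to check the result of the last run.

```powershell
# Added example (not from the WorkZone documentation): register the Active Directory
# export program as a recurring Windows scheduled task on the on-premise server.
# All values below are placeholders; replace them with those of your installation.

$ExportExe  = 'C:\WorkZoneAD\ExportActiveDirectory.exe'   # placeholder: export program
$ExportArgs = '/log "C:\WorkZoneAD\logs\export.log"'       # placeholder: its arguments
$TaskName   = 'WorkZone AD Replication'                    # placeholder task name
$RunAsUser  = 'CORP\svc-wz-adsync'                         # placeholder dedicated domain account
$RunAt      = '02:00'                                      # outside working hours and the backup window

# Fail early if the export program is missing. A task pointing at a non-existent binary
# is otherwise only noticed when the update task never shows up on the Azure side.
if (-not (Test-Path -Path $ExportExe -PathType Leaf)) {
    throw "Export program not found: $ExportExe"
}

$action = New-ScheduledTaskAction -Execute $ExportExe -Argument $ExportArgs `
    -WorkingDirectory (Split-Path -Path $ExportExe -Parent)

# Daily trigger; adjust the schedule to your maintenance window.
$trigger = New-ScheduledTaskTrigger -Daily -At $RunAt

# Never start a second export while one is still running, stop a hung run well before
# the next window, and catch up if the server was off at the scheduled time.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

# Prompt for the service account password instead of keeping it in the script. The
# account only needs read access to the directory and write access to the export
# location; -RunLevel Limited keeps it from running elevated. A group Managed Service
# Account would remove the stored password entirely.
$cred = Get-Credential -UserName $RunAsUser -Message "Password for the replication task account"

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Limited -Force

# Verify the registration and inspect the last run (LastTaskResult 0 means success).
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Run the script once in an elevated PowerShell session on the on-premise server; afterwards, `Get-ScheduledTaskInfo` can be used from any session to confirm that the export ran in the expected window before you check for the corresponding update task in the WorkZone database in Azure.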

See Also

Setting up replication for an OAuth2 environment

Updating the WorkZone database

Automation of active directory replication