Recommended usage

The following table lists the IAM plugins that connect to MSAD and states the intended usage of each (columns: Plugin Name, Description, Recommended for Use-Case):

Active Directory Connector

  Description:
    General purpose plugin used to connect to MSAD for several purposes.
    Usually this is the only IAM plugin required to connect to MSAD.

  Recommended for use-cases:
    • Check user password
    • Change user password
    • Set user password by administrator
    • Check if user account exists
    • Check account state on MSAD
    • Read users' roles/groups
    • Read and write user profile data
    • Import accounts from MSAD into IAM database

Active Directory Password Repository

  Description:
    Used in flow-based authentication for password check and change.

  Recommended for use-cases:
    • Check password
    • Change password

Active Directory Password Policy (+ Connector)

  Description:
    Checks whether a password meets the requirements of the MSAD password policy.

  Recommended for use-cases:
    • Change password
    • Set password by administrator

As a rule of thumb, the following setups are recommended.

When authenticating users with:

  • Username and password only: MSAD can be used as the sole authentication and persistence back-end (no IAM database needed).
  • Two factors: MSAD should only be used to check the password. Second factors should be checked using the IAM database.