We are currently using CRM Online that is Cloud Managed Identity. All users were created and are currently managed in the cloud, and the account logins use our registered email domain (which is hosted at a different service provider). We plan to add SharePoint in the future, and I am planning our Directory Integration.
Again, the only resources using Azure AD are Dynamics CRM and SharePoint.
I am planning to use Directory Sync with Password Sync, and I plan to configure this using Azure AD Connect.
Our onsite (internal) AD Domain is XXXXXX.com (or) XXXXXX\UserName. This domain is not routable on the internet.
Our Email Domain is XX-XXXX.com
Questions:
I have determined that my options are to either add a UPN alias to the domain and switch selected or all users over to this, _OR_, define an Alternate Login ID Attribute.
Since all of the user accounts in the cloud are using the email address to log in, I am assuming that my best alternitive is to use the alternate attribute option defined as [mail] on our local AD when configuring the Directory Synchronization. I am leary of switching users UPN because that would also effect access to local resources and create unnecessary confusion. Am I correct in my understanding of this part of my planning?
My second concern is about the Security Groups in my local AD. If I choose the [Mail] attribute stated above to sync the users, do the Security Groups also use this method, or are they somehow treated differently? I don't see any way to change the UPN of a Security Group, but there is an Eamil field on the General tab. I would have to populate that with an address if that is the requirement.
Thanks in advance for your reccomendations and advice!
JC