Azure/EntraID and Activate
Activate can be hosted on premises, in a customer-managed cloud, or in a hybrid configuration. The platform is designed for flexibility and integrates tightly with identity, access, and security systems to support both traditional and modern enterprise environments.

Hosting overview

On-premises hosting

All components are installed within the customer's on-premises infrastructure. This model provides full control over configuration, network security, and system integration. It is typically used where:
- direct integration with on-premises Active Directory and Exchange is required
- strict data residency or compliance policies exist
- cloud connectivity is restricted or not permitted

Cloud hosting

Activate can also be deployed to a dedicated virtual machine in a customer-managed cloud environment such as Azure or AWS. This allows organisations to benefit from cloud scalability while maintaining control of their environment. To ensure reliable integration with identity systems, cloud-hosted Activate servers must have secure, low-latency connectivity to Active Directory, Microsoft Entra ID and related services.

Hybrid deployments

Most enterprise environments use a hybrid model, combining Active Directory with Microsoft Entra ID through Microsoft Entra Connect. This approach aligns with Microsoft's recommended best practice for identity management and allows Activate to manage both on-premises and cloud-based resources in a unified manner. Activate requires membership of the Active Directory domain or Microsoft Entra ID tenant it manages, whether hosted on premises or in the cloud.

Integration with Microsoft 365 and Azure

Activate integrates directly with Microsoft Entra ID and Azure to provision, manage, and synchronise user and service data. Integration is achieved through a combination of Microsoft Graph and remote PowerShell; new functionality is continually added as Microsoft extends the Graph API.
- Microsoft Graph API – preferred for modern, secure, and high-performance integration
- Remote PowerShell – used where Graph does not yet support required functionality
- Virtual LDAP connector – provides LDAP-style access to Microsoft Entra ID through Graph (introduced in v7.1.1)

Over time, Activate is transitioning all Microsoft integrations to the Graph API in line with Microsoft's roadmap.

Supported Microsoft modules

The following Activate modules integrate with Microsoft 365 and Azure to automate provisioning and access management. Each requires Activate to be registered in the Azure tenant as an application registration.

[Table: supported Activate modules for Microsoft 365 and Azure]

The exact configuration depends on the organisation's Microsoft 365 and Azure integration model.

Group and directory management

Activate supports group and access management for both on-premises and cloud-based environments. Where hybrid identity is used, the recommended approach is to manage groups locally and synchronise changes to Azure via Microsoft Entra Connect. This approach:
- simplifies management and troubleshooting
- reduces dependency on remote APIs
- maintains consistency between on-premises and cloud directories

The exception is the Microsoft Teams Manager module, which manages Microsoft Teams and their associated Azure groups directly via Graph.

Azure group types

Microsoft supports several types of groups in Azure. The following table summarises their common uses and management options (refer to https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0 for details).

[Table: Azure group types, common uses and management options]

Recommendations
- Manage traditional distribution groups on premises and synchronise via Microsoft Entra Connect where possible.
- Use Microsoft 365 groups instead of legacy distribution groups for collaboration and email.
- Where required, Activate supports management of Azure-only distribution groups via remote PowerShell.
- Avoid removing the final on-premises Exchange server if Microsoft Entra ID synchronisation is in use.

Maintenance and updates

Azure and Microsoft Entra ID continue to evolve at a rapid pace. To ensure continued compatibility with Microsoft API changes and security updates, we recommend that organisations apply the latest Activate update every 6–9 months.
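The group-type and hybrid-management guidance above can be checked against what Microsoft Graph actually returns for a tenant's groups. The following is an added example (not Activate's own code or the page's table): it classifies Graph `/groups` objects by their documented `groupTypes`, `mailEnabled`, `securityEnabled` and `onPremisesSyncEnabled` attributes and reports where each group should be managed under the page's recommendations; the sample objects are constructed and the string labels are this example's own.

```python
# Added example, not part of the Activate documentation: classify Microsoft Graph
# /groups objects and decide where each should be managed under the page's hybrid
# guidance. Attribute names are the documented Graph group resource properties.
from typing import Dict, List, Tuple

ON_PREM = "on-premises AD, synchronise via Entra Connect"
GRAPH = "Microsoft Graph"
REMOTE_PS = "remote PowerShell (Azure-only distribution group)"

def classify_group(g: Dict) -> str:
    """Map one Graph group object to its Entra ID group type."""
    types = g.get("groupTypes") or []
    mail = bool(g.get("mailEnabled"))
    sec = bool(g.get("securityEnabled"))
    if "Unified" in types:
        return "Microsoft 365 group"   # mailEnabled true, securityEnabled false
    if sec and mail:
        return "mail-enabled security group"
    if sec:
        return "security group"
    if mail:
        return "distribution group"
    return "unknown"

def management_path(g: Dict) -> str:
    """Synced groups are authoritative on premises; cloud-only distribution
    groups need remote PowerShell; everything else goes through Graph."""
    if g.get("onPremisesSyncEnabled"):
        return ON_PREM
    if classify_group(g) == "distribution group":
        return REMOTE_PS
    return GRAPH

def plan(groups: List[Dict]) -> List[Tuple[str, str, str]]:
    """(displayName, group type, management path) for every group."""
    return [(g["displayName"], classify_group(g), management_path(g)) for g in groups]

# Constructed sample of what GET /groups might return in a hybrid tenant (not real data).
SAMPLE_GROUPS = [
    {"displayName": "Sales-DL", "groupTypes": [], "mailEnabled": True,
     "securityEnabled": False, "onPremisesSyncEnabled": True},
    {"displayName": "Project-Team", "groupTypes": ["Unified"], "mailEnabled": True,
     "securityEnabled": False, "onPremisesSyncEnabled": None},
    {"displayName": "Cloud-Newsletter", "groupTypes": [], "mailEnabled": True,
     "securityEnabled": False, "onPremisesSyncEnabled": None},
    {"displayName": "VPN-Users", "groupTypes": ["DynamicMembership"],
     "mailEnabled": False, "securityEnabled": True, "onPremisesSyncEnabled": None},
]

if __name__ == "__main__":
    print(*plan(SAMPLE_GROUPS), sep="\n")
```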