A (Non) Profitable Journey – Part 5

One BIG feature of Server 2012 R2 Essentials (either the full-on Essentials install or the Essentials role) is the built-in ability to integrate your local Windows user accounts with your Office 365 accounts. To be clear, this is not exactly the same as the full-on “DirSync” abilities that Microsoft offers admins who want to set up one-way or even two-way account (Active Directory) sync with Office 365. This is also not “single sign on”; think of it as “same sign on”. It is a simple password sync affair whereby a password change made at the Windows level will cause the password to “bubble up” to the user’s Office 365 account. There is some information that Windows “sees” back from Office 365, such as a list of the Distribution Groups the user is a member of in Office 365. The really nice thing about this feature is that it is very simple to implement; there is none of the complexity associated with DirSync and the other available sync tools.

So, what do you need to know in order to implement the link between Essentials and Office 365? It’s pretty simple. First, you need to have your Office 365 domain set up and in place (Essentials does have tools to walk you through the Office 365 tenancy setup, but I think you are better off having this in place first, as Office 365 has evolved a lot since the “setup” tools were baked into Server 2012 R2 Essentials). Second, you should enable the STRONG password policy in Essentials, as it will be enabled by the O365 connector anyway. Your best bet is to alert your users ahead of time and get everyone’s password set before you enable the O365 link.

image

Once you have the password policy in place and everyone sorted, you can go through the process of establishing the link. You do all of the following steps from the Essentials Dashboard:

image

image

image

image

image

NOTE: The User name must be an O365 login for an account with administrator rights inside your O365 tenancy!

image

And as you can see, the Wizard definitely switches on the Strong password policy (this displays even if you have the Strong policy already enabled).

image

image

image

image

image

image

After you restart the dashboard you’ll see there is now a link enabled to Office 365. Clicking on it will display information similar to the following:

image

Clicking on Users will display something similar to the following:

image

I’m now going to enable Sam Beagle’s account for password sync with O365 by right-clicking on her account:

image

image

The above screen is important as there is a BIG difference between CREATING an account (new account in O365) and ASSIGNING an account in O365 (linking to Windows account)! I’m going to ASSIGN an account:

image

image

The message above about Windows prompting Sam to change her password the next time she logs in to Windows can be overridden. I had actually previously set up password sync to O365 on my server and had Sam set up and there was no prompt the first time through as I created her account and linked to O365 all at once. If you have already put the strong password policy in place and DON’T want users to have to change their password again, you can go into Active Directory Users and Computers (ADUC) on the server, open the account and UNCHECK the “User must change password at next logon” box to stop the forced password change.

image
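The same check box can be inspected and cleared from PowerShell instead of ADUC. This is an added example, not part of the original post; it assumes the ActiveDirectory module is available on the server, and the logon name `sbeagle` is a constructed sample.

```powershell
# Added example (not from the original post).
# Assumes the ActiveDirectory module is installed, as on a domain controller.
Import-Module ActiveDirectory

# Constructed sample: logon names of the accounts being linked to Office 365.
$usersToLink = @('sbeagle')

# Show the domain password policy in effect, to confirm the strong policy
# is really applied before touching any account flags.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge |
    Format-List

foreach ($name in $usersToLink) {
    try {
        $user = Get-ADUser -Identity $name -Properties pwdLastSet, PasswordLastSet -ErrorAction Stop
    } catch {
        Write-Warning "Account '$name' not found: $($_.Exception.Message)"
        continue
    }

    # "User must change password at next logon" is stored as pwdLastSet = 0.
    if ($user.pwdLastSet -eq 0) {
        Write-Output "$name : change-at-next-logon is SET, clearing it"
        # -WhatIf only previews the change; remove it to apply.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false -WhatIf
    } else {
        Write-Output "$name : flag not set (password last set $($user.PasswordLastSet))"
    }
}
```

Run it from an elevated PowerShell session on the server; with `-WhatIf` in place nothing is modified, so the output can be reviewed before the flag is actually cleared.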

That’s it! Password sync is in place and there is some info that flows back to Essentials from O365:

image

The above is an example of info flowing back to Essentials from O365.

I think this is a great tool/feature that helps to simplify both your life as an admin and the users’ lives as there is one less password to remember and one less place you have to go to change passwords. Sweet!