Scenario
- Your users were originally configured in the Cloud.
- You did NOT set up SSO with ADFS
- You currently have two password policies to manage (in the Cloud and in your local Domain)
- Your users have two passwords to keep track of; 1 for Office 365 and 1 for their domain login
This can be a mess to manage.
As of June 2013 DirSync (the Office 365 Directory Synchronization tool) added “password sync” to its list of features. This enables local Active Directory user passwords to be synced to (and matched against) Office 365. With DirSync configured, the source of authority becomes Active Directory and users are managed and mastered “on-premises”. There is now only ONE password policy to manage and only ONE password for users to remember.
How is all this accomplished?
DirSync + SMTP Matching (the process of matching an on-premises user to a cloud identity using the Primary SMTP address)
Here’s how to do it
1. Prepare your Active Directory OUs
- Identify the OUs where most of your existing Office 365 users reside OR create new OUs and move all Office 365 users into them. The idea is that once you switch on DirSync you only sync the objects that will be licensed or used as resources in the Cloud.
- DirSync lets you filter by OU or by User for synchronization, but OU filtering is by far the easiest to accomplish.
- DirSync will sync all Users, Groups and Mail-Enabled Contacts in the scope you select, if they are present.
This PowerShell command captures your local AD users so you can compare them against your existing Office 365 identities (the module import is only needed if the ActiveDirectory module is not already loaded):
Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=Users,DC=Company,DC=local" -Filter * -Properties EmailAddress | Select-Object -Property Name,SamAccountName,EmailAddress | Sort-Object -Property Name | Export-Csv -Path C:\Users.csv -NoTypeInformation
2. Review your existing Office 365 Users
- You will need to compile a list of current Office 365 users and their respective UPNs
- Each user in AD that will be soft matched to Office 365 will need the same email address and UPN configured to prepare for synchronization
- The UPN needs to be the routable domain name as configured in O365 for each user
- If your local AD is configured with an internal suffix (e.g. .local or .intranet) then simply add the routable domain as an alternate UPN suffix
NOTE: if your company cannot change the UPN suffix (is bound to the use of the non-routable domain name) then please check out this article on configuring Alternate Login IDs
Example:
If Office 365 user John Smith is identified as [email protected], then the local AD account for John Smith must also have [email protected] configured as his email address if it is not already present in the user properties.
This PowerShell command captures your existing Office 365 user names and UPNs, which you will compare against the local AD list from step 1 (run Connect-MsolService first if you have not already authenticated):
Connect-MsolService
Get-MsolUser | Select-Object -Property UserPrincipalName,DisplayName,IsLicensed | Export-Csv -Path C:\Office365_users.csv -NoTypeInformation
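The comparison described in steps 1 and 2 can be scripted rather than done by eye. The following is an added example, not part of the original post: it reads the Office 365 export produced above, queries the AD OU directly, and reports which on-premises accounts will not soft match and why. The OU path, CSV path and routable domain are placeholders you must replace.

```powershell
# Added example: pre-flight check for SMTP soft matching before enabling DirSync.
# Placeholders (assumptions): adjust the OU, the O365 export path and the routable domain.
Import-Module ActiveDirectory
$SearchBase     = 'OU=Users,DC=Company,DC=local'   # placeholder: OU you will sync
$O365Export     = 'C:\Office365_users.csv'         # export from step 2
$RoutableDomain = 'company.com'                    # placeholder: your verified O365 domain

# Index the cloud users by UPN, case-insensitively
$cloudByUpn = @{}
foreach ($u in (Import-Csv -Path $O365Export)) {
    if ($u.UserPrincipalName) { $cloudByUpn[$u.UserPrincipalName.ToLower()] = $u }
}

# Pull the attributes soft matching depends on: primary SMTP (mail) and UPN
$adUsers = Get-ADUser -SearchBase $SearchBase -Filter * -Properties EmailAddress, UserPrincipalName

$report = foreach ($ad in $adUsers) {
    $mail = if ($ad.EmailAddress)      { $ad.EmailAddress.ToLower() }      else { '' }
    $upn  = if ($ad.UserPrincipalName) { $ad.UserPrincipalName.ToLower() } else { '' }
    $status =
        if (-not $mail)                                   { 'NoEmailAddress' }   # nothing to match on
        elseif (-not $mail.EndsWith("@$RoutableDomain")) { 'NonRoutableSuffix' } # fix mail attribute
        elseif ($upn -ne $mail)                           { 'UpnDiffersFromMail' } # add/alter UPN suffix
        elseif (-not $cloudByUpn.ContainsKey($mail))      { 'NoCloudMatch' }     # new user will be created
        else                                              { 'WillSoftMatch' }
    [pscustomobject]@{
        Name           = $ad.Name
        SamAccountName = $ad.SamAccountName
        EmailAddress   = $ad.EmailAddress
        UPN            = $ad.UserPrincipalName
        Status         = $status
    }
}

# Show only the accounts that still need work, then keep the full report for the record
$report | Where-Object { $_.Status -ne 'WillSoftMatch' } | Sort-Object Status, Name | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\SoftMatch_Report.csv' -NoTypeInformation
```

Anything listed as NoCloudMatch will be created as a new cloud user on the first sync rather than matched, so review that group before you run the full import in step 6.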
3. Enable AD Synchronization and download Dirsync
- Log into Microsoft Online Portal
- Select Users and Groups
- Select Active Directory Synchronization: Set up
- Select Activate (could take up to 24 hours to complete)
- Download Dirsync from Option 4
4. Install DirSync
- Must be installed on a domain joined system that has access to all Domain Controllers
- Can be installed on a Domain Controller
- Must be installed on a 64-bit system (Windows Server 2008 or higher)
- Can be a virtual machine
This is a good article describing how to install Dirsync
NOTE: If you opt to install it on a Domain Controller pay close attention to step 6 in this article
- De-select the “Start Configuration Wizard Now” checkbox
- Log-off (not restart) from your current session
- Launch the “Directory Sync Configuration” application and proceed as below
**IMPORTANT:** Deselect the “Synchronize your directories now” box once DirSync has finished installing. You first need to configure DirSync for OU and/or User filtering depending on how you have set up your AD OU structure in Step 1.
5. Configure DirSync OU and/or User filtering so that only relevant objects are synced to Office 365
- On the server where you installed DirSync, copy miisclient.exe or make a shortcut to it on the desktop
- C:\Program Files\Common Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe
- C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\DirSyncConfigShell.psc1
- Open miisclient and configure the OU and/or User filtering for your Domain
NOTE: If you are using the latest version of DirSync, the DirSyncConfigShell.psc1 is no longer available. To run Start-OnlineCoexistenceSync between Office 365 and on-premises AD you will need to open PowerShell as Administrator and run Import-Module DirSync. Once the module is imported you will be able to execute the synchronization.
6. Launch a full synchronization from the miisclient.exe
- At this point you are ready to kick off a Full Import from on-premises AD to O365, which will “soft match” existing users and change the source of authority from O365 to on-premises AD. You can use the miisclient GUI or PowerShell with the imported DirSync module as stated above.
- Verify the update process was successful via the DirSync Operations window (look at the Windows Azure Active Directory Connector Full Import Sync)
- Also verify in the Windows Event Logs that the passwords have been properly synchronized: Event 656 is the password change request and 657 is the change result.
- Verify in the O365 Admin console under Users and Groups that the previous state for users, “In cloud”, has now changed to “Synced with Active Directory”
- Lastly, filter for Unlicensed Users and assign licenses in the Office 365 Administration Portal if any new users were synchronized
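The event-log check above can be scripted so that a failed password sync for any account is not missed. This is an added example, not from the original post; it assumes the 656/657 events are written to the Application log by the “Directory Synchronization” source and that a 657 result message contains the word “Success” when the password was accepted (verify both against an event on your own server before relying on it).

```powershell
# Added example: review DirSync password sync events (656 = change request,
# 657 = change result) and flag results that do not report success.
# Assumptions: Application log, provider 'Directory Synchronization',
# and 'Success' appearing in a successful 657 message. Check these on your server.
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 656, 657
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No password sync events found since $Since; was password sync enabled and a change made?"
    return
}

$requests = @($events | Where-Object { $_.Id -eq 656 })
$results  = @($events | Where-Object { $_.Id -eq 657 })
$failed   = @($results | Where-Object { $_.Message -notmatch 'Success' })

"Password change requests (656): $($requests.Count)"
"Password change results  (657): $($results.Count)"
"Results without success:        $($failed.Count)"

# Every request should have a matching result; a gap means a change never completed
if ($requests.Count -ne $results.Count) {
    Write-Warning "Request/result counts differ; review the sequence below in time order."
}

# Time-ordered view with the first message line, enough to see which DN each event refers to
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

foreach ($e in $failed) {
    Write-Warning "Password sync result without success at $($e.TimeCreated): $($e.Message)"
}
```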
Voila… less to manage and one place to manage it!