
Table of Contents

Introduction
Azure ADSync Requirements/Prerequisites:
  Software Requirements
  Hardware Requirements
Service Accounts for Azure AD Sync Tool
  On Premises Service Account to connect to AD DS:
  Office 365 Service Account:
Azure AD Sync Installation
Azure AD Sync Filtering Types
  OU Based Filtering
  Domain Based Filtering
  Attribute Based Filtering
    Inbound Filtering
    Outbound Filtering
Azure AD Synchronization using PowerShell
  Azure AD Full Synchronization
  Azure AD Delta Synchronization
  Azure AD Password Synchronization
  Verifying Manual Synchronization
Change Default Sync time of Azure AD Sync
  Default Synchronization

Introduction

This guide walks you step by step through installing and configuring the Azure AD Sync tool to synchronize on-premises identities with Office 365. You can download the most recent version of Azure AD Sync from the Microsoft website. Azure Active Directory Sync is the new synchronization service that allows customers to do the following:

- Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2.
- Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!).
- Configure multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant.

More details on the Azure AD Sync tool can be found on TechNet.

Azure ADSync Requirements/Prerequisites:

Software Requirements

- Windows Server 2008, 2008 R2, 2012 or 2012 R2
- .NET Framework 4.5 installed
- PowerShell (preferably PS3 or better)
- An account with local administrator privileges on the computer where Azure AD Sync is installed

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server) is installed and the service account for the service is created on the local machine. SQL Server Express has a 10 GB size limit, which allows you to manage approximately 100,000 objects.

Hardware Requirements

Microsoft recommends sizing the hardware according to the number of objects you want to synchronize with Office 365. The recommended hardware requirements for the Azure AD Sync tool, by number of objects, are published by Microsoft. Ref: https://msdn.microsoft.com/en-us/library/azure/jj151831.aspx?f=255&mspperror=-2147217396

Service Accounts for Azure AD Sync Tool

We need two service accounts for the Azure AD Sync installation:

1. A local Active Directory user account
2. An Office 365 user account (Global Admin rights)

On Premises Service Account to connect to AD DS:

The on-prem service account is required to read user information from the local Active Directory. Additional permissions are required for password write-back and other optional features of the Azure AD Sync tool. To create the service account in the local Active Directory, log on to any writable domain controller and follow the steps below. With an admin account, create a user account in AD for the AAD Sync service account.

Once the Active Directory account is created, log in to the Azure AD Sync server and add the newly created AD account to the local Administrators group on the AAD Sync server.

Log off the AAD Sync server and log in to the domain controller to assign the appropriate permissions to the AAD Sync service account. The on-prem service account requires the Replicating Directory Changes and Replicating Directory Changes All permissions in the local Active Directory. To assign these permissions, make sure that Advanced Features are enabled for the domain.

Configure the Reset Password and Change Password extended rights for the AAD Sync service account in Windows Server 2012 R2. To assign the permissions, right-click the domain name > Properties > Security.
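The Replicating Directory Changes rights granted above allow the holder to replicate the whole directory, so it is worth confirming that only the intended accounts hold them. The following PowerShell audit is an added example, not part of the original guide; it assumes the ActiveDirectory module is available and that MSTECHTALK\AAD is the sync service account.

```powershell
# Added example (not from the original guide): list every principal that holds the
# Replicating Directory Changes / Replicating Directory Changes All extended rights
# on the domain naming context, so the AAD Sync account can be confirmed and any
# unexpected holder investigated. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$anyRight = [Guid]::Empty.ToString()   # ACE not scoped to a single right

# Principals expected to hold the rights besides the built-in ones.
# Assumption: the sync service account used in this guide; adjust to your own.
$expected = @('MSTECHTALK\AAD')
$builtIn  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $objType = $ace.ObjectType.ToString()
    $rights  = $ace.ActiveDirectoryRights.ToString()
    $grants  = $null
    if ($replicationRights.ContainsKey($objType)) {
        # ACE scoped to exactly one of the two replication rights
        $grants = $replicationRights[$objType]
    } elseif ($objType -eq $anyRight -and
              ($rights -match 'GenericAll' -or $rights -match 'ExtendedRight')) {
        # Unscoped GenericAll / ExtendedRight implies both replication rights
        $grants = 'All extended rights (includes both)'
    }
    if ($grants) {
        [PSCustomObject]@{
            Identity  = $ace.IdentityReference.Value
            Grants    = $grants
            Inherited = $ace.IsInherited
        }
    }
}

$holders | Sort-Object Identity, Grants | Format-Table -AutoSize

# Anything that is neither a domain controller group, a built-in principal nor an
# expected account deserves a closer look.
$unexpected = $holders | Where-Object {
    $_.Identity -notin $expected -and
    $_.Identity -notin $builtIn -and
    $_.Identity -notmatch 'Domain Controllers$'
}
if ($unexpected) {
    Write-Warning 'Unexpected holders of replication rights:'
    $unexpected | Format-Table -AutoSize
}
```

Run it again after the AAD Sync account has been granted its rights: the account should appear exactly once per right and nothing else should be flagged.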

Additional rights that are required for the service account to use the write-back feature:

Object Type          Data source attribute      Permission / Access Right   Inheritance
Contact              proxyaddresses             Write                       The child objects only
Group                proxyaddresses             Write                       The child objects only
User/InetOrgPerson   msexcharchivestatus        Write                       The child objects only
User/InetOrgPerson   msexchblockedsendershash   Write                       The child objects only
User/InetOrgPerson   msexchsaferecipientshash   Write                       The child objects only
User/InetOrgPerson   msexchsafesendershash      Write                       The child objects only
User/InetOrgPerson   msexchucvoicemailsettings  Write                       The child objects only
User/InetOrgPerson   msexchuserholdpolicies     Write                       The child objects only
User/InetOrgPerson   proxyaddresses             Write                       The child objects only

Office 365 Service Account:

The Office 365 service account is used to read and write user information in Office 365 Active Directory (Azure Active Directory). The Office 365 account needs to be a global admin, and as a best practice its password expiry should be set to never expire. Create a user account in Office 365 and assign global admin rights to the account.

Set the password to never expire using the PowerShell cmdlet: Set-MsolUser -UserPrincipalName syncaccount@contoso.com -PasswordNeverExpires $True

Now that the prerequisites for the Azure AD Sync tool are in place, we are ready to start the installation.

Azure AD Sync Installation

To install the Azure AD Sync tool, log in to the sync server using the on-prem local Active Directory service account. In our case, the local Active Directory service account name is AAD@mstechtalk.com. You can download the most recent version of Azure AD Sync from the Microsoft website. If there are 100,000 or fewer objects in AD to sync to Office 365 you can use SQL Express; if more objects are needed, a full version of SQL Server is required. The minimum recommended hardware requirements for the synchronization server in relation to the number of objects in your on-premises Active Directory can be found on TechNet. It is recommended that you use a separate machine for the Azure AD Sync tool installation; the Azure AD Sync tool should not be installed and configured on a domain controller or an AD FS server. Let's get started with the installation of the Azure AD Sync tool. To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe. Once you run the executable, click Yes on the User Account Control pop-up to start the process.

Windows Azure AD Sync setup will begin; specify the path to install the tool. In our case, we are using the default installation path. Once you click Install, Azure AD Sync will start installing components such as SQL Express and the connectors.

After the required components are installed, you will be prompted with the screen below to provide your Azure AD credentials. These need to be your Office 365 Global Admin credentials. We are using AzureAD@UCTechTalk.onmicrosoft.com as the service account, which we have already created in Office 365.

After connecting to Office 365 using the Global Admin credentials, the next screen asks for your on-prem Active Directory account credentials. In our case, we have already set up a service account in our local Active Directory and we will use the same account here, as shown below.

After providing the credentials, click Add Forest and the Active Directory forest will be added as shown below. Repeat the same steps to add multiple forests.

The next screen is User Matching, where you define the criteria used to uniquely identify your users. We are using the default settings. The next screen lets you choose the Optional Features, including the new features that come with the Azure AD Sync tool.

Once you have entered all the information and the tool is able to connect to both the on-prem AD and Office 365 using the credentials provided during the configuration, click Configure to start the configuration.

Once the configuration is complete, click Finish and the wizard begins synchronizing on-prem identities with Office 365.

To verify that the users have been synchronized with Office 365, log in to Office 365 > Users > Active Users and check the last sync time and status. By default, the Azure AD Sync tool synchronizes with Office 365 every 3 hours. This interval can be changed at any time.

The Azure AD Sync tool is now installed. It is time to configure the filtering options so that only the users we want to sync are synchronized with Office 365.

Azure AD Sync Filtering Types

The Azure AD Sync tool supports three types of filtering; choose the type based on your requirements:

- OU Based Filtering
- Domain Based Filtering
- Attribute Based Filtering

You can enable filtering in Azure AD Sync at any time. If you have already run the default directory synchronization configuration and then configure filtering, the objects that are filtered out are no longer synchronized to Azure AD. As a result, any objects in Azure AD that were previously synchronized but are now filtered are deleted from Azure AD. If objects were inadvertently deleted because of a filtering error, you can re-create them in Azure AD by removing your filtering configuration and synchronizing your directories again.

OU Based Filtering

With organizational unit based filtering, you can explicitly specify which OUs synchronize with Office 365. In our case I have synchronized only two OUs with Office 365: Users and Admin Users. To set up OU filtering, follow these steps. Log in to the sync server using the local Active Directory service account for Azure AD Sync. In our case we are using AAD@mstechtalk.com as the service account and I have logged in to the server with it. Browse to C:\Program Files\Microsoft Azure AD Sync\UIShell and run MIISClient.

After running the client, click Connectors to modify the connectors for filtering.

Select the on-prem AD connector and go to Properties > Configure Directory Partitions > Containers. The on-prem connector type will always be Active Directory Domain Services.

Uncheck the OUs that you do not want to synchronize. By default all OUs are selected.

Click OK and close MIISClient. OU filtering has been set.

Domain Based Filtering

At times you need to work with multiple domains, in a large organization or one with multiple business units. A common scenario is that one business unit moves to Office 365 while the rest remain on their existing systems. Requirements such as synchronizing only users with a specific UPN/domain can be met using domain-based filtering. With domain-based filtering, you specify which users synchronize with Office 365 based on their domain name. The steps to set up domain-based filtering are as follows. Run MIISClient > Connectors > On Prem Connector > Properties.

Go to Configure Directory Partitions > Select Directory Partition and select the domains you want to synchronize with Office 365. In our case, we have two domains in our lab (mstechtalk.com and contoso.mstechtalk.com) and we are only synchronizing mstechtalk.com users with Office 365. All other partitions and domains are unchecked.

We can apply all three types of filtering to synchronize the required users. Sometimes domain filtering does not clear the run profile for the other domains, and you need to remove that run profile manually to complete the domain filtering.

Attribute Based Filtering

Attribute-based filtering is used to synchronize on-prem users with Office 365 based on attribute values. There are several ways to configure filtering based on attributes. Configuration on the inbound rule from AD is recommended, since these settings are kept after an upgrade to a newer version. Configuration on the outbound rule to AAD is supported, but these settings are not kept after an upgrade to a newer version and should only be used when it is necessary to look at the combined object in the metaverse to determine filtering.

Inbound Filtering

To set up inbound filtering, open the Synchronization Rules Editor on the sync server. You can find the Synchronization Rules Editor in the Start menu on Windows Server 2012 R2. Make sure that the Inbound rule type is selected on the left side and click Add New Rule.

Select the Connected System (source forest) and set the CS Object Type to user, because we are filtering based on users.

The Name field is the name of the rule. Connected System is the source, such as the Active Directory forest. Connected System Object Type is the type of AD object: user, group, contact, etc. Link Type is the action you want the rule to perform; it has three values: Join, StickyJoin and Provision. The Join action merges or updates the object; the Provision action creates the object. The Link Type option is superseded by the join rule configured in a later step. Click Next. Since we are synchronizing with Office 365 only those users whose company attribute is either "MS Tech Talk" or empty, we do not need to configure anything in Scoping Filter or Join Rules (these need to be configured in more detail depending on your filtering). On the Transformation screen, add the value IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>"MS Tech Talk","DoNotSync",NULL)) and click the Add button.

It is recommended to use inbound filtering; outbound filtering is not recommended in general. More information on attribute-based filtering can be found on TechNet.

Outbound Filtering

To perform outbound filtering, run the Synchronization Rules Editor and make sure the Outbound rule type is selected. Click Add Rule on the right-hand side, provide the parameters for Connected System and CS Object Type, and define the rule according to your requirements. Outbound filtering is the recommended option in a Resource Forest / Account Forest topology. It is recommended to perform a full sync after configuring filtering. A couple of examples of attribute-based filtering can be found on David's blog here and here.

Azure AD Synchronization using PowerShell

We have installed the Azure AD Sync tool and set up filtering to meet the user synchronization requirements, but at times you need to run or force a manual sync with Office 365. This section shows how to do that as an administrator.

Azure AD Full Synchronization

A utility called DirectorySyncClientCmd.exe executes the sequence of actions that synchronizes on-prem identities with Office 365. To run a full synchronization, browse to C:\Program Files\Microsoft Azure AD Sync\Bin in Windows PowerShell and run .\DirectorySyncClientCmd.exe Initial as shown below. Initial performs a full synchronization. It is recommended to perform a full synchronization after making a major change to your Azure AD Sync configuration, such as enabling password synchronization for users.

Azure AD Delta Synchronization

To perform a delta synchronization with Office 365, we use the same executable. By default the Azure AD Sync tool performs a delta sync every 3 hours; later in this article we will see how to change the default sync interval. To perform a delta synchronization, run .\DirectorySyncClientCmd.exe Delta as shown below.

Azure AD Password Synchronization

Password sync is one of the features that has helped many enterprises manage their users' password policies and change management from the local Active Directory. Password synchronization enables users to log in to Office 365 and other Microsoft online services such as Intune and CRM using the same password they use to log in to their on-premises infrastructure. It is important to note that this feature does not provide a single sign-on solution, because there is no token sharing in the password sync process; it is also referred to as Same Sign-On. Active Directory Domain Services configured for FIPS are not compatible with the password sync feature. During password synchronization, the plain-text version of a user's password is never exposed to the password sync tool, to Azure AD or to any of the associated services; the Azure AD Sync tool synchronizes the user's password in the form of a hash. When password synchronization is enabled, the password complexity and password expiry policies in Office 365 no longer apply and the on-prem policies take effect. To perform a password synchronization, run the "Password Synchronization with Office 365 using Azure AD Sync" script, which you can download from TechNet. More details on password synchronization can be found on TechNet.

Verifying Manual Synchronization

To verify the full and delta synchronization, log in to the Office 365 portal, browse to Users > Active Users and check the last sync time. You can also check MIISClient for the last sync time and status.
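The same checks can be scripted from the sync server rather than read off the portal. This is an added example, not part of the original guide; it assumes the MSOnline module is installed, that the Office 365 service account is used to connect, and that password sync writes its events (IDs 656 and 657) to the Application log.

```powershell
# Added example (not from the original guide): confirm from PowerShell that objects
# reached Office 365 and that password sync ran on this server.
Import-Module MSOnline
Connect-MsolService     # prompts for the Office 365 service account credentials

# 1. Directory-synced users. LastDirSyncTime is only set on objects that came from
#    on-prem AD, so cloud-only accounts (such as the service account) are excluded.
$all    = Get-MsolUser -All
$synced = $all | Where-Object { $_.LastDirSyncTime -ne $null }
$latest = ($synced | Sort-Object LastDirSyncTime -Descending |
           Select-Object -First 1).LastDirSyncTime
"{0} synced users, {1} cloud-only; most recent LastDirSyncTime: {2}" -f $synced.Count, ($all.Count - $synced.Count), $latest

# Users that were synced at some point but not updated by the last run are worth a
# look after a filtering change: they may be about to be deleted from Azure AD.
$synced | Sort-Object LastDirSyncTime |
    Select-Object UserPrincipalName, LastDirSyncTime -First 5 |
    Format-Table -AutoSize

# 2. Password sync events (656 and 657) from the Application log over the last day.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 656, 657; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No password sync events (656/657) in the last 24 hours.'
} else {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
        Format-Table -AutoSize
}
```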

To verify that the password synchronization completed successfully, go to Event Viewer > Application log and look for Event IDs 656 and 657 as shown below.

Change Default Sync time of Azure AD Sync

Default Synchronization

By default the Azure AD Sync tool synchronizes with Office 365 every 3 hours, just like the DirSync tool. DirSync determines the sync interval using the Microsoft.Online.DirSync.Scheduler.exe.config file located in C:\Program Files\Microsoft Online Directory Sync, but this has changed with the new Azure AD Sync tool: the Windows Task Scheduler now determines the time to sync with Office 365, and that is where you modify it. By default, the Azure AD Sync schedule runs every 3 hours via a scheduled task. This scheduled task runs DirectorySyncClientCmd.exe in the background and performs a delta sync. To modify the default synchronization interval, perform the following steps. Log on to the sync server using the on-prem sync service account; in our case we are using AAD@mstechtalk.com. Go to the Start menu and search for Task Scheduler. In the Task Scheduler Library, you will notice a task named Azure AD Sync Scheduler that is defined to trigger every 3 hours.

We cannot modify the task while it is enabled. To modify the schedule, right-click the task > Disable, as shown below. After disabling the task, double-click it and go to the Triggers tab as shown below.

Select the trigger and click Edit to edit the schedule trigger. Currently you can see that the trigger is defined to run every 3 hours and is set to repeat indefinitely.

From the Repeat task every drop-down menu, select the interval after which you want to trigger Azure AD sync with Office 365. In our case I have changed it to 10 minutes.

Click OK to close the trigger editor. Click OK in Azure AD Sync Scheduler Properties as well to complete the process.

When you click OK in Azure AD Sync Scheduler Properties, it will prompt you for the password of the account created during the installation and configuration, but we can replace that account with our Azure AD Sync on-prem service account. Enter your on-prem Azure AD Sync service account credentials and click OK.

After modifying the trigger settings, you can see that you have successfully changed the default sync interval of the Azure AD Sync tool to 10 minutes. The last step after changing the default sync time is to enable the scheduler by right-clicking it and clicking Enable.
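The whole procedure above (disable the task, change the repetition interval, supply the run-as account, enable the task again) can also be done with the ScheduledTasks module. This is an added example, not part of the original guide; it assumes the task is named Azure AD Sync Scheduler, lives in the root task folder, and that MSTECHTALK\AAD is the on-prem sync service account.

```powershell
# Added example (not from the original guide): change the Azure AD Sync schedule
# with the ScheduledTasks module instead of the Task Scheduler GUI.
# Assumptions: task name 'Azure AD Sync Scheduler' in the root folder; run-as
# account MSTECHTALK\AAD (the on-prem sync service account of this guide).
$taskName    = 'Azure AD Sync Scheduler'
$newInterval = New-TimeSpan -Minutes 10
$runAs       = 'MSTECHTALK\AAD'

# The task cannot be changed while it is enabled, so disable it first.
Disable-ScheduledTask -TaskName $taskName | Out-Null

# Re-read the task after disabling it so the object reflects its disabled state.
$task = Get-ScheduledTask -TaskName $taskName
"Current repetition interval: {0}" -f $task.Triggers[0].Repetition.Interval   # e.g. PT3H

# Repetition.Interval is an ISO 8601 duration string; PT10M means every 10 minutes.
# The repetition duration is left untouched, so the trigger still repeats indefinitely.
$task.Triggers[0].Repetition.Interval = 'PT{0}M' -f [int]$newInterval.TotalMinutes

# Saving the task requires the run-as account's password, just as the GUI prompts for it.
$cred = Get-Credential -UserName $runAs -Message 'On-prem AAD Sync service account'
Set-ScheduledTask -InputObject $task -User $cred.UserName `
                  -Password $cred.GetNetworkCredential().Password | Out-Null

# Re-enable the task and confirm the new interval took effect.
Enable-ScheduledTask -TaskName $taskName | Out-Null
$check = Get-ScheduledTask -TaskName $taskName
"New interval: {0}; state: {1}" -f $check.Triggers[0].Repetition.Interval, $check.State
```

The final line should report PT10M and a state of Ready; a 10-minute interval means a delta sync every 10 minutes, so keep the on-prem change load in mind before going that low in production.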