Presenters: Bill Fiddes, Learning and Development Specialist; Rob Latino, Program Manager in Office 365 Support

Learning & Development Specialist, Customer Support Services
With Microsoft for 7 years; professionally in the computer industry for 10 years
Focus on Customer Support Readiness for Azure Active Directory and Office 365 Identity
Wife and three children, living in Maple Valley, WA
Directory Synchronization in Office 365

01 What is Azure Active Directory?
02 Directory Synchronization Overview
03 Directory Synchronization Scenarios
04 Directory Synchronization Tool Comparison
05 Source of Authority
06 Hard and Soft User ID Matching
07 Configuring Alternate User ID
08 Configure Filtering
09 Azure Active Directory Subscriptions

This session is for admins who want to use the more advanced configuration options of directory synchronization:
- Changing source of authority
- Mapping existing cloud users to local users
- Signing in with something other than UPN
- Syncing some objects instead of all objects
- Extra value with Azure Active Directory subscriptions

Microsoft Virtual Academy: free online learning tailored for IT Pros and Developers. Over 2M registered users. Up-to-date, relevant training on a variety of Microsoft products. Earn while you learn: get 50 MVA Points for this event.
01 What is Azure Active Directory?
Azure Active Directory provides identity management and access control capabilities for cloud services such as Office 365. Azure AD capabilities include a cloud-based store for directory data and a core set of identity services, including user logon processes, authentication services, and Federation Services. The identity services that are included with Azure AD easily integrate with your on-premises Active Directory deployments and fully support third-party identity providers.
02 Directory Synchronization Overview
Directory Synchronization Overview
- Synchronize your directory to the Microsoft Cloud Services
- Synchronizes users, passwords, security groups, distribution lists, contacts, and conference rooms
- Enables a unified Global Address List with Exchange Online
- Enables Exchange Hybrid and synchronizes some Exchange Online attributes back to on-premises
- Synchronizes passwords back to on-premises
- Synchronization occurs every 3 hours

Directory Synchronization Overview - continued
- Synchronize from a single forest or multiple forests
- Directory quota limits:
  - Up to 50k objects with no verified domain
  - Up to 500k objects with a verified domain
  - Unlimited with an Azure Active Directory Basic or Premium subscription
- Lots of new features coming soon
03 Directory Synchronization Scenarios
Directory Synchronization Scenarios

Directory Sync Scenario: Used to synchronize on-premises directory objects (users, groups, contacts) to the cloud to help reduce administrative overhead. Directory synchronization is also referred to as directory sync. Once directory sync has been set up, administrators manage directory objects in the on-premises Active Directory and those changes are synchronized to the tenant. In this scenario, users use different user names and passwords to access cloud and on-premises resources.

Directory Sync with Password Sync Scenario: Used when you want to enable your users to sign in to Azure AD and other services using the same user name and password as they use to log on to the corporate network and resources. Password sync is a feature of the Directory Sync tool.

Directory Synchronization Scenarios - continued

Directory Sync with Single Sign-On Scenario: Used to provide users with the most seamless authentication experience as they access Microsoft cloud services while logged on to the corporate network. To set up single sign-on, organizations need to deploy a security token service on-premises, such as Active Directory Federation Services (AD FS). Once it has been set up, users can use their Active Directory corporate credentials (user name and password) to access the services in the cloud and their existing on-premises resources.
04 Directory Synchronization Tool Comparison
Directory Synchronization Tool Comparison

Azure Active Directory Sync Tool (DirSync)
- First appliance for directory synchronization to Azure AD
- Supports only single-forest synchronization
- Password write-back will remain in preview and is not supported

Azure Active Directory Sync Services (AAD Sync)
- Newest appliance; will eventually replace DirSync for directory synchronization to Azure AD
- Supports single- and multi-forest synchronization
- Password write-back
- Many new features coming soon

Azure Active Directory Connect
- Includes Azure Active Directory Sync Services (AAD Sync)
- Will also assist you in setting up AD FS
- Will also assist you in setting up your Web Application Proxy

Directory Synchronization Tool Comparison (X = available, CS = coming soon)

On-Premises to Cloud Synchronization
- Connect to single on-premises AD forest: DirSync X, AAD Sync X
- Connect to multiple on-premises AD forests: AAD Sync X
- Connect to single on-premises LDAP directory (no AD at all): AAD Sync CS
- Connect to multiple on-premises LDAP directories: AAD Sync CS
- Connect to on-premises AD and on-premises LDAP directories: AAD Sync CS
- Connect to custom systems (i.e. SQL, Oracle, MySQL, etc.): AAD Sync CS
- Synchronize customer-defined attributes (directory extensions): AAD Sync CS
- Password Hash Sync for single on-premises AD forest: DirSync X, AAD Sync X
- Password Hash Sync for multiple on-premises AD forests: AAD Sync X

Cloud to On-Premises Synchronization
- Write-back of devices: DirSync X, AAD Sync CS
- Attribute write-back (for Exchange hybrid deployment): DirSync X, AAD Sync X
- Write-back of users, groups objects: AAD Sync CS
- Write-back of passwords (from SSPR and password change): DirSync Preview, AAD Sync X
- Write-back of customer-defined attributes (directory extensions): AAD Sync CS

Set-up and Installation
- Supports installation on a Domain Controller: DirSync X, AAD Sync X
- Supports installation using SQL Express: DirSync X, AAD Sync X
- Step-up from DirSync to AAD Sync: AAD Sync X
- Localization in Windows Server languages: DirSync X, AAD Sync CS
- Support for Windows Server 2008 and Windows Server 2008 R2: DirSync X, AAD Sync X
- Support for Windows Server 2012 and Windows Server 2012 R2: DirSync X, AAD Sync X

Filtering and Configuration
- Filter on domains and organizational units: DirSync X, AAD Sync X
- Filter on attribute values on objects: DirSync X, AAD Sync X
- Allow a minimal set of attributes to be synchronized ("MinSync"): AAD Sync X
- Allow different service templates to be applied for attribute flows: AAD Sync X
- Allow removing attributes from flowing from AD to AAD: AAD Sync X
- Allow advanced customization of attribute flows: AAD Sync X
05 Source of Authority
Source of Authority

There are three scenarios where you may change the source of authority for an object: when you activate, deactivate, or reactivate directory synchronization from within any account portal or with Windows PowerShell. Source of authority is transferred after you perform the first synchronization.

Activate: When you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory. Activating directory synchronization is a requirement for an Exchange hybrid deployment, for Active Directory Federation Services 2.0 (AD FS 2.0)/single sign-on (SSO), and for the staged Exchange migration scenarios.

Source of Authority - continued

Deactivate: When you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud. Deactivating directory synchronization is a requirement if you want to transfer all user, group, contact, and mailbox management to the cloud using Windows PowerShell and account portal tools. For example, some organizations that used the staged Exchange migration tools to move their mailboxes to the cloud and no longer want to manage objects from on-premises can deactivate directory synchronization.

Reactivate: When you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided).
06 Hard and Soft User ID Matching
Hard and Soft User ID Matching

Hard matching - GUID match logic: When you reactivate directory synchronization, objects in the on-premises Active Directory are matched with objects in the cloud according to the GUID recorded by the previous directory synchronization (objectGUID) on the cloud objects. When such a match is found, the directory synchronization process makes a GUID match and overwrites the target object data in the cloud with the data from the corresponding on-premises object.

Hard and Soft User ID Matching - continued

Soft matching - SMTP match logic: If directory synchronization does not find a GUID match in the cloud, a process called SMTP match is used. In this process, directory synchronization matches corresponding objects according to the primary SMTP address. If a target (cloud) object's primary SMTP address matches the primary SMTP address of an object in the on-premises organization, the data for the on-premises object is used to overwrite the data for the corresponding cloud object.
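The two matching passes described above, modelled in Python as an added example (this is not code from the deck or from the DirSync/AAD Sync tools). The hard-match key is assumed to be the base64 form of the objectGUID bytes in .NET Guid.ToByteArray() order, as the referenced hard-match procedure uses; restricting the soft match to cloud objects not yet bound to a GUID is a simplification assumed here, and all user records are constructed sample data.

```python
import base64
import uuid
from dataclasses import dataclass

@dataclass
class OnPremUser:          # minimal on-premises AD user (constructed for this example)
    object_guid: str       # AD objectGUID in its textual form
    primary_smtp: str
    display_name: str
@dataclass
class CloudUser:           # minimal Azure AD user (constructed for this example)
    primary_smtp: str
    display_name: str
    immutable_id: "str | None" = None   # bound to an AD objectGUID once matched

def immutable_id_from_guid(guid_text: str) -> str:
    """Hard-match key: base64 of the objectGUID bytes in .NET Guid.ToByteArray() order."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")

def match_user(src: OnPremUser, cloud: list) -> tuple:
    """(action, matched cloud object or None, key); GUID match beats SMTP match. Modelled rule: only a cloud object not yet bound to a GUID can soft-match."""
    key = immutable_id_from_guid(src.object_guid)
    for c in cloud:                       # 1. hard match on the stored ImmutableId
        if c.immutable_id == key:
            return "hard", c, key
    for c in cloud:                       # 2. soft match on the primary SMTP address
        if c.immutable_id is None and c.primary_smtp.lower() == src.primary_smtp.lower():
            return "soft", c, key
    return "new", None, key               # 3. no match: a new cloud object gets created

def sync_users(onprem: list, cloud: list) -> list:
    outcome = []                          # on-premises data overwrites the matched cloud copy
    for src in onprem:
        action, target, key = match_user(src, cloud)
        if target is None:
            cloud.append(CloudUser(src.primary_smtp, src.display_name, key))
        else:
            target.display_name = src.display_name
            target.immutable_id = key     # soft-matched objects get stamped so later runs hard-match
        outcome.append((action, src.primary_smtp))
    return outcome

def demo():
    """Three constructed cases: previously synced (hard), cloud-created same SMTP (soft), brand new."""
    onprem = [OnPremUser("00112233-4455-6677-8899-aabbccddeeff", "alice@contoso.example", "Alice Adams"),
              OnPremUser("ffeeddcc-bbaa-9988-7766-554433221100", "bob@contoso.example", "Bob Brown"),
              OnPremUser("12345678-1234-1234-1234-123456789abc", "carol@contoso.example", "Carol Cruz")]
    cloud = [CloudUser("alice@contoso.example", "Alice (cloud)", immutable_id_from_guid(onprem[0].object_guid)),
             CloudUser("Bob@Contoso.example", "Bob (cloud)")]
    return sync_users(onprem, cloud), onprem, cloud
```

Running sync_users a second time over the same lists yields only hard matches, which is why a cloud-created object that was soft-matched once does not depend on its SMTP address staying unchanged afterwards.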
07 Configure Alternate User ID
Configuring Alternate User ID Alternate User ID is a feature that was introduced in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 Update 1. Alternate login ID facilitates logon to AD FS by using an administratively defined user attribute. After it is configured, AD FS will prefer to locate the user account by the defined attribute first instead of by the UPN. Users will still be able to log on by using previously allowed methods. You can also use alternate login ID without single sign-on (SSO) and AD FS by using cloud-managed sign-in and directory synchronization.
08 Configure Filtering
Configure Filtering

Organizational-unit (OU) based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.

Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.

User-attribute based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.
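The three filter types above applied to constructed user DNs, as an added example that is not the tools' own implementation (DirSync and AAD Sync apply these filters inside their management agents). The DN parser assumes no escaped commas, the allowed-OU paths and the "do not sync" attribute value are illustrative choices, and every DN is constructed.

```python
def dn_components(dn: str) -> list:
    """Split a DN into (type, value) pairs. Simplified parser: assumes no escaped commas."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]

def domain_of(dn: str) -> str:
    """Domain name from the DC components, e.g. contoso.com."""
    return ".".join(v for t, v in dn_components(dn) if t.upper() == "DC").lower()

def ou_path(dn: str) -> tuple:
    """OUs from the domain root down, e.g. ('corp', 'sales') for OU=Sales,OU=Corp,DC=..."""
    return tuple(v.lower() for t, v in reversed(dn_components(dn)) if t.upper() == "OU")

def should_sync(dn: str, attrs: dict, allowed_domains: set, allowed_ous: set, excluded: tuple) -> bool:
    """Apply the three filter types in turn: domain-based, OU-based, then user-attribute-based.
    allowed_ous holds lowercase OU paths as tuples; a selected OU includes its child OUs."""
    if domain_of(dn) not in allowed_domains:                  # domain-based filtering
        return False
    path = ou_path(dn)
    if not any(path[:len(ou)] == ou for ou in allowed_ous):   # OU-based filtering
        return False
    name, value = excluded                                    # attribute-based: value marks "do not sync"
    return attrs.get(name) != value
```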
09 Azure Active Directory Subscriptions
Azure Active Directory Subscriptions

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, the Azure Active Directory Premium and Azure Active Directory Basic editions provide a set of more advanced features to help empower enterprises with more demanding identity and access management needs. An Azure AD Premium trial is available for 30 days.

Features by edition (Free / Basic / Premium):
- Sync up to 500k objects: Free
- Sync unlimited objects: Basic, Premium
- Forefront Identity Manager (FIM) server licenses, for syncing between on-premises databases and/or directories and Azure AD
- Self-service password change for cloud users: Free, Basic, Premium
- Self-service password reset for cloud users: Basic, Premium
- Azure AD Sync bi-directional synchronization (Coming Soon):
  - Write-back of devices (Coming Soon): Premium
  - Write-back of users, groups objects (Coming Soon): Premium
  - Write-back of customer-defined attributes (directory extensions): Premium
  - Password reset with write-back to on-premises directories (Coming Soon): Basic, Premium
  - Password change write-back to on-premises directories (Coming Soon): X X X X X (edition marks as extracted from the slide)

Configuration resources (DirSync / AAD Sync)
- Enable Directory Synchronization: can be enabled using the Office 365 admin center; http://technet.microsoft.com/en-us/library/dn144766.aspx
- Password Hash Sync, Password Write-back, Alternate Login ID, Filtering and Soft Matching (links in the order listed on the slide, DirSync and AAD Sync columns):
  - http://support.microsoft.com/kb/2641663
  - http://technet.microsoft.com/en-us/library/dn246918.aspx
  - http://msdn.microsoft.com/en-us/library/azure/dn835016.aspx
  - http://msdn.microsoft.com/en-us/library/azure/dn688249.aspx
  - http://msdn.microsoft.com/en-us/library/azure/dn835016.aspx
  - http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx
  - http://msdn.microsoft.com/en-us/library/jj710171.aspx
  - http://msdn.microsoft.com/en-us/library/azure/dn801051.aspx
- Hard Matching: http://blogs.technet.com/b/praveenkumar/archive/2014/04/12/how-to-do-hard-match-in-dirsync.aspx