Office 365 Directory Synchronization
•Download as PPTX, PDF•
0 likes•433 views
Amit Vasu's presentation to a Toronto audience which included a discussion on the Azure Active Directory, sign-in model for 0365, directory synchronization tools, system requirements, and setting up the development environment.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Office 365 Directory Synchronization
Similar to Office 365 Directory Synchronization (20)
Recently uploaded
Recently uploaded (20)
Office 365 Directory Synchronization
- 1. June 5, 2015 1 Office 365 Directory Synchronization Amit Vasu Momentum Digital Solutions Inc.
- 2. June 5, 2015 2 Agenda O365 - DirSync Overview - Azure Active Directory DirSync Sync Tools Setting up DEV environment Demo
- 3. June 5, 2015 3 Microsoft Community Contributor (MCC) Senior SharePoint Consultant @amitvasuMCP – SP 2013 BLOG – www.amitvasu.comO365 - DirSync
- 4. June 5, 2015 4 Azure Active Directory- Overview
- 5. June 5, 2015 5 Provides a robust set of capabilities to manage users and groups Comes in three editions Free, Basic, Premium World’s largest cloud directory Identity and Access Management for the Cloud
- 6. June 5, 2015 6 Enable single sign-on to thousands of cloud applications from Windows, Mac, Android and iOS devices. Works with third party identity providers Simplify user access to any cloud app
- 7. June 5, 2015 7 Provides Multi-Factor Authentication Security monitoring and Alerts Machine learning based reports Protect sensitive data and applications
- 8. June 5, 2015 8 Sign-in Model for O365
- 9. June 5, 2015 9 Cloud Identity
- 10. June 5, 2015 10 Synchronized Identity
- 11. June 5, 2015 11 Federated Identity
- 12. June 5, 2015 12 Directory Synchronization - Overview
- 13. June 5, 2015 13 Synchronizes users, passwords, security groups, distribution lists, contacts, and conference rooms. Enables unified Global Address List with Exchange Online Support multiple sync scenarios i.e. DirSync, DirSync/Password, DirSync/SSO Identity and Access Management for the Cloud
- 14. June 5, 2015 14 Default every 3 hours. Can be modified by updating Microsoft.Online.DirSync.Scheduler.exe.Config Find the key: <add key="SyncTimeInterval" value="3:0:0" /> and replace value with your desired time. Restart the Windows Azure Active Directory Sync Service Synchronization interval
- 15. June 5, 2015 15 Up to 50k objects with no verified domain Increased to 300k objects with first verified domain Each tenant is only granted one increase Unlimited if you have Azure Active Directory Basic or Premium subscription Directory Quota Limit
- 16. June 5, 2015 16 Must be running version 6382.0000 or greater of the Directory Sync tool in order to enable the Password Sync feature Does not mean its SSO as there is not token sharing Passwords are synchronized every two minutes The synchronization of a password has no impact on currently logged on users. Password Sync
- 17. June 5, 2015 18 Location which is original source of Active Directory objects Azure AD requires a single source of authority for every object. By default, Azure AD directory objects are mastered in the cloud. Source of Authority
- 18. June 5, 2015 19 Three scenarios where source of authority may get changed for an object Activate Deactivate Reactivate* Changing Source of Authority
- 19. June 5, 2015 20 Directory Synchronization - Tools
- 20. June 5, 2015 21 Most commonly-known product is the Directory Sync tool (DirSync). Download link from the Office 365 portal. Directory Sync Relies on Forefront Identity Manager (FIM) for Synchronization.
- 21. June 5, 2015 22 Successor to DirSync and eventually will replace DirSync. Supports Multi-Forest Synchronization. Advanced provisioning, mapping and filtering rules for objects and attributes. Azure Active Directory Synchronization (AAD Sync)
- 22. June 5, 2015 23 At some point in the future AADConnect will be the single choice. Will also assist you to set up AD FS AADConnect will simplify the deployment and configuration of your end-to-end identity setup. COMPARE FEATURES: https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx Azure Active Directory Connect
- 23. June 5, 2015 24 System Requirements
- 24. June 5, 2015 25 64-bit edition of Windows Server 2008 Standard, Enterprise, or Datacenter edition with SP1 or later Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition with SP1 or later Windows Server 2012 Standard or Datacenter Windows Server 2012 R2 Standard or Datacenter Directory Synchronization Computer - OS
- 25. June 5, 2015 26 It must be joined to Active Directory. It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1 It must run Windows PowerShell It must be located in an access-controlled environment. Directory Synchronization Computer
- 26. June 5, 2015 27 Windows Server 2003 forest functional mode or higher 32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) 32-bit or 64-bit edition of the Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter. Windows Server 2012 Standard or Datacenter. Directory Synchronization – Domain Controller
- 27. June 5, 2015 28 You must have administrator permissions for the following: The computer running the Directory Sync tool. Your company’s local Active Directory. Your company’s Microsoft cloud service administrator account. Permissions
- 28. June 5, 2015 29 DirSync can be installed on Domain Controller Requires version 6553.0002 and newer Steps to install DirSync on a DC is exactly the same. Directory Synchronization on Domain Controller Just because you can does not mean you should. Follow the best practice and install DirSync on separate server.
- 29. June 5, 2015 30 DEMO: Setting up Directory Sync
- 30. June 5, 2015 31 Setting up Development Environment
- 31. June 5, 2015 32 Sign up for Azure free one month trial http://azure.microsoft.com/en-us/pricing/free-trial/ Create Domain Controller in Azure using the following HOL http://azure.microsoft.com/en-us/documentation/articles/active-directory- new-forest-virtual-machine/ Sign-up for Office 365 trial (30 day) https://portal.office.com/partner/partnersignup.aspx?type=Trial&id=3dd59a1 4-63ab-4c89-acce-c065ac672e46&msppid=2971477
- 32. • May 14th and 15th – 8am to 6pm PST (Pacific) • Steve Guggenheimer Keynote at 8am on May 14th • OPEN TO THE EVERYONE! • 5 TRACKS • IT Pro | Developer | Consumer | LATAM Track (Spanish) | Brazil Track (Portuguese) • REGISTER HERE: http://mvp.microsoft.com/en- us/virtualconference.aspx • MVP Home Page > Events > 2015 Microsoft MVP Virtual Conference
- 33. Thank You
Editor's Notes
- Azure AD directories let you centrally control access to applications and resources, easily add existing resources (cloud services or on-premises applications), and integrate applications you are developing. Because it is a comprehensive service, Azure AD provides different benefits to people in different roles within an organization. If you are a business decision maker, use Azure AD to achieve the promise of cloud applications and a mobile workforce with confidence that your governance requirements are being met. If you are a service provider, use Azure AD to easily address your identity and access needs, connecting your services to your customers’ existing identity solutions while also reaching Microsoft Azure and Office 365 customers. Azure AD can also address all of your back-office access needs, so whether in-house or outsourced, you can be confident the right people have the right access. If you are an IT professional, use Azure AD to increase your control and visibility of operations at "cloud speed." With Azure AD, you will know what people are using and empower them through self-service offerings.
- In this model a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory. Azure Active Directory is the cloud directory that is used by Office 365. There is no equivalent user account on-premises, and there is nothing that needs to be configured to use this other than to create users in the Office 365 admin center. Cloud Identity to Synchronized Identity. This transition is simply part of deploying the DirSync tool. You may have already created users in the cloud before doing this. If you switch from the Cloud Identity model to the Synchronized Identity model, DirSync and Azure Active Directory will try to match up any existing users. There are two ways that this user matching can happen. The first one occurs when the users in the cloud have previously been synchronized from an Active Directory source. In this case they will have a unique ImmutableId attribute and that will be the same when synchronization is turned on again. Users with the same ImmutableId will be matched and we refer to this as a “hard match.” The second way occurs when the users in the cloud do not have the ImmutableId attribute set. In this case we attempt a “soft match,” which looks at the email attributes of the user to find ones that are the same. If we find multiple users that match by email address, then you will get a sync error. If you want to be sure that users will match using soft-match capabilities, make sure their PrimarySMTP addresses are the same both in Office 365 and in the on-premises Active Directory. If all of your users are entered in the cloud but not in your Active Directory, you can use PowerShell to extract them and then you can import them into Active Directory so that soft match will work.
- In this model the user identity is managed in an on-premises server and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Sync Tool (DirSync). Synchronized Identity to Federated Identity. This transition is required if you deploy a federated identity provider, because synchronized identity is a prerequisite for federated identity. The user identities are the same in both synchronized identity and federated identity. Because of this, changing from the Synchronized Identity model to the Federated Identity model requires only the implementation of the federation services on-premises and enabling of federation in the Office 365 admin center. Switching from Synchronized Identity to Federated Identity is done on a per-domain basis. The operation both defines the identity provider that will be in charge of the user credential validation (often a password) and builds the federation trust between Azure Active Directory and the on-premises identity provider. When you switch to federated identity you may also disable password hash sync, although if you keep this enabled, it can provide a useful backup, as described in the next paragraph.
- This model requires a synchronized identity but with one change to that model: the user password is verified by the on-premises identity provider. This means that the password hash does not need to be synchronized to Azure Active Directory. This model uses Active Directory Federation Services (AD FS) or a third- party identity provider. Federated Identity to Synchronized Identity. You can convert a domain from the Federated Identity model to the Synchronized Identity model with the PowerShell command Convert-MsolDomainToStandard. Since the password sync option in DirSync is a recent addition, some customers will make this transition to take advantage of that and simplify their infrastructure. This transition can also be a useful backup in case there is a failure with the federated identity provider, because any failure with the federated identity provider—including the physical server, the power supply, or your Internet connectivity—will block users from being able to sign in.
- Synchronization is per user basis and in chronological order.
- In Azure AD environment, source of authority refers to the location which is original source of Active Directory objects Azure AD requires a single source of authority for every object. By default, Azure AD directory objects are mastered in the cloud. Once Directory Synchronization has been activated, the source of authority is transferred from the cloud to the on-premises Active Directory (after the first sync cycle has been completed). All subsequent changes to the cloud objects (exception of licensing) are mastered from the on-premises Active Directory and the corresponding cloud objects are read-only. Administrators cannot edit cloud objects if the source of authority is on-premises.
- Activate: When you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory. NOTE: Activating directory synchronization is a requirement for an Exchange hybrid deployment, an Active Directory Federation Services 2.0 (AD FS 2.0)/single sign-on (SSO), and the staged Exchange migration scenarios. Deactivate: When you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud. *Reactivate: When you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided).
- For Directory Sync, the most commonly-known product is the Directory Sync tool (DirSync). This tool is the one offered from the Office 365 portal when you are setting up synchronization. DirSync relies on Forefront Identity Manager (FIM) for Synchronization.
- Azure AD Synch will replace DirSync and be included for all AAD, Office 365 and other Microsoft cloud service customers. Provides both a simplified deployment experience and advanced synchronization server. Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
- Activate: When you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory. NOTE: Activating directory synchronization is a requirement for an Exchange hybrid deployment, an Active Directory Federation Services 2.0 (AD FS 2.0)/single sign-on (SSO), and the staged Exchange migration scenarios. Deactivate: When you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud. *Reactivate: When you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided).
- It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:
- It must be joined to Active Directory. It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1 If you are running Windows Server 2008 or higher, the .NET Framework will already be installed It must run Windows PowerShell For Windows Server 2003, you need to download Windows PowerShell. For Windows Server 2008 or higher, you need to enable Windows PowerShell. It must be located in an access-controlled environment.
- Active Directory forest Windows Server 2003 forest functional mode or higher Domain controller 32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) 32-bit or 64-bit edition of the Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter. Windows Server 2012 Standard or Datacenter.
- To run the Directory Sync tool, you must have administrator permissions for the following: The computer running the Directory Sync tool. Your company’s local Active Directory. Your company’s Microsoft cloud service administrator account. To install the Directory Sync tool, you need enterprise admin rights during only the installation process. When you’ve installed the tool, a non-privileged Active Directory account will be required. This non-privileged account is created automatically when the Directory Sync tool is being installed.
- DirSync can be installed on Domain Controller Requires version 6553.0002 and newer Steps to install DirSync on a DC is exactly the same. Administrator installing the tool will need to log-off and log-on again after the Installation Wizard is complete and before the Configuration Wizard is run.
- To run the Directory Sync tool, you must have administrator permissions for the following: The computer running the Directory Sync tool. Your company’s local Active Directory. Your company’s Microsoft cloud service administrator account.