Enterprise Mobility and Security Blog


Howdy folks,

It's a great day here in Redmond – The sun is out, it's not raining and we have some cool new identity synchronization features available in preview!

Preview Self Service Password Reset writeback to Windows Server AD using DirSync

First, we've added a preview of DirSync password writeback for Self Service Password Reset. This preview capability allows customers who rely on federation or password hash sync to use Azure AD Premium to reset on-premises passwords in Windows Server Active Directory.

Preview Multi-forest identity synchronization using Azure AD Sync (AAD Sync)

We've also released a preview of our new AAD Sync. AAD Sync is our newly created "one sync service to rule them all". In this first preview, we are using AAD Sync to enable synchronization from multi-forest Windows Server AD deployments, a capability that all of our largest customers have been asking for. Over time (6-8 months), Azure AD Sync will replace DirSync and be included for all AAD, Office 365 and other Microsoft cloud service customers. It will enable simple synchronization like DirSync does today, but will also have a set of much more advanced capabilities, for instance, support for combinations of directories (AD, LDAP, SQL, and others) and the ability to remap and swizzle existing on-premises attributes. AAD Premium customers will also use it for writeback scenarios like Self Service Group Management.

Using the AAD Sync preview you will be able to:

  • Onboard your multi-forest Active Directory deployment to AAD
  • Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  • Configure multiple on-premises Exchange organizations to map to a single AAD tenant (as recently announced at the MEC conference)

Getting the new DirSync tool

You can access the updated DirSync with Password Reset writeback here. Once installed, you can configure the password reset writeback agent by opening an elevated DirSync configuration shell and running the Enable-OnlinePasswordWriteback cmdlet. Want more details? We'll have a writeback installation guide coming next week, so stay tuned!

Getting the AADSync service

You can join the Azure Active Directory Sync Services preview here. The AADSync preview will then be added to your Microsoft Connect account. Through this you will be able to download the most recent version, get information on known issues and updates, as well as provide feedback.

The installation is an easy 3-step process and is similar to DirSync.

Step 1

After you run the installer, you will first need to provide your AAD credentials and click "Next" to continue.

Step 2

Add each of your AD forests. This is done by entering Active Directory Domain Services credentials for each forest and clicking "Add Forest". Once a forest is added, AADSync will detect which services the forest contains, e.g. Exchange and Lync, and create an initial default configuration that will work for most customers. The configured forest will be added to the list. A forest can also be removed by clicking the X next to the forest name. Once you are done adding all your forests, click "Next" to continue.

Fig 1: AADSync add AD forests


Step 3

AADSync will now collect additional information on your multi-forest environment. This configuration helps AADSync understand how to map a user represented in more than one forest and how to uniquely identify each user. If you are using only one forest, you can leave the default configuration options and click "Next".

Fig 2: AADSync multi-forest configuration

Post Installation

That is it! Your initial configuration is complete, and at this point you can begin synchronizing your users with Azure Active Directory. You can also use the AADSync advanced UI to:

  • Filter out objects you don't want to synchronize to AAD

Fig 3: AADSync OU filters

  • Change the attribute mapping or set transformations between AAD and Windows Server AD users.

Fig 4: AADSync attribute mapping

  • View which attributes are consumed by each Microsoft Online service and control their synchronization. For example, if you do not use SharePoint Online, it will be possible to remove that entire group of attributes.

Fig 5: AADSync attribute selection by service

Let us know what you think! Whether it's a feature you love, something you think we are missing, questions, or even an experience that you just don't like, you can reach out to us through the AADSync Microsoft Connect preview or the Windows Azure AD Forum.

Best regards,

Alex Simons (twitter: Alex_A_Simons)

Director of Program Management

Active Directory