As more and more customers move to Office 365 and leverage the power of Windows Azure, there is a growing need to understand identity management and how to properly link multiple online services to a single Azure AD instance. As a bit of background, Windows Azure AD is the primary directory that provides access to all online services, including Office 365, Azure, Windows Intune and Microsoft Dynamics. By default, when you sign up for an online service such as Office 365, an Azure AD "bucket" is created to service that tenant. The Azure AD can then be populated in multiple ways:
- Manual creation using Cloud Identities
- Bulk creation by uploading CSV files
- Directory Synchronization
For most enterprises the final option above is the optimal solution, because it allows organizations to manage a single on-premises Active Directory identity for each user. Those identities are then synchronized to the Azure AD by the Directory Synchronization server.
As I mentioned earlier in this post, you can think of the Azure Active Directory as the primary source for all Microsoft Online services. The goal is to have a single Azure AD instance that services all of your various online product groups. In this optimal environment the Directory Synchronization tool is installed on-premises to sync Active Directory objects to the Azure AD, and that single instance in Azure then services all of the various online services, as depicted below.
However, if the various services aren't linked together properly, you can end up with a scenario where multiple Azure AD instances are created, resulting in multiple unlinked directories to manage.
There are many issues with the scenario depicted above. The first thing to note is that the Directory Synchronization tool can only have one instance on-premises, so in the example above there is no way to install DirSync to provision the Azure AD instance supporting Office 365 and then have a second DirSync server serving a separate Azure AD supporting Azure. This is why it is critical for customers to understand how to link Microsoft Online services so that a single instance of Azure AD can service multiple online services. This streamlines the management process and allows you to manage all user identities from your local Active Directory and have all changes synchronize to the single Azure AD instance that services all Microsoft online services.
There are generally two scenarios for customers. The first is for customers who start with Office 365 and want to add Azure. For this process a colleague of mine has posted step-by-step instructions on how to link the new Azure instance to the existing Office 365 tenant: Adding an Azure subscription to your Office 365 account. The second is for customers who start with Azure and want to add Office 365. For this process you can follow the blog post Creating and managing multiple Windows Azure Active Directories.
Now that we understand how to link different Microsoft cloud offerings, we can dive into how to synchronize your on-premises Active Directory environment to the Azure Active Directory.
Syncing Active Directory with Windows Azure Active Directory
The Directory Synchronization tool is a free tool provided by Microsoft that performs a one-way sync from on-premises Active Directory to the Azure AD. Prior to deploying the tool it is highly recommended that the local Active Directory be reviewed and prepared for Directory Synchronization; for more information see the blog post Plan for Directory Synchronization for Office 365. Most environments have old user objects or accounts with invalid characters. An example I see in the field quite a bit is administrative accounts starting with a non-standard character such as '#'. This makes sense on-premises in certain cases where customers want to isolate administrative accounts, but from a cloud perspective the '#' is seen as a coding variable and is therefore treated as an invalid character for Directory Synchronization. The best rule of thumb is that a clean Active Directory leads to a happy cloud.
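As an added example (not part of the original post), the following PowerShell script scans the on-premises Active Directory for the kinds of objects described above: account names with characters such as '#' that DirSync rejects, and old accounts that have not logged on in a long time. The allowed character set and the 180-day staleness window are assumptions for this example; the RSAT ActiveDirectory module and read access to the domain are assumed as well.

```powershell
# Added example, not from the original post: scan the on-premises AD for user
# objects DirSync would reject, such as the post's '#'-prefixed admin accounts.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Allowed character set and staleness window are assumptions for this example;
# check them against the current Office 365 directory preparation guidance.
$allowedLocalPart = '^[A-Za-z0-9._-]+$'
$staleAfterDays   = 180

function Test-DirSyncName {
    param([string]$Name)
    if ([string]::IsNullOrEmpty($Name))    { return 'missing value' }
    if ($Name -notmatch $allowedLocalPart) { return 'invalid character' }
    if ($Name -match '^[^A-Za-z0-9]')      { return 'non-alphanumeric first character' }
    return $null
}

$findings = foreach ($u in Get-ADUser -Filter * -Properties UserPrincipalName, LastLogonDate) {
    # DirSync cares about the local part of the UPN; strip the domain suffix.
    $upnLocal = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[0] } else { $null }
    $checks = @(
        @{ Attribute = 'sAMAccountName';    Value = $u.SamAccountName; Reason = Test-DirSyncName $u.SamAccountName },
        @{ Attribute = 'userPrincipalName'; Value = $upnLocal;         Reason = Test-DirSyncName $upnLocal }
    )
    # Old, unused accounts are noise in the cloud directory; flag them for review.
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays)) {
        $checks += @{ Attribute = 'lastLogonDate'; Value = $u.LastLogonDate; Reason = "no logon in $staleAfterDays days" }
    }
    foreach ($c in $checks) {
        if ($c.Reason) {
            [pscustomobject]@{
                DistinguishedName = $u.DistinguishedName
                Attribute         = $c.Attribute
                Value             = $c.Value
                Reason            = $c.Reason
            }
        }
    }
}

# Review on screen and keep a CSV for the remediation work.
$findings | Sort-Object DistinguishedName, Attribute | Format-Table -AutoSize
$findings | Export-Csv -Path .\dirsync-prep-findings.csv -NoTypeInformation
```

Run it read-only first and remediate from the CSV; re-run it until it comes back empty before installing DirSync.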
The rest of this blog assumes you have gone through the AD remediation and prep phase. Now that this has been completed, we are going to deploy the Directory Sync tool provided in Office 365. Remember that, now that you have linked your Office 365 and Azure tenants, when you synchronize your AD to Office 365 the users will also be available in Azure.
Before deploying the tool, let's take a look at the Office 365 tenant. When logging into the portal you'll notice there is a significant amount of information, including the service overview with information about overall service health, the status of service requests, lists of inactive users and a drill-down snapshot of each platform's current health with detailed information if issues exist. There is also a Quick Links section on the right with common admin shortcuts such as password resets, adding users, assigning licenses to users and downloading software.
The first step in identity provisioning with Directory Synchronization is enabling the service in the portal. This is identical to the way it was done previously. First select Users and Groups from the left-hand menu, then click Set Up next to Active Directory synchronization.
From the next page click Activate under step 3 to enable Directory Synchronization in the tenant:
If you prefer PowerShell, you can enable Directory Synchronization using the following cmdlets (the first line prompts for your global admin credentials):
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolDirSyncEnabled -EnableDirSync $True
To check whether DirSync has been enabled, run the following cmdlet:
Remember that it may take time for Directory Synchronization to be fully enabled, so check back until the value changes to True. Once this is done we are ready to deploy Directory Synchronization.
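The enable-and-verify steps above, carried through as an added PowerShell example (not from the original post): it only flips the switch if it is not already on, then polls the tenant until DirectorySynchronizationEnabled reports True instead of assuming it happened. The 30-minute timeout is an assumption; the MSOnline module (the Windows Azure Active Directory Module for Windows PowerShell) is assumed to be installed.

```powershell
# Added example, not from the original post: enable Directory Synchronization
# from PowerShell and wait until the tenant actually reports it as enabled.
# Assumes the MSOnline module is installed and you hold global admin rights.
Import-Module MSOnline

$cred = Get-Credential -Message 'Office 365 global administrator'
Connect-MsolService -Credential $cred

# Idempotent: only change the setting if it is not already enabled.
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
}

# Enabling is not instantaneous; poll the flag rather than assuming it is set.
$deadline = (Get-Date).AddMinutes(30)   # timeout is an assumption for this example
do {
    $enabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    if ($enabled) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($enabled) {
    'Directory Synchronization is enabled; proceed with the DirSync install.'
} else {
    throw 'Directory Synchronization still not enabled after 30 minutes; check the portal.'
}
```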
Prior to installing the Directory Sync tool you need to install .NET Framework 3.5, which can be installed as a Feature. To install it, open Server Manager and click Add Roles and Features.
On the first page select Role-based or feature-based installation and click Next:
On the next page select the server on which you want to install the feature and click Next:
On the Roles page you can simply click Next without selecting any roles. On the Select Features page, check the box for .NET Framework 3.5 Features and click Next:
Click Install on the final confirmation page to finish the installation:
Once you have .NET Framework 3.5 installed, it is time to download the tool:
- First log into the portal at http://portal.microsoftonline.com
- Click Users and Groups from the menu on the left
- Select Set Up next to the Active Directory synchronization link at the top of the page
- Scroll down to step four and click Download
- Once you have the file downloaded, go to the folder, right-click the file and select Run as administrator
- During the installation select all of the defaults
On the final page check the box Start Configuration Wizard Now and click Finish:
At the first screen enter your global admin credentials and click Next. Generally speaking, you want to create a dedicated service account in Office 365 for this purpose and set its password to never expire, but for the purposes of the demo I am just going to use my account.
On the next page enter the credentials of an Enterprise Admin account. This account is different from the previous account: it doesn't actually get stored in the tool. The Configuration Wizard uses the Enterprise Admin credentials to create the directory synchronization service account, MSOL_AD_Sync. The Configuration Wizard creates the service account as a domain account with directory replication permissions on your local Active Directory, with a randomly generated complex password that never expires.
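Because MSOL_AD_Sync is granted directory replication permissions, it is worth recording which principals hold those rights on the domain so the sync account is tracked alongside the built-in holders and nothing unexpected shows up in later reviews. The script below is an added example, not from the original post; the list of expected holders is an assumption for this example, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post: list the principals that hold the
# directory replication extended rights on the domain root, including the
# MSOL_AD_Sync account the Configuration Wizard creates.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

# Control-access-right GUIDs of the two replication extended rights.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

$domain = Get-ADDomain
$acl    = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $replicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Right    = $replicationRights[$_.ObjectType.ToString()]
        }
    }

$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Expected holders are an assumption for this example; tailor to your domain.
$expected = @('MSOL_AD_Sync', 'Domain Controllers', 'Enterprise Domain Controllers',
              'Enterprise Read-only Domain Controllers', 'Administrators',
              'Enterprise Admins', 'Domain Admins')
$holders |
    Where-Object { $_.Identity.Split('\')[-1] -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected replication right: $($_.Identity) holds $($_.Right)" }
```

Run it once after the wizard finishes to confirm MSOL_AD_Sync appears, and keep the output with your deployment records.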
On the next screen check the box* to Enable Exchange hybrid deployment and click Next. Finally, you can choose to synchronize the directories immediately:
*This assumes you plan on using Exchange Hybrid as part of your Office 365 migration. Enabling this option allows the Directory Synchronization tool to write back certain attributes from Office 365 to Active Directory. This adds support for features like cloud archives for on-premises mailboxes, off-boarding mailboxes from the cloud to on-premises Exchange servers, and letting on-premises filtering software take advantage of the safe and blocked senders users set in the cloud.
Below is a table of the Exchange "full fidelity" features whose attributes are added to write-back when hybrid mode is enabled:
- Filtering Coexistence: Writes back on-premises filtering and online safe and blocked sender data from clients.
- Online Archive: Enables customers to archive mail in Microsoft Online.
- Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.
- Enable Unified Messaging (UM) – Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration, to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.
The final screen will ask if you want to enable Password Synchronization. This is a relatively new feature that hashes the local AD password and puts a copy of that hash into Azure AD. This provides 'same sign-on' functionality, which should not be confused with single sign-on, a feature of Active Directory Federation Services (AD FS). For more information on Password Sync and AD FS check out these links:
Assuming you chose to sync your directories immediately, you can verify the process in one of two ways. You can look in the Event Viewer for Application log messages, or you can open the MIISClient. The MIISClient is located in the following path:
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
Once there, double-click MIISClient to run the app. When you first launch it you will see the status and can drill into the details of each step of the sync:
The most important thing for you to take away from this post is that planning and deploying a properly designed identity management solution for your Microsoft investment is critical to the success of your business. Without proper design considerations around how to link your various cloud offerings and how to properly deploy and configure the Directory Synchronization tool, your identity management solution may become unmanageable. The takeaways from this post are:
- Planning how to connect multiple Microsoft cloud services is key to manageability
- Proper deployment and configuration of the Directory Synchronization tool allows for single-source management across offerings