So, this is something I wanted to blog about a few months ago but it got pushed to the bottom of the list of things to do (As usual!).
Anyway… during the early adopter testing of the Office 365 service we had a number of customers who had deployed what was termed “Exchange Rich Coexistence” or “Hybrid” as it is termed now. At the time (12 months ago now!) the documentation to get this up and running was fairly patchy and it took quite a bit of trial and error to get things working as people wanted. However, most customers managed to get things working after 4 weeks or so and were able to begin testing…
Then came the problem… we had talked most of our customers through deploying DIRSYNC at around the same time (within a few days of each other), imagine our confusion when they all stopped working at pretty much the same time! Lots of red errors in the event logs… this was one of the errors from my test lab…
OK, so its pretty clear that we have an authentication problem, but which credentials, our terra-firma or cloud? and how do I fix it?
Well, it turns out that the the problem is pretty predictable… its caused by the 90 day password expiry policy applied to all Office 365 managed accounts, this will happen repeatedly every 90 days. In the case of our early adopters they all hit this within 2 days of each other because everyone was so keen to get up and running that they pretty much all installed DIRSYNC as soon as we made the code available!
Luckily we have a couple of ways around this…
- Establish an operations process every 90 days to change the password and reconfigure DIRSYNC
- Create a service account for DIRSYNC and disable password expiry
For this blog I will concentrate on option 2 and how to reconfigure DIRSYNC after you have created a new account.
Note: If you can create this managed account before setting up DIRSYNC for the first time, then you wont have to visit it again!
Creating an Office 365 service account for DIRSYNC…
The first thing we need to do is to create an Office 365 managed account to use for DIRSYNC. I find it easiest to do this in the GUI.
- Login to https://portal.microsoftonline.com as a tenant Administrator
- Under the Management menu, click on Users
- Click on New, then select User from the drop down
- Enter the appropriate details for the new user account and click next
- Assign the new account “Global Administrator” rights
- Complete the user creation process (You do not need to assign this user an Office 365 License!)
- Make a note of the temporary account password
- Start IE in “InPrivate” mode and browse to https://portal.microsoftonline.com
- Login with your new DISRYNC service account
- On first login Office 365 will prompt you to change the password
- Verify that you can logon to the Office 365 portal with your new account
Re-configuring DIRSYNC to use the new Office 365 service account…
Before we can complete this section, we are going to need a few bits of information…
- Local Active Directory Enterprise Administrator Account details and password
- DIRSYNC service account details and password in Office 365
- Logon to your DIRSYNC server
- Open Start –> All Programs > Microsoft Online Services –> Directory Synchronization : Directory Sync Configuration
- Click Next at the welcome screen
- Enter your new DIRSYNC service account details into the Microsoft Online Services Administrator Credentials box
- Click Next (DIRSYNC will validate your credentials)
- Enter your existing Enterprise Administrator Credentials into the Active Directory Enterprise Administrator Credentials box
- Click Next (DIRSYNC will validate your credentials)
- Enable the "Rich Coexistence” checkbox if you are deploying in “Hybrid” and want AD write-back
- Click Next
- DRSYNC Will re-configure itself to use the new account
- Ensure that the Synchronize directories now checkbox is checked and click “Finish”
- Start Event Viewer and open the Application Log
- Look for Directory Synchronisation Events 1 – 4 (4 means its finished “Export has completed”)
OK, so now we have a new account dedicated for DIRSYNC, but its password is still going to expire in 90 days…
Disabling password expiry on your Office 365 DIRSYNC service account…
Now, before we go through these steps it is important to realise that disabling your DIRSYNC service account password expiry has some obvious security risks involved. This is a powerful account with full rights to your tenant, if it gets compromised then so does your entire tenant! Make sure that you fully understand these risks before continuing and discuss appropriately with your security team.
OK, so assuming you have decided to go ahead this is what we will need…
Install the Microsoft Online Sign-In Assistant
- Microsoft Online Services Sign-In Assistant 32-bit
- Microsoft Online Services Sign-In Assistant 64-bit
Install the Microsoft Online Services Module for PowerShell
- Microsoft Online Services Module for Windows PowerShell 32-bit
- Microsoft Online Services Module for Windows PowerShell 64-bit
Launch a PowerShell Window and run the following commands…
Once connected we have access to some new MSOL Remote PowerShell cmdlets. We are going to make use of the get-msoluser and set-msoluser cmdlets.
Firstly, lets take a look at our DIRSYNC service account as it was originally created
- get-msoluser –userprincipalname firstname.lastname@example.org | fl
As you can see from the output, PasswordNeverExpires is to to False, this means that our service account user will inherit the standard 90 day password expiry policy. To change this we need to issue the following command…
- Set-MsolUser -UserPrincipalName email@example.com -PasswordNeverExpires $true
If we then repeat the earlier command, we can see that now PasswordNeverExpires is now set to True
OK, so now we are done! DIRSYNC will no longer require that your account password is changed every 90 days.
This is a more interesting topic than I had originally, thought, the actual process to configure a service account without password expiry is relatively quick and simple, however there are significant security implications from having an Office 365 account that never requires its password to be changed with such high access rights.
For me what this configuration does is to put the control back into the hands of the Administrator – you now have control over when you change your service account password. My experience with fixed password expiry on service accounts is that eventually the password will expire when the person responsible for that service is on leave or away sick and nobody else knows what to do – this is a recipe for further disaster.
I would recommend combining this solution for disabling password expiry with an operations process to change the password regularly. This process should be documented clearly and executed regularly to meet your security policies. This approach gives you the flexibility of being able to choose your own account password change policy, without the risk of the password expiring and stopping your directory sync process from working.