
Table of Contents

Introduction                                               2
Azure ADSync Requirements/Prerequisites:                   2
    Software Requirements                                  2
    Hardware Requirements                                  2
Service Accounts for Azure AD Sync Tool                    3
    On Premises Service Account to connect to AD DS:       3
    Office 365 Service Account:                           13
Azure AD Sync Installation                                15
Azure AD Sync Filtering Types                             24
    OU Based Filtering                                    24
    Domain Based Filtering                                29
    Attribute Based Filtering                             31
        Inbound Filtering                                 32
        Outbound Filtering                                35
Azure AD Synchronization using PowerShell                 36
    Azure AD Full Synchronization                         36
    Azure AD Delta Synchronization                        36
    Azure AD Password Synchronization                     37
    Verifying Manual Synchronization                      37
Change Default Sync time of Azure AD Sync                 38
    Default Synchronization                               38

Introduction

This guide will walk you through, step by step, installing and configuring the Azure AD Sync tool to synchronize on-premises identities with Office 365. You can download the most recent version of Azure AD Sync from the Microsoft website.

Azure Active Directory Sync is the new synchronization service that allows customers to do the following:

- Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2.
- Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!).
- Configure multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant.

More details on the Azure AD Sync tool can be found on TechNet.

Azure ADSync Requirements/Prerequisites:

Software Requirements

- Windows Server 2008, 2008 R2, 2012 or 2012 R2
- .NET Framework 4.5 installed
- PowerShell (preferably PS3 or better)
- An account with local administrator privileges on the computer where you install Azure AD Sync

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server) is installed and the service account for the service is created on the local machine. SQL Server Express has a 10 GB size limit, which lets you manage approximately 100,000 objects.

Hardware Requirements

Microsoft recommends sizing the hardware based on the number of objects you want to synchronize with Office 365. Below are Microsoft's recommended hardware requirements for the Azure AD Sync tool based on the number of objects.

Ref: https://msdn.microsoft.com/en-us/library/azure/jj151831.aspx?f=255&MSPPError=-2147217396

Service Accounts for Azure AD Sync Tool

We need two service accounts for the Azure AD Sync installation, as listed below.

1. Local Active Directory user account

2. Office 365 user account (Global Admin rights)

On Premises Service Account to connect to AD DS:

The on-prem service account is required to read user information from the local Active Directory. Additional permissions are required for Password Write Back and other optional features of the Azure AD Sync tool. To create a service account in the local Active Directory, log on to any writable domain controller and follow the steps below.

With an admin account, create a user account in AD for the AAD Sync service account.

Once the Active Directory account is created, log in to the Azure AD Sync server and add the newly created AD account to the local admin group on the AAD Sync server.

Log off the AAD Sync server and log in to the domain controller to assign the appropriate permissions to the AAD Sync service account.

o The on-prem service account requires the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions in the local Active Directory. To assign these permissions, make sure that "Advanced Features" are enabled for the domain.

Configure the "Reset Password" and "Change Password" extended rights for the AAD Sync service account in Windows 2012 R2. To assign the appropriate permissions, right-click the domain name –> Properties –> Security.
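The two replication rights and the two password rights granted above are among the most sensitive permissions in a domain: a holder of "Replicating Directory Changes All" can replicate every attribute of every object, password hashes included, and "Reset Password" lets the holder set any user's password. The list of principals that hold them should therefore stay short and be reviewed after the steps above. The following PowerShell script is an added example, not part of this guide: it reads the domain root ACL through the ActiveDirectory module's AD: drive and lists every Allow entry for those four extended rights. The GUIDs are the schema's well-known controlAccessRight identifiers; an account that can read the domain ACL and the RSAT ActiveDirectory module are assumed.

```powershell
# Added example (not from the guide): list who holds the replication and password
# extended rights that the guide assigns to the AAD Sync service account.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain root ACL.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema (controlAccessRight objects).
$watchedRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}

function Get-SensitiveRightHolders {
    param([string]$DistinguishedName = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extendedRight) -and
            $watchedRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $watchedRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
                AppliesTo = $_.InheritanceType
            }
        } | Sort-Object Right, Identity
}

# Review the output: besides Domain Controllers, Enterprise Domain Controllers,
# Administrators/Domain Admins and the AAD Sync service account, nothing else
# should normally appear for the two replication rights.
Get-SensitiveRightHolders | Format-Table -AutoSize
```

Run it on a domain controller or any domain-joined host with RSAT after assigning the rights, and keep the output with your change record so later reviews can diff it against the expected set of holders.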

Additional rights that are required for the service account to use the write back feature:

Object Type          Data source Attribute       Permission / Access Right   Inheritance
Contact              proxyAddresses              Write                       The child objects only
Group                proxyAddresses              Write                       The child objects only
User/InetOrgPerson   msExchArchiveStatus         Write                       The child objects only
                     msExchBlockedSendersHash    Write                       The child objects only
                     msExchSafeRecipientsHash    Write                       The child objects only
                     msExchSafeSendersHash       Write                       The child objects only
                     msExchUCVoiceMailSettings   Write                       The child objects only
                     msExchUserHoldPolicies      Write                       The child objects only
                     proxyAddresses              Write                       The child objects only

Office 365 Service Account:

The Office 365 service account is used to read and write user information to the Office 365 directory (Azure Active Directory). The Office 365 account needs to be a Global Admin, and as a best practice its password expiry should be set to "NeverExpire".

Create a user account on Office 365 and assign Global Admin rights to the account.

Now we're set up with the prerequisites of the Azure AD Sync tool and ready to start the installation of the tool.

Azure AD Sync Installation

To install the Azure AD Sync tool, log in to the Sync server using the on-prem local Active Directory service account. In our case, the local Active Directory service account name is [email protected]. You can download the most recent version of Azure AD Sync from the following link on the Microsoft website.

If there are 100,000 or fewer objects in AD to sync to Office 365 you can use SQL Express; if more objects are needed then a full version of SQL is required.

The minimum recommended hardware requirements for the synchronization server in relation to how many objects you have in your on-premises Active Directory can be found on TechNet.

It's recommended that you use a separate machine for the Azure AD Sync tool installation. The Azure AD Sync tool should not be installed and configured on a Domain Controller or ADFS server, as this is not recommended.

Let's get started with the installation of the Azure AD Sync tool. To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe.

Once you run the executable, click YES on the User Account Control pop-up to start the process.

Windows Azure AD Sync setup will begin; specify the path to install the tool. In our case, we're using the default installation path.

Once you click Install, Azure AD Sync will start installing components like SQL Express, Connectors etc.

After the installation of the required components is completed, you'll be prompted with the screen below to provide your Azure AD credentials. These need to be your Office 365 Global Admin credentials. We're using [email protected] as the service account, which we have already created on Office 365.

After connecting to Office 365 using the Global Admin credentials, the next screen will be presented to enter your on-prem Active Directory account credentials. In our case, we've already set up a service account in our local Active Directory and we will use the same account here, as shown below.

After providing the credentials, click on Add Forest and the Active Directory forest will be added as shown below. Repeat the same steps to add multiple forests.

The next screen will be presented for User Matching; you can uniquely identify your users based on the criteria defined here. We're using the default settings.

The next screen will be presented to choose the Optional Features and the new features that come with the Azure AD Sync tool.

Once you're done with all the information and the tool is able to connect to both on-prem AD and Office 365 using the credentials provided during the configuration, click Configure to start the configuration.

Once the configuration is completed, click Finish and the wizard begins the process of synchronizing on-prem identities with Office 365.

To verify that the users have been synchronized with Office 365, log in to Office 365 –> Users –> Active Users and verify the last sync time and status.

By default, the Azure AD Sync tool synchronizes with Office 365 every 3 hours. We can change this interval at any time.

The Azure AD Sync tool is now installed. It's time to configure the filtering options so that only the users we want to sync are synchronized with Office 365.

Azure AD Sync Filtering Types

The Azure AD Sync tool supports three types of filtering, and you can choose the type of filtering based on your requirements:

1. OU Based Filtering

2. Domain Based Filtering

3. Attribute Based Filtering

You can enable filtering in Azure AD Sync at any time. If you have already run the default configuration of directory synchronization and then configure filtering, the objects that are filtered out are no longer synchronized to Azure AD. As a result, any objects in Azure AD that were previously synchronized but are then filtered are deleted in Azure AD. If objects were inadvertently deleted because of a filtering error, you can re-create the objects in Azure AD by removing your filtering configuration and then synchronizing your directories again.

OU Based Filtering

With organizational unit based filtering, you can explicitly specify which OUs can synchronize with Office 365. In our case I've only synchronized 2 OUs with Office 365: "Users" and "Admin Users". To set up OU filtering, follow the steps below.

Log in to the Sync server using the local Active Directory service account for Azure AD Sync. In our case we're using [email protected] as the service account and I've logged in to the server using [email protected].

Browse to "C:\Program Files\Microsoft Azure AD Sync\UIShell" and run "MIISClient".

After running the client, click on "Connectors" to modify the connectors for filtering.

Select the on-prem AD connector and go to Properties –> Configure Directory Partition –> Containers. The on-prem connector type will always be "Active Directory Domain Services".

Uncheck the OUs which you don't want to synchronize. By default all OUs will be selected.

Click OK and close the MIISClient. OU filtering has been set.

Domain Based Filtering

At times you need to work with multiple domains, for a large organization or one with multiple business units. A scenario arises when one of your business units moves to Office 365 and the rest of the business units remain on their existing systems. Requirements like synchronizing only the users with a specific UPN/domain can be achieved using domain based filtering. Using domain based filtering, you can specify which users can synchronize with Office 365 based on their domain name. The steps to set up domain based filtering are as below.

Run MIISClient –> Connectors –> On Prem Connector –> Properties

Go to Configure Directory Partitions –> Select Directory Partition and select the domains which you want to synchronize with Office 365. In our case, we have 2 domains installed in our lab (mstechtalk.com and contoso.mstechtalk.com) and we're only synchronizing mstechtalk.com users with Office 365. All other partitions and domains are unchecked.

We can apply all 3 types of filtering to synchronize the required users. Sometimes domain filtering does not clear up your run profile for other domains and you need to manually remove your run profile to complete the domain filtering.

Attribute Based Filtering

Attribute based filtering is used to synchronize on-prem users with Office 365 based on attribute field values.

There are several ways to configure filtering based on attributes. Configuration on inbound from AD is recommended, since these configuration settings will be kept even after an upgrade to a newer version. Configuration on outbound to AAD is supported, but these settings will not be kept after an upgrade to a newer version and should only be used when it is required to look at the combined object in the metaverse to determine filtering.

Inbound Filtering

To set up inbound filtering, go to the "Synchronization Rules Editor" on the sync server. You can find the "Synchronization Rules Editor" in the Start menu on Windows Server 2012 R2.

Make sure that the Inbound rule type is selected on the left side and click on Add New Rule.

Select the Connected System (source forest) and set the CS Object Type to user, because we're doing filtering based on users.

The Name field is the name of the rule. Connected System is the source, such as the Active Directory forest. The Connected System Object Type is the type of AD object, like user, group, contact etc. Link Type is the action which you want your rule to perform. It has 3 values or actions: Join, StickyJoin or Provisioned. The Join action will merge or update the object; the Provisioned action will create the object. The Link Type option will be superseded by the Join rule configured in a later step.

Click Next. As we're synchronizing with Office 365 only those users whose company field value is either "MS Tech Talk" or null, we do not need to configure anything in Scoping Filter and Join Rules. (This needs to be configured in more detail based on your filtering.)

On the Transformation screen, add the following expression and click the ADD button:

IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>"MS Tech Talk","DoNotSync",NULL))
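Because a filtering mistake deletes previously synchronized objects from Azure AD (see the note at the start of the filtering section), it pays to preview what the transformation would assign to each user before the rule goes live. The following PowerShell script is an added example, not part of this guide: it re-implements the IIF expression above as a function, runs it over a few constructed sample users, and shows how the same preview can be run over the real directory with Get-ADUser. One assumption is labelled in the code: the rule engine's <> comparison is treated as case-insensitive, like PowerShell's -ne; the guide does not say how the engine compares strings.

```powershell
# Added example, not from the guide: preview what the inbound rule's transformation
#   IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>"MS Tech Talk","DoNotSync",NULL))
# would assign to each user before the rule is put into production.
# Assumption: the rule engine's <> behaves like PowerShell's case-insensitive -ne.

function Get-CompanyFilterValue {
    param([AllowNull()][AllowEmptyString()][string]$Company)
    if ([string]::IsNullOrEmpty($Company)) { return $null }      # IsNullOrEmpty([company]) -> NULL, user syncs
    if ($Company -ne 'MS Tech Talk')      { return 'DoNotSync' } # [company] <> "MS Tech Talk" -> DoNotSync
    return $null                                                  # company matches -> NULL, user syncs
}

function Get-FilterPreview {
    # Takes objects with SamAccountName and Company properties (pipeline input)
    # and reports the rule value plus whether the user would still sync.
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $value = Get-CompanyFilterValue -Company $User.Company
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Company        = $User.Company
            RuleValue      = $value
            WillSync       = ($null -eq $value)
        }
    }
}

# Constructed sample users; not real directory data.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Company = 'MS Tech Talk' }   # syncs
    [pscustomobject]@{ SamAccountName = 'bob';   Company = '' }               # empty -> syncs
    [pscustomobject]@{ SamAccountName = 'carol'; Company = 'Contoso' }        # DoNotSync
    [pscustomobject]@{ SamAccountName = 'dave';  Company = $null }            # null -> syncs
)
$sampleUsers | Get-FilterPreview | Format-Table -AutoSize

# Same preview against the live directory (needs the ActiveDirectory module);
# uncomment to list every user the rule would tag DoNotSync:
# Get-ADUser -Filter * -Properties company |
#     Select-Object SamAccountName, @{ n = 'Company'; e = { $_.company } } |
#     Get-FilterPreview | Where-Object { -not $_.WillSync }
```

Compare the live preview against the set of accounts that already exist in Office 365: any account that appears in the DoNotSync list but is present in the tenant will be deleted there on the next sync once the rule is active.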

It is recommended to use inbound filtering; outbound filtering is not recommended. More information on attribute based filtering can be found on TechNet.

Outbound Filtering

To perform outbound filtering, run the "Synchronization Rules Editor" and make sure the rule type "Outbound" is selected. Click on Add Rule on the right-hand side, provide the parameters for Connected System and CS Object Type, and define the rules based on your requirement.

Outbound filtering is recommended and used in a Resource Forest / Account Forest topology. It is recommended to perform a Full Sync after configuring filtering.

A couple of examples of attribute based filtering can be found on David's blog here and here.

Azure AD Synchronization using PowerShell

We're done with the installation of the Azure AD Sync tool and have set up the filtering to fulfil the requirements of user synchronization, but at times you need to run/force a manual sync to synchronize with Office 365. Now it's time to learn how, as an administrator, you can do so.

Azure AD Full Synchronization

We have a utility called DirectorySyncClientCmd.exe which executes the sequence of actions to synchronize on-prem identities with Office 365.

To run a full synchronization, browse to "C:\Program Files\Microsoft Azure AD Sync\Bin" from Windows PowerShell and run the command .\DirectorySyncClientCmd.exe Initial as shown below. "Initial" will perform a full synchronization.

It's recommended that you perform a full synchronization after making a major change in your Azure AD Sync configuration, like enabling password synchronization for users.

Azure AD Delta Synchronization

To perform delta synchronization with Office 365, we use the same executable to perform delta synchronization of users from on-prem to Office 365. By default the Azure AD Sync tool performs a delta sync every 3 hours. Later in this article we'll learn how to change the default sync time of the tool. To perform delta synchronization we use the .\DirectorySyncClientCmd.exe executable with the Delta keyword as shown below.

Azure AD Password Synchronization

Password Sync was one of those features which helped a lot of enterprises manage their users' password policies and change management from the local Active Directory. Password Synchronization enables users to log into Office 365 and other Microsoft online services like Intune, CRM etc. using the same password they use to log into their on-premises infrastructure. It is important to note that this feature does not provide a Single Sign-On solution, because there is no token sharing in the Password Sync process. This feature is also referred to as Same Sign-On.

Active Directory Domain Services that are configured for FIPS are not compatible with the Password Sync feature. During Password Synchronization the plain-text version of a user's password is exposed neither to the password sync tool nor to Azure AD or any of the associated services. The Azure AD Sync tool synchronizes the user's password in the form of a hash.

When you have password synchronization enabled, the password complexity policy and password expiry policy on Office 365 will no longer apply and the on-prem policies will be applicable.

To perform a Password Synchronization, we need to run the "Password Synchronization with Office 365 using Azure AD Sync" script. You can download this script from TechNet.

More details on password synchronization can be found on TechNet.

Verifying Manual Synchronization

To verify the Full and Delta synchronization, log in to the Office 365 portal and browse to Users –> Active Users and check the last sync time. You can also check the MIISClient for the last sync time and status of the sync.

To verify that the password synchronization completed successfully, go to Event Viewer –> Application log and look for Event IDs 656 and 657, as shown below.
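The manual sync commands in the Full and Delta sections and the event-log check above fit naturally into one script that an administrator can run after a configuration change. The following PowerShell is an added example, not part of this guide: it runs DirectorySyncClientCmd.exe in Initial or Delta mode from the guide's default install path and then queries the Application log for Event IDs 656 and 657. Two assumptions are labelled in the code: the default installation path, and that a non-zero exit code from DirectorySyncClientCmd.exe means the run did not complete (the guide does not document its exit codes).

```powershell
# Added example, not from the guide: force a sync with DirectorySyncClientCmd.exe and
# then check the Application log for the password-sync events (IDs 656 and 657)
# the guide says to look for.
# Assumptions: default install path; a non-zero exit code means the run failed.

$SyncCmd = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'

function Invoke-AadSync {
    # 'Initial' = full synchronization, 'Delta' = delta synchronization (the guide's keywords).
    param([ValidateSet('Initial', 'Delta')][string]$Mode = 'Delta')

    if (-not (Test-Path -LiteralPath $SyncCmd)) {
        throw "DirectorySyncClientCmd.exe not found at $SyncCmd"
    }
    $proc = Start-Process -FilePath $SyncCmd -ArgumentList $Mode -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "DirectorySyncClientCmd.exe $Mode exited with code $($proc.ExitCode)"
    }
    Write-Host "$Mode sync finished at $(Get-Date -Format s)"
}

function Get-PasswordSyncEvents {
    # Application-log events 656/657 written since $Since.
    # Default window: the last 3 hours, i.e. one default scheduler interval.
    param([datetime]$Since = (Get-Date).AddHours(-3))

    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$started = Get-Date
Invoke-AadSync -Mode Delta
Get-PasswordSyncEvents -Since $started | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Sync server as the on-prem service account. If no 656/657 events appear in the window right after the run, call Get-PasswordSyncEvents with an earlier -Since value: the events are written by the password sync process, and the guide only states that they are the ones to look for, not that every delta run produces them.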


Change Default Sync time of Azure AD Sync

Default Synchronization

By default the Azure AD Sync tool synchronizes with Office 365 every 3 hours, just like the DirSync tool. DirSync determines the time to synchronize with Office 365 using the Microsoft.Online.DirSync.Scheduler.exe.config file located in "C:\Program Files\Microsoft Online Directory Sync", but this has changed with the new Azure AD Sync tool: now Windows Task Scheduler determines the sync interval, and that is where we modify it.

By default, the Azure AD Sync schedule runs every 3 hours, executed by a scheduled task. This scheduled task actually runs DirectorySyncClientCmd.exe in the backend and performs a delta sync.

To modify the default synchronization time, we need to perform the following steps.

Log on to the Sync server using the on-prem Sync service account. In our case, we're using [email protected] as the service account.

Go to the Start menu and search for Windows Task Scheduler.

In the Task Scheduler Library, you can notice that a task with the name "Azure AD Sync Scheduler" is defined to trigger every 3 hours.

We can't modify the task while it's enabled. To modify the schedule, right-click the task –> click Disable to disable the task, as shown below.

After disabling the task, double-click the task and go to Triggers, as shown below.

Select the trigger and click on Edit to edit the schedule trigger. Currently you can see the trigger is defined to run every 3 hours and it's set to repeat indefinitely.

From the drop-down menu of "Repeat task every", select the interval after which you want to trigger Azure AD sync with Office 365. In our case I've modified the time to 10 minutes.

Click OK to close the trigger editor. Click OK on Azure AD Sync Scheduler Properties as well to complete the process.

When you click OK on Azure AD Sync Scheduler Properties, it will prompt you to enter the password of the Microsoft account created during the installation and configuration, but we can replace that account with our Azure AD Sync on-prem service account. Enter your on-prem Azure AD Sync service account credentials and hit OK.

After modifying the trigger settings, you can see that you have successfully modified the default sync time of the Azure AD Sync tool to 10 minutes.

The last action that we need to perform after changing the default sync time is to enable the scheduler by right-clicking the task and clicking Enable.
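The same disable, edit trigger, re-enable sequence can be scripted so that the change is repeatable and leaves a record of what the task looked like before and after. The following PowerShell is an added example, not part of this guide: it uses the ScheduledTasks module (Windows Server 2012 and later) to set the repetition interval of the "Azure AD Sync Scheduler" task to 10 minutes, matching the guide's value, and then prints the trigger and the account the task runs as. It assumes the task has a single trigger with a start boundary; the task name comes from the guide.

```powershell
# Added example, not from the guide: change the repetition interval of the
# "Azure AD Sync Scheduler" task with the ScheduledTasks module instead of the GUI.
# Assumptions: task name as in the guide; the task has one trigger with a StartBoundary.

$taskName    = 'Azure AD Sync Scheduler'
$newInterval = New-TimeSpan -Minutes 10   # the guide's chosen value

function Set-AadSyncInterval {
    param([string]$TaskName, [TimeSpan]$Interval)

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop

    # Record the current trigger so the change can be rolled back or audited.
    $before = $task.Triggers[0].Repetition.Interval
    Write-Host "Current repetition interval: $before"

    # The guide disables the task before editing it; do the same here.
    Disable-ScheduledTask -TaskName $TaskName | Out-Null

    # Keep the existing start time; only the repetition interval changes.
    $start = if ($task.Triggers[0].StartBoundary) { Get-Date $task.Triggers[0].StartBoundary } else { Get-Date }
    $trigger = New-ScheduledTaskTrigger -Once -At $start `
        -RepetitionInterval $Interval -RepetitionDuration ([TimeSpan]::MaxValue)   # indefinitely

    # If the task runs under a stored user account, Set-ScheduledTask may need
    # -User and -Password with the on-prem service account, as the GUI prompts for.
    Set-ScheduledTask -TaskName $TaskName -Trigger $trigger | Out-Null

    Enable-ScheduledTask -TaskName $TaskName | Out-Null

    # Verify: show the new trigger and which identity the task runs as.
    $task = Get-ScheduledTask -TaskName $TaskName
    $task.Triggers | Select-Object StartBoundary, @{ n = 'Every'; e = { $_.Repetition.Interval } }
    $task.Principal | Select-Object UserId, LogonType, RunLevel
}

Set-AadSyncInterval -TaskName $taskName -Interval $newInterval
```

The Principal line in the output is worth checking after the change: the task should run as the on-prem Azure AD Sync service account the guide set up, not as the installing administrator's account.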