Follow me on Twitter @AntonioMaio2

Monday, December 15, 2014

Identity Synchronization between Active Directory and SharePoint Online - Part 2

This article is the second in a series on how to configure identity synchronization between on premise Active Directory and SharePoint Online within Office 365.

Part 1
In the previous post in this series we started this topic by covering the following:
-          Introducing the concepts of Identity Synchronization and Federation
-          How to synchronize a .local domain
-          How to prepare Active Directory for Directory Synchronization
                                                                                           
You can access part 1 in this series here: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142.
 
We’ll continue here with the step by step process of setting up Directory Synchronization between your on premise Active Directory domain and your Office 365 tenant.


Setup Your Domain in Office 365
The next step in the process of setting up directory synchronization is registering your domain in your Office 365 tenant.  You do this by logging in to your Office 365 tenant as a tenant administrator and clicking DOMAINS in the left hand menu.

You’ll see your Office 365 domain listed (*.onmicrosoft.com), but you need to add your on premise domain to this list and Microsoft needs to verify that you own that domain.  This must be a publicly routable internet domain and it must be the same domain that you setup as the Alternate UPN Suffix in the 1st post in this series.
 
Click +Add domain in center of the window.   

There are 3 steps in the process of adding a domain:


Step 1, specifying the domain name and confirming ownership, is the most critical step for Directory Synchronization.
 
-          Click Start Step 1 and specify the domain name.  In my case I used maiolabs.com.  Click Next.
-          Now you’ll need to confirm that you own this domain.  This can be done a couple of different ways.

If your domain is managed at GoDaddy, Office 365 will allow you to confirm ownership simply by performing a secure login to your GoDaddy account that you use to manage this domain.  To do this, click Confirm Ownership on the screen above.  A window will appear asking you to sign into your GoDaddy account.

If you use this option to confirm ownership of your GoDaddy domain, the process will complete immediately and you can continue to Step 2 and Step 3 with adding a domain. 

Alternatively, if you manage your domain elsewhere, you can follow the manual steps required to verify ownership.  Simply click Follow the manual steps in the window above.

The manual steps require you to add a particular record to your DNS configuration at your DNS hosting provider.  I typically add the TXT record with the value Microsoft provides here because it is simple to do.  Once the record is added, come back here and click Done, verify now.  This usually does not succeed immediately after adding the DNS record: you often have to wait several hours for the record to propagate and become visible.  You can return to DOMAINS in your Office 365 tenant later and try to verify again.

Ensure that you enter the value exactly as shown.  It can take up to 72 hours for the updated DNS record to become visible to Office 365, and a typo in the value means waiting all over again.
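As an added example (not part of the original post), the following PowerShell checks whether the TXT record is already visible from public resolvers before you click Verify Now, and flags a value that looks like the Office 365 token but does not match it exactly, which is the typo case just described.  The domain, the token value and the resolver addresses are placeholders; use the value Office 365 shows you.  Resolve-DnsName ships with Windows Server 2012 and later.

```powershell
function Test-O365DomainTxt {
    <#
      Query each resolver directly for the domain's TXT records and report whether the
      verification token Office 365 gave you is present. Added example, not Microsoft's code.
    #>
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [string] $Token,            # e.g. 'MS=ms12345678' (placeholder)
        [string[]] $Resolvers = @('8.8.8.8', '208.67.222.222')      # assumed public resolvers
    )

    foreach ($server in $Resolvers) {
        try {
            # -DnsOnly bypasses the local cache so you see what the resolver really holds now.
            $records = Resolve-DnsName -Name $Domain -Type TXT -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'TXT' }
            # A TXT record may carry several strings; join them before comparing.
            $values = @($records | ForEach-Object { ($_.Strings -join '') })
        }
        catch {
            $values = @()   # resolver unreachable or no TXT records yet
        }

        # Exact match is what Office 365 needs; a value that starts with 'MS=' but differs
        # is almost always a typo in what was pasted at the DNS host.
        $exact    = $values -contains $Token
        $nearMiss = @($values | Where-Object { $_ -like 'MS=*' -and $_ -ne $Token })

        [pscustomobject]@{
            Resolver   = $server
            TokenFound = $exact
            NearMiss   = ($nearMiss -join ', ')
            AllTxt     = ($values -join ' | ')
        }
    }
}

# Usage: run from any workstation; click Verify Now once every resolver shows TokenFound = True.
$results = Test-O365DomainTxt -Domain 'maiolabs.com' -Token 'MS=ms12345678'
$results | Format-Table -AutoSize

$typos = @($results | Where-Object { $_.NearMiss })
if ($typos.Count -gt 0) {
    Write-Warning "An MS= value was found that does not match the token exactly, check for a typo: $($typos.NearMiss -join ', ')"
}
elseif (@($results | Where-Object { -not $_.TokenFound }).Count -gt 0) {
    Write-Warning 'Token not visible from every resolver yet; DNS changes can take hours (up to 72) to propagate.'
}
else {
    Write-Host 'Token visible from all resolvers; go back to DOMAINS and click Verify Now.'
}
```

On Windows Server 2008 R2, which lacks Resolve-DnsName, the same check can be done by hand with `nslookup -type=TXT maiolabs.com 8.8.8.8` and comparing the returned text against the token.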

Once the domain ownership is verified, you proceed through Step 2 and Step 3 of the add domain process, but each of those steps can be skipped once you are in it.  When Step 3 is complete, your publicly routable internet domain appears in your domain list with the status Setup complete.
 
Activate Directory Synchronization in Office 365
The next step in this process is to activate directory synchronization in your Office 365 tenant.  You do this by clicking USERS in the menu on the left and then clicking Set up beside Active Directory synchronization.

Clicking Set up will bring up the following screen.  Click the Activate button.

This will bring up a confirmation window which contains a very important point about this process.

The important point here is that once identities and groups are synchronized to Office 365 from an on premise AD domain, those objects become read-only in Office 365 and can only be edited in the on premise AD domain.  Click Activate here to continue.

Installing and Configuring the Directory Synchronization Server On Premise
Now it’s time to actually install and configure the Directory Synchronization server - this server application is also called DirSync and the install file is DirSync.exe.  You can download DirSync.exe by clicking USERS in the left hand menu, then clicking Set up beside Active Directory synchronization as shown above, and then clicking the Download button.

DirSync must be installed on a domain joined server.  Earlier releases of DirSync could not be installed on a domain controller at all; current releases allow it, but installing on its own dedicated member server is still recommended, because whoever controls the DirSync server controls a service account with read access (and, with hybrid deployment, write access to some attributes) across the whole forest.  Ensure that you have the following prerequisites in place for the Directory Synchronization Server before proceeding with the install:

-          Domain joined to the Active Directory forest you will be synchronizing.

-          64 bit Windows Server operating system (2008 with SP1 or later, 2008 R2 with SP1 or later, 2012, or 2012 R2; Standard, Enterprise or Datacenter edition)

-          .NET Framework 3.5.1 (3.5 SP1) and .NET Framework 4.0 must both be installed

-          PowerShell must be enabled in Windows Server 2008


Other notes:

-          Access to the computer running DirSync should be limited to users who already have permissions to make changes to the Active Directory domain controllers.  Treat the server like a domain controller: it holds the credentials of a service account that can read every domain in the forest, so the local Administrators group should be as small as on a DC.

-          Ensure that the Microsoft Online Services Sign-In Assistant is not already installed.  If it is, uninstall it.  The DirSync installer tries to install it itself, and the entire installation fails if it is already present.

-          Only 1 instance of DirSync can be installed within an on premise AD forest

-          DirSync will synchronize all domains within the AD forest
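The prerequisites and notes above can be checked before running the installer.  The following PowerShell pre-flight script is an added example, not part of the original post or of the DirSync installer: it reads the OS, .NET and uninstall information from WMI and the registry, tells you whether the box is a domain controller, and lists the local Administrators group so you can confirm access is really as restricted as recommended.  The kernel version used for the OS check is an assumption drawn from the list above (Windows Server 2008 SP1 reports 6.0.6001).

```powershell
function Test-DirSyncPrereqs {
    # Added example: gather the facts the prerequisites list asks for, on the server that
    # will run DirSync. Run it in an elevated PowerShell session.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # .NET versions are recorded in the registry: an Install DWORD of 1 means installed.
    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $net35 = (Get-ItemProperty "$ndp\v3.5"    -ErrorAction SilentlyContinue).Install -eq 1
    $net4  = (Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue).Install -eq 1

    # The installer fails if the Sign-In Assistant is already present, so look for it in
    # both the 64-bit and the 32-bit uninstall hives.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $sia = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Microsoft Online Services Sign-in Assistant*' }

    # Local Administrators: anyone here can take over the DirSync server and the service
    # account it holds, so the list should be as short as the note above requires.
    $group  = [ADSI]'WinNT://./Administrators,group'
    $admins = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    [pscustomobject]@{
        ComputerName           = $cs.Name
        DomainJoined           = [bool]$cs.PartOfDomain
        Domain                 = $cs.Domain
        IsDomainController     = ($cs.DomainRole -ge 4)           # 4 = backup DC, 5 = primary DC
        OSCaption              = $os.Caption
        OSVersion              = $os.Version
        OSVersionOk            = ([version]$os.Version -ge [version]'6.0.6001')   # assumption: 2008 SP1
        Is64Bit                = ($os.OSArchitecture -eq '64-bit')
        DotNet35Installed      = $net35
        DotNet4Installed       = $net4
        SignInAssistantPresent = [bool]$sia
        LocalAdministrators    = ($admins -join ', ')
    }
}

# Usage: print the report, then turn the checks into warnings to clear before installing.
$r = Test-DirSyncPrereqs
$r | Format-List

if (-not $r.DomainJoined)  { Write-Warning 'Server is not domain joined.' }
if ($r.IsDomainController) { Write-Warning 'This is a domain controller; a dedicated member server is recommended.' }
if (-not $r.Is64Bit)       { Write-Warning '64-bit Windows is required.' }
if (-not $r.OSVersionOk)   { Write-Warning "Unsupported OS version $($r.OSVersion)." }
if (-not ($r.DotNet35Installed -and $r.DotNet4Installed)) {
    Write-Warning '.NET 3.5.1 and .NET 4.0 are both required.'
}
if ($r.SignInAssistantPresent) {
    Write-Warning 'Uninstall the Microsoft Online Services Sign-In Assistant first; the DirSync installer fails otherwise.'
}
```

The report also prints the local Administrators membership; review it against the access note above rather than just counting it, because nested domain groups expand to far more people than the list suggests.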

To install and run DirSync, you must have the following permissions:

-          Local administrator permissions to the computer running the Directory Synchronization server

-          Administrator permission to the local Active Directory forest (membership of the Enterprise Admins group)

-          A service administrator in the Office 365 tenant

During the DirSync install process, you’ll need to provide the username and password for the on premise Active Directory administrative account and for the service administrator in Office 365.  The Configuration Wizard uses these to create a service account that reads from the local Active Directory and writes to Azure AD: an on premise account (MSOL_AD_Sync) that is granted the rights it needs on the forest, and a matching account in the tenant.  The Enterprise Admin credentials you type are used only to create and authorize that service account and are not stored on the DirSync server, which is why both sets of credentials must be supplied during the installation process.

You can deploy and host DirSync within an Azure VM as long as you have network connectivity between your on premise network and your Azure Virtual Network.  However, that's beyond the scope of this article.

Installing DirSync.EXE
Once you’ve downloaded DirSync.exe to the Directory Synchronization server, start the installation process:

-          Welcome screen - click Next

-          Accept the EULA and click Next

-          Select the installation folder and click Next

-          The installation process takes about 10 minutes

-          When the installation process is complete, ensure the Start Configuration Wizard now check box is on and click Finish

DirSync Configuration Wizard
Once the configuration wizard starts, you’ll be asked to specify the Azure Active Directory Administrator credentials.  Enter the username and password of the service administrator account for Office 365 and click Next.

You’ll then be asked to specify the Active Directory Enterprise Administrator credentials.  Enter the username and password of a user who is a member of the Enterprise Admins group in the local Active Directory and click Next.


-          You’ll then be asked if you would like to Enable Hybrid Deployment.  This is the Exchange hybrid (rich coexistence) option: it lets Office 365 (Azure Active Directory) write a small set of Exchange related attributes (for example proxy addresses and safe and blocked sender lists) back into the on premise Active Directory, and the wizard grants the service account write permission on those attributes to make that work.  It does not write passwords back; a password changed in Office 365 is not returned to the on premise AD by DirSync.  Select Enable Hybrid Deployment only if you run an on premise Exchange organization in a hybrid configuration; otherwise leave it cleared.  Click Next.

-          You’ll then be asked to Enable Password Sync.  This feature synchronizes password changes made in the on premise AD to Office 365, so users keep the same username and password for both on premise resources and Office 365 even as passwords change.  What leaves your network is not the password itself but a salted hash of the on premise password hash, and password sync runs on its own short schedule (every couple of minutes), independent of the 3-hour directory sync cycle.  Although this is not true single sign on, it makes the end user experience much better.  Tick Enable Password Sync and click Next.

Once the configuration process is complete, you’ll be asked to run your first directory synchronization.

Click Finish.  The directory synchronization process will begin immediately.

If you return to Office 365, click USERS in the left hand menu and then Click Active Users, after a few minutes you’ll see user accounts and groups from the on premise AD appearing in your Office 365 tenant.

My on premise user accounts here are obviously dwarfs. :)  You’ll notice that user accounts synchronized from on premise AD have a status of Synced with Active Directory and, as mentioned earlier, cannot be edited in Office 365.

In order to log in to Office 365 and SharePoint Online with these new users, you still need to assign an Office 365 license to each user here.  Directory synchronization will now run automatically every 3 hours.

Once licenses are assigned, user accounts synced from on premise AD can log in to Office 365 with the same username and password they use on premise!
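To confirm the tenant side of the sync and assign licenses in bulk rather than one user at a time, the following PowerShell is an added example (not part of the original post) that uses the Azure AD Module for Windows PowerShell (MSOnline).  That module itself needs the Sign-In Assistant on the machine it runs from, so run it from an admin workstation rather than the DirSync server.  It also flags two problems practitioners hit at this point: synced users whose UPN fell back to the tenant's onmicrosoft.com domain because their on premise UPN suffix is not a verified domain (the Alternate UPN Suffix from part 1), and objects that synced with errors.  The SKU name and usage location are assumptions; list yours with Get-MsolAccountSku.

```powershell
Import-Module MSOnline
Connect-MsolService          # prompts for the Office 365 service administrator credentials

function Get-DirSyncStatus {
    # Added example: tenant-side view of directory synchronization.
    $company = Get-MsolCompanyInformation
    $synced  = @(Get-MsolUser -All -Synchronized)
    [pscustomobject]@{
        DirSyncEnabled   = $company.DirectorySynchronizationEnabled
        LastDirSyncTime  = $company.LastDirSyncTime            # should advance every 3 hours
        SyncedUsers      = $synced.Count
        UnlicensedSynced = @($synced | Where-Object { -not $_.IsLicensed }).Count
        # UPN suffix not verified in the tenant => DirSync substituted the onmicrosoft.com domain
        FallbackUpns     = @($synced | Where-Object { $_.UserPrincipalName -like '*.onmicrosoft.com' }).Count
        UsersWithErrors  = @(Get-MsolUser -All -HasErrorsOnly).Count
    }
}

function Grant-LicenseToSyncedUsers {
    param(
        [Parameter(Mandatory = $true)] [string] $AccountSkuId,   # e.g. 'maiolabs:ENTERPRISEPACK' (assumed)
        [string] $UsageLocation = 'US'                            # assumed; must be set before licensing
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU $AccountSkuId not found; run Get-MsolAccountSku to list yours." }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    # Only synced, still unlicensed users; cloud-only accounts are left alone.
    $users = @(Get-MsolUser -All -Synchronized -UnlicensedUsersOnly)
    if ($users.Count -gt $free) { throw "$($users.Count) users need a license but only $free are free." }

    foreach ($u in $users) {
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $AccountSkuId
        Write-Host "Licensed $($u.UserPrincipalName) with $AccountSkuId"
    }
    return $users.Count
}

# Usage
$status = Get-DirSyncStatus
$status | Format-List
if ($status.FallbackUpns -gt 0) {
    Write-Warning "$($status.FallbackUpns) synced users received an onmicrosoft.com UPN: their on premise UPN suffix is not a verified domain in this tenant."
}
if ($status.UsersWithErrors -gt 0) {
    Get-MsolUser -All -HasErrorsOnly | Select-Object UserPrincipalName, ValidationStatus
}
$licensed = Grant-LicenseToSyncedUsers -AccountSkuId 'maiolabs:ENTERPRISEPACK'
Write-Host "Assigned $licensed licenses."
```

If you do not want to wait for the next 3-hour cycle after fixing something on premise, run `Import-Module DirSync` followed by `Start-OnlineCoexistenceSync` on the DirSync server itself; LastDirSyncTime in the report above should then move forward within a few minutes.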