Slide 1: Office 365 Identity Management
Slide 2: Meet Paul Andrew | @pndrw
Office 365 Technical Product Manager: Office 365 datacenter, networking, identity management. Passion for informing and inspiring IT Professionals to create simpler solutions to complex problems.
Meet Andreas Kjellman: Active Directory Program Manager, Identity Synchronization.
Slide 3: M2: Directory Synchronization is Easy with Office 365
Slide 4: Agenda
- Overview of the synchronization model
- Before installing AADSync
- Demo: install AADSync
- Considerations after the install
Slide 5: Office 365 identity models
- Cloud identity: zero on-premises servers.
- Synchronized identity: directory sync with password sync; on-premises identity; between zero and three additional servers.
- Federated identity: federation plus directory sync; on-premises identity; between two and eight on-premises servers.
Slide 6: Synchronized identity model
[Diagram: AAD Sync between the on-premises directory and Azure AD, carrying user accounts and password hashes; user sign-on with the synchronized identity]
Slide 7: Before installing AADSync
- Active Directory remediation: run IdFix.
- Verify DNS domains with Office 365: add these prior to syncing to preserve the UPN.
- Directories other than Active Directory: works with the Office 365 – Identity program; will be added soon to AADSync.
- One server is most common: a domain controller is okay; a separate SQL Server is okay; up to 100,000 directory objects.
- You can install to Azure IaaS.
- Migrating from DirSync or FIM 2010: uninstall / reinstall, or side-by-side install with object review.
- Forest functional level: Windows Server 2003.
Slide 8: IdFix – DirSync AD Remediation
Errors:
- Duplicate proxyAddresses
- Invalid characters in attributes
- Over-length attributes
- Format errors in attributes
- Use of non-routable domains
- Blank attribute that requires a value
Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
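As an added example (not from the presentation and not the IdFix tool itself), the following Python checker runs simplified versions of the error categories the slide lists over a few constructed user objects, so you can see what each category flags before a sync. The length limits, the invalid-character set and the non-routable suffixes are assumptions made for illustration.

```python
import re

# Illustrative checks for the attributes the IdFix slide lists. The length
# limits, invalid-character set and non-routable suffixes are assumptions
# for this example, not IdFix's actual rule set.
REQUIRED = ("sAMAccountName", "userPrincipalName")
MAX_LEN = {"sAMAccountName": 20, "mailNickName": 64, "userPrincipalName": 113}
NON_ROUTABLE = (".local", ".internal")
INVALID_CHARS = re.compile(r'[\s\\"/\[\]:;|=,+*?<>]')
SMTP_ADDR = re.compile(r"^smtp:[^@\s]+@[^@\s]+\.[^@\s]+$", re.IGNORECASE)
UPN = re.compile(r"^[^@\s]+@[^@\s]+$")

SAMPLE_USERS = [  # constructed sample objects, not data from a real directory
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@contoso.com",
     "mailNickName": "jdoe", "proxyAddresses": ["SMTP:jdoe@contoso.com"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@contoso.local",
     "mailNickName": "a smith", "proxyAddresses": ["smtp:jdoe@contoso.com"]},
    {"sAMAccountName": "averyveryverylongaccountname1", "userPrincipalName": "",
     "proxyAddresses": ["SMTP:broken"]},
]

def check_users(users):
    """Return (sAMAccountName, attribute, error) tuples, one per finding.
    Error kinds mirror the slide; only SMTP proxyAddresses are validated."""
    findings = []
    seen_smtp = {}  # lower-cased address -> first object that claimed it
    for u in users:
        name = u.get("sAMAccountName", "")
        for attr in REQUIRED:
            if not u.get(attr):
                findings.append((name, attr, "blank"))
        for attr, limit in MAX_LEN.items():
            if len(u.get(attr, "")) > limit:
                findings.append((name, attr, "length"))
        for attr in ("sAMAccountName", "mailNickName"):
            if attr in u and INVALID_CHARS.search(u[attr]):
                findings.append((name, attr, "character"))
        upn = u.get("userPrincipalName", "")
        if upn and not UPN.match(upn):
            findings.append((name, "userPrincipalName", "format"))
        elif upn and upn.lower().endswith(NON_ROUTABLE):
            findings.append((name, "userPrincipalName", "domain"))
        for addr in u.get("proxyAddresses", []):
            if not addr.lower().startswith("smtp:"):
                continue  # X.400 and other address types are not checked here
            if not SMTP_ADDR.match(addr):
                findings.append((name, "proxyAddresses", "format"))
            elif seen_smtp.setdefault(addr.split(":", 1)[1].lower(), name) != name:
                findings.append((name, "proxyAddresses", "duplicate"))
    return findings
```

Running `check_users(SAMPLE_USERS)` leaves the first object clean and reports one finding per category for the other two, including the cross-object duplicate proxy address.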
Slide 9: Configure Office 365 (demo)
Slide 10: Install the product
Installs all dependencies (SQL Express LocalDB, Sync, Sign-in assistant, AAD Connector) with default settings: a local service account with a random password.
Slide 11: Install and configure AADSync (demo)
Slide 12: User (and contact) matching
[Diagram: objects from the connector spaces matched into the metaverse]
Slide 13: Post installation considerations
Slide 14: Out of the box configuration
- Single forest: same as DirSync.
- Multi-forest configurations: full mesh, account-resource forest; one or multiple Exchange organizations with hybrid Exchange; group membership for security groups with ForeignSecurityPrincipals (FSPs).
- Assumptions: a user will have only one enabled user account; a user will have only one mailbox; the best data quality for a user is where Exchange is located.
- Passwords: password (hash) sync and password write-back.
Slide 15: Review the configuration
- Installation logs: %windir%\temp\aadsync
- Synchronization rules: depending on whether Exchange and Lync are present in AD, different rules will be generated; depending on the Exchange version, attributes will be removed as needed; only selected services will have outbound rules to AAD; attributes you selected not to include are removed from the outbound rules to AAD.
- Introducing the Sync Rule Editor: a "Resource Kit Tool" to view, change and add sync rules.
Slide 16: Sync Rule Editor (demo)
Slide 17: AADSync installation review
- Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects.
- Sync now: expect about 1 hour per 5,000 objects.
- Password expiry for the sync account.
- Assign Office 365 licenses.
- High availability: can back up and reinstall.
- Filtering AADSync: by domain and OUs; by attributes.
Slide 18: Password hash sync security
[Diagram: on-premises directory (AD DS, user password, password hash) to Azure AD (hash plus extra security)]
- It is not reversible to get the user's password.
- A hash: hashes are mathematical functions that are nearly impossible to reverse; the result of the hash algorithm is called a digest.
- Additional processing: we further process it with a one-way hash (SHA256 algorithm).
- Connections are only to the Azure AD service, and connections are SSL encrypted.
- Enables Azure AD to validate the user's password when they log in.
© 2014 Microsoft Corporation. All rights reserved.
Slide 19: Licensing: AADSync follows AAD licensing
- No extra cost for sync: AADSync is free when synchronizing from on-prem to AAD; this includes multiple AD forests, non-AD LDAP, and any other supported source, and includes write-back for hybrid Exchange.
- AADSync requires AAD Premium for write-back from AAD to on-prem (password, device, group, user, …); this includes writing between on-premises directories.
Slide 20: M2 Summary: Directory Synchronization is Easy with Office 365
- Directory and password hash synchronization
- IdFix to avoid synchronization issues
- Tips for making sync easy