Office 365 Nation wrap up

Well I am back (finally, phew) from Seattle and being part of Office 365 Nation hosted by the one and only Harry Brelsford.

First, a shout out to Harry and his staff for putting on another great event. Everything ran very smoothly and everyone I talked to had a great time.

Next, I also have to thank all the attendees that came to my sessions (even those I was a tad under the weather for). Also to those who made time to come up and chat or just say hello. This is what community is all about and the main reason I’ll endure over 24 hours of travel door to door to be in attendance. That also doesn’t cover all the great new contacts I made during the time.

To these and everyone else who helped make the trip worthwhile I say thanks.

I have posted all my presentations from the event up at my DOCS.com site (which also has plenty of other interesting free stuff from me), in the Presentations collection:

https://docs.com/ciaops

https://docs.com/ciaops/7775/presentations

Across the Isle

https://docs.com/d/embed/D25195817-5442-1372-7770-000678446948%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Understanding Microsoft Cloud Identities

https://docs.com/d/embed/D25195817-5258-1123-6760-001997999724%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Office 365 security, privacy and compliance

https://docs.com/d/embed/D25195817-5129-1561-2200-001922537313%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Office 365 Identity Management

https://docs.com/d/embed/D25195817-4993-0293-6390-001510353638%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Riding the Big Data Wave with Excel and Power BI

https://docs.com/d/embed/D25195817-4913-1019-8790-000843845982%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

More granular admin roles now available in Office 365

You should now start seeing in your Office 365 tenants the ability to set more granular administration roles for your users in Office 365 as shown above.

You’ll see all the old favourites such as Billing Administrator and User Management Administrator, but you’ll also now see some new ones like SharePoint Administrator and Skype for Business Administrator. This allows you to delegate administration of a particular service to a particular user rather than handing out Global Administrator.

Great, some more options when it comes to assigning rights in Office 365!
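Delegating a service-specific role only helps if you also know who still holds Global Administrator. The following audit is an added example (not from the original post) using the MSOnline module, where the Global Administrator role is named Company Administrator; it assumes the module is installed and you have admin credentials.

```powershell
# Added example: list every Office 365 admin role assignment and flag the
# Global Administrator (MSOnline name: 'Company Administrator') holders.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

function Get-O365RoleAssignments {
    $assignments = @()
    foreach ($role in Get-MsolRole) {
        # Get-MsolRoleMember returns users, groups and service principals in the role.
        foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            $assignments += [pscustomobject]@{
                Role        = $role.Name
                Member      = $m.EmailAddress
                DisplayName = $m.DisplayName
                MemberType  = $m.RoleMemberType
            }
        }
    }
    return $assignments
}

$assignments = Get-O365RoleAssignments

# How many people sit in each role; service roles should grow, Global Admin should shrink.
$assignments | Group-Object Role | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Anyone here beyond a couple of break-glass accounts is a candidate for a
# narrower role such as SharePoint or Skype for Business Administrator.
$globalAdmins = $assignments | Where-Object { $_.Role -eq 'Company Administrator' }
Write-Host ("Global Administrators ({0}): {1}" -f $globalAdmins.Count, ($globalAdmins.Member -join ', '))
```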

Azure AD Sync Services tool–the basics

The most popular post on my blog is currently:

Windows Azure Active Directory Sync tool (DIRSYNC) – the basics

The currently recommended tool for syncing your on premises AD to Office 365 is now not DIRSYNC but:

Azure AD Sync Services

There is a further updated version that is currently in preview called:

Azure AD Connect

and you can read more about that preview here:

Azure AD Connect Preview 2 is available

I’ll do a blog post on that very soon, but for now let’s concentrate on what is generally available.

You can read more about Azure Active Directory Sync here:

https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

Firstly, download the tool from the link above. In this case I am installing on a clean AD and I’m also going to install the tool onto a domain controller, which is supported but not best practice. I am also using a new, empty demo Office 365 E3 tenant.

After you have made sure your on premises AD is in good health, and before installing the sync tool on your network, you should login to your Office 365 tenant as a global administrator and navigate to the Admin portal.

You then need to select the Active Users option from beneath the Users menu item from the option on the left of the Office 365 Admin portal.

Note that initially I have no users apart from the Global Administrator in my new Office 365 tenant.

At the top of the Active Users dashboard you will see an option called Active Directory synchronization as shown above. Select the Set up hyperlink to the right.

This will then present you with a number of steps. You should complete Steps 1 and 2, which I have already completed.

Then select the Activate button under option 3.

You’ll then be prompted to confirm you do want to proceed with synchronization. Note the warnings and select the Activate button to proceed.

You should now see that option 3 displays Active Directory synchronization is activated as shown above.

Return to your on premises sync server and double click on the package you downloaded. It will be extracted.

Double click the icon it places on the desktop to commence the configuration process.

You are prompted for the location to install the software. The default location is:

c:\program files\microsoft azure ad sync

You can however change this if desired.

When you have entered in the appropriate installation directory and checked the I agree to the license terms box, you can select the Install button in the lower right hand corner.

You will now see the program install the files to the installation directory as shown above.

You will then see Microsoft SQL Express being installed. Having SQL on a domain controller is generally not best practice, but it is now supported. Be aware, however, that the sync tool will install and use SQL Express by default.

You will then see it installing the actual Sync Service on your machine.

Amongst a few other Azure services installed on your machine you’ll now find the Microsoft Azure AD Sync service as shown above.

You’ll then be prompted to enter your details for Azure AD as shown above.

Remember, Office 365 is built on Azure AD and uses it to manage identity. Thus, here you now enter your Office 365 global administrator credentials.

Best practice is to use a dedicated global administrator account that has not been assigned any licenses. That is, create a new user and make them a global administrator, but don’t assign them a license in Office 365. Then use this account only to synchronise your local AD to Office 365.

Here, I am just going to use the default tenant administrator to keep it simple, but importantly, the user you enter here MUST have the Office 365 Global Administrator role.

When you have completed the required details here press the Next button to proceed.

The provided login will then be authenticated.

If you have not as yet enabled directory synchronization in your Office 365 tenant, as detailed previously, you will see the above error message.

You will be prompted to enable this before you can proceed further.

You’ll then be prompted for a local forest (domain) and domain administrator as shown above.

If you look at your local Active Directory Users and Computers you will normally find the forest name at the top of the tree. In this case it is kumoalliance.org.

Note that your users need a routable domain as their primary UPN suffix locally, not something like .local or .lan. If they do use such a suffix, you will need to change it prior to synchronisation, otherwise users won’t end up correctly in Office 365.

Take a look at this article:

How to synchronize a .local domain

on how to update your users if you only have a .local domain.

Also note here that I have four users in my local domain also shown above.
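Before the first sync it is worth finding every account that would fall foul of the .local rule above. This is an added example (not from the original post) using the ActiveDirectory module; the routable suffix kumoalliance.org is the forest name from this walkthrough and stands in for your own verified Office 365 domain, which must already exist as an alternative UPN suffix in Active Directory Domains and Trusts.

```powershell
# Added example: report on-premises users whose UPN suffix is non-routable
# (or missing) and optionally rewrite it to a routable suffix before syncing.
Import-Module ActiveDirectory

$RoutableSuffix  = 'kumoalliance.org'                     # placeholder: your verified domain
$NonRoutableTlds = @('.local', '.lan', '.internal', '.corp')

function Get-NonRoutableUpnUsers {
    param([string[]]$Tlds = $NonRoutableTlds)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object {
            $upn = $_.UserPrincipalName
            # An empty UPN also blocks a clean sync, so report it as well.
            [string]::IsNullOrEmpty($upn) -or
            ($Tlds | Where-Object { $upn.ToLower().EndsWith($_) })
        }
}

function Repair-UpnSuffix {
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADUser]$User,
        [string]$Suffix = $RoutableSuffix,
        [switch]$WhatIf
    )
    # Keep the user part and swap only the suffix; fall back to the
    # sAMAccountName when the account has no UPN at all.
    $local = if ($User.UserPrincipalName) { $User.UserPrincipalName.Split('@')[0] }
             else { $User.SamAccountName }
    $newUpn = "$local@$Suffix"
    Set-ADUser -Identity $User -UserPrincipalName $newUpn -WhatIf:$WhatIf
    return $newUpn
}

$problemUsers = @(Get-NonRoutableUpnUsers)
Write-Host ("{0} user(s) need a UPN change before synchronisation" -f $problemUsers.Count)
$problemUsers | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Dry run first; drop -WhatIf once the report looks right.
foreach ($u in $problemUsers) { Repair-UpnSuffix -User $u -WhatIf }
```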

When the correct local domain administration credentials have been entered select the Add Forest button.

If that is successful you should see your domain listed below the entry fields, as shown above.

Select the Next button to proceed.

You should now see the connector from your local AD to Azure being created and configured as shown above.

You are now given the options to match local users to Azure AD users if they exist. This will basically match on-premises AD objects to those already in Azure AD.

Because there are currently no users in my Office 365 tenant, there are none that require matching, so best practice is to leave the default options configured and select the Next button to continue. As you can see, though, you can match users between your local AD and the cloud via a variety of options.

Remember again, that my Office 365 tenant is empty except for the default admin account as shown above.

You are now presented with the Optional features page. You can learn more about the options here at:

https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_ConfigureSynchronizationOptions

Where many get confused is the difference between Password write-back and Password synchronization. Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, see:

Password writeback: how to configure Azure AD to manage on-premises passwords

and 

http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx

Office 365 currently doesn’t include Azure AD Premium so the only option available is Password synchronization which you should select. More information on password synchronization can be found here:

https://msdn.microsoft.com/en-us/library/azure/dn835016.aspx

Remember, Azure AD Sync allows the connection of more than just Office 365 to your local AD; that’s why there are more options here.

The new sync tool, Azure AD Connect, that is in preview, will support password writeback as the above blog post highlights towards the end of the post. As I said, I will also do a post on this soon.

So, in summary here, select Password synchronization and then the Next button to continue.

You can now review the information and when ready select the Configure button to continue.

The tool will now complete the configuration and enable the options you selected. You see it connecting as shown above.

You will then see it enable the options you selected with any issues or errors highlighted.

When the process is complete you’ll have the option to Synchronize now, which you can uncheck if desired. Remember, this first sync may be quite large and take some time depending on how many objects are being copied to Office 365.

However, in most cases, you’ll leave this option checked and select the Finish button.

In a very short period of time you should see your users appear in the Office 365 console as shown above.

However, importantly, they will not have a license assigned to them so they won’t have things like a mailbox yet.

Why is that? Remember you can have many different types of licenses in Office 365 and you can allocate them to different users as you please. The sync client doesn’t know which licenses you want applied to which user so they need to be applied manually.

If all the users are going to get the same license simply select all the users in bulk as shown above, then select the Activate synced users hyperlink in the lower right hand side.

Then assign the location and license you want to apply to these users and select the Activate button at the bottom of the screen.
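The same bulk activation can be done from PowerShell, which is handy when only the synced, still-unlicensed accounts should be touched. This is an added example (not from the original post) using the MSOnline module; the usage location 'AU' and the E3 SKU name ENTERPRISEPACK are placeholders to check against Get-MsolAccountSku in your own tenant.

```powershell
# Added example: assign one license SKU to every directory-synced user that is
# still unlicensed, the PowerShell equivalent of 'Activate synced users'.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

function Set-SyncedUserLicenses {
    param(
        [Parameter(Mandatory)] [string]$UsageLocation,   # two-letter ISO country code
        [string]$SkuPartNumber = 'ENTERPRISEPACK',       # E3 SKU name (placeholder)
        [switch]$WhatIf
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant" }
    $available = [math]::Max(0, $sku.ActiveUnits - $sku.ConsumedUnits)

    # Only synced, unlicensed users: cloud-only accounts are left alone.
    $targets = @(Get-MsolUser -Synchronized -UnlicensedUsersOnly -All)
    if ($targets.Count -gt $available) {
        Write-Warning ("{0} users need licenses but only {1} are free" -f $targets.Count, $available)
    }

    $licensed = @()
    foreach ($u in $targets | Select-Object -First $available) {
        if ($WhatIf) { Write-Host "Would license $($u.UserPrincipalName)"; continue }
        # A usage location must be set before any license can be assigned.
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku.AccountSkuId
        $licensed += $u.UserPrincipalName
    }
    return $licensed
}

# Dry run first, then the real assignment.
Set-SyncedUserLicenses -UsageLocation 'AU' -WhatIf
Set-SyncedUserLicenses -UsageLocation 'AU' | ForEach-Object { "Licensed: $_" }
```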

The process is now complete. Your local AD users are now synced to Office 365 using Azure AD Sync Services. If they change their password on premises, the new password hash is also synced to Office 365.

Points to remember with Azure AD Sync (and DIRSYNC for that matter):

– By default, passwords changed in the cloud are overwritten when the next sync from on premises AD occurs.

– Information is copied from local AD to Office 365, not back. That is, the way it was installed above, it is a one-way sync from on premises to Office 365.

– Owners of an on-premises distribution group that’s synced to Office 365 can’t manage the distribution group in Exchange Online.

– Azure AD Sync Services allows the configuration of object filtering.

– Changes are synchronized on a three-hour interval (the same interval used by DirSync). A scheduled task running as the service account runs the cycle. If you unselected “synchronize changes now” during installation, the task is installed as “disabled”. You can force synchronization with a PowerShell command if required, or by running the following file:

C:\Program Files\Microsoft Azure AD Sync\Bin\directorysyncclientcmd.exe

– You can upgrade from DIRSYNC to Azure AD Sync Services.

– The new Azure AD Connect tool is due soon with more features (blog post on that coming soon).

You’ll also find some tools installed on your sync machine to help manage and troubleshoot the sync process.

Like the Synchronization Service Manager shown above, which gives you a low level insight into what the sync is actually doing. More on that again in an upcoming post.

The Dark Web

Although I spend most of my time working with technology enablement via productivity I have a keen interest in information security and where it is taking us as a society. Unfortunately, on that score I am not very ‘bullish’ about what the future holds.

Some of my previous thinking on this can be found at:

The World of Security Anomalies

Security before convenience or else

The bad guys keep winning

Why the bad guys will always win

To this list you can add:

Inside The Dark Web

Which looks at many of the issues I have previously covered, but focuses importantly on the challenges of privacy in today’s connected world, how we are fast losing it and how it could be lost forever.

Take a look and let me know what YOU think. Is this something we SHOULD be worried about?

The world of security anomalies

I continue to see the confirmation of my long held assertion in this blog that the ‘bad guys just keep winning’. Why? The simple example I continue to see is a growing number of infections of Cryptolocker. If you haven’t read my previous rant on this then take a look at:

https://blog.ciaops.com/2013/10/bad-guys-just-keep-winning.html

Now that post was 18 months ago and I still witness many of my peers battling to contain catastrophic outbreaks. How can that be? In all cases there was virus and malware protection already in place, yet the infection was still able to get through all of these, have a human being being duped into activating it and then causing major calamity in the business. Such calamity usually required a full restore of the system to eliminate the problems with all the loss of productivity that entails.

Tell me, why, oh why is this still possible 18 months or more since Cryptolocker first raised its ugly head? It is because the security software, that so many put their blind faith in, is totally and utterly useless in my opinion. It is reactive technology, based on what is already known. We now live in an exponential universe and the bad guys are taking advantage of that, while security software tends to live in the old linear world and is now being left far behind.

While our desktops are the current target, what happens when the bad guys shift their focus more to our mobile devices? Imagine Cryptolocker on your phone. It is only a matter of time until it gets there, and what protection do you have on your phone? The most security I have seen people enable on their phone is a pin code that is ‘0000’. That is, they don’t have any security. Think of all your contacts, phone calls, SMS’s, banking details, app purchases and so on being taken over by hackers. Sadly, it is only a matter of time until we see the likes of Cryptolocker wreak the kind of havoc it does on desktops on our mobile devices, and sadly the majority of people are totally unprepared for that.

The biggest worry by far is the dawning of the age of the Internet of Things (IoT). This is a world where everything from your toothbrush, to your car, your refrigerator to every item in your home and at work is all connected to the Internet. With technologies like IPv6 this is fast becoming a reality, but so too is the ability for all of these to be hacked and turned against you. If you want to appreciate this scary future that is fast approaching, have a look at my previous post:

https://blog.ciaops.com/2014/12/security-before-convenience-or-else.html

and read Marc Goodman’s book

Future Crimes

and you’ll get an idea of how crime is utilising technology to rule the world.

Another great concern when it comes to technology is the lengths that governments are going to in order to track citizens in the guise of ‘protecting us’. There has been plenty written about this subject so I won’t go into it here, but I’d like to point out an interesting anomaly.

Recently in my neck of the woods there was a state election. Fair and equal democratic elections are the cornerstone of our western society. Many have the mistaken belief that their integrity is above question, but I beg to differ. Here’s why.

When I attended my local polling location I was asked for my name and address. I was however NEVER at any stage asked to PROVE who I am with some form of approved identification. The official merely takes my word that I am who I say I am. Clearly, most people are honest, BUT ANYONE could walk into any polling station and simply state a name in that electorate and be given voting papers.

My attendance at the polling location is recorded in a paper roll. This roll is NOT shared with other officials in the same polling location, let alone other polling locations in the electorate. They are only compared after the close of voting. So, what is to stop me voting in one polling location, then travelling to the next and voting again, then repeating that process throughout the electorate? Shouldn’t there be a centralised location to record this so all officials can immediately see those that have voted ANYWHERE?

So, I can continue to vote as myself at as many polling stations as I can physically travel to in one day. I can also vote as anyone else at any polling station throughout the day. It may seem like a lot of work for a single individual and probably would not have an impact on the outcome, right? Maybe, but what if I could get 100, 1,000, 10,000, 100,000, etc, people to do the same thing all for the same political end? Now, how do you feel about the integrity of our democratic elections?

Technology is a great enabler for society but it also enables bad guys as well and honestly we are creating a world so full of insecurities that it makes it easy for them to rob us blind. Even if you are not a victim that affects us all in the hip pocket. The problem is not the technology, it is the human being. We need to teach everyone, especially kids, the importance of security and privacy. We need to demand products be made secure by default (we have the technology already). We need to stop putting convenience ahead of security or else.

Alas, as I continue to lament here, it is a pipe dream I’m afraid, and I’m sure in another 18 months time the likes of Cryptolocker will continue to roam free on the Internet destroying lives at will. Sigh.

The security issue

This to me is why we have such a major problem trying to secure our technology.

As usual I was looking through the major news sites and saw this:

Now, my first impression is that this is something serious affecting only Microsoft Windows and Microsoft isn’t fixing it! Gulp.

So you get a paragraph in and you find out that the vulnerability affects basically anything running iOS, Android or Windows. So it isn’t really just a Microsoft vulnerability now is it? Especially when you use the word ‘ubiquitous’, now is it?

Read a bit further and it says that security experts say it isn’t a ‘terribly big issue’ as you see above.

So we have, in my opinion, gone from a sensationalist headline where the world is about to end due to a cyber security threat to something that really ‘isn’t a big issue’.

Seems to me that this article is simply ‘click-bait’ and does not really take a responsible approach to cyber security. I agree that it is in the mainstream media, but that is my point: this story is going to be read by lots of plain technology users and to me it doesn’t convey the right message. It is either going to freak them out that they are insecure or lull them into a false sense of security because of the ‘crying wolf’ aspect of the reporting.

Again, this is simply my opinion and you can read the whole article at:

http://www.smh.com.au/digital-life/consumer-security/microsoft-warns-freak-attacks-put-hundreds-of-millions-of-pcs-at-risk-20150306-13xr0s.html

and judge for yourself. I understand that mainstream media is a corporate entity that needs to focus on profit but our dependence on technology and how it is secured is so critical to our society these days that there must be a better way of getting the right message out to the right people to make them safe.

What do you think?

Enabling Self Service Password Resets in Office 365

One of the most common tasks that any IT administrator performs is to reset users’ passwords. This means that a lot of this administration can be alleviated if the users are able to reset their own passwords.

You can enable user self service password resets in Office 365, however at this point in time you need to have an Azure Active Directory Basic or Premium subscription enabled on your Office 365 Azure AD Free account. I showed you how to enable this for every Office 365 account a few posts back.

It is also important at this point to highlight some information from the Office 365 roadmap. Under “Development” you will currently find:

Sign-In Page Branding and Self Service Password Reset

Sign-in Page Branding enables an Office 365 customer to select custom colors, text and Imagery for their Office 365 sign-in page. Self Service Password Reset allows a user who has forgotten their password to reset it based on prearranged alternative personal information. These two features were previously available with the Azure AD Premium subscription and are now being made available to all Office 365 subscribers.

Thus, both branding and the user self service password reset ability will become available to all Office 365 subscribers.

So, this is how you enable it at the moment, with the requirement of an Azure Active Directory Premium subscription (which you can get on a 90 day trial). In the very near future this will no longer be required and be available in the Office 365 Azure AD Free account.

The first step in the process of enabling the user self service password reset feature is to login to your Office 365 Azure AD Free account, which I have detailed previously about enabling.

You will typically only see the Active Directory option on the menu on the left. When you select this you will then see your Office 365 AD to the right. If you select your Office 365 directory you will drill down into more information for that directory.

One of the options across the top now is Configure. Select this.

If you scroll through all the options on the page you will find no mention of user self service password resets. This is because you need to firstly enable an Azure AD Premium subscription (or trial) to enable this feature. As I mentioned previously, soon you will not need to do this as it will be included in the standard Azure free AD offering.

To at least see what user self service password resets are all about you can enable a 90 day Azure AD Premium subscription by now selecting Licenses from the menu across the top.

Then select the link to Try Azure Active Directory Premium Now.

Select the check button in the lower right hand of the window that appears once you have read its contents.

You will then need to wait a few minutes while the Azure AD Premium subscription is configured.

In a few moments you should see that the subscription is enabled as shown above. Select this to configure.

To enable the Azure AD Premium features for users you will need to select a user from the list of Office 365 users displayed and then select the Assign button at the bottom of the screen.

You will also need to assign a license for an Office 365 global administrator to configure the service. In this case, it has been enabled for the same admin user who is logged into the Azure portal currently.

When you assign a user an Azure AD Premium license you will see the above status message at the bottom of the screen indicating successful completion of the license assignment.

If you now return to the Configure tab you should find a new section devoted to user password reset policy as shown above.

If you now select the green Customize Branding button you will be taken to the above screen, where you can upload a number of different graphics to be displayed in the portal as well as the desired messaging.

Scroll down and ensure User enabled for password reset is set to YES.

You can also configure the number of authentication methods. In this case I also added Security Questions.

You can choose how many authentication methods are required for password to be reset and since I have selected to use Security Questions, I can also determine how many questions will be required for the user to create.

The next option allows you to set how many Security Questions are required to be answered from those set.

Next, you enter the questions you wish the user to create answers for.

You can then Require users to register when signing into the Access Panel. This means when the users sign into the Azure Single Sign On portal available via Office 365 they will be prompted to set up the required password reset information. Normally you want this set to YES.

The Azure Single Sign On portal is a free component of the Azure AD Free plan that is available to all Office 365 tenants. I covered how to set that up in a previous post. Your users access this single sign on portal via:

http://myapps.microsoft.com

If you scroll down you can modify the language used when sending emails as well as whom to notify when passwords are reset.

Once you have completed your configuration press the Save button at the bottom of the screen. You should see the status bar at the bottom indicating that your changes are being updated.

Now when a user navigates to the Office 365 portal login page, as soon as they type their login details the branding will be applied to the portal as shown above.

Now let’s say the user attempts to reset their password by selecting the Can’t access your account? link. They will be taken to the page shown above, where they will be prompted to enter some CAPTCHA information.

Once they have done this they will be presented with the above screen telling them that their account could not be verified and they should contact an administrator (link provided, configurable from Azure).

Why is that? The reason is that the user hasn’t logged into the Azure single sign on portal and set up their security options for doing password resets yet.

Thus, once you have enabled user password self service you need to send all your users to the Azure single sign on portal at:

http://myapps.microsoft.com

Once they have logged in with their Office 365 credentials they will be prompted to verify their contact information as shown above. This requirement, again, is an option set in the Azure portal during configuration previously mentioned.

Depending on the security requirements you have configured the user will need to complete each option via the process found by clicking on each of the links for that option.

Once all of these are complete, ensure the Save button is selected at the bottom of the page.

So if a user now selects the link Can’t access your account? on the Office 365 portal login page and completes the CAPTCHA, they will be taken to the above screen, which asks them which security method they wish to use to verify their identity.

Simply select the method from the list available and complete the requirements.

In this case the method selected is via an alternate email address. That sends a one time code to that email address, which then needs to be entered at this challenge.

Once the identity of the user has been verified, they are then given the option to reset their password as shown above.

When that has been completed they can now login to the Office 365 portal (or the Azure single Sign in portal) with these details.

Again, note the branding that was also configured in this process.

Once user self service password resets are configured they should make the life of an Office 365 administrator much easier. To do this at the moment requires an Azure AD Premium subscription but as I mentioned in the beginning this will be changing so it is available for all Office 365 accounts for free very soon. So try it today with this method and get ready for when it is available everywhere.

Encryption of data at rest in SharePoint Online

A very common question I get is about how secure information is in Office 365. The above video shows you how SharePoint Online data is saved when at rest.

Microsoft do a lot in my books to ensure that data stored in Office 365 is as secure as possible, and in my books far more secure than most people achieve on premise. That means to me security is a major reason to CHOOSE the cloud over anything on premise.

Security is a journey and not a destination, I know, but Microsoft have the resources to ensure that the information they maintain is as secure as possible and I’m comfortable with that.