Using your on-premises credentials with Microsoft Office 365 has traditionally been a complex task. Users needed to access Active Directory Federation Services (AD FS) with their AD username and password. And while a deployment using these tools is suitable for larger organizations, it has some drawbacks -- requiring multiple AD FS servers, AD FS proxy servers and directory synchronization infrastructure. The new version of DirSync, known as Windows Azure Active Directory Sync, comes with a new feature called Password Sync that can help alleviate this headache.
How Password Sync works
Password Sync doesn't use the traditional token-sharing mechanisms AD FS uses; instead, it pushes a digest of the on-premises Active Directory password hash. Although credentials are pushed into Office 365's back-end Azure Active Directory, the plain-text password never is. You can't use the digest of the password hash to access on-premises resources. Passwords are kept safe, giving organizations the benefits of removing a dependency on AD FS without compromising security.
Forefront Identity Manager (FIM) has traditionally required the use of the Password Sync Notification Service (PCNS). DirSync doesn't use PCNS, nor does it rely on agents installed on domain controllers. Therefore, users don't need to change their password to push changes up into the cloud. Additionally, password changes are pushed to the cloud outside of the standard three-hour DirSync schedule, meaning a changed password reaches Office 365 in minutes.
Password Sync limitations with Office 365
As with many great new features, Password Sync is not without its limitations.
If you use Active Directory Federation Services and federated identities, just enabling Password Sync will have no effect on the AD accounts using AD FS. You'll need to convert the domains to standard Managed domains using the Convert-MSOLDomainToStandard cmdlet, which will temporarily break login functionality until a full password sync has occurred.
If you have multiple domains within your tenant, you can implement Password Sync for a subset of those users by specifying an alternate user principal number for those users.
If you make use of password expiry features within your on-premises Active Directory to restrict access to accounts, then you should also be aware of the password policy for accounts synced to Office 365. An on-premises account with an expired password won't be able to log on until the user changes the password, but the user would still be able to log on to use Office 365 services.
Prerequisites for enabling Password Sync
If you don't currently use DirSync against your Office 365 tenant, you'll need to enable it to make use of the DirSync features. To enable it, visit the Office 365 portal and navigate to users and groups. Under the Active Directory synchronization heading, choose Set up and then Activate under Section 3 (Figure 1).
After activating Directory Sync, or if you're preparing for an upgrade, download the Directory Sync tool under Section 4 (Figure 2).
If you're already using Directory Sync, you'll need to uninstall the version you currently have. The upgraded version uses a new database schema for the underlying FIM instance, so an in-place upgrade isn't possible.
If you've made custom changes, such as filtering based on an organizational unit, be sure you've recorded these changes before you uninstall Microsoft Online Services Directory Synchronization from Programs and Features within the local server.
Installing the new version of DirSync
If you currently run DirSync on Windows Server 2008 R2, consider this a good time to replace the server with Windows Server 2012, which fully supports DirSync. If not, make sure you install both .NET Framework 3.5 and .NET Framework 4.0 on the DirSync server. Version 4.0 of the framework is a new prerequisite.
You should also consider an upgrade to the latest version of the Windows Azure Active Directory Module for PowerShell, formally known as the Microsoft Online Service Module for PowerShell. You can download and install this and the prerequisite of version 7.0 of the Online Services Sign-In Assistant here:
- Microsoft Online Services Sign-In Assistant for IT Professionals RTW
- Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
For more organizations, install DirSync with the default settings at the end of the installation wizard and choose Start Configuration Wizard now. You'll be prompted for Office 365 tenant's Global Administrator credentials, local Active Directory credentials and options to enable a hybrid deployment.
In particular, we're interested in the Password Synchronization page of the Wizard (Figure 3). Select Enable Password Sync and then complete the configuration.
After installation of the new version of DirSync, make sure existing passwords are synchronized during a full sync; otherwise, users may need to change their passwords to trigger the sync.
To enable a full sync, open regedit on the DirSync server and navigate to HKLM\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync. Locate the FullSyncRequired key and change the DWORD value to 1 (Figure 4).
After changing the registry value, restart the Forefront Identity Manager Synchronization Service (Figure 5).
To validate that password hashes have uploaded to Office 365's Azure directory service, open the Event Viewer and look for event IDs numbered 656 (Figure 6).
DirSync, Office 365's new Azure AD Sync tool, has new features that make it easier to deploy hybrid Exchange. DirSync removes the need for Active Directory Federation Services for many customers.
About the author
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.