
In connection with the recent release of Office 365 in Russia, together with SKB Kontur, I would like to talk a little about the tools Office 365 offers to make it easier for administrators to move enterprise infrastructure to the cloud. Today we'll dwell on one of them: synchronization of the local Active Directory directory service with Office 365.
Let's imagine that Active Directory is already deployed and actively used in our enterprise, and we would like to use it together with cloud services. Synchronization with AD lets us quickly copy not only existing users but also those created in the future, and lets us manage users' personal data in one place, Active Directory. We will not have to do double work changing user data in several places: for example, to keep users' personal data in the address book current, such as phone numbers, all changes will be copied automatically to the Office 365 control panel.
Synchronization
The synchronization itself is performed by the Microsoft Directory Sync application, which is available for download from the Office 365 Control Panel. To install Directory Sync, the computer must meet the following requirements:
• Run a 32-bit version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008
• Be a member of the Active Directory forest to be synchronized
• NOT be a domain controller
• Have Microsoft .NET Framework 3.5 installed
• Have Windows PowerShell installed
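A pre-flight check for the requirements listed above, as an added example that is not part of the original article or of Microsoft's tooling. It assumes PowerShell 2.0 or later and is meant to be saved as a script file and run on the candidate server; `$ExpectedForest` and its default `corp.example.local` are placeholders.

```powershell
# Added example. Assumes PowerShell 2.0 or later.
# $ExpectedForest is a placeholder: pass the DNS name of the forest you will synchronize.
param([string]$ExpectedForest = 'corp.example.local')

function New-Check([string]$Requirement, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Requirement = $Requirement; Passed = $Passed; Detail = $Detail }
}

$cs = Get-WmiObject Win32_ComputerSystem
$os = Get-WmiObject Win32_OperatingSystem

# 32-bit OS: PROCESSOR_ARCHITECTURE is x86 and PROCESSOR_ARCHITEW6432
# (set only for a 32-bit process on 64-bit Windows) is absent.
$is32 = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)

# Supported OS: ProductType 1 is a workstation; version 5.2 is
# Server 2003 / 2003 R2, version 6.0 is Server 2008.
$osOk = ($os.ProductType -ne 1) -and ($os.Version -match '^(5\.2|6\.0)\.')

# DomainRole 4 and 5 are backup and primary domain controllers.
$notDC = $cs.DomainRole -lt 4

# Forest of the computer's own domain (not of the logged-on user).
$forest = ''
if ($cs.PartOfDomain) {
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.Name
    } catch { $forest = "lookup failed: $($_.Exception.Message)" }
}

# .NET Framework 3.5 records Install = 1 under this setup key.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$net35 = ($ndp -ne $null) -and ($ndp.Install -eq 1)

$checks = @(
    (New-Check '32-bit OS' $is32 $env:PROCESSOR_ARCHITECTURE),
    (New-Check 'Server 2003 / 2003 R2 / 2008' $osOk "$($os.Caption) $($os.Version)"),
    (New-Check 'Member of target forest' ($forest -eq $ExpectedForest) $forest),
    (New-Check 'Not a domain controller' $notDC "DomainRole=$($cs.DomainRole)"),
    (New-Check '.NET Framework 3.5' $net35 'NDP\v3.5 Install value'),
    # The script running at all shows PowerShell is present; report its version.
    (New-Check 'Windows PowerShell' $true "version $($PSVersionTable.PSVersion)")
)
$checks | Select-Object Requirement, Passed, Detail | Format-Table -AutoSize

# Non-zero exit code lets a deployment script stop before installing.
if ($checks | Where-Object { -not $_.Passed }) { exit 1 }
```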
Before you start the synchronization process, you need to enable it in the Office 365 control panel. This is simple: Administration > Users > Active Directory synchronization management > Activate. No additional settings are needed on the Office 365 side.

Now let's run the Directory Sync wizard itself. It consists of essentially two steps: you will be asked to enter an account name and password twice, the first time for a user with Office 365 administrator privileges (the one you use to log in to your control panel), and the second time for a user who is a member of the Enterprise Admins group in your Active Directory.


During execution, all users and security groups in the forest are copied, and an Active Directory account named MSOL_AD_Sync is created. It is a regular domain user and will be used for subsequent synchronizations; the administrator account will not be used again.
Synchronization time depends on the number of Active Directory users. Currently, up to 10,000 users can be synchronized at a time. If you need to synchronize a larger number, it is recommended to contact support.
You can verify that synchronization succeeded using the Event Viewer; the following event should appear there:

Control Panel
Immediately after synchronization is complete, the accounts copied from your Active Directory appear on the Users tab in the Office 365 Control Panel. Synchronized accounts are marked with the appropriate icon.

The next step is to activate subscriptions for the copied accounts. By default the accounts are created without any licenses assigned; in other words, after copying you choose which services will be activated for which users.
For synchronized users, all changes must be made on the Active Directory side. Synchronized user data cannot be edited from the Office 365 control panel, and a warning message is displayed at the top of the screen.

What should be remembered:
• Synchronization is performed in one direction only; all changes must be made on the Active Directory side.
• User passwords are not synchronized; the Office 365 account will have a separate password. To use a shared account, you need to set up "single sign-on", which requires configuring Active Directory Federation Services.
• Changes are synchronized every 3 hours.
• To force a synchronization, run the Directory Sync wizard again.
• At the moment, there is no way to disable synchronization. After enabling Active Directory directory synchronization, you can only change synchronized objects using local applications.
Synchronization with Active Directory lets you copy user data to the "cloud" in just a few minutes and helps significantly reduce the time needed to move to Office 365. If you are making a final move to Office 365, or if for some reason synchronization does not suit you, it is possible to import user accounts using a CSV file.
I would also like to note that the knowledge base has been localized, and many articles are already available in Russian. You can learn more about the synchronization process yourself.