Microsoft Azure public cloud allows you to synchronize users from on-premises Active Directory to Windows Azure Active Directory, sometimes referred to simply as WAAD. In a federated identity solution, an organization's users can access on-premises resources and Office 365 applications using one set of credentials. As part of the federated identity solution, you would be required to implement ADFS servers. An ADFS server helps implement single sign-on (SSO): when users need to access an Office 365 application, they are authenticated by the ADFS server, which allows them to access the application with the credentials they are currently logged on with. However, before SSO can be accomplished, you will be required to sync users along with their passwords to Office 365 WAAD. While there are other ways to synchronize on-premises Active Directory objects along with passwords to Office 365 WAAD, the preferred solution is to use the Azure Directory synchronization service, or the AAD Connect tool. This article helps you understand what you should consider before implementing an AAD Connect server in your environment.
How many AAD Connect servers do you need?
AAD Connect does not implement an automatic failover mechanism in which one AAD Connect server takes over if another goes down for some reason. You can, however, deploy one or more additional AAD Connect servers to ensure there is no single point of failure and manually switch over to a standby AAD Connect server. If an active AAD Connect server goes down, the standby server can take over the synchronization tasks. The standby AAD Connect server must be configured with the same settings as the active server and kept offline until it is needed.
Running the IDFix tool
IDFix is a tool designed by Microsoft to check for potential issues in user accounts, such as formatting errors and other user data-related problems. IDFix scans all required properties of user accounts in an Active Directory domain and produces a report. It is recommended to run IDFix against all user accounts to avoid issues during synchronization. To run the IDFix tool, join the computer on which IDFix runs to the same Active Directory domain and make sure Microsoft .NET Framework 4.0 is installed on it. The most common issues IDFix reports are TopLevelDomain issues, syntax issues, special characters in the ProxyAddresses attribute, and missing data in the ProxyAddresses attribute.
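The following PowerShell script is an added example written for this article; it is not IDFix and not Microsoft's code. It performs the same four categories of check that IDFix reports (top-level domain, UPN syntax, special characters in proxyAddresses, and missing proxyAddresses) so that you can re-run a quick pre-sync check from a script after fixing accounts. It assumes the ActiveDirectory module is installed, that `$SearchBase` points at the production user OU, and that `$VerifiedDomains` lists the domains verified in Office 365; the two regular expressions are conservative patterns chosen here and are assumptions, not IDFix's exact rules.

```powershell
# Added pre-sync attribute check (not IDFix itself). Assumptions: ActiveDirectory module,
# $SearchBase is the production user OU, $VerifiedDomains are the Office 365 verified domains.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Users,OU=Production,DC=corp,DC=example'   # assumed OU
$VerifiedDomains = @('corp.example', 'example.com')               # assumed verified domains
$ReportPath      = "$env:TEMP\presync-report.csv"

# Conservative patterns (assumptions, roughly following what IDFix flags).
# UPN: letters, digits and a small set of punctuation before '@', a routable domain after it.
$UpnPattern   = '^[A-Za-z0-9._''\-!#^~]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
# proxyAddresses: SMTP:/smtp: prefix, no spaces, brackets, quotes or separators in the address.
$ProxyPattern = '^(SMTP|smtp):[^\s<>()\[\];,"]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'

function Test-UserObject {
    # Returns one finding object per problem; no output means the account is clean.
    param([Parameter(Mandatory)] $User)
    $findings = @()
    $upn    = [string]$User.UserPrincipalName
    $suffix = ($upn -split '@')[-1]

    if (-not $upn) {
        $findings += 'Syntax: userPrincipalName is empty'
    } elseif ($upn -notmatch $UpnPattern) {
        $findings += "Syntax: userPrincipalName '$upn' contains unsupported characters"
    } elseif ($VerifiedDomains -notcontains $suffix) {
        # e.g. a .local suffix: Office 365 only accepts suffixes that are verified domains.
        $findings += "TopLevelDomain: UPN suffix '$suffix' is not a verified domain"
    }

    $proxies = @($User.proxyAddresses | Where-Object { $_ })
    if ($proxies.Count -eq 0) {
        $findings += 'ProxyAddresses: attribute is empty'
    } else {
        foreach ($p in $proxies) {
            if ($p -notmatch $ProxyPattern) {
                $findings += "ProxyAddresses: '$p' has an invalid format or special characters"
            }
        }
        # Exchange convention: exactly one primary address, written with an upper-case SMTP: prefix.
        if (@($proxies | Where-Object { $_ -cmatch '^SMTP:' }).Count -ne 1) {
            $findings += 'ProxyAddresses: exactly one primary (upper-case SMTP:) address is required'
        }
    }

    foreach ($f in $findings) {
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $upn
            Finding           = $f
        }
    }
}

# Scan enabled users only; disabled accounts are dealt with in the cleanup step.
$users  = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                       -Properties userPrincipalName, proxyAddresses, mail)
$report = @(foreach ($u in $users) { Test-UserObject -User $u })
$report | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} users scanned, {1} findings written to {2}' -f $users.Count, $report.Count, $ReportPath
```

Run it from a domain-joined machine with the RSAT Active Directory module; the CSV it writes lists one row per finding, which is convenient for handing to the teams that own the affected accounts. It complements rather than replaces IDFix, which also checks attributes this script does not look at.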
Performing Active Directory cleanup activities
Before enabling synchronization on the AAD Connect servers, perform the following cleanup activities in the on-premises Active Directory:
- Identify disabled user accounts: You may not want to synchronize disabled user accounts. It is recommended to list all disabled accounts in the on-premises Active Directory and exclude them from synchronization. Disabled accounts are generally kept in a separate organizational unit.
- Identify locked-out user accounts and unlock them before enabling synchronization.
- Identify and exclude service accounts: You may not want to synchronize service accounts either. While it is difficult to tell which user accounts are used as service accounts in an Active Directory domain, compiling a list of candidate service accounts and confirming it with the IT teams helps to some extent. Some organizations have user-creation procedures in which the purpose of a user account is recorded in the "Description" field. Make sure to exclude service accounts from synchronization.
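As an added example (not part of the original article), the script below gathers the three kinds of accounts the cleanup list describes: disabled accounts, locked-out accounts, and service-account candidates. It assumes the ActiveDirectory module, that `$SearchBase` is the production user OU, and that service accounts can be recognized either by a marker word in the Description field (`$ServiceMarker`) or by living in a dedicated OU (`$ServiceAccountOU`); all three values are assumptions you would replace with your own conventions. Unlocking is shown with `-WhatIf` so the script reports what it would do without changing anything.

```powershell
# Added cleanup report for the pre-sync step (not from the original article).
# Assumptions: ActiveDirectory module; $SearchBase is the production user OU;
# service accounts carry $ServiceMarker in Description or live in $ServiceAccountOU.
Import-Module ActiveDirectory

$SearchBase       = 'OU=Users,OU=Production,DC=corp,DC=example'   # assumed
$ServiceAccountOU = 'OU=ServiceAccounts,DC=corp,DC=example'       # assumed
$ServiceMarker    = 'Service account'                             # assumed Description convention

function Get-CleanupCandidates {
    param([string]$Base, [string]$ServiceOU, [string]$Marker)

    # 1. Disabled accounts: to be excluded from the synchronization scope.
    $disabled = @(Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $Base)

    # 2. Locked-out accounts: to be unlocked before synchronization is enabled.
    $locked = @(Search-ADAccount -LockedOut -UsersOnly -SearchBase $Base)

    # 3. Service-account candidates: Description marker or dedicated OU, de-duplicated by DN.
    $byDescription = @(Get-ADUser -Filter "Description -like '*$Marker*'" -SearchBase $Base -Properties Description)
    $byOU          = @(Get-ADUser -Filter * -SearchBase $ServiceOU -Properties Description)
    $service       = @($byDescription + $byOU | Sort-Object DistinguishedName -Unique)

    [pscustomobject]@{
        Disabled        = $disabled
        LockedOut       = $locked
        ServiceAccounts = $service
    }
}

$c = Get-CleanupCandidates -Base $SearchBase -ServiceOU $ServiceAccountOU -Marker $ServiceMarker

# Write one CSV per category so the IT teams can confirm the lists before anything is changed.
$c.Disabled        | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path "$env:TEMP\disabled.csv" -NoTypeInformation
$c.LockedOut       | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path "$env:TEMP\lockedout.csv" -NoTypeInformation
$c.ServiceAccounts | Select-Object SamAccountName, Description, DistinguishedName |
    Export-Csv -Path "$env:TEMP\serviceaccounts.csv" -NoTypeInformation

'Disabled: {0}  Locked out: {1}  Service-account candidates: {2}' -f `
    $c.Disabled.Count, $c.LockedOut.Count, $c.ServiceAccounts.Count

# Unlock locked-out accounts; remove -WhatIf once the list has been reviewed.
$c.LockedOut | Unlock-ADAccount -WhatIf
```

The service-account list is deliberately a candidate list: as the article notes, a Description convention or a dedicated OU only identifies service accounts to the extent that the provisioning process has been followed, so the CSV is meant to be confirmed with the owning teams before those accounts are excluded.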
Identification of users
Create Azure Directory synchronization security groups
Make sure the AAD Connect servers are configured with all production organizational units, and that the necessary security groups have been created in Active Directory and configured on the AAD Connect server. AAD Connect can be configured with group-based filtering, in which only users who are members of a specified security group are selected for synchronization. However, you will be required to configure the organizational units before group-based filtering can be used. Apart from selecting the production organizational units, ensure that you have configured the AAD Connect servers to synchronize passwords as well.
What’s your migration approach?
It is important to understand that if you have cloud users already synced in Office 365 and are planning to re-enable synchronization for all production users, you should take note of the following points:
- Once AAD synchronization is enabled in Office 365, Office 365 disables the ability for users to change their password from the Office 365 portal. This has a large impact on Office 365 users whose passwords have expired and who need to change them to access resources.
- Users will receive prompts on mobile and Windows devices if a user's password in Office 365 does not match the password in on-premises Active Directory, and vice versa.
If you have users already synced to Office 365, it is recommended to send user communications asking them to change their Office 365 password to match their on-premises Active Directory password.
Once you have performed the above steps, including the cleanup activities, you can enable Azure Directory synchronization. As part of the process, you will be required to enable synchronization in Office 365, which involves a few steps. Once done, you can start adding users to the security group that you created for synchronization. (To learn how to verify the synchronization status of all users in Office 365, see our article here.)
Synchronizing your on-premises Active Directory user base to Office 365 involves some planning: running the IDFix tool to ensure user accounts are in the required format, creating security groups if you wish to use group-based filtering, configuring the AAD Connect servers to use all production organizational units and security groups, and enabling synchronization in the Office 365 portal.
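The script below is an added example, not code from the original article or from Microsoft, that ties together the group-based filtering setup described under "Create Azure Directory synchronization security groups" and the final enable-and-populate step above. It creates the security group used for filtering, fills it with enabled users from the production OUs while skipping accounts listed in an exclusion CSV, and then enables directory synchronization on the Office 365 tenant with the MSOnline module. The group name, OU distinguished names and exclusion file path are assumptions; the tenant cmdlets (`Connect-MsolService`, `Set-MsolDirSyncEnabled`, `Get-MsolCompanyInformation`) are the MSOnline module's own.

```powershell
# Added example (not from the original article): create the filtering group, populate it
# from the production OUs, then enable directory synchronization on the tenant.
# Assumptions: ActiveDirectory and MSOnline modules installed; OUs and names below are placeholders.
Import-Module ActiveDirectory

$GroupName     = 'AADConnect-SyncUsers'                                 # assumed
$GroupOU       = 'OU=Groups,DC=corp,DC=example'                          # assumed
$ProductionOUs = @('OU=Users,OU=Production,DC=corp,DC=example',
                   'OU=Users,OU=Branch,DC=corp,DC=example')              # assumed; must also be
                                                                         # selected in AAD Connect
$ExcludeFile   = "$env:TEMP\serviceaccounts.csv"   # SamAccountName column, e.g. from the cleanup step

function New-SyncGroup {
    # Returns the existing group if present, otherwise creates a global security group.
    param([string]$Name, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

function Get-SyncMembers {
    # Enabled users from each production OU, minus anything on the exclusion list.
    param([string[]]$OUs, [string[]]$Exclude)
    foreach ($ou in $OUs) {
        Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou |
            Where-Object { $Exclude -notcontains $_.SamAccountName }
    }
}

$exclude = @()
if (Test-Path $ExcludeFile) { $exclude = @((Import-Csv $ExcludeFile).SamAccountName) }

$group   = New-SyncGroup -Name $GroupName -Path $GroupOU
$members = @(Get-SyncMembers -OUs $ProductionOUs -Exclude $exclude)
if ($members.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $members
}
'{0} users added to {1}' -f $members.Count, $group.Name

# One-time tenant step: enable directory synchronization in Office 365 before the first export.
Import-Module MSOnline
Connect-MsolService                               # prompts for Office 365 admin credentials
Set-MsolDirSyncEnabled -EnableDirSync $true
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
```

Because group-based filtering in AAD Connect only applies to objects that are already inside the selected organizational units, the OUs in `$ProductionOUs` have to match the OU selection made in the AAD Connect configuration; a user who is a member of the group but lives in an unselected OU will not be synchronized. The last line simply echoes the tenant's synchronization flag so you can confirm the setting took effect before starting the first synchronization cycle.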