Install and configure Password Synchronization with Azure AD Connect and Office 365
Microsoft is promoting Office 365 hard and wants everyone to get on board, and some say they are on the right track here. Licensing is much easier and more flexible with Office 365, but administering multiple accounts and passwords can be a hassle. That is where Password Synchronization with Azure Active Directory Connect comes in handy! It is a very fast and easy way to sync your existing Active Directory with Office 365. I wrote this guide to help you through the process.
Before you begin
First, there are a couple of prerequisites that are good to prepare before you begin.
- Download Azure AD Connect from Microsoft's site. You can find it here.
- Verify your domain in Office 365.
- Create a service account in your Active Directory. For password synchronization it is enough for the account to be a member of the Domain Users group, but you also need to grant it permissions on your domain.
Open Active Directory Users and Computers. Right-click your domain name and choose Properties. Go to the Security tab and add the service account you created. Under Permissions, set Allow on Replicating Directory Changes and Replicating Directory Changes All. Click OK and you are done.
For more information on accounts and permissions for Azure AD Connect click here.
- Have the credentials ready for your Office 365 administrator account.
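The permission step above can also be scripted. The following is an added example (not part of the original post and not Microsoft's code): it grants the two replication rights to the service account via the AD: PowerShell drive and then lists every principal holding them, because these rights allow reading directory data, including password hashes, through replication and should be reviewed regularly. It assumes the RSAT ActiveDirectory module is installed, it runs as a Domain Admin, and the account name `svc-aadconnect` is a placeholder.

```powershell
# Added example, not from the original post. Placeholder: change to your service account.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-aadconnect'
$DomainPath     = "AD:\$((Get-ADDomain).DistinguishedName)"

# Well-known extended-right GUIDs (controlAccessRight objects in the AD schema).
$ReplicationRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Grant-ReplicationRights {
    # Adds an Allow ExtendedRight ACE for each replication right on the domain root.
    param([string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path $DomainPath
    foreach ($guid in $ReplicationRights.Values) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $DomainPath -AclObject $acl
}

function Get-ReplicationRightHolders {
    # Returns one row per (principal, right) granted explicitly on the domain root.
    # Note: ACEs granting GenericAll (e.g. Domain Admins) include these rights
    # implicitly but are not listed here.
    $acl = Get-Acl -Path $DomainPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        foreach ($entry in $ReplicationRights.GetEnumerator()) {
            if ($ace.ObjectType -eq $entry.Value) {
                [pscustomobject]@{ Principal = $ace.IdentityReference; Right = $entry.Key }
            }
        }
    }
}

Grant-ReplicationRights -SamAccountName $ServiceAccount
# Expected holders: domain controllers, built-in admin groups and the service account.
# Anything else deserves a closer look.
Get-ReplicationRightHolders | Sort-Object Principal | Format-Table -AutoSize
```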
Installation and configuration
When all of this is ready we can start configuring the good stuff! Run the Azure AD Connect installer.
- Welcome! Accept the terms and continue.
- Here you can choose express settings or customize the installation. I recommend customizing; that, for example, lets you choose which Organizational Units will be synchronized.
- Now the required components will be installed. If you have an existing SQL Server you want to use, you can choose it here, and the same goes for an existing service account. For this guide I will let the wizard install the default SQL Server 2012 Express.
- This guide focuses on Password Synchronization only. This is the fastest and easiest way to configure single sign-on to Office 365. This option synchronizes password hashes, not the passwords themselves; no clear-text passwords are sent.
- Enter the credentials for your Office 365 administrator account. Note that you must have a verified domain in Office 365 before you can complete this step.
- Now select the domain/forest you want to configure and enter the credentials for the service account you created at the beginning of this guide.
- Now you can choose which OUs to synchronize. It is recommended, both for security and performance, that you only synchronize the objects that are necessary. I recommend choosing only the OU that contains your end users and leaving everything else out.
- Now it is time to specify how to identify users. The most common scenario is that each user is represented only once across all directories, so I will choose that. If you do not move users across forests and domains you can leave objectGUID as the SOURCE ANCHOR; it is a good attribute because it never changes. You can also leave USER PRINCIPAL NAME as the default if the domain you verified in the previous steps is a UPN suffix for your users.
- This depends on the size of your organization, or whether it is a lab environment. For this guide I will synchronize all users. Otherwise you can choose to sync only the members of a specific group, which is perfect for a controlled pilot. (Note that only direct members of the group will be synchronized.)
- I will leave this as it is, since I will only be using Password Synchronization.
- Now Azure Active Directory Connect is ready for the initial synchronization.
- The wizard will now configure the installation with your settings and perform the initial synchronization.
- Everything should now be completed and ready!
You can now log on to the Office 365 Portal and assign licenses to users. If you want to check the status of the synchronization or troubleshoot, open Synchronization Service Manager from the Start menu.
I hope this guide was helpful! Leave a comment if you have questions or if I did something wrong =)