Wednesday, June 8, 2016

Directory Synchronization to Office 365 w/ Azure Active Directory Connect

Hello everyone! It's been a while - sorry about that. Life has been extremely busy for me the past couple months and I haven't posted in some time. Something that has been reaffirmed to me lately is the fact that life, just like IT, is constantly changing. Since my last post, I've left my old employer (along with almost a dozen of my old co-workers), an organization that had an "old school" mentality in regards to IT.

I'm now with an organization that is much more forward-thinking in regards to embracing cloud technologies, automation, and scripting. Interestingly enough, my title has transitioned from Senior Cloud Analyst to the much more common Senior Systems Engineer, and yet, I'm doing more with the Cloud in this role than the former. How ironic.

My wife and I are also expecting the arrival of our third child in the next several days. Much time has been spent over the past months and weeks preparing for this huge life event once again. My two children can't wait to meet the new baby, especially my son as he is ready to become a "big brother" at long last.

Transitioning to a new job and preparing for a new child - that pretty much explains where my time has been sunk for the past two months. As I step back into blogging, I wanted to write a post about cloud technologies that I'm now working with, particularly Office 365. I inherited a partially working directory synchronization setup that I've been working to fix. In order to better understand the process and what's happening, I wanted to start from scratch and build from the ground up.

The architecture of directory sync to Azure AD - graphic courtesy of Microsoft.
Thankfully, Microsoft offers a free 30-day trial of Office 365 that's perfect for a home lab environment. I'll be demonstrating how to use the Azure Active Directory Connect (AAD Connect from this point forward) tool to synchronize your on-premise Active Directory with Office 365. As usual with my guides, this post will be screenshot heavy - you've been forewarned!



Sign up for Office 365 trial

Microsoft offers a free 30-day trial of Office 365 Business Premium at this link. Sign up and enter the information requested, including creating your user account. As Microsoft puts it, you'll need to prove you're not a robot by entering a valid phone number - I used the option to text me a verification code.

Start your free trial
Entering my personal information
Creating my user ID
Proving I'm not a robot
And we're all set!
That wasn't so bad! I've successfully signed up for an Office 365 Business Premium Trial, created an account and had my Office 365 tenant provisioned. Microsoft has made the process of signing up for Office 365 extremely easy and streamlined, there's really not much to it. You'll land at the Office 365 portal where you can access any of the applications and functionality provided by Office 365.

Setup domain within Office 365 Admin Center

At this point, you'll need to configure Office 365 to work with your domain. This is required so that Office 365 can validate you actually own the domain you'll be synchronizing - to not perform validation would not be prudent on Microsoft's part. To access the Admin Center, you'll want to click the grey Admin tile within Office 365, as shown below.
The Admin Tile in Office 365
You'll be taken to the Office 365 Admin Center. In the left menu, expand Settings and select Domains.
Accessing the Domains menu
Next, click the Add Domain button.
Add a new domain to your Office 365 tenant

Enter your domain name and click Next.
Enter your domain name

Now you'll need to verify that you own the domain specified by adding either TXT or MX DNS records to your domain. TXT is the preferred method; however, if your domain registrar won't allow you to create TXT records, you have the option of using an MX record. Be very careful with this so you don't impact any mail flow you might have for your domain.
Verifying ownership
Now you'll need to add the specified DNS entry to your domain. How to perform this process will vary depending upon your domain name registrar. In my case, I use Google Domains, so I'll add the appropriate TXT record in order to continue the verification process.
TXT record added to the domain

Once the proper DNS record has been added to your domain and allowed to propagate, you can continue verifying ownership of your domain within the Office 365 Admin Center. I've verified successfully, but I don't want Office 365 to control my DNS records, so I'll select the option to add any additional required entries manually.
I'll manage my own DNS records, thank you very much.
You'll be presented with a list of various DNS records to add to your domain in order to support Exchange Online, Exchange Online Protection, Skype for Business Online, etc. These are outside the scope of this guide, so for the time being, scroll down and select the checkbox to skip this step, and then click Skip.
Skip additional DNS entries
Back on the Domains page, you'll notice the domain is now listed, although flagged with a warning about possible service issues. Again, this is due to not configuring the final DNS entries and is acceptable at this point.
The new domain has been added

Download and install AAD Connect

The latest version of AAD Connect can be found on the Microsoft Download Center. The available version at the time of this post was 1.1.189.0. The download is an MSI file. You'll want to install this on a utility/management server, as several services will be installed that handle synchronization with Office 365.

When launching the installer, the easiest method is to use the Express Settings option. This will install a local instance of SQL Express 2012 that will host the database used by AAD Connect. On the Welcome screen, agree to the license terms and click Continue.

Welcome Screen
Click on Use Express Settings.
Installing using the Express Settings option
Next, you'll need to sign in to Office 365. Use the Global Administrator account you created when signing up for the trial. Enter your user account information and click Next.
Entering your Office 365 credentials
Now enter credentials for an account in your local Active Directory instance. This account will need to be a member of the Enterprise Administrators group - this is required as a new service account user will automatically be created to perform directory synchronization.
Enter your Enterprise Administrator credentials
At this point, I'm presented with what appears to be an error. The UPN suffix of my local Active Directory instance does not match the domain I've registered in Office 365. This is true, as you can see I'm using a sub-domain (ad.tmurphy.org) of the actual domain that I own.
Non-matching UPN suffixes


To resolve this, I can add tmurphy.org as an alternate UPN suffix within Active Directory Domains and Trusts.
Adding tmurphy.org as an alternate UPN suffix
Switching back to AAD Connect and clicking on the Refresh icon, it now shows the alternate UPN suffix with a status of verified under the Azure AD Domain column. Click Next.
The UPN suffix is now verified
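The same UPN suffix fix from PowerShell, as an added example that is not part of the original post. It goes one step beyond the text: after registering tmurphy.org as an alternate suffix it also reports users in the synced container whose UPN still ends in the non-routable ad.tmurphy.org suffix, which Azure AD cannot match to the verified domain. The container path and suffix values are assumed from the lab described above; the rewrite runs with -WhatIf so nothing changes until you remove it.

```powershell
# Added example (not the post's own code). Assumes the ActiveDirectory (RSAT)
# module on a domain-joined admin box with rights to edit the forest and users.
Import-Module ActiveDirectory

$VerifiedSuffix = 'tmurphy.org'                       # domain verified in Office 365
$SearchBase     = 'CN=Users,DC=ad,DC=tmurphy,DC=org'  # container selected for sync (assumed)

# 1. Register the alternate UPN suffix (same effect as AD Domains and Trusts in the GUI).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $VerifiedSuffix }
    $forest = Get-ADForest    # re-read so the suffix list below is current
}
Write-Output "Forest UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# 2. Find users whose UPN suffix is not the verified domain. Such accounts would
#    be created in Azure AD under the tenant's onmicrosoft.com domain instead.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties userPrincipalName
foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn) { $upn.Split('@')[-1] } else { '' }
    if ($suffix -ne $VerifiedSuffix) {
        $newUpn = "$($u.SamAccountName)@$VerifiedSuffix"
        Write-Output "$($u.SamAccountName): UPN '$upn' would become '$newUpn'"
        # 3. Rewrite the UPN to the routable suffix. Drop -WhatIf to apply it.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    }
}
```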
On the Configure screen, I've opted to unselect the checkbox so that an immediate synchronization will not take place. I'd like to set up some custom sync options before actually synchronizing with Office 365. Click the Install button. The full tool, including SQL Express, will be installed.
Time to install AAD Connect
After all components are installed, simply click the Exit button.
Installation completed successfully
If you launch AAD Connect again and choose the option View Current Configuration, you'll be able to see exactly which options were set up in the current sync configuration.
View the current configuration
There are two specific items I want to call out when viewing the current configuration.
  1. The account listed is a service account created in your Active Directory domain that will be used for all synchronization operations moving forward.
  2. By default, password synchronization is enabled. This means that for any accounts that are synchronized to Azure AD, the user's password will also be synchronized. This may or may not be the behavior you wish to use, but for the scope of this article, we'll be leaving this enabled.
View the current configuration

Configuring OU-based filtering

By default, AAD Connect will synchronize all user accounts from your on-premise Active Directory into Azure AD. I'd like to set up a filter so that only specific user accounts are synchronized. There are two main methods that I use for filtering: OU-based filtering and attribute filtering. OU-based filtering allows you to pick specific organizational units within your Active Directory hierarchy that will sync over to Azure AD.

Back on the main screen, we'll select the Customize Synchronization Options button to begin.
Customize synchronization options
Enter your Azure AD credentials and click Next.
Submit Azure AD credentials
Notice that our domain will already show up as configured, so simply click Next.
Click next
On the Domain/OU Filtering screen, you'll be able to choose the specific OUs that you wish to synchronize. In my case, I'm selecting just the Users container.
OU-based filtering
The Optional Features screen offers several options, including disabling password synchronization. I'm fine with the defaults for now, so I'm just going to click Next.
The Optional Features screen
Now I click Install once more. I've opted not to start synchronization at this time, as I still want to set up attribute-based filtering.
Finish this step of the customization

Configuring attribute-based filtering

If creating a separate OU to store users that should be synced is not feasible in your environment, and you need something more granular while utilizing existing OUs, you can also filter based on specific attributes of user accounts. The cool part is you can pick any attribute of a user account to filter by. For example, I'm going to filter based on the description field in a user's account.
Let's filter on the description!
Looking at the Attribute Editor tab in the user account, we can see that for the description, the attribute name is simply "description". Easy enough.
Finding the correct attribute
In order to filter based on the description attribute, we need to create a custom sync rule for the synchronization service. Browse to C:\Program Files\Microsoft Azure AD Sync\UIShell and launch SyncRulesEditor.exe. Ensure the direction of the rule is set to Inbound, and then click the Add New Rule button.
Add a new inbound rule
On the Description screen, configure the following options and click Next.
  • Name: In from AD - Do Not Sync Filter
  • Connected System: <AD_Domain>
  • Connected System Object Type: user
  • Metaverse Object Type: person
  • Link Type: Join
  • Precedence: 500 (or some other high value)
The Description tab
On the Scoping Filter screen, we'll be setting up a negative filter, meaning that if the properties of this filter match, the user will NOT sync. This is actually easier in the end than a positive filter, although it may be confusing on the surface. Click on Add Group, then click Add Clause. Set the attribute to description, set the operator to NOTEQUAL and set the value to "In the cloud", then click Next. Essentially what we are saying here is that if the description attribute is not equal to the value "In the cloud", then DO NOT sync the user. For a better explanation of negative/positive filtering, see the Azure documentation.
Setting a negative filter
Leave the default settings on the Join Rules screen, and click Next.
Default join rules
Finally, on the Transformations screen, click Add Transformation, set the following options and click the Add button.
  • Flow Type: Constant
  • Target Attribute: cloudFiltered
  • Source: True
Transformation rules
That's it for our attribute-based filtering. The final step is to enable synchronization. You can do this by opening AAD Connect and running through the Customize Synchronization Options wizard again, not changing any values other than setting the start synchronization option on the final screen. This will kick off a sync to Azure AD.
Enabling the synchronization process
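A way to check the rule before relying on it, as an added example that is not part of the original post: it tags the accounts that should sync with the exact description value used in the scoping filter, previews which users in the synced container the "In from AD - Do Not Sync Filter" rule would mark as cloudFiltered, and then triggers a delta sync from the ADSync module instead of re-running the wizard. The container path and the sample account name are assumptions for this lab.

```powershell
# Added example (not the post's own code). Assumes the ActiveDirectory and
# ADSync modules are available on the AAD Connect server.
Import-Module ActiveDirectory
Import-Module ADSync

$SearchBase = 'CN=Users,DC=ad,DC=tmurphy,DC=org'  # container chosen in OU filtering (assumed)
$SyncMarker = 'In the cloud'                      # value used in the NOTEQUAL scoping clause

# Constructed sample list of accounts that should be synchronized.
$ShouldSync = @('clouduser')

# 1. Tag the chosen accounts with the exact marker string the rule compares against.
foreach ($sam in $ShouldSync) {
    Set-ADUser -Identity $sam -Description $SyncMarker
}

# 2. Preview the rule's effect: the scoping filter matches (and the transformation
#    sets cloudFiltered=True) for every user whose description is NOT the marker.
$users  = Get-ADUser -Filter * -SearchBase $SearchBase -Properties description
$report = foreach ($u in $users) {
    $filtered = ($u.Description -ne $SyncMarker)   # mirrors "description NOTEQUAL 'In the cloud'"
    [pscustomobject]@{
        User          = $u.SamAccountName
        Description   = $u.Description
        CloudFiltered = $filtered
        WillSync      = -not $filtered
    }
}
$report | Format-Table -AutoSize

# 3. Kick off a delta sync now rather than waiting for the built-in scheduler,
#    then show the scheduler state so you can confirm sync is enabled.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncScheduler
```

After the cycle completes, the Directory Sync Status page in the Admin Center should reflect the run, and only the users reported as WillSync=True should appear as "Synced with Active Directory".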

The End Results

Now we can begin validating that directory synchronization has been configured correctly and that the users are actually showing up in Office 365. Logging into the Office 365 Admin Center and checking Health > Directory Sync Status, we see that directory synchronization completed successfully a few minutes ago.
Checking the directory sync status
Also if we take a look at our active users, we'll now see two users with a status of "Synced with Active Directory".
There's our synced user accounts!
As you can see, our Cloud User account was successfully joined to Azure AD and shows up in the Office 365 Admin Center. The other account you see listed as "On-Premises Directory Synchronization" is just that, the service account that is used for directory synchronization on the Azure AD side of the house. Everything is now working as designed, and adding new users to be synchronized is as simple as updating the description attribute in their user account.

Hopefully this post helps get you started on your way towards Office 365, Azure Active Directory and integrating these tools with your on-premise Active Directory instances. It's been a great learning process for me and I'm enjoying the fact that I'm now in a better position to embrace and learn more "true" cloud technologies. I see this area of the industry continuing to grow and becoming more important to understand and utilize in order to be effective in IT and drive value for our businesses.
