How to Sync Local Active Directory to Office 365 with DirSync?

Moving to Office 365 doesn’t mean that you need to remove all local servers. Some companies still keep a domain controller because other applications are bound to Active Directory authentication. These are legacy applications and cannot authenticate directly against Azure Active Directory, which is the authentication mechanism of Azure/Office 365. Note that Azure Active Directory is not the same as the on-premises Active Directory, where you can add policies and other settings; it is mainly used for authentication and device management. If you need the same Active Directory experience as on-premises, for example to set up logon scripts and printer mappings, you need to subscribe to Azure Active Directory Domain Services.

Normally, if a company has its own Active Directory server and has migrated to Office 365 for email and files, the users end up with one username and password for the local services and a different username and password for the online services. The ideal scenario is a single account that gives access to all services across the business. This can be achieved with two methods of authentication:

Authentication on the cloud using Azure AD Connect

Authentication on premises using Azure AD Connect and Federated Services

Azure AD Connect along with Federated Services

This would involve several servers: an Active Directory server, an Active Directory Federation Services server, an Active Directory Federation Services proxy, and a server for Azure Active Directory Connect.

Image source (Microsoft)

The benefit of this design is that authentication is fully controlled by the company: any access cards or third-party multi-factor authentication are managed by the company. This is called Pass-through authentication. It is the fully seamless authentication method, but it comes at a cost, as you need to manage more servers and services around it. If any of these servers, or the connection between them and the Azure services, is down, none of the users will be able to access any service on Office 365: they will not be able to authenticate to their mailboxes, OneDrive, SharePoint Online, Teams or the other Office 365 services. This is not recommended for small to medium businesses.

Azure Active Directory Connect (AAD)

There is another way to achieve single sign-on without the complexity of adding more servers and support on the network. It only requires a server with Azure AD Connect (AAD) installed. This method ensures that the identity on your local premises is the same as the one in Azure Active Directory, while you still manage the identity from your local server. Authentication takes place in the cloud, but the local Active Directory synchronizes with Azure Active Directory. Although you are hooking up your local Active Directory, you can still have a mix of Active Directory synced users and cloud-only identities. As you can see below, the setup is quite easy and simple, yet effective.

Image Source (Microsoft)

For this to happen, you need two servers: your Active Directory Domain Controller and another one on which to install AAD Connect. There are no firewall settings or security measures to configure to set this up; it gives you single sign-on without the complication. For this to work, you will need to create a UPN suffix, which you do in Active Directory Domains and Trusts. Adding the suffix has no impact on the users or applications.

This will enable the users to authenticate with their email address and password, rather than with the DOMAIN\User method. Once this is done, open Active Directory Users and Computers and change the User logon name domain to your company's domain name, so that the logon name becomes the user's email address.
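The two preparation steps above (registering the UPN suffix, then switching each user's logon name to their email address) can be done in bulk and checked before anything is changed. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module on a domain controller, uses `contoso.com` as a placeholder for the domain verified in Office 365, and runs with `-WhatIf` so it only reports what it would change until you remove that switch.

```powershell
# Added example (not from the original article): prepare on-premises UPNs for sync.
# Assumes the ActiveDirectory RSAT module; 'contoso.com' is a placeholder public suffix.
Import-Module ActiveDirectory

$publicSuffix = 'contoso.com'      # placeholder: the domain verified in your Office 365 tenant
$forest       = Get-ADForest

# 1. Register the routable UPN suffix at forest level (same effect as adding it in
#    Active Directory Domains and Trusts). Harmless if it is already present.
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $publicSuffix}
    Write-Host "Added UPN suffix $publicSuffix to forest $($forest.Name)"
}

# 2. Find enabled users whose logon name still ends in the internal suffix (e.g. .local).
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   $_.UserPrincipalName.Split('@')[1] -ne $publicSuffix }

# 3. Report first, so the change set can be reviewed before it is applied.
$candidates | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# 4. Set the logon name to the email address. Users whose mail attribute is on some other
#    domain are skipped, because their cloud identity would otherwise be created under a
#    name that does not match what they sign in with.
foreach ($u in $candidates) {
    $newUpn = if ($u.mail) { $u.mail } else { '{0}@{1}' -f $u.SamAccountName, $publicSuffix }
    if ($newUpn.Split('@')[1] -ne $publicSuffix) {
        Write-Warning "$($u.SamAccountName): mail '$($u.mail)' is not on $publicSuffix; skipping"
        continue
    }
    # Remove -WhatIf once the report above looks right.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Because the UPN becomes the name users sign in with everywhere once sync is running, the report in step 3 is the place to catch accounts whose mail attribute and planned logon name disagree; fixing those before the first sync avoids ending up with mismatched cloud identities.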

Once this is done, open your Azure Active Directory portal using the link https://aad.portal.azure.com and click on the item shown below in the Dashboard.

Here you can download the Azure AD Connect synchronization tool.

Once downloaded, you can install on the server which you will be using for this purpose.

Note: It is not recommended to install the tool on the same server as your domain controller. It must be a domain-joined server.

Once installed, you will be asked to configure the settings and connect the tool to your tenant. Enter the credentials of your global administrator and the AAD tool will immediately connect to Office 365. The next step is to choose which local users are synchronized. You can synchronize every object, but the recommended approach is to create a security group called AzureSyncGroup (for example); whatever object is in that group will be synchronized to the cloud.

Passwords are also synchronized from the local directory to the cloud. This means that users have the same username, i.e. their email address, and the same password in both places. Natively, users cannot change their password from the Office 365 portal, as the password synchronization is one-way. If you want two-way synchronization, which is called Password Writeback, the users must also have an Azure AD Premium P1 subscription. With it, users can change their password from the Office 365 portal and the change will synchronize back to the local Active Directory servers.
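The group-based scoping described two paragraphs above, the password synchronization described here, and the offboarding step in the conclusion can all be driven and verified from PowerShell. The block below is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory RSAT module for the group steps and the ADSync module that the Azure AD Connect installer places on the connector server for the sync steps, and it uses `AzureSyncGroup`, the OU path, the `contoso.com` suffix and the user `jdoe` as placeholders.

```powershell
# Added example (not from the original article). Group steps need the ActiveDirectory RSAT
# module; the ADSync cmdlets run on the Azure AD Connect server itself. All names are placeholders.
Import-Module ActiveDirectory

$syncGroup    = 'AzureSyncGroup'                      # the scoping group chosen in the wizard
$staffOu      = 'OU=Staff,DC=contoso,DC=local'        # placeholder OU holding normal user accounts
$publicSuffix = 'contoso.com'                         # placeholder public UPN suffix

# 1. Create the scoping group once. Only members of this group are exported to Azure AD,
#    so service accounts and admin accounts that are kept out of it never get a cloud identity.
if (-not (Get-ADGroup -Filter "Name -eq '$syncGroup'")) {
    New-ADGroup -Name $syncGroup -GroupScope Global -GroupCategory Security `
        -Description 'Members of this group are synchronized to Azure AD'
}

# 2. Add enabled staff accounts whose logon name already uses the public suffix.
#    Accounts still on the internal suffix are deliberately left out until they are fixed.
$toSync = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $staffOu |
    Where-Object { $_.UserPrincipalName -like "*@$publicSuffix" }
Add-ADGroupMember -Identity $syncGroup -Members $toSync

# 3. Review exactly what is in scope before the next cycle exports it.
Get-ADGroupMember -Identity $syncGroup | Select-Object SamAccountName, objectClass | Format-Table

# ---- From here on: run on the Azure AD Connect server ----
Import-Module ADSync

# 4. Confirm the scheduler is running and that password hash sync is on. PasswordWriteBack
#    stays $false unless the Azure AD Premium P1 feature has been enabled in the wizard.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync, PasswordWriteBack

# 5. Push the membership change now instead of waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# 6. Offboarding: disable the account on-premises and run another delta cycle; the matching
#    cloud account is blocked from signing in on the next export, as the article describes.
Disable-ADAccount -Identity 'jdoe'                    # placeholder user
Start-ADSyncSyncCycle -PolicyType Delta
```

Step 3 is the useful habit here: because membership of the group is the only thing standing between an on-premises object and a cloud identity, listing the group before each sync cycle is a cheap way to spot an account that was added by mistake, and step 4 gives you a quick answer when a user reports that a password change has not reached the cloud.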

Conclusion

This will make your authentication simple and avoid the hassle for the users to remember different passwords. You can simply create a user in your AD, sync, and it will be automatically created in Office 365. All you need to do is assign the license. If a user leaves the company, all you need to do is disable the user from your on-premises AD server and it will also disable the online user.

As you can see, this will simplify the users’ daily work of accessing their applications. You can also migrate from Exchange Server to Office 365 with no hassle.