次の方法で共有


Office 365 Service Accounts–How do I stop DIRSYNC from breaking every 90 days…

So, this is something I wanted to blog about a few months ago but it got pushed to the bottom of the list of things to do (As usual!). 

Anyway… during the early adopter testing of the Office 365 service we had a number of customers who had deployed what was termed “Exchange Rich Coexistence” or “Hybrid” as it is termed now.  At the time (12 months ago now!) the documentation to get this up and running was fairly patchy and it took quite a bit of trial and error to get things working as people wanted.  However, most customers managed to get things working after 4 weeks or so and were able to begin testing…

Then came the problem… we had talked most of our customers through deploying DIRSYNC at around the same time (within a few days of each other), imagine our confusion when they all stopped working at pretty much the same time!  Lots of red errors in the event logs… this was one of the errors from my test lab…

image

OK, so its pretty clear that we have an authentication problem, but which credentials, our terra-firma or cloud?  and how do I fix it?

Well, it turns out that the the problem is pretty predictable… its caused by the 90 day password expiry policy applied to all Office 365 managed accounts, this will happen repeatedly every 90 days.  In the case of our early adopters they all hit this within 2 days of each other because everyone was so keen to get up and running that they pretty much all installed DIRSYNC as soon as we made the code available!

Luckily we have a couple of ways around this…

  1. Establish an operations process every 90 days to change the password and reconfigure DIRSYNC
  2. Create a service account for DIRSYNC and disable password expiry

For this blog I will concentrate on option 2 and how to reconfigure DIRSYNC after you have created a new account.

Note: If you can create this managed account before setting up DIRSYNC for the first time, then you wont have to visit it again!

Creating an Office 365 service account for DIRSYNC…

The first thing we need to do is to create an Office 365 managed account to use for DIRSYNC.  I find it easiest to do this in the GUI.

  1. Login to https://portal.microsoftonline.com as a tenant Administrator
  2. Under the Management menu, click on Users
  3. Click on New, then select User from the drop down
  4. Enter the appropriate details for the new user account and click next
  5. Assign the new account “Global Administrator” rights
  6. Complete the user creation process (You do not need to assign this user an Office 365 License!)
  7. Make a note of the temporary account password
  8. Start IE in “InPrivate” mode and browse to https://portal.microsoftonline.com
  9. Login with your new DISRYNC service account
  10. On first login Office 365 will prompt you to change the password
  11. Verify that you can logon to the Office 365 portal with your new account

 

Re-configuring DIRSYNC to use the new Office 365 service account…

Before we can complete this section, we are going to need a few bits of information…

  • Local Active Directory Enterprise Administrator Account details and password
  • DIRSYNC service account details and password in Office 365

Process…

  1. Logon to your DIRSYNC server
  2. Open Start –> All Programs > Microsoft Online Services –> Directory Synchronization : Directory Sync Configuration
  3. Click Next at the welcome screen
  4. Enter your new DIRSYNC service account details into the Microsoft Online Services Administrator Credentials box
  5. Click Next (DIRSYNC will validate your credentials)
  6. Enter your existing Enterprise Administrator Credentials into the Active Directory Enterprise Administrator Credentials box
  7. Click Next (DIRSYNC will validate your credentials)
  8. Enable the "Rich Coexistence” checkbox if you are deploying in “Hybrid” and want AD write-back
  9. Click Next
  10. DRSYNC Will re-configure itself to use the new account
  11. Ensure that the Synchronize directories now checkbox is checked and click “Finish”
  12. Start Event Viewer and open the Application Log
  13. Look for Directory Synchronisation Events 1 – 4 (4 means its finished “Export has completed”)

OK, so now we have a new account dedicated for DIRSYNC, but its password is still going to expire in 90 days…

 

Disabling password expiry on your Office 365 DIRSYNC service account…

Now, before we go through these steps it is important to realise that disabling your DIRSYNC service account password expiry has some obvious security risks involved.  This is a powerful account with full rights to your tenant, if it gets compromised then so does your entire tenant!  Make sure that you fully understand these risks before continuing and discuss appropriately with your security team.

OK, so assuming you have decided to go ahead this is what we will need…

Install the Microsoft Online Sign-In Assistant

Install the Microsoft Online Services Module for PowerShell

Launch a PowerShell Window and run the following commands…

    1: Import-Module msonline
    2: $cred = Get-Credential
    3: Connect-MsolService -cred $cred
    4: Get-Command –Module msonline

Once connected we have access to some new MSOL Remote PowerShell cmdlets.  We are going to make use of the get-msoluser and set-msoluser cmdlets.

Firstly, lets take a look at our DIRSYNC service account as it was originally created

    4: ExtensionData               : System.Runtime.Serialization.ExtensionDataObject
    5: AlternateEmailAddresses     : {dirsync@neiljohn.onmicrosoft.com}
    6: BlockCredential             : False
    7: City                        :
    8: Country                     :
    9: Department                  :
   10: DisplayName                 : DIRSYNC Service Account
   11: Errors                      :
   12: Fax                         :
   13: FirstName                   : DIRSYNC
   14: ImmutableId                 :
   15: IsBlackberryUser            : False
   16: IsLicensed                  : False
   17: LastDirSyncTime             :
   18: LastName                    : Service Account
   19: LicenseReconciliationNeeded : False
   20: Licenses                    : {}
   21: LiveId                      : 10033FFF80B3EF03
   22: MobilePhone                 :
   23: ObjectId                    : d756d167-fcf3-4505-99e2-fd1100952182
   24: Office                      :
   25: OverallProvisioningStatus   : None
   26: PasswordNeverExpires        : False
   27: PhoneNumber                 :
   28: PostalCode                  :
   29: PreferredLanguage           :
   30: State                       :
   31: StreetAddress               :
   32: StrongPasswordRequired      : True
   33: Title                       :
   34: UsageLocation               : GB
   35: UserPrincipalName           : dirsync@neiljohn.onmicrosoft.com
   36: ValidationStatus            : Healthy

As you can see from the output, PasswordNeverExpires is to to False, this means that our service account user will inherit the standard 90 day password expiry policy.  To change this we need to issue the following command…

  • Set-MsolUser -UserPrincipalName dirsync@neiljohn.onmicrosoft.com -PasswordNeverExpires $true

If we then repeat the earlier command, we can see that now PasswordNeverExpires is now set to True

 

    1: ExtensionData               : System.Runtime.Serialization.ExtensionDataObjec
    2: AlternateEmailAddresses     : {dirsync@neiljohn.onmicrosoft.com}
    3: BlockCredential             : False
    4: City                        :
    5: Country                     :
    6: Department                  :
    7: DisplayName                 : DIRSYNC Service Account
    8: Errors                      :
    9: Fax                         :
   10: FirstName                   : DIRSYNC
   11: ImmutableId                 :
   12: IsBlackberryUser            : False
   13: IsLicensed                  : False
   14: LastDirSyncTime             :
   15: LastName                    : Service Account
   16: LicenseReconciliationNeeded : False
   17: Licenses                    : {}
   18: LiveId                      : 10033FFF80B3EF03
   19: MobilePhone                 :
   20: ObjectId                    : d756d167-fcf3-4505-99e2-fd1100952182
   21: Office                      :
   22: OverallProvisioningStatus   : None
   23: PasswordNeverExpires        : True
   24: PhoneNumber                 :
   25: PostalCode                  :
   26: PreferredLanguage           :
   27: State                       :
   28: StreetAddress               :
   29: StrongPasswordRequired      : True
   30: Title                       :
   31: UsageLocation               : GB
   32: UserPrincipalName           : dirsync@neiljohn.onmicrosoft.com
   33: ValidationStatus            : Healthy

 

OK, so now we are done!  DIRSYNC will no longer require that your account password is changed every 90 days.

Conclusion

This is a more interesting topic than I had originally, thought, the actual process to configure a service account without password expiry is relatively quick and simple, however there are significant security implications from having an Office 365 account that never requires its password to be changed with such high access rights.

For me what this configuration does is to put the control back into the hands of the Administrator – you now have control over when you change your service account password.  My experience with fixed password expiry on service accounts is that eventually the password will expire when the person responsible for that service is on leave or away sick and nobody else knows what to do – this is a recipe for further disaster.

I would recommend combining this solution for disabling password expiry with an operations process to change the password regularly.  This process should be documented clearly and executed regularly to meet your security policies.  This approach gives you the flexibility of being able to choose your own account password change policy, without the risk of the password expiring and stopping your directory sync process from working.

Comments

  • Anonymous
    January 01, 2003
    Looks like the error message for password expiration has actually got more obscure with newer version of Windows Azure Active Directory Sync (as well as the error code changing from 0x80048830 to 0x80048831): "An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support.  (0x80048831)" This issue really needs much higher visibility than it currently has, such as being highlighted in the setup guide for DirSync.

  • Anonymous
    September 05, 2011
    Well done on another great post Neil. I consistently enjoy reading your blog. super informative, punchy and on topic. Nic

  • Anonymous
    October 24, 2011
    Legendary, thanks for this - Now to work out how to change a login name and get it to work with MSOL