Directory Synchronization in Office 365

Presentation transcript:

Directory Synchronization in Office 365 Bill Fiddes | Learning and Development Specialist Rob Latino | Program Manager in Office 365 Support

Meet Bill Fiddes
Learning & Development Specialist, Customer Support Services
Been with Microsoft for 7 years; "professionally" in the computer industry for 10 years
Focus on Customer Support Readiness for Azure Active Directory and Office 365 Identity
Wife and three children living in Maple Valley, WA

Meet Rob Latino
Program Manager in the Office 365 Support organization for over 4 years
Certified in Office 365 Administration
Involved in the Office 365 community and technical content management

Course Topics: Directory Synchronization in Office 365
01 | What is Azure Active Directory?
02 | Directory Synchronization Overview
03 | Directory Synchronization Scenarios
04 | Directory Synchronization Tool Comparison
05 | Source of Authority
06 | Hard and Soft User ID Matching
07 | Configuring Alternate User ID
08 | Configure Filtering
09 | Azure Active Directory Subscriptions

Setting Expectations
This is for admins who want to do more advanced configuration with directory synchronization:
Changing source of authority
Mapping existing cloud users to local users
Signing in with something other than the UPN
Syncing some objects instead of all objects
Extra value with Azure Active Directory subscriptions

Join the MVA Community! Microsoft Virtual Academy
Free online learning tailored for IT Pros and Developers
Over 2M registered users
Up-to-date, relevant training on a variety of Microsoft products
"Earn while you learn!" Get 50 MVA Points for this event!

01 | What is Azure Active Directory?

What is Azure AD and what does it have to do with me? Azure Active Directory provides identity management and access control for cloud services such as Office 365. It consists of a cloud-based store for directory data and a core set of identity services: user sign-in, authentication, and federation. These identity services integrate with your on-premises Active Directory deployments and support third-party identity providers through federation.

02 | Directory Synchronization Overview

Directory Synchronization Overview
Synchronize your directory to Microsoft cloud services
Synchronizes users, security groups, distribution lists, contacts and conference rooms, and, when password sync is enabled, password hashes: what leaves the domain is a hash of the on-premises password hash, never the cleartext password
Enables a unified Global Address List with Exchange Online
Enables Exchange hybrid and synchronizes some Exchange Online attributes back to on-premises
Can write passwords back to on-premises (password write-back)
Synchronization runs every 3 hours by default
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Directory Synchronization Overview - continued
Synchronize from a single forest or from multiple forests
Directory quota limits:
Up to 50k objects with no verified domain
Up to 500k objects with a verified domain
Unlimited with an Azure Active Directory Basic or Premium subscription
Lots of new features coming soon

03 | Directory Synchronization Scenarios

Directory Synchronization Scenarios
Directory Sync scenario: used to synchronize on-premises directory objects (users, groups, contacts) to the cloud to reduce administrative overhead. Directory synchronization is also referred to as directory sync. Once it is set up, administrators manage directory objects in the on-premises Active Directory and those changes are synchronized to the tenant. In this scenario users hold separate credentials for cloud and on-premises resources: the user name is synchronized, but the cloud password is set and managed in the cloud.
Directory Sync with Password Sync scenario: used when you want users to sign in to Azure AD and other services with the same user name and password they use to log on to the corporate network and resources. Password sync is a feature of the directory sync tool. It synchronizes a hash of the password hash, so cloud sign-in is evaluated by Azure AD against that value; your domain controllers are not contacted at sign-in time.

Directory Synchronization Scenarios - continued
Directory Sync with Single Sign-On scenario: used to give users a seamless authentication experience when they access Microsoft cloud services while logged on to the corporate network. To set up single sign-on, the organization deploys a security token service on-premises, such as Active Directory Federation Services (AD FS). Once it is set up, users authenticate with their Active Directory corporate credentials (user name and password) to reach both the cloud services and their existing on-premises resources; the password itself stays on-premises and only a signed token is presented to the cloud.

04 | Directory Synchronization Tool Comparison

Directory Synchronization Tool Comparison
Azure Active Directory Sync Tool (DirSync)
First appliance for directory synchronization to Azure AD
Supports only single-forest synchronization
Password write-back remains in preview and is not supported
Azure Active Directory Sync Services (AAD Sync)
Newest appliance; will eventually replace DirSync for directory synchronization to Azure AD
Supports single- and multi-forest synchronization
Password write-back
Many new features coming soon
Azure Active Directory Connect
Includes Azure Active Directory Sync Services (AAD Sync)
Will also assist you in setting up AD FS
Will also assist you in setting up your Web Application Proxy

Directory Synchronization Tool Comparison (DirSync vs. AAD Sync)
On-Premises to Cloud Synchronization
Connect to single on-premises AD forest (DirSync, AAD Sync)
Connect to multiple on-premises AD forests (AAD Sync)
Connect to single on-premises LDAP directory (no AD at all)
Connect to multiple on-premises LDAP directories
Connect to on-premises AD and on-premises LDAP directories
Connect to custom systems (i.e. SQL, Oracle, MySQL, etc.)
Synchronize customer-defined attributes (directory extensions)
Password Hash Sync for single on-premises AD forest (DirSync, AAD Sync)
Password Hash Sync for multiple on-premises AD forests (AAD Sync)
Cloud to On-Premises Synchronization
Write-back of devices
Attribute write-back (for Exchange hybrid deployment)
Write-back of users and group objects
Write-back of passwords (from SSPR and password change) (DirSync: preview only; AAD Sync)
Write-back of customer-defined attributes (directory extensions)

Directory Synchronization Tool Comparison (DirSync vs. AAD Sync) - continued
Set-up and Installation
Supports installation on a Domain Controller
Supports installation using SQL Express
Step-up from DirSync to AAD Sync
Localization in Windows Server languages
Support for Windows Server 2008 and Windows Server 2008 R2
Support for Windows Server 2012 and Windows Server 2012 R2
Filtering and Configuration
Filter on domains and organizational units
Filter on attribute values on objects
Allow a minimal set of attributes to be synchronized ("MinSync")
Allow different service templates to be applied for attribute flows
Allow removing attributes from flowing from AD to AAD
Allow advanced customization of attribute flows

05 | Source of Authority

Source of Authority
There are three scenarios where you change the source of authority for an object: when you activate, deactivate, or reactivate directory synchronization, from any account portal or with Windows PowerShell. Source of authority is transferred after you perform the first synchronization.
Activate: when you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory. Activating directory synchronization is a requirement for an Exchange hybrid deployment, for Active Directory Federation Services 2.0 (AD FS 2.0) single sign-on (SSO), and for the staged Exchange migration scenarios.

Source of Authority - continued
Deactivate: when you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud. Deactivating directory synchronization is a requirement if you want to move all user, group, contact, and mailbox management to the cloud, using Windows PowerShell and the account portal tools. For example, an organization that used the staged Exchange migration tools to move its mailboxes to the cloud and no longer wants to manage objects from on-premises can deactivate directory synchronization.
Reactivate: when you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided).
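The activate/deactivate steps above are tenant-level switches, so it is worth confirming where the source of authority sits before flipping them. The following is an added example, not code from the presentation, using the MSOnline cmdlets the deck refers to. It assumes a session already opened with Connect-MsolService; the deactivation function is gated behind ShouldProcess so it can be rehearsed with -WhatIf.

```powershell
# Added example, not from the MVA deck: inspect the tenant's directory-sync state,
# count which users are currently mastered on-premises, and deactivate sync only
# through an explicit confirmation. Assumes an open Connect-MsolService session.
Import-Module MSOnline

function Get-DirSyncState {
    # Tenant-level flags that tell you where the source of authority sits today.
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        DirSyncEnabled      = $info.DirectorySynchronizationEnabled
        LastDirSyncTime     = $info.LastDirSyncTime
        PasswordSyncEnabled = $info.PasswordSynchronizationEnabled
    }
}

function Get-SyncedUserCount {
    # Users with a LastDirSyncTime are mastered on-premises; cloud-authored users have none.
    $all = Get-MsolUser -All
    [pscustomobject]@{
        Synced    = @($all | Where-Object { $_.LastDirSyncTime }).Count
        CloudOnly = @($all | Where-Object { -not $_.LastDirSyncTime }).Count
    }
}

function Disable-DirSyncWithConfirmation {
    # Deactivating moves the source of authority to the cloud for every synced object.
    # Run it only after a final successful sync and when on-premises management is ending.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $state = Get-DirSyncState
    if (-not $state.DirSyncEnabled) { Write-Warning 'Directory sync is already disabled.'; return }
    if ($PSCmdlet.ShouldProcess('tenant', 'Deactivate directory synchronization')) {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    }
}

Get-DirSyncState
Get-SyncedUserCount
# Disable-DirSyncWithConfirmation -WhatIf    # rehearse; drop -WhatIf for the real change
```

Deactivation is not instantaneous on the service side: poll Get-DirSyncState until DirectorySynchronizationEnabled reads False before you start editing the former synced objects in the portal, otherwise the edits are rejected while the objects are still on-premises mastered.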

Demo: Activating directory synchronization
Demo activating directory synchronization
Demo downloading/installing appliances

06 | Hard and Soft User ID Matching

Hard and Soft User ID Matching
Hard matching (GUID match logic). When you reactivate directory synchronization, objects in the on-premises Active Directory are matched to cloud objects by the value an earlier synchronization stored on the cloud object: the on-premises objectGUID, held in the cloud as the ImmutableId (the base64 encoding of the objectGUID bytes). When such a match is found, directory synchronization makes a GUID match and overwrites the cloud object's data with the data from the corresponding on-premises object.

Hard and Soft User ID Matching - continued
Soft matching (SMTP match logic). If directory synchronization does not find a GUID match in the cloud, a process called SMTP match is used. Directory synchronization matches objects by primary SMTP address: if a cloud object's primary SMTP address equals the primary SMTP address of an on-premises object, the on-premises data overwrites the cloud object. Because the match key is an address anyone with write access to proxyAddresses can set, audit cloud-only users whose primary SMTP collides with an on-premises object before the first sync; those are the objects that will be taken over.
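To make the two matching rules concrete, here is an added example (not code from the presentation) that computes the ImmutableId a sync would write for an on-premises user, lists cloud-only users that a first sync would soft-match by primary SMTP address, and hard-matches one user explicitly so that GUID matching, not SMTP, decides. It assumes the ActiveDirectory and MSOnline modules and an open Connect-MsolService session; the user 'jdoe' and the domain contoso.com are hypothetical.

```powershell
# Added example, not from the MVA deck. Assumes ActiveDirectory + MSOnline modules
# and an open Connect-MsolService session; 'jdoe' / contoso.com are hypothetical.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ImmutableIdFromAd {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The cloud anchor is the base64 encoding of the 16 objectGUID bytes, not the GUID string.
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Get-PrimarySmtp {
    param([Parameter(Mandatory)][string[]]$ProxyAddresses)
    # The primary address is the proxyAddresses entry with an upper-case 'SMTP:' prefix
    # (lower-case 'smtp:' entries are secondary aliases), so compare case-sensitively.
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { $primary.Substring(5).ToLowerInvariant() }
}

function Find-SoftMatchCandidates {
    # Cloud users without an ImmutableId are cloud-authored. If their primary SMTP equals an
    # on-premises user's primary SMTP, the on-premises object takes them over on first sync.
    $cloudByMail = @{}
    Get-MsolUser -All | Where-Object { -not $_.ImmutableId } | ForEach-Object {
        $mail = Get-PrimarySmtp -ProxyAddresses @($_.ProxyAddresses)
        if ($mail) { $cloudByMail[$mail] = $_ }
    }
    Get-ADUser -Filter 'proxyAddresses -like "SMTP:*"' -Properties proxyAddresses, objectGUID |
        ForEach-Object {
            $mail = Get-PrimarySmtp -ProxyAddresses @($_.proxyAddresses)
            if ($mail -and $cloudByMail.ContainsKey($mail)) {
                [pscustomobject]@{
                    PrimarySmtp = $mail
                    OnPremUser  = $_.SamAccountName
                    CloudUser   = $cloudByMail[$mail].UserPrincipalName
                    ImmutableId = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
                }
            }
        }
}

function Set-HardMatch {
    # Pin a cloud user to one on-premises object; the next sync then uses the GUID rule.
    param([Parameter(Mandatory)][string]$CloudUpn, [Parameter(Mandatory)][string]$SamAccountName)
    $id = Get-ImmutableIdFromAd -SamAccountName $SamAccountName
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $id
    $id
}

Find-SoftMatchCandidates | Format-Table -AutoSize
# Set-HardMatch -CloudUpn 'jdoe@contoso.com' -SamAccountName 'jdoe'
```

Set-MsolUser refuses to change ImmutableId on a user whose UPN is in a federated domain; the usual workaround is to move the UPN to the tenant's onmicrosoft.com domain, set the ImmutableId, then move it back. Later MSOnline releases also added Set-MsolDirSyncFeature -Feature BlockSoftMatch, which turns SMTP matching off tenant-wide once every intended match has been made.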

Demo: User ID Matching
Demo soft matching
Demo hard matching
Demo setting up Alternate Login ID

07 | Configure Alternate User ID

Configuring Alternate User ID
Alternate login ID is a feature introduced in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 Update 1. It lets users log on to AD FS with an administratively defined user attribute instead of the UPN. Once configured, AD FS looks the account up by the defined attribute first and falls back to the UPN; users can still log on with the previously allowed methods. You can also use an alternate login ID without single sign-on (SSO) and AD FS, by using cloud-managed sign-in and directory synchronization.
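Before switching the lookup attribute, the value has to be unique per account and its domain suffix has to be a verified domain in the tenant; otherwise AD FS cannot pick one account, or Azure AD rejects the resulting UPN. The following is an added example, not code from the presentation, that runs those two checks and then enables the feature with the AD FS cmdlets. It assumes the ActiveDirectory, MSOnline and ADFS modules on an AD FS 2012 R2 server carrying the update, and that 'mail' and contoso.com are the hypothetical attribute and lookup forest.

```powershell
# Added example, not from the MVA deck. Assumes ActiveDirectory, MSOnline and ADFS
# modules, an open Connect-MsolService session, and that the script runs on the
# primary AD FS server. 'mail' and contoso.com are hypothetical inputs.
Import-Module ActiveDirectory
Import-Module MSOnline
Import-Module ADFS

function Test-AlternateIdReady {
    param([string]$Attribute = 'mail')
    $users = Get-ADUser -Filter "$Attribute -like '*'" -Properties $Attribute
    # 1. Every value must resolve to exactly one account, or AD FS cannot decide whom to sign in.
    $dupes = @($users | Group-Object -Property $Attribute | Where-Object { $_.Count -gt 1 })
    # 2. The suffix after '@' must be a verified tenant domain, or Azure AD rejects the UPN.
    $verified = @((Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name)
    $badSuffix = @($users | Where-Object {
        $suffix = ($_.$Attribute -split '@')[-1]
        $verified -notcontains $suffix
    })
    [pscustomobject]@{
        Attribute        = $Attribute
        Users            = @($users).Count
        DuplicateValues  = $dupes.Count
        UnverifiedSuffix = $badSuffix.Count
        Ready            = ($dupes.Count -eq 0 -and $badSuffix.Count -eq 0)
    }
}

function Enable-AlternateLoginId {
    param([string]$Attribute = 'mail', [string[]]$LookupForests = @('contoso.com'))
    $check = Test-AlternateIdReady -Attribute $Attribute
    if (-not $check.Ready) { throw "Attribute '$Attribute' is not safe to use: $($check | Out-String)" }
    # AD FS now looks the user up by $Attribute first and falls back to the UPN.
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
        -AlternateLoginID $Attribute -LookupForests $LookupForests
    Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' | Select-Object AlternateLoginID, LookupForests
}

Test-AlternateIdReady
# Enable-AlternateLoginId -Attribute 'mail' -LookupForests 'contoso.com'
```

Alternate login ID only works end to end if directory synchronization populates the cloud UPN from the same attribute; if the cloud UPN is still sourced from userPrincipalName, the UPN claim in the AD FS token will not match any cloud user. Keep the AD FS change and the sync attribute mapping in the same change window.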

Demo: Alternate Login ID
Demo setting up Alternate Login ID

08 | Configure Filtering

Configure Filtering
Organizational-unit (OU)-based: managed through the properties of the SourceAD Management Agent in the Directory Synchronization tool. Lets you select which OUs are allowed to synchronize to the cloud.
Domain-based: also managed through the properties of the SourceAD Management Agent. Lets you select which domains are allowed to synchronize to the cloud.
User-attribute-based: lets you specify attribute-based filters for user objects, to control which objects should not be synchronized to the cloud.
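The filter itself is set in the management agent, but nothing in the tool shows you in advance what the combined OU and attribute scope will let through. This added example (not code from the presentation) runs that scope as a dry run against on-premises AD and checks the resulting object count against the directory quota from the Overview slide. It assumes the ActiveDirectory module; the OU paths and the convention "extensionAttribute15 = NoSync means do not sync" are hypothetical inputs.

```powershell
# Added example, not from the MVA deck. Dry-run of an OU filter plus an attribute
# filter against on-premises AD, reporting what would reach the cloud and whether it
# fits the quota (50k without a verified domain, 500k with one, unlimited with
# Basic/Premium, as stated in the Overview slide). OU paths and the
# extensionAttribute15 = NoSync convention are hypothetical.
Import-Module ActiveDirectory

function Get-DirSyncScope {
    param(
        [Parameter(Mandatory)][string[]]$IncludeOU,             # OU filter: only these subtrees
        [string]$ExcludeAttribute = 'extensionAttribute15',     # attribute filter
        [string]$ExcludeValue     = 'NoSync',
        [switch]$HasVerifiedDomain,
        [switch]$HasBasicOrPremium
    )
    # objectCategory=person keeps computers out: in AD a computer is also objectClass=user.
    $ldap = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=contact))'
    $candidates = foreach ($ou in $IncludeOU) {
        Get-ADObject -SearchBase $ou -SearchScope Subtree -LDAPFilter $ldap -Properties $ExcludeAttribute
    }
    $excluded = @($candidates | Where-Object { $_.$ExcludeAttribute -eq $ExcludeValue })
    $inScope  = @($candidates | Where-Object { $_.$ExcludeAttribute -ne $ExcludeValue })

    $quota = if ($HasBasicOrPremium) { [int]::MaxValue }
             elseif ($HasVerifiedDomain) { 500000 }
             else { 50000 }

    [pscustomobject]@{
        Users           = @($inScope | Where-Object { $_.ObjectClass -eq 'user' }).Count
        Groups          = @($inScope | Where-Object { $_.ObjectClass -eq 'group' }).Count
        Contacts        = @($inScope | Where-Object { $_.ObjectClass -eq 'contact' }).Count
        Excluded        = $excluded.Count
        InScope         = $inScope.Count
        Quota           = $quota
        FitsQuota       = ($inScope.Count -le $quota)
        ExcludedSamples = @($excluded | Select-Object -First 5 -ExpandProperty DistinguishedName)
    }
}

Get-DirSyncScope -IncludeOU 'OU=Corp,DC=contoso,DC=com', 'OU=Partners,DC=contoso,DC=com' -HasVerifiedDomain
```

Treat the filter attribute as a security boundary: whoever can write extensionAttribute15 (or move an object between OUs) decides whether that identity appears in the cloud, so restrict write access to it the same way you restrict group membership changes, and re-run the dry run after any delegation change.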

Demo: Filtering
Demo filtering

09 | Azure Active Directory Subscriptions

Azure Active Directory Subscriptions
Built on top of a large set of free capabilities in Microsoft Azure Active Directory, the Azure Active Directory Basic and Premium editions provide more advanced features for enterprises with more demanding identity and access management needs.
Azure AD Premium trial available for 30 days
Features (Free / Basic / Premium):
Sync up to 500k objects (Free)
Sync unlimited objects (Basic, Premium)
Forefront Identity Manager (FIM) server licenses, for syncing between on-premises databases and/or directories and Azure AD
Self-service password change for cloud users
Self-service password reset for cloud users
Azure AD Sync bi-directional synchronization (coming soon)
Write-back of devices (coming soon)
Write-back of users and group objects (coming soon)
Write-back of customer-defined attributes (directory extensions)
Password reset with write-back to on-premises directories (coming soon)
Password change write-back to on-premises directories (coming soon)

Demo: Azure Active Directory Subscription
Demo how to trial Azure AD Premium

Configuration resources (Feature: DirSync / AAD Sync)
Enable Directory Synchronization: can be enabled using the Office 365 admin center; http://technet.microsoft.com/en-us/library/dn144766.aspx
Password Hash Sync: http://technet.microsoft.com/en-us/library/dn246918.aspx (DirSync); http://msdn.microsoft.com/en-us/library/azure/dn835016.aspx (AAD Sync)
Password Write-back: http://msdn.microsoft.com/en-us/library/azure/dn688249.aspx
Alternate Login ID: http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx
Filtering: http://msdn.microsoft.com/en-us/library/jj710171.aspx (DirSync); http://msdn.microsoft.com/en-us/library/azure/dn801051.aspx (AAD Sync)
Soft Matching: http://support.microsoft.com/kb/2641663
Hard Matching: http://blogs.technet.com/b/praveenkumar/archive/2014/04/12/how-to-do-hard-match-in-dirsync.aspx

Summary: Directory Synchronization in Office 365
01 | What is Azure Active Directory?
02 | Directory Synchronization Overview
03 | Directory Synchronization Scenarios
04 | Directory Synchronization Tool Comparison
05 | Source of Authority
06 | Hard and Soft User ID Matching
07 | Configuring Alternate User ID
08 | Configure Filtering
09 | Azure Active Directory Subscriptions

© 2013 Microsoft Corporation. All rights reserved.