Neil Johnson - a rock 'n roll nerd....

Mostly Exchange Server and Office 365, but probably some other stuff too...

Office 365 Service Accounts–How do I stop DIRSYNC from breaking every 90 days…


So, this is something I wanted to blog about a few months ago, but it got pushed to the bottom of the list of things to do (as usual!).

Anyway… during the early adopter testing of the Office 365 service we had a number of customers who had deployed what was termed "Exchange Rich Coexistence", or "Hybrid" as it is called now.  At the time (12 months ago now!) the documentation to get this up and running was fairly patchy, and it took quite a bit of trial and error to get things working the way people wanted.  However, most customers managed to get things working after 4 weeks or so and were able to begin testing…

Then came the problem… we had talked most of our customers through deploying DIRSYNC at around the same time (within a few days of each other), so imagine our confusion when they all stopped working at pretty much the same time!  Lots of red errors in the event logs… this was one of the errors from my test lab…

(screenshot: the DIRSYNC authentication failure as logged in the Application event log)

OK, so it's pretty clear that we have an authentication problem, but which credentials, on-premises or cloud?  And how do I fix it?

Well, it turns out that the problem is pretty predictable… it's caused by the 90 day password expiry policy applied to all Office 365 managed accounts, and it will happen again every 90 days.  In the case of our early adopters they all hit this within 2 days of each other because everyone was so keen to get up and running that they pretty much all installed DIRSYNC as soon as we made the code available!

Luckily we have a couple of ways around this…

  1. Establish an operations process every 90 days to change the password and reconfigure DIRSYNC
  2. Create a service account for DIRSYNC and disable password expiry

For this blog I will concentrate on option 2 and how to reconfigure DIRSYNC after you have created a new account.

Note: If you can create this managed account before setting up DIRSYNC for the first time, then you won't have to visit it again!


Creating an Office 365 service account for DIRSYNC…

The first thing we need to do is to create an Office 365 managed account to use for DIRSYNC.  I find it easiest to do this in the GUI.

  1. Log in to https://portal.microsoftonline.com as a tenant Administrator
  2. Under the Management menu, click on Users
  3. Click on New, then select User from the drop down
  4. Enter the appropriate details for the new user account and click Next
  5. Assign the new account "Global Administrator" rights
  6. Complete the user creation process (you do not need to assign this user an Office 365 licence!)
  7. Make a note of the temporary account password
  8. Start IE in "InPrivate" mode and browse to https://portal.microsoftonline.com
  9. Log in with your new DIRSYNC service account
  10. On first login Office 365 will prompt you to change the password
  11. Verify that you can log on to the Office 365 portal with your new account


Re-configuring DIRSYNC to use the new Office 365 service account…

Before we can complete this section, we are going to need a few bits of information…

  • Local Active Directory Enterprise Administrator Account details and password
  • DIRSYNC service account details and password in Office 365

Process…

  1. Log on to your DIRSYNC server
  2. Open Start > All Programs > Microsoft Online Services > Directory Synchronization > Directory Sync Configuration
  3. Click Next at the welcome screen
  4. Enter your new DIRSYNC service account details into the Microsoft Online Services Administrator Credentials box
  5. Click Next (DIRSYNC will validate your credentials)
  6. Enter your existing Enterprise Administrator credentials into the Active Directory Enterprise Administrator Credentials box
  7. Click Next (DIRSYNC will validate your credentials)
  8. Enable the "Rich Coexistence" checkbox if you are deploying in "Hybrid" and want AD write-back
  9. Click Next
  10. DIRSYNC will re-configure itself to use the new account
  11. Ensure that the "Synchronize directories now" checkbox is checked and click "Finish"
  12. Start Event Viewer and open the Application log
  13. Look for Directory Synchronisation events 1 – 4 (4 means it's finished: "Export has completed")

OK, so now we have a new account dedicated for DIRSYNC, but its password is still going to expire in 90 days…


Disabling password expiry on your Office 365 DIRSYNC service account…

Now, before we go through these steps it is important to realise that disabling your DIRSYNC service account password expiry has some obvious security risks involved.  This is a powerful account with full rights to your tenant, if it gets compromised then so does your entire tenant!  Make sure that you fully understand these risks before continuing and discuss appropriately with your security team.

OK, so assuming you have decided to go ahead, this is what we will need…

  • Install the Microsoft Online Sign-In Assistant
  • Install the Microsoft Online Services Module for PowerShell

Launch a PowerShell window and run the following commands…

   Import-Module msonline
   $cred = Get-Credential
   Connect-MsolService -Credential $cred
   Get-Command -Module msonline


Once connected we have access to some new MSOL remote PowerShell cmdlets.  We are going to make use of the Get-MsolUser and Set-MsolUser cmdlets.

Firstly, let's take a look at our DIRSYNC service account as it was originally created, using Get-MsolUser against the new account's UserPrincipalName:

   ExtensionData               : System.Runtime.Serialization.ExtensionDataObject
   AlternateEmailAddresses     : {dirsync@neiljohn.onmicrosoft.com}
   BlockCredential             : False
   City                        :
   Country                     :
   Department                  :
   DisplayName                 : DIRSYNC Service Account
   Errors                      :
   Fax                         :
   FirstName                   : DIRSYNC
   ImmutableId                 :
   IsBlackberryUser            : False
   IsLicensed                  : False
   LastDirSyncTime             :
   LastName                    : Service Account
   LicenseReconciliationNeeded : False
   Licenses                    : {}
   LiveId                      : 10033FFF80B3EF03
   MobilePhone                 :
   ObjectId                    : d756d167-fcf3-4505-99e2-fd1100952182
   Office                      :
   OverallProvisioningStatus   : None
   PasswordNeverExpires        : False
   PhoneNumber                 :
   PostalCode                  :
   PreferredLanguage           :
   State                       :
   StreetAddress               :
   StrongPasswordRequired      : True
   Title                       :
   UsageLocation               : GB
   UserPrincipalName           : dirsync@neiljohn.onmicrosoft.com
   ValidationStatus            : Healthy


As you can see from the output, PasswordNeverExpires is set to False, which means that our service account will inherit the standard 90 day password expiry policy.  To change this we need to issue the following command…

   Set-MsolUser -UserPrincipalName dirsync@neiljohn.onmicrosoft.com -PasswordNeverExpires $true

If we then repeat the earlier Get-MsolUser command, we can see that PasswordNeverExpires is now set to True:


   ExtensionData               : System.Runtime.Serialization.ExtensionDataObject
   AlternateEmailAddresses     : {dirsync@neiljohn.onmicrosoft.com}
   BlockCredential             : False
   City                        :
   Country                     :
   Department                  :
   DisplayName                 : DIRSYNC Service Account
   Errors                      :
   Fax                         :
   FirstName                   : DIRSYNC
   ImmutableId                 :
   IsBlackberryUser            : False
   IsLicensed                  : False
   LastDirSyncTime             :
   LastName                    : Service Account
   LicenseReconciliationNeeded : False
   Licenses                    : {}
   LiveId                      : 10033FFF80B3EF03
   MobilePhone                 :
   ObjectId                    : d756d167-fcf3-4505-99e2-fd1100952182
   Office                      :
   OverallProvisioningStatus   : None
   PasswordNeverExpires        : True
   PhoneNumber                 :
   PostalCode                  :
   PreferredLanguage           :
   State                       :
   StreetAddress               :
   StrongPasswordRequired      : True
   Title                       :
   UsageLocation               : GB
   UserPrincipalName           : dirsync@neiljohn.onmicrosoft.com
   ValidationStatus            : Healthy


OK, so now we are done!  DIRSYNC will no longer require that your account password is changed every 90 days.

Conclusion

This is a more interesting topic than I had originally thought.  The actual process to configure a service account without password expiry is relatively quick and simple; however, there are significant security implications in having an Office 365 account with such high access rights that never requires its password to be changed.

For me what this configuration does is to put the control back into the hands of the Administrator – you now have control over when you change your service account password.  My experience with fixed password expiry on service accounts is that eventually the password will expire when the person responsible for that service is on leave or away sick and nobody else knows what to do – this is a recipe for further disaster.

I would recommend combining this solution for disabling password expiry with an operations process to change the password regularly.  This process should be documented clearly and executed regularly to meet your security policies.  This approach gives you the flexibility of being able to choose your own account password change policy, without the risk of the password expiring and stopping your directory sync process from working.
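As an added example (not code from the original post), the following MSOnline script supports that operations process: it applies the PasswordNeverExpires change to the service account and verifies it took effect, and it audits every account with a non-expiring password so that any which are overdue for rotation, or which also hold Global Administrator rights, show up in a report. It assumes an existing Connect-MsolService session; the role name "Company Administrator" (the MSOnline name for Global Administrator), the LastPasswordChangeTimestamp property, and the 90 day interval and UPN are taken from that module and from this post, with the UPN being a placeholder for your own tenant.

```powershell
# Added example: verify the PasswordNeverExpires change and audit non-expiring
# privileged accounts. Assumes Import-Module msonline / Connect-MsolService
# have already been run, as shown earlier in the post.

function Set-ServiceAccountNeverExpires {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true
    # Read the object back rather than trusting the cmdlet's silent return.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.PasswordNeverExpires) {
        throw "PasswordNeverExpires is still False for $UserPrincipalName"
    }
    $user | Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
}

function Get-NonExpiringAccountReport {
    param(
        # Rotation interval your operations process commits to (assumed 90 days).
        [int]$MaxPasswordAgeDays = 90
    )
    # Global Administrator is called "Company Administrator" in the MSOnline module.
    $gaRole = Get-MsolRole -RoleName "Company Administrator"
    $gaUpns = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
              Where-Object { $_.RoleMemberType -eq "User" } |
              ForEach-Object { $_.EmailAddress }

    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        ForEach-Object {
            $ageDays = ((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                GlobalAdmin       = ($gaUpns -contains $_.UserPrincipalName)
                PasswordAgeDays   = [int]$ageDays
                RotationOverdue   = ($ageDays -gt $MaxPasswordAgeDays)
            }
        }
}

# Usage (placeholder UPN; replace with your own DIRSYNC service account):
# Set-ServiceAccountNeverExpires -UserPrincipalName "dirsync@contoso.onmicrosoft.com"
# Get-NonExpiringAccountReport -MaxPasswordAgeDays 90 |
#     Where-Object { $_.RotationOverdue -or $_.GlobalAdmin } | Format-Table -AutoSize
```

Running the report on a schedule turns the recommended password-change process into something that is checked rather than remembered, and any non-expiring Global Administrator account other than the DIRSYNC one is worth a second look.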

Comments
  • Well done on another great post Neil. I consistently enjoy reading your blog. Super informative, punchy and on topic.

    Nic

  • Legendary, thanks for this - Now to work out how to change a login name and get it to work with MSOL

  • Looks like the error message for password expiration has actually got more obscure with newer version of Windows Azure Active Directory Sync (as well as the error code changing from 0x80048830 to 0x80048831):

    "An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support.  (0x80048831)"

    This issue really needs much higher visibility than it currently has, such as being highlighted in the setup guide for DirSync.
