• Office 365 Directory Synchronization

    Dirsync is required to support Single Sign On (SSO) and creates Mail Enabled Users (MEU) in the cloud tenant. Installing Dirsync allows you to have a unified Global Address List (GAL) between on-premise and cloud (Office 365). It also allows you to on-board/off-board users to and from Office 365 (this requires a two-way sync).

    Note: When user accounts are first sync’d they are marked as non-activated (and therefore do not consume any licenses).

    Here are the steps for installing Dirsync and verifying that synchronisation has completed. To confirm that Dirsync has completed, check the event logs for:

    • Source = Directory Synchronisation with an Event ID of 4 ‘The export has completed’

    Steps and actions

    1. Activate directory synchronisation from the online portal

       Sign in to the online portal https://portal.microsoftonline.com, under Admin (as per the steps above) click Users.

       Select ‘Activate’ under Active Directory Synchronization.

       Note: At this point the portal shows that there are no synchronized users from your on-premise AD.

       Select Step 3 ‘Active Directory Synchronization’ and click ‘Activate’.

       Select ‘Yes’ to activate Directory Synchronization.

    2. Install the Directory Synchronization Tool

       Launch the Directory Synchronization Tool by double-clicking Dirsync.exe.

       Click Next on the welcome screen.

       Accept the license agreement and the default install location.

       The Directory Synchronization Tool will install; click Finish when it has completed.

    3. Configure directory synchronisation

       On the Directory Synchronization server launch ‘Directory Sync Configuration’ and click Next on the welcome screen.

       Specify your Office 365 administrator credentials.

       Specify Enterprise Admin credentials to create the service account.

       Note: The credentials specified here are not saved or cached in memory.

       Click Next on the configuration page.

       Verify that ‘Synchronize directories now’ is selected and click Finish.

       Review the wizard results and click OK.

    4. Verify users have been synchronized

       Note: It might take a few minutes for the users to appear; if they don’t appear, refresh your browser.

       Sign into the online portal https://portal.microsoftonline.com. On the home page, select ‘Admin’, then under Management select ‘Users’.

       All changes to the user account need to be managed on-premise; the changes will then be synchronised to Office 365 by the directory synchronization tool.

       Directory synchronization will occur every 3 hours, but you can force synchronization if required: navigate to C:\Program Files\Microsoft Online Directory Sync, double-click DirSyncConfigShell.psc1, then run Start-OnlineCoexistenceSync.

    5. Update your domain to a shared domain

       On the home page, select Admin and then Manage under Exchange Online (this takes you into the Exchange Control Panel (ECP)).

       In the ECP, select ‘Mail Control’ then ‘Domains and Protection’ and select company.com as a shared domain.
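    The forced sync and the event-log check described above, scripted as one PowerShell run. This is an added example and not code from the original post; it assumes the tool is installed in its default path, that it logs to the Application log under the source name ‘Directory Synchronization’, and that loading DirSyncConfigShell.psc1 into powershell.exe registers Start-OnlineCoexistenceSync exactly as double-clicking it does.

```powershell
# Added example, not code from the original post: force a DirSync run from a
# normal PowerShell window, then confirm from the event log that the export
# completed (Source = Directory Synchronization, Event ID 4, "The export has
# completed"). Assumptions: default install path, Application log, source name
# 'Directory Synchronization', and the console file registering the cmdlet.

$consoleFile = 'C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1'
$source      = 'Directory Synchronization'
$started     = Get-Date

# Equivalent of double-clicking DirSyncConfigShell.psc1 and typing the cmdlet:
# load the console file into a child powershell.exe and run the sync there.
& powershell.exe -PSConsoleFile $consoleFile -Command 'Start-OnlineCoexistenceSync'

# Poll the Application log (up to 30 minutes) for the completion event that
# was logged after we triggered the sync.
$deadline = $started.AddMinutes(30)
$done = $null
do {
    Start-Sleep -Seconds 30
    $done = Get-EventLog -LogName Application -Source $source -After $started -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 4 } |
            Select-Object -First 1
} until ($done -or (Get-Date) -gt $deadline)

if ($done) {
    "Export completed at $($done.TimeGenerated): $($done.Message)"
} else {
    Write-Warning "No Event ID 4 from '$source' logged since $started; the sync has not completed."
}

# Also surface any errors the sync logged in the same window (e.g. objects
# that failed to export), which a bare 'it finished' check would hide.
Get-EventLog -LogName Application -Source $source -After $started -EntryType Error -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap
```

    Run it on the Directory Synchronization server in an elevated PowerShell window; the error listing at the end is worth keeping in a scheduled check, since a completed export can still have skipped individual objects.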

    Written by Daniel Kenyon-Smith

  • Adding and Verifying a Federated Domain

    Steps and actions

    1. Launch the Microsoft Online Services Identity Federation Management tool

       At the PowerShell command prompt type $cred = Get-Credential

       In the pop-up window specify the username used for online account management (your Office 365 administrator credentials).

    2. Connect ADFS 2.0 and Office 365

       Type Set-MSOLContextCredential -MSOLAdminCredentials $cred

    3. Add a federated domain

       Type Add-MSOLFederatedDomain -DomainName Company.com

       Note: This creates a domain in Office 365 and marks it for federated authentication. You will need to verify domain ownership by performing the step indicated in the warning message. For example:

       WARNING: Please verify company.com domain ownership by adding a DNS ms123456789.company.com CNAME record targeting ps.microsoftonline.com at your domain registrar. More information can be found
       http://technet.microsoft.com/en-us/library/cc742578.aspx

    4. Verify the federated domain

       Run the following command again: Add-MSOLFederatedDomain -DomainName Company.com. Because the domain has already been created (this command was run in the previous step), the link will now be created between the Microsoft Federation Gateway and your local ADFS 2.0 server, and Office 365 will verify that the CNAME record you created matches the information you were given to verify ownership of the domain.

       Then run Get-MSOLFederationProperty -DomainName Company.com

       Sign into Office 365 using your corporate credentials (you need to have AD synchronisation running). If you are successfully logged in then federation has been successfully verified.

    5. View the active domain in the Microsoft Online Services portal

       Sign into https://portal.microsoftonline.com. On the home page, select Admin, then select Domains. Select your federated domain and notice it says domain type ‘Federated’.
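    The same sequence of MSOL cmdlets, with a DNS check of the verification CNAME inserted before the second Add-MSOLFederatedDomain run so you do not burn a verification attempt before the record has propagated. This is an added example, not the original post’s code. It assumes it is run inside the Microsoft Online Services Identity Federation Management tool shell (so the MSOL* cmdlets are loaded), that company.com and the ms123456789 host are placeholders you replace with the values from your own warning message, and that Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later; on older hosts substitute nslookup).

```powershell
# Added example, not code from the original post. Assumptions: run in the
# Identity Federation Management tool shell; $domain and $verifyHost are
# placeholders taken from your own Add-MSOLFederatedDomain warning; the
# Resolve-DnsName cmdlet (DnsClient module) is present.

$domain = 'company.com'                      # placeholder: your on-premise SMTP domain

$cred = Get-Credential                       # Office 365 administrator account
Set-MSOLContextCredential -MSOLAdminCredentials $cred

# First run creates the domain in Office 365, marks it federated and prints the
# WARNING naming the CNAME record to create at the registrar.
Add-MSOLFederatedDomain -DomainName $domain

# Fill these in from the warning. The host name is a placeholder here.
$verifyHost     = "ms123456789.$domain"
$expectedTarget = 'ps.microsoftonline.com'

# Do not re-run the add until the CNAME is visible in public DNS and points at
# the target Office 365 asked for; a wrong target is the usual reason the
# second run fails.
$cname = Resolve-DnsName -Name $verifyHost -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } |
         Select-Object -First 1

if (-not $cname) {
    throw "CNAME $verifyHost not found yet; wait for DNS propagation before verifying."
}
if ($cname.NameHost.TrimEnd('.') -ne $expectedTarget) {
    throw "CNAME $verifyHost points to $($cname.NameHost), expected $expectedTarget."
}

# Second run: the domain already exists, so this links the Microsoft Federation
# Gateway to the local ADFS 2.0 server and has Office 365 verify the CNAME.
Add-MSOLFederatedDomain -DomainName $domain

# Show the resulting federation settings (issuer, endpoints, signing cert).
Get-MSOLFederationProperty -DomainName $domain
```

    The property output is the thing to keep: it shows which ADFS endpoint and token-signing certificate Office 365 now trusts for the domain, which is what you will compare against your ADFS server when the signing certificate is later rolled over.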

    Written by Daniel Kenyon-Smith

  • Configuring ADFS v2.0 for Office 365

    Here are the steps I followed for configuring ADFS for Office 365 (see my previous post for installing ADFS).

    Steps and actions

    1. Click Start, Administrative Tools, ADFS 2.0 Management.

    2. Click ‘ADFS 2.0 Federation Server Configuration Wizard’.

    3. Click ‘Create a new Federation Service’ unless you want to join your server to an existing federation server farm.

    4. Select ‘Create a new Federation Farm’.

       Note: You create an Active Directory Federation Services (ADFS)-enabled Web server farm when you want to balance the load of incoming federated access requests that are made to one or more protected applications. The obvious benefits that can be obtained from a Web server farm are fault tolerance for the hosted applications and a possible increase in client-side browser performance. To client computers, the Web server farm performs like a single Web server servicing a highly scalable federated application.

       For more details see: When to Create a Web Farm

    5. Select the SSL certificate name and the Federation Service name specified earlier when creating the SSL certificate.

    6. Review the results and close.

    Written by Daniel Kenyon-Smith

  • Installing Active Directory Federation Services (ADFS) v2.0

    Here are the steps I followed when installing ADFS 2.0.

    Steps and actions

    1. Start the ADFS installation: launch AdfsSetup.exe.

    2. On the Welcome to the ADFS 2.0 Setup Wizard page, click Next.

    3. Accept the End-User License Agreement and click Next.

    4. Select the required role; in this case I’m using ‘Federation Server’.

    5. Click Next on the Prerequisites screen.

    6. Installation will begin.

    7. Restart once completed.

    Also note that you will need to create a certificate that matches the CN of the federation name (e.g. adfs.company.com) and assign it to the default website bindings in IIS.
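    A post-install check for the two points the install and configuration posts rely on: the certificate CN matching the federation name and being bound to the default website in IIS, and the federation service name the configuration wizard recorded matching that same name. This is an added example, not code from the original posts. It assumes adfs.company.com is a placeholder for your federation name, that the IIS WebAdministration module is available, and that the ADFS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) is installed; the ADFS check is skipped if the snap-in is missing.

```powershell
# Added example, not code from the original posts. Assumptions: adfs.company.com
# is a placeholder; WebAdministration module and the Microsoft.Adfs.PowerShell
# snap-in (ADFS 2.0) are present on the server being checked.

$federationName = 'adfs.company.com'   # placeholder: CN used for the SSL certificate

Import-Module WebAdministration
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. A certificate with a private key whose subject CN is the federation name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($federationName))(,|$)" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with CN=$federationName and a private key in Cert:\LocalMachine\My." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)." }
if (-not $cert.Verify()) {
    Write-Warning "Certificate $($cert.Thumbprint) does not chain to a trusted root on this host; clients will get certificate errors."
}

# 2. The Default Web Site HTTPS binding must use that certificate, otherwise
#    the name Office 365 redirects users to is served with the wrong cert.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw "Default Web Site has no HTTPS binding; add one on port 443 and bind the certificate." }
if ($binding.certificateHash -ne $cert.Thumbprint) {
    $msg = "HTTPS binding uses $($binding.certificateHash), not $($cert.Thumbprint). " +
           'Rebind with: $binding.AddSslCertificate($cert.Thumbprint, "My")'
    Write-Warning $msg
}

# 3. The federation service name stored by the configuration wizard must equal
#    the certificate CN; a mismatch is only noticed when the first user is
#    redirected to ADFS by Office 365.
if (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue) {
    $fsName = (Get-ADFSProperties).HostName
    if ($fsName -ne $federationName) {
        Write-Warning "ADFS federation service name is '$fsName' but the certificate CN is '$federationName'."
    } else {
        "OK: federation service '$fsName' uses certificate $($cert.Thumbprint) (expires $($cert.NotAfter))."
    }
} else {
    Write-Warning "ADFS 2.0 snap-in not loaded; federation service name not checked."
}
```

    Run it on the federation server after the restart and again after the configuration wizard; the expiry date it prints is the one to put in your certificate-renewal calendar, since an expired service communications certificate breaks sign-in for every federated user at once.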

    Written by Daniel Kenyon-Smith

  • Office 365 Namespace Requirements

    Please find below a list of typical namespaces that are required when setting up and installing Active Directory Federation Services (ADFS) 2.0 and rich coexistence/hybrid with Office 365.

    Namespace                   Value                               Description
    On-premise SMTP namespace   Company.com                         On-premise SMTP namespace
    Online tenant namespace     Company.onmicrosoft.com             Name of the namespace given by Microsoft when the tenant is created
    Service namespace           Office365.Company.com               SMTP mail routing namespace for determining where the mailbox is located
    Delegation namespace        Exchangedelegation.Company.com      Federation delegation to the Microsoft Federation Gateway; allows sharing of free/busy between external organisations
    Federation Service name     Federation.Company.com              ADFS name that O365 will redirect clients to
    Autodiscover                Autodiscover.Company.com            Autodiscover service for Outlook clients on-premise
    Autodiscover                Autodiscover.Office365.Company.com  Autodiscover service for Outlook clients migrated to O365

    Written by Daniel Kenyon-Smith