Last week, the Active Directory team released a new version of a tool called “DirSync”. This is a tool who makes it possible to synchronize Active Directory accounts from your on-prem environment with Office 365. The version they release was a special one. Let me quote:
I’m happy to let you know that we’ve made it dead simple to connect AD to Azure AD, enabling users to log into Office 365, Windows Azure and any other cloud app integrated with Windows Azure AD using their on-premise username and password. We’ve done this by updating Windows Azure Active Directory Sync Agent (a.k.a. DirSync) adding the ability to sync hashes of users’ on-premise AD passwords into Windows Azure AD.
How cool is that? Well, curious as I am, I decided to give this tool a go and synced my (playground) Active Directory to my Project Online tenant (which is nothing more than a Office 365 subscription). In this post, I’ll explain how you can achieve this.
First things first, you need an Active Directory. If you have an on-prem AD, just skip this step, at it’s just for demo purposes. As I don’t have the required hardware, but I do have an MSDN subscription, I used some Windows Azure VM’s for that part. What I did was first creating a DNS server (Networks -> Virtual Network -> Register a DNS Server). Next, a new virtual network using my DNS Server. Now you can create your 2 Azure VM’s. I will not explain this in detail, but be sure that you use your Virtual Network when you go trough the Wizard.
You need 2 VM’s, one for the Active Directory role and one responsible for the DirSync. I’ll not go into detail about how to setup an AD role and how to join the other machine to this domain. You can find all info here: http://technet.microsoft.com/en-us/library/jj574166.aspx. Once completed, you should have this:
Next up, we will ‘enable’ DirSync at our Office 365 subscription. Browse to https://portal.microsoftonline.com/DirSync/DirectorySynchronization.aspx and enable step 3:
Next up, we will install the “DirSync” tool. You can download the latest version here (or use the “Download” link on the page you’re currently looking at). Once the file has been downloaded (180 MB), run the installer, and follow the wizard. The installation takes about 10 minutes.
Once the installation has been completed, the configuration Wizard will start. Provide your Windows Azure Active Directory Administrator (WAAD) Credentials. This is the account that you used to create your Office 365 subscription. (if you don’t know the credentials, or you want to try, browse to: https://activedirectory.windowsazure.com and test it)
At the next step of the wizard, enter your Active Directory Enterprise Administrator Credentials.
At the next step, be sure to enable “Enable Password Sync“. That’s this cool new feature!
Once the last step has been completed, a first “full sync” will be started:
That’s it! Nothing special. Now you have to check the “Users” in your Project Online (office 365) subscription. Browse to “Admin -> Office 365 -> Users“. There you will see the AD users! Great! Now, just “syncing” this users does not mean that they have access to your subscription. They are not assigned to a license. To manage this, click on the user, and select “Activate Synced Users“
Assign the correct license to this user, and click “Next” to finish. Note that this user will get a temporary password, but you don’t need this as you have DirSync with password sync (joy!).
Still one small thing to do. “Share” my site (in this case the Project Web Access) with that new user. Just click on the “Share” button.
Now open a new (inprivate) browser window, and login using the username and password from your Active Directory. There you go:
There you have it! A sync between your AD and Project Online (Office 365). But it doesn’t stop there for this post. I just wanted to be sure that the password sync does actually work. So I changed the password and the first name of my user in my AD. But then … How can I force a sync? By default, it takes about 3 hours (password changes-only will be instantly, but changing a name for example will take some time).
So, PowerShell to the rescue! Browse to “C:\Program Files\Windows Azure Active Directory Sync” and double-click on DirSyncConfigShell.psc1. Enter the command “Start-OnlineCoexistenceSync“:
If you open the “Event viewer” on your machine, you will see some entries from the AD sync:
Enjoy your syncing!
Hi Alexander,
First of all thank you for the detailed document. Loved it.
Have couple of questions.
* Here you are referring to Windows Azure. Do we need to subscribe for it? If yes, what is the cost.
* I am confused with this terminology of Windows Azure AD and Office 365. Are these different?
* I have on-prem AD and would like to sync with project online tenant. Do I need to buy any other subscriptions in cloud?
Thanks
Anil