Q&A: Syncing Office 365 with Azure Active Directory
Office and SharePoint Live presenters Dan Usher and Scott Hoag discuss how you can simplify your life with automation.
Automation is practically a necessity these days. Applications and infrastructure have become so widespread and complex, managing them without automation seems too daunting to even consider. Mundane management tasks like setting up users and configuring user identities run more smoothly with simple automation.
We spoke with Dan Usher and Scott Hoag about what you can expect from their forthcoming sessions "Setting Up Directory Synchronization for Office 365" and "To the Cloud! Using IaaS as a Hosting Provider for SharePoint" at Office and SharePoint Live!, which is part of the Live! 360 event coming to Orlando, Fla. this December.
What are some of the biggest challenges IT shops face when it comes to Office 365 directory synchronization?
Scott: Several challenges with directory synchronization are often glossed over in planning. First and foremost, you must ensure your directory is in an acceptable state for synchronization. Microsoft provides tooling, such as IdFix, that can point out potential issues such as duplicates and formatting problems, and help you fix them. Once you've remediated your directory, you'll also want to understand the identity flow for your organization. Are your UPNs Internet routable? Do your UPNs match your e-mail addresses? These are the types of questions you'll have to answer to understand how your users are going to log in to Office 365 services and how you may need to customize Azure Active Directory Connect (AAD Connect) to meet your needs for directory synchronization.
Dan: The biggest obstacle is the pre-planning and cleanup activities required before transitioning to Office 365. Moving all your files to a document library without determining the associated content types or taking the time to restructure simply prolongs the problem. The same holds true for Office 365 directory synchronization. If the source LDAP or Active Directory where identities reside is a mess, they won't be magically transformed by synchronizing them to Office 365. As Scott mentioned, Microsoft provides the IdFix tool to scan the locally connected domain as a part of the Directory Synchronization process. Microsoft also has an additional Office 365 Support Assistant to scan your local Active Directory for issues such as missing UPNs or non-Internet-routable User Principal Name domain suffixes.
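Both answers above point at the same pre-synchronization checks: a UPN suffix that is not an Internet-routable domain verified in the tenant, a UPN that does not match the user's primary e-mail address, and a missing UPN altogether. The script below is an added example, written for this page and not part of the interview, IdFix or AAD Connect; it flags those three conditions for each user object. The list of verified domains, the `Test-UpnReadiness` function name and the sample user objects are all constructed for the example.

```powershell
# Added example (not from the article, IdFix or AAD Connect).
# Flags the UPN problems the interview mentions before directory synchronization is set up:
#   - missing UPN
#   - UPN suffix that is not one of the tenant's verified, Internet-routable domains
#   - UPN that does not match the user's primary e-mail address (mail attribute)
function Test-UpnReadiness {
    param(
        # One user object per pipeline item; only SamAccountName, UserPrincipalName and mail are read.
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Domains verified in the tenant. Assumed for the example; take the real list from your tenant.
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    process {
        $upn      = $User.UserPrincipalName
        $mail     = $User.mail
        $problems = @()

        if ([string]::IsNullOrWhiteSpace($upn)) {
            $problems += 'missing UPN'
        }
        else {
            # Split on the first '@' only; everything after it is the UPN suffix.
            $suffix = ($upn -split '@', 2)[1]
            if (-not $suffix) {
                $problems += 'UPN has no @suffix'
            }
            elseif ($suffix -notin $VerifiedDomains) {
                # Typical offenders: .local suffixes, single-label domains, or domains never verified in the tenant.
                $problems += "UPN suffix '$suffix' is not a verified routable domain"
            }
            # -ne is case-insensitive in PowerShell, which is what we want for e-mail addresses.
            if ($mail -and ($mail -ne $upn)) {
                $problems += "UPN '$upn' does not match mail '$mail'"
            }
        }

        # Emit one finding object per user with at least one problem; clean users produce no output.
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName    = $User.SamAccountName
                UserPrincipalName = $upn
                Mail              = $mail
                Problems          = ($problems -join '; ')
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so the example runs offline.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@contoso.com';     mail = 'jdoe@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@contoso.local'; mail = 'asmith@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'bli';    UserPrincipalName = 'bli@contoso.com';      mail = 'b.li@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null;                  mail = $null }
)

# Expected: jdoe is clean; asmith, bli and svc01 each appear with their problem text.
$sampleUsers | Test-UpnReadiness -VerifiedDomains 'contoso.com' | Format-Table -AutoSize
```

Against a real directory, replace the constructed `$sampleUsers` with `Get-ADUser -Filter * -Properties UserPrincipalName, mail` from the ActiveDirectory module and pipe that into `Test-UpnReadiness`; `mail` is not returned by `Get-ADUser` unless it is requested with `-Properties`. The script only reports, so remediation (fixing suffixes, adding UPNs) remains a deliberate follow-up step with IdFix or your own scripts.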
Is there a high bar for correctly implementing synchronization? If so, what obstacles usually stand in the way?
Scott: Microsoft has made the on-boarding process for directory synchronization as frictionless as possible. Depending on your needs, it can be a "next, next, next, done" type of installation or customized to meet your needs. As with most things Microsoft related, you'll want to understand the prerequisites and software boundaries for Azure Active Directory Connect (AAD Connect). With a clear understanding of the capabilities of directory synchronization, you'll be able to make the right choices as you prepare to implement.
Dan: Over the past few years, Microsoft has continued to simplify the directory synchronization process. As long as you have the appropriate account credentials and permissions within Active Directory to install the native tooling (Azure Active Directory Connect), it's simply a matter of determining the server upon which you want to install the tool. In previous versions, there were complexities to implementing filtering rules or the ability to sync from multiple Active Directory domains or directory services. This was primarily the limitation of DirSync, which would then push administrators to make use of Forefront Identity Manager (FIM). The current tooling alleviates those concerns as the wizard essentially walks you through scenarios for which previous tooling was incapable.
What is your top tip for automating Office 365 user creation?
Scott: I always encourage organizations synchronizing identities with Office 365 to make sure they are running the latest versions of the directory synchronization tooling. If you're still running DirSync, you should be thinking about upgrading to Azure Active Directory Connect. In the latest versions, AAD Connect offers more functionality and can even automatically update itself.
Dan: My top tip for automating Office 365 user creation is to realize that, like any other application, you need to keep it up to date with patches. Similar to Office 365, the Azure Active Directory that provides the Identity capabilities used within Office 365 is constantly being updated, iterated and enhanced. There are times when the APIs are changed or updated. As such, the synchronization engine, whether it be the free Azure Active Directory Connect tool or Microsoft Identity Manager 2016, also needs to be up to date to be able to connect and efficiently use the enhancements. My favorite capability Microsoft introduced a few years back was the password synchronization capability. This simplified the sign-on process for users, reducing the number of passwords that they need to know and eliminating post-it notes with usernames and passwords stuck to their laptops.
What are your favorite Office 365 tools?
Scott: I've become a huge fan of the updated Office 365 Administration Center and the associated applications for iOS and Android. Being able to administer your tenancy on-the-go is invaluable. The Administration Center also gives you visibility into the health of your directory synchronization, informing you of the last synchronization times and when updates are available for AAD Connect.
Dan: My favorite Office 365 tool is either the SharePoint App or the OneDrive App and the associated Office apps. Being able to quickly create, edit and review documents from anywhere helps me be more productive and keep my teammates moving forward without having to wait on me for additions to a document. In terms of favorite Office 365 tool associated with Directory Synchronization, I'd have to say that IdFix is a favorite to mitigate problems in a local source Active Directory.
What are your favorite Azure Active Directory Connect tools?
Scott: AAD Connect has come a long way. If you've only ever run the installation and configuration wizards, you're missing out on a lot of the power Microsoft has included in the tooling. In the latest revisions of AAD Connect, you have access to a robust Synchronization Rules engine and editor where you can control your inbound and outbound projects to Azure Active Directory. You should also familiarize yourself with the miisclient.exe tool included with AAD Connect for troubleshooting and the associated PowerShell cmdlets for post-installation configuration.
Dan: As a SharePoint IT Pro, I became very accustomed to using the underlying MIIS Client that was a part of the FIM tooling for the SharePoint User Profile Application and associated Synchronization Service tool. When I want to see where a hiccup is occurring or verify the status and what the Azure Active Directory Connect tooling is performing, I'll open up the miisclient.exe to review in real time the delta exports and imports in addition to the synchronizations occurring. I'm glad to see Microsoft left this component in to give the real time execution of synchronization.
What surprised you most when you were learning how to synchronize Office 365 with Azure Active Directory?
Scott: I've been working with directory synchronization since its early days. It always surprises me how easy it is to install and configure the synchronization agents. From the earliest versions of DirSync to AAD Connect, Microsoft has done a great job with the installation and on-boarding experience for customers needing to synchronize their on-premises identities with Office 365 and Azure Active Directory.
Dan: Having worked with Microsoft's ILM tooling before FIM even existed, I remember being surprised at the robust nature of the Directory Synchronization tooling. While DirSync had limitations around the number of supported user objects or its inability to perform synchronization by more than a single domain (IT Pros were steered to using FIM for complex use cases), it still performed rock solid and was fairly simple to set up. This lowered the bar of entry when Microsoft introduced this free tooling, since it meant IT pros didn't have to have a deep background in Identity Management lifecycles and workflows to synchronize identities to Azure Active Directory. They could operate DirSync as another component of their computer networking ecosystem.
What do you want to make sure attendees walk away with from your Live! 360 session "Setting Up Directory Synchronization for Office 365"?
Scott: I'd love for attendees to walk away with a solid understanding of all of the identity models for Office 365 (cloud only, directory synchronization, and directory synchronization with federation). I'd also like everyone to understand your identity in Office 365 isn't driven by Office 365, but by Azure Active Directory. This means you not only get the benefits of Office 365, but can also take advantage of Azure AD when you're using Office 365.
Dan: I'm hopeful IT pros and Office 365 administrators will come and learn how to tune their on-premises Active Directory to help their Office 365 users have the appropriate experience because they have a fully populated profile. I'd also hope they realize that setting up AAD Connect doesn't just empower Office 365 users, but they're setting the stage to transition more on-premises applications into the cloud and make use of the same identity and rich information that's stored in Azure Active Directory.
Find out more about Live! 360 2016 in Orlando here.