Azure & Active Directory Center

In the previous part of this article series, we've taken a first look at Azure AD Connect and reviewed what a default installation looks like using the express settings. In this part, we'll dive deeper into the advanced options of the installation wizard. The express settings option likely meets the needs for most organizations looking into deploying directory synchronization alone. However, if you are looking at a more complex synchronization scenario, like a multi-forest environment or if you would like to deploy and configure Active Directory Federation Services, the advanced options are what you are looking for!

Microsoft released Azure AD Connect to the public on June 24. The long-anticipated tool is the successor to Azure AD Sync and DirSync. But it’s much more than that.

Although a large part of Azure AD Connect still revolves around directory synchronization, I like to look at it more as a "Cloud Identity Enablement" — a solution rather than just a synchronization component. This is because Azure AD Connect not only allows you to deploy directory synchronization for almost every possible identity scenario you can dream of, but it also enables you to set up and configure identity federation through Active Directory Federation Services from within the same wizard.

Yesterday, Microsoft announced the General Availability (GA) of Azure AD Connect. Azure AD Connect is considered to be the successor to DirSync/AADSync. However, it is much more than just a synchronization engine. The tool allows customers to use a single wizard to configure various aspects of identity synchronization and authentication with Microsoft's Online Services.

The question "which federation protocol should I use" comes up frequently when talking to developers in my company. Fortunately MS has a PFE who has blogged on the subject.

The article is fantastic and technically accurate in the details. I highly recommend reading it. But I disagree at a higher level with the conclusions the author makes. I think I can explain that disagreement by examining the PFE’s situation. Firstly, he wrote this 5 months ago, and the situation changes quickly in federation. Secondly, he works for Microsoft and as a PFE the scenarios he encounters are likely more Microsoft focused than those of us in the “wild”. Thirdly, he is focused on ADFS as his technical area, it is the focus of his blog and he is quite clear on that.

Many companies have business relationships with SaaS partners that use SAML for authentication. ADFS works very well for many as a SAML WS-* federation infrastructure, although we have had some hiccups and incompatibilities along the way. One thing that comes up every now and then is applying business rules to the federation trust with a partner. Microsoft has done a very good job of explaining how to implement certain business rules for Office365 in some of their official blog posts by PFE’s. But what I have not seen is some of that practical help applied to non Microsoft services that we rely on.

As mentioned in my 2015 New Year in Review "Here We Are" blog article, the purpose of this article series is to explore 3rd-party federation solutions that work with Office 365 and which can be an alternative to a Windows’ built-in ADFS server role. In this first article however, I will be discussing a solution which is somewhat different from the others that I will be looking into.

Last year, Exchange Server MVP Mike Crowley wrote a script which would interactively report on the Office 365 Directory Synchronization tool. In the meantime –last September to be more exact – Microsoft released the new “Azure AD Sync Service” tool which seems deemed to replace DirSync at some point in the future. As I do see the tool being used in production from time to time, effectively already replacing DirSync, I thought it would be useful to “upgrade” Mike’s script to work with the new kid on the block.

In Exchange 2010 users can create distribution lists that are visible to the whole organization through Outlook Web App in the user Options.  By default these are created in the Users OU in Active Directory.

After preparing federation between Office 365 and the on-premise Active Directory and configuring the Office 365 tenant in the previous post, this article describes the installation of the Microsoft Online Services Directory Synchronization Setup (DirSync).

DirSync is required to synchronize your on-premise accounts and security groups to Office 365.

After preparing the AD FS requirements and installing the AD FS Server Role in part 1, this article describes the steps to configure the Active Directory Federation Services for further use and the eventual integration with Office 365.