How to activate password sync from local Active Directory to Office 365

avatar Posted on by

One of the benefits of Exchange hybrid configuration is that it allows for central management of both systems – your on-prem server and Office 365 Active Directory. With the Microsoft DirSync tool you can also propagate user information from your local environment up to the Cloud. Its another great feature is that it also allows to sync users’ passwords.  Owing to this, they will have to remember only one password instead of two.

password sync1

The following article explains how to set up password sync and how to filter out unnecessary data leaving only passwords.

DirSync deployment

The first step is to download DirSync from Microsoft’s site. The program requires a 64-bit environment, preferably a server machine within your domain, however it should not be a domain controller. Additionally make sure that there are .NET 3.5 SP1 and .NET 4.0 libraries installed on the machine.

Next, log into your Office 365 administrator account. Navigate to Users, Active Users, and click the Active Directory synchronization Setup link on top of the list. On the list that shows up, in point “3” click the Activate button. An Active Directory synchronization is activated message should be displayed, as shown on the below image:

1You can use the Download button in point “4” to download the DirSync tool.

Now you can launch the DirSync setup file. Follow the standard installation wizard until finish. Once the process is complete mark the Start Configuration Wizard now before clicking Finish.

8

Once the wizard launches provide the Office 365 administrative user’s credentials, then click Next:

9

In the following step enter the on-prem administrative credentials. Then hit the Next button until you arrive at Password Synchronization (the Hybrid Deployment step is not relevant in this scenario – leave it unchanged). Mark the Enable Password Sync checkbox, then click Next.

11

The final step is to uncheck the Synchronize your directories now box, as there are a couple of other options we need to set before syncing. Click Finish to close the wizard.

12

Filtering out AD attributes

Since, in our example, we want to sync only passwords and leave other user attributes in the Cloud unchanged, we need to filter out these AD attributes from the syncing task. To do so, launch the Synchronization Service Manager console by navigating to the following path:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

and running the miisclient.exe program. Once it is launched, click the Management Agents tab.

15

Right-click the Active Directory Connector item and then click Properties. In the new window, navigate to the Select Attributes option in the left pane.

1199

In the Select Attributes list, uncheck boxes next to attributes that you do not want to replicate to Office 365, e.g. contact details, company information etc. Confirm your choice by clicking the OK button. This setting is useful when the information present in the Cloud is not present in the local AD and you do not want to lose it. Synchronization works in one direction, from on-prem server to the Cloud, and always overwrites data in Office 365.

The final step is to start the synchronization task – to do so you need to right-click Active Directory Connector in the Management Agents tab and select Run.

19

Select Full Import Full Sync and confirm by clicking OK.

20

That’s it – your passwords are now in one-way sync between the on-prem server and the Office 365 organization.

What to be aware of?

There are a couple of options and limitations you need to bear in mind when setting up password sync with the DirSync tool:

  • All passwords synced to the Cloud are set to Password never expires. This might cause passwords synced from the local domain to be still valid in Office 365, even when they have already expired locally.
  • When changing a user’s password in the local AD, remember to uncheck the User must change password at next login option as it might cause the user to be unable to sign in to their Office 365 account.
  • When disabling an account in your local AD, keep in mind that this change is synced in a standard timeframe (which by default is three hours). Therefore, this might create a situation, where the user unable to login locally on a workstation is still able to login to their account in Office 365.

Suggested reading:

How to add and license users in bulk on Office 365

How to sync local Active Directory to Office 365 with DirSync

How to migrate mailboxes with x400 address to smtp addresses on Office 365

How to connect and remotely manage Office 365 with PowerShell

How to activate password sync from local Active Directory to Office 365 by

6 thoughts on “How to activate password sync from local Active Directory to Office 365

  1. I already have my local Active Directory synced with an Office 365 AD, but without password synchronization. If I activate the password synchronization with the writeback feature, what is going to happen? Which password would be valid to the users? The local or virtual? What is going to happen when I change the Office 365 password? How much time would it take to the Office 365 password be synced with my local AD?

    Reply

  2. If you did not have this setup, and wanted to added it years after you switched to Office 365, what issues could occur, or should I look for. We have 40+ O365 users with active accounts and permissions in SP, Exchange….etc. Can I sync them after the fact? Just trying not to be impact full to the users

    Thank you

    Reply

  3. Does the sync work when the internal domain is different from the external domain? (company.local internally and company.com externally)

    Reply

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

*