Plan for directory synchronization for Office 365

Summary: Describes directory synchronization with Office 365, Active Directory cleanup, and the Azure Active Directory Connect tool.

Depending on business needs, technical requirements, or both, directory synchronization is the most common provisioning choice for enterprise customers who are moving to Office 365. Directory synchronization allows identities to be managed in the on-premises Active Directory, and all updates to that identity are synchronized to Office 365.

There are a couple of things to keep in mind when you plan an implementation of directory synchronization, including directory preparation, and the requirements and functionality of the Azure Active Directory. Directory preparation covers quite a few areas. They include attribute updates, auditing, and planning domain controller placement. Planning requirements and functionality includes determining the permissions that are required, planning for multiforest/directory scenarios, capacity planning, and two-way synchronization.

Office 365 identity models

Office 365 uses three main identity models: cloud identity, synchronized identity and federated identity. Synchronized identity and federated identity use directory synchronization.

Active Directory Cleanup

To help ensure a seamless transition to Office 365 by using synchronization, we highly recommend that you prepare your Active Directory forest before you begin your Office 365 directory synchronization deployment.

When you set up directory synchronization in Office 365, one of the steps is to download and run the IdFix tool. You can use the IdFix tool to help with the directory cleanup.

Your directory cleanup should focus on the following tasks:

  • Remove duplicate proxyAddress and userPrincipalName attributes.

  • Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.

  • Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes. For details about preparing attributes, see List of attributes that are synced by the Azure Active Directory Sync Tool.

    Note: These are the same attributes that Azure AD Connect syncs.
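As an added illustration (not part of the original article, and not the IdFix tool's own logic), the following Python script runs the three cleanup checks listed above over a constructed in-memory export, the shape you would get by exporting users with Get-ADUser to CSV: duplicate userPrincipalName and proxyAddresses values, blank or malformed userPrincipalName values, and invalid characters in sAMAccountName, displayName, mail and proxyAddresses. The character rules, the list of non-routable suffixes, and every sample account are assumptions made for the example; treat IdFix and the linked attribute list as authoritative.

```python
import re
from collections import defaultdict

# Assumed validation rules for illustration only (modelled on the kind of checks
# IdFix performs, not copied from it). Domain labels: letters, digits, hyphens;
# UPN local part: letters, digits and . - _ ! # ^ ~ with no leading/trailing period.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?"
                       r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?)+$")
UPN_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#^~_\-](?:[A-Za-z0-9!#^~_.\-]*[A-Za-z0-9!#^~_\-])?$")
SAM_INVALID_RE = re.compile(r'[\\/"\[\]:;|=,+*?<>\s]')
NON_ROUTABLE_SUFFIXES = (".local", ".internal", ".lan")  # assumption: typical private suffixes

# Constructed sample export; contoso.com is a placeholder tenant domain.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@contoso.com",
     "displayName": "John Doe", "mail": "jdoe@contoso.com",
     "proxyAddresses": ["SMTP:jdoe@contoso.com", "smtp:john.doe@contoso.com"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@contoso.local",
     "displayName": "Ann Smith", "mail": "asmith@contoso.com",
     "proxyAddresses": ["SMTP:asmith@contoso.com", "X500:/o=Contoso/ou=Users/cn=asmith"]},
    {"sAMAccountName": "bjones", "userPrincipalName": "",
     "displayName": "Bob Jones", "mail": "bjones@contoso.com",
     "proxyAddresses": ["SMTP:bjones@contoso.com", "smtp:john.doe@contoso.com"]},
    {"sAMAccountName": "svc/backup", "userPrincipalName": "svc backup@contoso.com",
     "displayName": "Backup Service", "mail": "", "proxyAddresses": []},
    {"sAMAccountName": "jdoe2", "userPrincipalName": "jdoe@contoso.com",
     "displayName": "John Doe (contractor)", "mail": "jdoe2@contoso.com",
     "proxyAddresses": ["SMTP:jdoe2@contoso.com"]},
]


def check_email(addr):
    """Return a problem description for an SMTP address, or None if it is well formed."""
    if any(ch.isspace() for ch in addr):
        return "contains whitespace"
    if addr.count("@") != 1:
        return "must contain exactly one '@'"
    local, domain = addr.split("@")
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return "invalid local part"
    if not DOMAIN_RE.match(domain):
        return "invalid domain part"
    return None


def check_upn(upn):
    """Return a problem description for a userPrincipalName, or None if it is acceptable."""
    if not upn.strip():
        return "blank userPrincipalName"
    if any(ch.isspace() for ch in upn) or upn.count("@") != 1:
        return "userPrincipalName must be local@domain with no whitespace"
    local, domain = upn.split("@")
    if not UPN_LOCAL_RE.match(local):
        return "invalid characters in userPrincipalName local part"
    if not DOMAIN_RE.match(domain):
        return "invalid userPrincipalName domain"
    if domain.lower().endswith(NON_ROUTABLE_SUFFIXES):
        return "non-routable userPrincipalName suffix (not a verified Office 365 domain)"
    return None


def smtp_address(proxy):
    """Return the address of an 'SMTP:'/'smtp:' proxyAddresses entry; None for other types (X500:, SIP:, ...)."""
    if ":" not in proxy:
        return proxy
    kind, addr = proxy.split(":", 1)
    return addr if kind.lower() == "smtp" else None


def find_issues(users):
    """Return a sorted list of (sAMAccountName, attribute, message) findings for a user export."""
    findings = []
    upn_owners = defaultdict(list)    # lower-cased UPN -> accounts carrying it
    proxy_owners = defaultdict(list)  # lower-cased SMTP address -> accounts carrying it
    for u in users:
        sam = u["sAMAccountName"]
        if not sam or len(sam) > 20 or SAM_INVALID_RE.search(sam):
            findings.append((sam, "sAMAccountName", "invalid characters or length"))
        dn = u.get("displayName", "")
        if not dn or dn != dn.strip():
            findings.append((sam, "displayName", "blank or has leading/trailing whitespace"))
        problem = check_upn(u.get("userPrincipalName", ""))
        if problem:
            findings.append((sam, "userPrincipalName", problem))
        else:
            upn_owners[u["userPrincipalName"].lower()].append(sam)
        mail = u.get("mail", "")
        if mail and check_email(mail):
            findings.append((sam, "mail", check_email(mail)))
        for proxy in u.get("proxyAddresses", []):
            addr = smtp_address(proxy)
            if addr is None:
                continue  # non-SMTP address types are not checked here
            problem = check_email(addr)
            if problem:
                findings.append((sam, "proxyAddresses", f"{proxy}: {problem}"))
            else:
                proxy_owners[addr.lower()].append(sam)
    # Duplicates are only meaningful across accounts, so report them after the full pass.
    for attribute, owners_by_value in (("userPrincipalName", upn_owners), ("proxyAddresses", proxy_owners)):
        for value, owners in owners_by_value.items():
            if len(owners) > 1:
                for sam in owners:
                    others = ", ".join(o for o in owners if o != sam)
                    findings.append((sam, attribute, f"duplicate {value} (also on {others})"))
    return sorted(findings)


if __name__ == "__main__":
    for sam, attribute, message in find_issues(SAMPLE_USERS):
        print(f"{sam:12} {attribute:18} {message}")
```

Run against a real export, the output is the worklist for cleanup: each line names the account, the attribute to correct, and why it would block or misbehave in synchronization. Duplicates are reported on every account that shares the value, because only the directory owner can decide which one keeps it.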

Multiforest Deployment Considerations

For multiple forests and SSO options, use Custom Installation of Azure AD Connect.

If your organization has multiple forests for authentication (logon forests), we highly recommend the following:

  • Evaluate consolidating your forests. In general, there’s more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment.

  • Use only in your primary logon forest. Consider deploying Office 365 only in your primary logon forest for your initial rollout of Office 365.

If you can’t consolidate your multiforest Active Directory deployment or are using other directory services to manage identities, you may be able to synchronize these with the help of Microsoft or a partner.

For more information, see Multi-forest Directory Sync with Single Sign-On Scenario.

Directory integration tools

Directory synchronization is the synchronization of directory objects (users, groups, and contacts) from your on-premises Active Directory environment to the Office 365 directory infrastructure. See directory integration tools for a list of the available tools and their functionality. The recommended tool to use is Azure Active Directory Connect.

When user accounts are synchronized with the Office 365 directory for the first time, they are marked as non-activated. They cannot send or receive email, and they don’t consume subscription licenses. When you’re ready to assign Office 365 subscriptions to specific users, you must select and activate them by assigning a valid license.

Directory synchronization is required for the following features and functionality:

  • SSO.

  • Lync coexistence.

  • Exchange hybrid deployment, including:

    • Fully shared global address list (GAL) between your on-premises Exchange environment and Office 365.

    • Synchronizing GAL information from different mail systems.

    • The ability to add users to and remove users from Office 365 service offerings. This requires the following:

      • Two-way synchronization must be configured during directory synchronization setup. By default, directory synchronization tools write directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that a limited number of object attributes are copied from the cloud and then written back to your local Active Directory. Write-back is also referred to as Exchange hybrid mode.

      • An on-premises Exchange hybrid deployment.

    • The ability to move some user mailboxes to Office 365 while keeping other user mailboxes on-premises.

    • Safe senders and blocked senders on-premises are replicated to Office 365.

    • Basic delegation and send-on-behalf-of email functionality.

    • Integration with an on-premises smart card or multi-factor authentication solution.

  • Synchronization of photos, thumbnails, conference rooms, and security groups.

See Also

Upgrade from Azure Active Directory sync (DirSync) to Azure AD connect

Azure AD Connect release history
