DirSync, now called ‘Azure AD Connect’, is a free Microsoft product that synchronises traditional Active Directory (whether on-premises or in IaaS) with Azure AD.
Azure AD is the directory that manages your Office 365 / Exchange Online identities. Businesses use DirSync to achieve simple SSO and to keep managing identities in their on-premises Active Directory.
What if you wanted to create a brand-new Active Directory using your Office 365 identities and then set up DirSync after that? Well… DirSync is one-way only, designed for a specific purpose, and while the underlying engine (Forefront Identity Manager) is capable of doing just about any identity management project, that requires some setup costs.
Why might you want to do this? You could be wanting to set up a new Active Directory and use your Office 365 users as a reference. Faced with this challenge recently, we established some scripts to set up Active Directory initially, and then installed and configured Azure AD Connect.
We will walk through the steps:
- Make sure your Azure AD is healthy and as you want it. It might be necessary to do some directory ‘cleaning’ in which you make sure relevant attributes are well formed (for example, UPNs and aliases matching naming standards).
- Create your new ‘pristine’ traditional Active Directory. In our case we built this on Server 2012 R2 in Azure IaaS.
- Run the export script to extract identities out of your Azure AD. To do this you need to connect to your Office 365 tenant with PowerShell, and extract the identity data to a CSV file. Use the export-azad script at the end of this blog.
- Now that you have your CSV, you can make some mods as needed, but take care – it would be better to fix any attributes in Office 365 Azure AD and export clean data.
- Now you are ready to populate your AD users using the import-AD script. Run this with PowerShell on your AD domain controller.
Once you have successfully populated your AD, consider the following before you turn on DirSync and sync back up to Azure AD:
- Take the usual care with domain suffix and UPN and setup accordingly.
- We haven’t covered distribution lists here; you could either set up a similar script system, or do these manually afterwards (viable if you have, say, < 20 groups).
- Take care with proxy SMTP addresses; the system described here only covers your primary SMTP address. Again, set up additional scripts or do this manually as appropriate.
- When you start DirSync it’s going to take charge of your Office 365 identities. If there are issues with identity replication, this could result in negative implications for your production Office 365 – so take good care.
Please note: The export script below includes a random password generator written by a third party. The passwords it creates tend not to be compliant with the standard AD password policy. You can either enhance this yourself, modify the password policy, or set the password in the CSV as appropriate.
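As an added worked example for the export, import and password steps described above (this is not the blog’s own export-azad or import-AD script), the PowerShell below assumes the MSOnline module on the export machine, the RSAT ActiveDirectory module on the domain controller, a placeholder target OU, and the CSV column names that Export-AzAdUsers writes. The password generator draws from the system CSPRNG and always satisfies the default AD complexity rule, which addresses the caveat in the note above.

```powershell
# Added example, not the blog's own export-azad / import-AD scripts. Assumes the MSOnline
# module on the export machine and the RSAT ActiveDirectory module on the domain controller.
function Export-AzAdUsers {
    param([string]$Path = '.\azad-export.csv')
    # PrimarySmtpAddress is the proxy address carrying the capital 'SMTP:' prefix
    Get-MsolUser -All | Select-Object UserPrincipalName, DisplayName, FirstName, LastName,
        @{ n = 'PrimarySmtpAddress'; e = { ($_.ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', '' } } |
        Export-Csv -Path $Path -NoTypeInformation
}
# Generates a password meeting the default AD complexity rule (3 of 4 classes; this always
# includes all 4) from the system CSPRNG rather than Get-Random. Ambiguous glyphs are omitted.
function New-CompliantPassword {
    param([int]$Length = 16)
    $classes = @('abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+?')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {                                   # one char from $set; modulo bias is negligible here
        param([string]$set)
        $b = New-Object byte[] 4; $rng.GetBytes($b)
        $set[[int]([BitConverter]::ToUInt32($b, 0) % $set.Length)]
    }
    $chars = @(foreach ($c in $classes) { & $pick $c })           # one from every class
    while ($chars.Count -lt $Length) { $chars += & $pick (-join $classes) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {                 # Fisher-Yates shuffle
        $b = New-Object byte[] 4; $rng.GetBytes($b)
        $j = [int]([BitConverter]::ToUInt32($b, 0) % ($i + 1))
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}
# Creates each CSV row as an enabled AD user who must change the password at first logon.
# The initial password is only emitted to the pipeline; hand it over through your own channel.
function Import-AdUsersFromCsv {
    param([string]$Path = '.\azad-export.csv', [string]$TargetOU = 'OU=Imported,DC=corp,DC=local')  # placeholder OU
    Import-Module ActiveDirectory
    foreach ($r in Import-Csv -Path $Path) {
        $pw  = New-CompliantPassword
        $sam = (($r.UserPrincipalName -split '@')[0]) -replace '[^a-zA-Z0-9._-]', ''
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit
        $params = @{
            Name = $r.DisplayName; SamAccountName = $sam; UserPrincipalName = $r.UserPrincipalName
            EmailAddress = $r.PrimarySmtpAddress; Path = $TargetOU; Enabled = $true; ChangePasswordAtLogon = $true
            AccountPassword = (ConvertTo-SecureString $pw -AsPlainText -Force)
            OtherAttributes = @{ proxyAddresses = "SMTP:$($r.PrimarySmtpAddress)" }   # primary SMTP only
        }
        if ($r.FirstName) { $params.GivenName = $r.FirstName }      # skip empty cloud attributes
        if ($r.LastName)  { $params.Surname   = $r.LastName }
        New-ADUser @params
        [pscustomobject]@{ UserPrincipalName = $r.UserPrincipalName; InitialPassword = $pw }
    }
}
```

Run Export-AzAdUsers after Connect-MsolService, review the CSV, then run Import-AdUsersFromCsv on the domain controller before enabling Azure AD Connect; the primary SMTP written to proxyAddresses and the matching UPN are what the sync engine uses to pair the new AD objects with the existing cloud identities.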
For more on Office 365, Azure and cloud in general: Red Bass Consulting; Office 365; and get in touch!