Azure Directory Sync Initial Configuration

When you are implementing Windows Intune with SCCM, you always come to the point where you have to install Azure Directory Synchronization; otherwise you will need to create your user accounts manually, and the users will have to manage two passwords for their user account, one for on-premises and one for the cloud.
Two big questions in this topic are: which attributes will be synchronized, and from which objects?
The other part is how to manage the password: with ADFS or with password synchronization?

I would strongly recommend reading the TechNet article about Azure Directory Synchronization carefully (http://technet.microsoft.com/en-us/library/jj573653.aspx).
The process of installing and configuring DirSync is quite simple when you follow the available guidelines. It is well described, and where and what kind of software you need to install really depends on your needs and infrastructure (multi-forest design etc.). But be aware of the last screen when you run the Windows Azure Active Directory Sync tool Configuration Wizard:
End of Wizard
Be sure that you have unchecked the “Synchronize your directories now” box, otherwise the entire directory will be synchronized. The configuration the wizard leaves behind is not yet what we need, so we don’t want to sync at this point. You can sync the directories afterwards through PowerShell or by running the wizard again.
To modify the initial configuration, navigate to the installation path of the DirSync tool and start miisclient.exe:
“C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”
This will open the Forefront Identity Manager console, where you can check the configuration and change it if wanted. The most common change is to select one or more specific Organizational Units to sync with Azure Directory. You can achieve this by clicking on “Management Agents”:
FIM Console Management Agents
In the list of the Management agents, double-click the “Active Directory Connector” entry:
Active Directory Connector FIM
This will open the properties of this connector, and you have to navigate to “Configure Directory Partitions” and click on the “Containers …” button:
FIM AD Connector Partition
You will be asked for domain credentials. The account that is shown was created when the wizard was run, so you don’t know its password, but you can simply use your own credentials to connect to the AD. After this authentication, the following window is shown, where you can select or deselect OUs:
Select OU in FIM AD Connector

Another way to reduce the number of synced objects is to exclude objects based on an attribute. For this, navigate to “Configure Connection filter”, select the object type which you want to configure, in my case “user”, and click on “new”:
DirSyncExlcusions
You might notice that there are already some entries in this list. In the “Filter for user” wizard, choose your attribute, in my case “ExtensionAttribute13”, and define the rule “Equals NotForNSA”. All accounts that match this rule will not be synced to Azure Directory:
Filter for User
Click on “Add Condition” and close the windows by clicking OK twice.
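A way to preview the scope configured above before the first sync, as an added example that is not part of the original post: it lists the users under the selected OUs and marks those the ExtensionAttribute13 rule would exclude. It assumes the ActiveDirectory PowerShell module is available and uses a placeholder OU distinguished name; it does not evaluate the filter entries that were already in the list.

```powershell
# Added example: preview the DirSync scope before the first synchronization.
# Assumptions: the ActiveDirectory module (RSAT) is installed, and the OU DN
# below is a placeholder for the containers selected in the connector.
Import-Module ActiveDirectory

$SyncedOUs   = @('OU=CloudUsers,DC=example,DC=com')   # placeholder DN
$FilterAttr  = 'extensionAttribute13'                 # attribute used in the post
$FilterValue = 'NotForNSA'                            # value used in the post

function Get-SyncDecision {
    param([string]$Value, [string]$Expected)
    # Exact match: the "Equals" rule applies and the account stays on-premises.
    if ($Value -ceq $Expected) { return 'Excluded' }
    # Differs only in case or surrounding whitespace: correct the value in AD
    # instead of relying on how the connector filter compares strings.
    if ($Value -and $Value.Trim() -ieq $Expected) { return 'NearMiss' }
    return 'Synced'
}

$report = foreach ($ou in $SyncedOUs) {
    # Subtree search; if child OUs were deselected in the connector,
    # list the remaining OUs individually in $SyncedOUs instead.
    Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * -Properties $FilterAttr |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OU             = $ou
                AttrValue      = $_.$FilterAttr
                Decision       = Get-SyncDecision -Value $_.$FilterAttr -Expected $FilterValue
            }
        }
}

# Summary first, then every account that will not sync or needs a second look.
$report | Group-Object Decision | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Decision -ne 'Synced' |
    Sort-Object Decision, SamAccountName | Format-Table -AutoSize
```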

Now you have defined which objects will be synchronized. Next comes the question of which attributes.
Let me say first: when you look at the list for the first time, it’s quite amazing how many attributes are selected by default, while only a few are really necessary. I would not recommend deselecting attributes. But if you want to, you can, except these 5:
-cn
-member (applies only to groups)
-samAccountName (applies only to users)
-alias (applies only to groups and contacts)
-displayName (for groups with a mail or proxyAddresses attribute populated)
Refer to this article for more information about the attributes: http://support.microsoft.com/kb/2256198/en-us
This article also contains information about the attributes used in an Exchange hybrid deployment, which attributes are read only, and which ones are also written back from the Azure Directory to the on-premises directory.
You can also get this information by looking at the “Configure Attribute Flow” section in this wizard (as an example, a small list from the user object):
Attribute Flow

So, the most important things are configured now and you can start your synchronization. As said, you can go through the wizard again, or use PowerShell:
Add-PSSnapin Coexistence-Configuration
Start-OnlineCoexistenceSync

Start Azure Directory synchronization with powershell
You should receive a success status for your operation, see picture above.

Hope this helps someone 🙂
Martin
