When you are implementing Windows Intune with SCCM, you always come to the Point, where you got to install Azure Directory Synchronization, otherwise you will need to create your user account manually, and the users have also to manage two Passwords for their user account, one for on-premise and one for the cloud.
Two big questions in this Topic is, what attributes will be synchronized and from which objects?
The other part is how to manage the Password, either with ADFS or Password synchronization?
I would strongly recommend to read the TechNet article about Azure Directory Synchronization carefully (http://technet.microsoft.com/en-us/library/jj573653.aspx).
So the process of installing and configuring a DirSync is quite simple when you follow the available Guidelines. It is well described and really depends on your needs and Infrastructure (Multi Forest Design etc.) where and what kind of Software you need to install. But be aware of the last Screen, when you run the Windows Azure Active Directory Sync tool Configuration Wizard:
Be sure that you have unchecked the “Synchronize your directories now” box, otherwise the entire Directory will be synchronized. You can sync the directories afterwards through powershell or running the wizard again. Because after the configuration is done through the wizard, the initial configuration is not as what we need, so we don’t want to sync.
To modify the initial configuration, navigate to the Installation path of the DirSync tool, and start miisclient.exe:
“C:Program FilesWindows Azure Active Directory SyncSYNCBUSSynchronization ServiceUIShellmiisclient.exe”
This will open the Forefront Identity Manager Console, where you can check the config, and change it if wanted. The most common change is to select one or more specific Organizational Unit to sync with Azure Directory. You can achieve this, by clicking on “Management Agents”:
In the list of the Management agents, double-click the “Active Directory Connector” entry:
This will open the properties of this connector, and you have to navigate to “Configure Directory Partitions” and click on the “Containers …” button:
You will be asked for Domain credentials, the account which is shown was created when the wizard was run, thus you don’t know the Password. But you can simply use your credentials to connect to the AD. After this authentication, the following window is shown, where you can select or deselect OUs:
An other way to reduce the number of synced object is to exclude objects based on an Attribute. For this, you have to navigate to “Configure Connection filter” and select the object which you want to configure, in my case “user” and click on “new”:
You might recognize that there are already some entries in this list. In the “Filter for user” wizard, choose your Attribute, in my case “ExtensionAttribute13”, and define the rule “Equals NotForNSA”. All accounts that match this rule, will not be synced to Azure Directory:
Click on “Add Condition” and Close the Windows by clicking on OK twice.
Now you have set your Definition of what will be synchronized. Now we come to the which attributes part.
Let me say first, when you look at the list for the first time, it’s quite amazing how many attributes are selected by Default, but really necessary are only a few. I would not recommend to deselect some attributes. But if you want to, you can, except these 5:
-member (applies only to groups)
-samAccountName (applies only to users)
-alias (applies only to groups and contacts)
-displayName (for groups with an mail or proxyAddresses attribute populated)
Refer to this article for more Information about the attributes: http://support.microsoft.com/kb/2256198/en-us
This article contains also Information about the Attribute used in an Exchange Hybrid deployment, and which Attribute are used for read only, and which one are also written back from the Azure Directory to the On-Premise.
You can also get those Information by looking at the “Configure Attribute Flow” section in this wizard (As example a small list from the user):
So, the most important things are configured now, you can start your synchronization, as said, you can go through the wizard again, or use powershell:
You should receive a success Status on your operation, see Picture above.
Hope this helps someone 🙂