
Directory synchronization for Office 365


Plan for directory synchronization for Office 365:

Depending on business needs, technical requirements, or both, directory synchronization is the most common provisioning choice for enterprise customers moving to Office 365. It lets identities be mastered on-premises; every update to an identity is then synchronized to Office 365.

There are several things to keep in mind when you plan a directory synchronization implementation, including directory preparation and the requirements and functionality of Windows Azure Active Directory. Directory preparation covers attribute updates, auditing, and domain controller placement. Planning for requirements and functionality covers the permissions that are required, multiforest/multidirectory scenarios, capacity, and two-way synchronization.


Directory Synchronization and Source of Authority

In an Office 365 environment, source of authority refers to the location where Active Directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a cross-premises deployment.

You change the source of authority for an object by activating, deactivating, or reactivating directory synchronization, either from within Office 365 or with Windows PowerShell. After the first synchronization run, source of authority for the synchronized objects moves from Office 365 to your on-premises directory service: those objects and their synchronized attributes are then managed on-premises, and the cloud copy cannot be edited until synchronization is deactivated again.
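The state changes described above, as an added PowerShell example using the MSOnline module (this is not code from the original article). It assumes the MSOnline module is installed, that the session holds a Global Admin role, and that alice@contoso.com is a placeholder for one of your synchronized users.

```powershell
# Added example, not from the original article: inspect and change the
# directory-synchronization state of a tenant with the MSOnline module.
# Assumptions: the MSOnline module is installed, the session holds a Global
# Admin role, and alice@contoso.com is a placeholder synced user.
Import-Module MSOnline
Connect-MsolService                      # prompts for tenant admin credentials

# 1. Is synchronization active, and when did it last run?
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

# 2. Which objects are mastered on-premises? A synced user carries an
#    ImmutableId (derived from the on-premises objectGUID) and a
#    LastDirSyncTime; a cloud-mastered user has neither.
Get-MsolUser -All |
    Select-Object UserPrincipalName, LastDirSyncTime,
        @{ n = 'SourceOfAuthority'; e = { if ($_.ImmutableId) { 'On-premises' } else { 'Cloud' } } }

# 3. Source of authority in practice: a synchronized attribute cannot be
#    edited in the cloud, so this call is refused while sync is active.
try {
    Set-MsolUser -UserPrincipalName 'alice@contoso.com' `
                 -DisplayName 'Alice (edited in the cloud)' -ErrorAction Stop
} catch {
    Write-Warning "Cloud edit refused for an on-premises-mastered object: $($_.Exception.Message)"
}

# 4. Deactivating synchronization hands source of authority back to the cloud.
#    Objects keep their ImmutableId, so a later reactivation matches them
#    again instead of creating duplicates. The switch is asynchronous, so
#    confirm the state before assuming it has changed.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled

# ... and to reactivate later:
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
```

Step 3 is the quickest way to demonstrate to an administrator what "source of authority" means: the edit must be made in on-premises Active Directory and allowed to synchronize.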

Domain Controller Requirements

The on-premises Active Directory forest must meet specific requirements. They include requirements for the schema master, global catalog servers, and domain controllers. It’s important to carefully read the latest requirements and ensure that your on-premises directory servers meet those requirements. 

Active Directory Cleanup

To help ensure a seamless transition to Office 365 by using synchronization, we highly recommend that you prepare your Active Directory forest before you begin your Office 365 directory synchronization deployment.

Your directory remediation efforts should focus on the following tasks:

  • Remove duplicate proxyAddresses and userPrincipalName values.
  • Replace blank and invalid userPrincipalName values with valid ones.
  • Remove invalid and questionable characters from the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
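The three remediation tasks above can be found with one report before the first synchronization run. The following PowerShell is an added example, not code from the original article. It assumes the ActiveDirectory (RSAT) module is available, that the caller can read every user in the domain, and that the character rules encoded in the regular expressions are a conservative approximation which you should align with the current Office 365 rules.

```powershell
# Added example, not from the original article: report the remediation items
# (duplicate UPNs and proxy addresses, blank/invalid UPNs, bad characters).
# Assumptions: ActiveDirectory module present; the regexes below are an
# assumed, conservative character policy, not the official one.
Import-Module ActiveDirectory

$props = 'userPrincipalName','proxyAddresses','mail','mailNickname',
         'givenName','sn','displayName','sAMAccountName'
$users    = Get-ADUser -Filter * -Properties $props
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($issue, $account, $value) {
    $findings.Add([pscustomobject]@{ Issue = $issue; Account = $account; Value = $value })
}

# 1. Duplicate userPrincipalName values (compared case-insensitively).
$users | Where-Object { $_.userPrincipalName } |
    Group-Object { $_.userPrincipalName.ToLower() } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { foreach ($u in $_.Group) { Add-Finding 'DuplicateUPN' $u.sAMAccountName $u.userPrincipalName } }

# 2. The same proxy address on more than one account. "SMTP:" vs "smtp:"
#    only marks primary vs secondary, so compare the lower-cased value.
$users | ForEach-Object {
    $acct = $_.sAMAccountName
    foreach ($a in @($_.proxyAddresses)) {
        if ($a) { [pscustomobject]@{ Key = $a.ToLower(); Account = $acct; Raw = $a } }
    }
} | Group-Object Key | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { foreach ($e in $_.Group) { Add-Finding 'DuplicateProxyAddress' $e.Account $e.Raw } }

# 3. Blank or malformed UPNs. Assumed prefix alphabet: letters, digits, '.', '-', '_';
#    the suffix must be a dotted DNS name.
$upnPattern = '^[A-Za-z0-9._-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
foreach ($u in $users) {
    if (-not $u.userPrincipalName) { Add-Finding 'BlankUPN' $u.sAMAccountName ''; continue }
    if ($u.userPrincipalName -notmatch $upnPattern) { Add-Finding 'InvalidUPN' $u.sAMAccountName $u.userPrincipalName }
}

# 4. Questionable characters. Names tolerate punctuation but not control
#    characters, angle brackets or quotes; mail-related attributes are strict;
#    sAMAccountName uses the classic Windows forbidden set (all assumed lists).
$nameBad = '[\x00-\x1F"<>]'
$mailBad = '[\s\\"\(\)\[\]<>;:,\|\*\?=]'
$samBad  = '[\s"/\\\[\]:;\|=,\+\*\?<>]'
foreach ($u in $users) {
    foreach ($p in 'givenName','sn','displayName') {
        $v = $u.$p
        if ($v -and ($v -match $nameBad -or $v -ne $v.Trim())) { Add-Finding "BadChars:$p" $u.sAMAccountName $v }
    }
    foreach ($p in 'mail','mailNickname') {
        $v = $u.$p
        if ($v -and $v -match $mailBad) { Add-Finding "BadChars:$p" $u.sAMAccountName $v }
    }
    if ($u.userPrincipalName -and $u.userPrincipalName -match $mailBad) { Add-Finding 'BadChars:userPrincipalName' $u.sAMAccountName $u.userPrincipalName }
    if ($u.sAMAccountName -match $samBad) { Add-Finding 'BadChars:sAMAccountName' $u.sAMAccountName $u.sAMAccountName }
    foreach ($a in @($u.proxyAddresses)) {
        # Check only the address part; the "SMTP:"/"X500:" prefix legitimately contains a colon.
        if ($a -and ($a -split ':', 2)[1] -match $mailBad) { Add-Finding 'BadChars:proxyAddresses' $u.sAMAccountName $a }
    }
}

$findings | Sort-Object Issue, Account | Format-Table -AutoSize
# $findings | Export-Csv .\dirsync-remediation.csv -NoTypeInformation
```

Run it against each domain that will be in scope, fix the findings in Active Directory, and re-run until the report is empty; synchronization errors for these attributes are far harder to clean up after the objects already exist in the cloud.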


Active Directory Auditing


  • Your organization may want to use Active Directory auditing to capture and evaluate the events associated with directory synchronization, such as user creation, password reset, and adding users to groups.
  • With directory synchronization in place, auditing captures directory service events in the Security log of your Active Directory domain controllers. Security logging may be disabled by default, so make sure you know how to enable it for your organization.
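Enabling that auditing and reading the resulting events back, as an added PowerShell example that is not part of the original article. It runs on a domain controller as an administrator; for illustration the policy is set locally with auditpol (in production, link a GPO with Advanced Audit Policy Configuration to the Domain Controllers OU). The event IDs are the standard Windows Security log IDs; $syncAccount is an assumed name for your synchronization service account.

```powershell
# Added example, not from the original article: enable the audit subcategories
# behind the events named above, then pull the events back with the actor.
# Assumptions: run on a DC as admin; $syncAccount is your sync service account.

# 1. Enable the subcategories for success and failure.
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /subcategory:"User Account Management"
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"Directory Service Changes"
# Directory Service Changes (event 5136) additionally needs an audit entry
# (SACL) on the OU or objects you want to watch; the other two do not.

# 2. Standard Security-log event IDs for the activities the text lists.
$ids = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    5136 = 'Directory service object modified'
}
$syncAccount = 'MSOL_AD_Sync'   # assumed name

# 3. Read the last 24 hours and flatten each event's XML payload into a row.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    $xml  = [xml]$e.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        What   = $ids[$e.Id]
        Actor  = $data['SubjectUserName']
        Target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectDN'] }
        Attr   = $data['AttributeLDAPDisplayName']   # populated for 5136 only
        Value  = $data['AttributeValue']              # populated for 5136 only
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# 4. The sync account should appear as Actor only for write-back attributes.
#    Any other attribute it touches, and any account-management event where
#    it is the actor, is worth investigating.
$rows | Where-Object { $_.Actor -eq $syncAccount } |
    Group-Object Id, Attr | Select-Object Name, Count
```

Step 4 is the check worth keeping as a scheduled job: the service account's footprint in the Security log should be small and stable, and any growth in it is an early sign of either a misconfiguration or a compromised sync server.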


Multiforest Deployment Considerations

The Directory Sync tool synchronizes a single on-premises Active Directory forest. If your organization has multiple forests for authentication (logon forests) and would like to use the Directory Sync tool, we highly recommend the following:

  • Evaluate consolidating your forests. In general, there’s more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment in advance of deploying the Directory Sync tool.
  • Use only in your primary logon forest. Consider deploying Office 365 only in your primary logon forest for your initial rollout of Office 365.

About the Directory Sync tool

Directory synchronization is the synchronization of directory objects (users, groups, and contacts) from your on-premises Active Directory environment to the Office 365 directory infrastructure. The Directory Sync tool performs this synchronization. You install this tool on a dedicated computer in your on-premises environment.

When user accounts are synchronized with the Office 365 directory for the first time, they are marked as non-activated. They cannot send or receive email, and they don’t consume subscription licenses. When you’re ready to assign Office 365 subscriptions to specific users, you must select and activate them by assigning a valid license.
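The non-activated state and its activation by license assignment, as an added PowerShell example (not code from the original article). It assumes the MSOnline module and a Global Admin session; the SKU identifier and the approved-users.csv file (with a UserPrincipalName column) are placeholders.

```powershell
# Added example, not from the original article: list synchronized users that
# are still non-activated (no license) and activate an approved subset.
# Assumptions: MSOnline module; $sku and approved-users.csv are placeholders.
Import-Module MSOnline
Connect-MsolService

# Which subscriptions do we own, and how many seats are free?
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits

# Synced (ImmutableId set) but unlicensed: the "non-activated" users above.
# They cost nothing and cannot use mail, but they do exist as sign-in targets,
# so BlockCredential is worth reviewing for accounts that should never log on.
$pending = Get-MsolUser -All -UnlicensedUsersOnly | Where-Object { $_.ImmutableId }
$pending | Select-Object UserPrincipalName, LastDirSyncTime, BlockCredential

# Activate only a reviewed list. A UsageLocation is required before a license
# can be assigned; set it per user if Active Directory does not supply it.
$sku        = 'contoso:ENTERPRISEPACK'            # assumed SKU id
$toActivate = Import-Csv .\approved-users.csv     # assumed file
foreach ($row in $toActivate) {
    Set-MsolUser -UserPrincipalName $row.UserPrincipalName -UsageLocation 'US'
    Set-MsolUserLicense -UserPrincipalName $row.UserPrincipalName -AddLicenses $sku
}
```

Because every synchronized account arrives non-activated, licensing is the natural control point: nothing reaches a mailbox until someone approves it, and the unlicensed list doubles as an inventory of synchronized identities that should perhaps have been filtered out on-premises.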

The Directory Sync tool is required for the following features and functionality:

  • SSO.
  • Lync coexistence.
  • Exchange hybrid deployment, including:
    • Fully shared global address list (GAL) between your on-premises Exchange environment and Exchange Online.
    • Synchronizing GAL information from different mail systems.
    • The ability to add users to and remove users from Office 365 service offerings. This requires the following:
      • Two-way synchronization must be configured during Directory Sync tool setup. By default, the Directory Sync tool writes directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that the Directory Sync tool copies a limited number of object attributes from the cloud, and then writes them back to your local Active Directory. Write-back is also referred to as Exchange hybrid mode in the context of Directory Sync tool configuration. More information about the attributes that are synchronized during write-back is discussed later in this topic.
      • An on-premises Exchange hybrid deployment 
    • The ability to move some user mailboxes to Office 365 while keeping other user mailboxes on-premises.
    • Safe senders and blocked senders on-premises are replicated to Exchange Online.
    • Basic delegation and send-on-behalf-of email functionality.
  • Synchronization of photos, thumbnails, conference rooms, and security groups.

Required Permissions for Installation


  • To install the Directory Sync tool you need Enterprise Admin rights, but only during installation. Once the tool is installed it runs under a non-privileged Active Directory account, which the installer creates automatically.
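Verifying that least-privilege property after installation, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory module is available and that $syncAccount is the sAMAccountName of the account the installer created; substitute the name from your own deployment.

```powershell
# Added example, not from the original article: confirm the account the
# Directory Sync tool runs under is not (and has not been) privileged.
# Assumptions: ActiveDirectory module; $syncAccount is the installer-created
# account; the account's DN needs no LDAP filter escaping.
Import-Module ActiveDirectory
$syncAccount = 'MSOL_AD_Sync'   # assumed name
$privileged  = 'Enterprise Admins','Domain Admins','Schema Admins',
               'Administrators','Account Operators','Backup Operators'

$acct = Get-ADUser -Identity $syncAccount `
            -Properties whenCreated, PasswordLastSet, PasswordNeverExpires, adminCount

# Nested membership via LDAP_MATCHING_RULE_IN_CHAIN, so a privileged group
# reached through an intermediate group is caught as well.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))" |
          Select-Object -ExpandProperty Name
$hits   = @($groups | Where-Object { $privileged -contains $_ })

[pscustomobject]@{
    Account              = $acct.SamAccountName
    Created              = $acct.whenCreated
    PasswordLastSet      = $acct.PasswordLastSet
    PasswordNeverExpires = $acct.PasswordNeverExpires
    # adminCount is set by AdminSDHolder once an account has been in a
    # protected group; a non-zero value here is a red flag even if the
    # account has since been removed from that group.
    AdminCount           = $acct.adminCount
    PrivilegedGroups     = ($hits -join ', ')
    AllGroups            = ($groups -join ', ')
}
if ($hits.Count -gt 0) {
    Write-Warning "$syncAccount is a member of privileged group(s): $($hits -join ', ')"
}
```

The Enterprise Admin credential used for the installation should be a separate, short-lived one; the point of the check is that nothing privileged lingers on the account the synchronization service keeps using afterwards.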


Capacity Planning


  • To implement the Directory Sync tool, you need to plan synchronization and database capacity. In most organizations, user objects make up the bulk of the synchronization payload and influence both synchronization times as well as the database sizing for your Directory Sync tool server.
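Counting the objects that make up that payload, per domain in the forest, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory module and read access to every domain. Disabled users are counted separately because they are a common candidate for filtering out of scope, which reduces both the payload and the number of dormant identities that end up in the cloud.

```powershell
# Added example, not from the original article: size the synchronization
# payload by object class, per domain, with disabled users broken out.
# Assumptions: ActiveDirectory module; read access to every domain.
Import-Module ActiveDirectory

$filters = [ordered]@{
    Users         = '(&(objectCategory=person)(objectClass=user))'
    DisabledUsers = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    Groups        = '(objectClass=group)'
    Contacts      = '(objectClass=contact)'
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    $row = [ordered]@{ Domain = $domain }
    foreach ($name in $filters.Keys) {
        # -Server targets the domain; the default search base is its root.
        $row[$name] = @(Get-ADObject -Server $domain -LDAPFilter $filters[$name]).Count
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

$total    = ($report | ForEach-Object { $_.Users + $_.Groups + $_.Contacts } | Measure-Object -Sum).Sum
$disabled = ($report | Measure-Object -Property DisabledUsers -Sum).Sum
"Objects in scope: $total (of which $disabled are disabled users you may choose to filter)"
```

Use the totals to decide whether the database edition installed with the tool is adequate and to estimate initial synchronization time; re-run the count after you have applied any filtering so the figures reflect what will actually be synchronized.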


Two-Way Synchronization


  • Two-way synchronization (write-back) is required if your organization plans to take advantage of Office 365 features and functionality, such as online archiving, configuring safe and blocked senders, and cloud voice mail. Write-back copies the necessary attributes from the Office 365 directory infrastructure to your on-premises Active Directory environment.



Write-back attributes and the functionality each enables:

  • Filtering coexistence: writes back on-premises filtering and online safe/blocked sender data from clients.
  • Online archive: enables your organization to archive email in Office 365.
  • Mailbox removal (proxyAddresses: the cloud mailbox's LegacyExchangeDN, also called onlineLegacyDN, is written back as an X500 address): enables your organization to move mailboxes from the cloud to your on-premises organization.
  • Unified Messaging (UM) online voice mail: enables you to integrate UM and Lync so that Lync on-premises knows the user has voice mail in Office 365. (This is a new attribute and can be used only for this integration.)
  • Enables users to manage other users' mailboxes.
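Because write-back means the Directory Sync tool writes into on-premises Active Directory, it is worth knowing exactly which attributes its account may write. The following added PowerShell example (not code from the original article) lists the attribute-level WriteProperty entries granted to that account at the domain root, resolving schema GUIDs to attribute names so that proxyAddresses, the attribute named above, can be picked out. It assumes the ActiveDirectory module, that $syncAccount is the domain\account the tool runs as, and that the entries were granted on the domain root (change $target if your deployment scoped them to an OU).

```powershell
# Added example, not from the original article: enumerate which attributes the
# sync account is allowed to write, so write-back scope can be verified.
# Assumptions: ActiveDirectory module; $syncAccount and $target as described.
Import-Module ActiveDirectory
$syncAccount = 'CONTOSO\MSOL_AD_Sync'                 # assumed
$target      = (Get-ADDomain).DistinguishedName       # where the ACEs were granted
$schemaNC    = (Get-ADRootDSE).schemaNamingContext

# schemaIDGUID -> lDAPDisplayName, so ACE ObjectType GUIDs become readable.
# (Property-set GUIDs such as "Public Information" are not attributes and
#  will resolve to blank; treat those as "a whole set of attributes".)
$attrName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $attrName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

$WriteProperty = 32    # System.DirectoryServices.ActiveDirectoryRights.WriteProperty
$acl    = Get-Acl -Path "AD:\$target"
$writes = $acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $syncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $WriteProperty) -ne 0
    } |
    ForEach-Object {
        [pscustomobject]@{
            Attribute   = if ($_.ObjectType -eq [guid]::Empty) { '<all properties>' } else { $attrName[$_.ObjectType] }
            Rights      = $_.ActiveDirectoryRights
            Inheritance = $_.InheritanceType
            AppliesTo   = if ($_.InheritedObjectType -eq [guid]::Empty) { '<all classes>' } else { $_.InheritedObjectType }
        }
    }
$writes | Format-Table -AutoSize

# Only direct ACEs for the account are shown; rights it inherits through
# group membership need the same check against those groups.
if ($writes | Where-Object { $_.Attribute -eq '<all properties>' }) {
    Write-Warning "$syncAccount has unscoped WriteProperty on $target; write-back needs only a small attribute set."
}
```

The expected result is a short list containing proxyAddresses and the other hybrid write-back attributes; an unscoped WriteProperty entry means a compromise of the synchronization server would give an attacker write access to far more of the directory than write-back requires.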


