How to Sync Active Directory to Office 365 or Google Apps

There are multiple ways of synchronizing accounts from your local Active Directory to Office 365. I prefer the simple and adjustable solution provided by a tool called ActivePasswords (keep it simple). In essence it is a password complexity management tool: it makes it possible to set up more dynamic password rules for user accounts, such as:

  • Minimum password length
  • Maximum password length
  • Maximum number of repeated characters (prevents a password like ‘Aaaaaaa1’)
  • Maximum number of consecutive ascending or descending characters (prevents ‘1234Cba’)
  • Minimum number of upper case letters
  • Minimum number of lower case letters
  • Minimum number of special characters (like @, %)
  • Disallow spaces
  • Does not contain any part of the username or of the user's first or last name
  • Does not contain any custom forbidden/illegal words
  • Does not contain any obfuscations/alterations of forbidden words or name
  • Validate the password against a regular expression (‘abC’ will pass ‘[a-z]b[A-Z]’; ‘abc’ won’t)
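As an added example (my own code, not ActivePasswords' implementation), here is a PowerShell validator that implements the rule types in the list above, so you can see exactly what each rule rejects. The parameter names, the defaults and the small leetspeak table used to catch obfuscations are my own assumptions; the sample passwords at the end are constructed for the demonstration.

```powershell
# Added example, not the product's code. Implements the rule types listed above.
function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName  = '',
        [string]$FirstName = '',
        [string]$LastName  = '',
        [int]$MinLength   = 8,
        [int]$MaxLength   = 64,
        [int]$MaxRepeated = 2,        # longest run of one character, e.g. 'aaa'
        [int]$MaxSequence = 3,        # longest ascending/descending run, e.g. '1234'
        [int]$MinUpper    = 1,
        [int]$MinLower    = 1,
        [int]$MinSpecial  = 1,
        [switch]$DisallowSpaces,
        [string[]]$ForbiddenWords = @(),
        [string]$Pattern = ''         # optional regex the password must match
    )

    $failures = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinLength) { $failures.Add("shorter than $MinLength characters") }
    if ($Password.Length -gt $MaxLength) { $failures.Add("longer than $MaxLength characters") }
    if ($DisallowSpaces -and $Password.Contains(' ')) { $failures.Add('contains a space') }

    # Character-class minimums. -creplace is case-sensitive; a plain -replace is not.
    if (($Password -creplace '[^A-Z]', '').Length -lt $MinUpper) { $failures.Add("fewer than $MinUpper upper-case letters") }
    if (($Password -creplace '[^a-z]', '').Length -lt $MinLower) { $failures.Add("fewer than $MinLower lower-case letters") }
    if (($Password -replace '[A-Za-z0-9\s]', '').Length -lt $MinSpecial) { $failures.Add("fewer than $MinSpecial special characters") }

    # Longest run of one character and longest +1/-1 sequence, compared case-insensitively
    # so that 'Aaaaaaa1' counts as seven repeated characters.
    $lower = $Password.ToLowerInvariant()
    $run = 1; $seq = 1; $maxRun = 1; $maxSeq = 1; $prevDiff = 0
    for ($i = 1; $i -lt $lower.Length; $i++) {
        $diff = [int][char]$lower[$i] - [int][char]$lower[$i - 1]
        $run = if ($diff -eq 0) { $run + 1 } else { 1 }
        if ([math]::Abs($diff) -eq 1) { $seq = if ($diff -eq $prevDiff) { $seq + 1 } else { 2 } } else { $seq = 1 }
        $prevDiff = $diff
        if ($run -gt $maxRun) { $maxRun = $run }
        if ($seq -gt $maxSeq) { $maxSeq = $seq }
    }
    if ($maxRun -gt $MaxRepeated) { $failures.Add("$maxRun repeated characters in a row") }
    if ($maxSeq -gt $MaxSequence) { $failures.Add("$maxSeq consecutive ascending/descending characters") }

    # Name parts and forbidden words, plus common obfuscations: map leetspeak substitutes
    # back to letters and drop punctuation before comparing (assumed substitution table).
    $norm = $lower -replace '0', 'o' -replace '[1!|]', 'i' -replace '3', 'e' -replace '[4@]', 'a' `
                   -replace '[5$]', 's' -replace '7', 't' -replace '[^a-z0-9]', ''
    $nameParts = (($UserName, $FirstName, $LastName) -join ' ') -split '[^A-Za-z]+'
    foreach ($word in ((@($ForbiddenWords) + $nameParts) | Where-Object { $_.Length -ge 3 } | Select-Object -Unique)) {
        $w = $word.ToLowerInvariant()
        if ($lower.Contains($w) -or $norm.Contains($w)) { $failures.Add("contains '$word' or an obfuscation of it") }
    }

    # Regex rule: -cnotmatch keeps it case-sensitive, so 'abC' passes '[a-z]b[A-Z]' and 'abc' does not.
    if ($Pattern -and ($Password -cnotmatch $Pattern)) { $failures.Add("does not match pattern $Pattern") }

    [pscustomobject]@{ Passed = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

# Constructed sample inputs:
Test-PasswordPolicy -Password 'Aaaaaaa1!'                                   # fails: 7 repeated characters
Test-PasswordPolicy -Password '1234Cba!'                                    # fails: sequence '1234'
Test-PasswordPolicy -Password 'J0hn$m1th99' -UserName 'jsmith' -FirstName 'John' -LastName 'Smith'   # fails: obfuscated name
Test-PasswordPolicy -Password 'abc' -Pattern '[a-z]b[A-Z]' -MinLength 3 -MinUpper 0 -MinSpecial 0     # fails: regex
Test-PasswordPolicy -Password 'Tr0ub4dor&Horse!' -UserName 'jsmith' -ForbiddenWords 'password','company'   # passes
```

One detail worth noting when you write rules of this kind in PowerShell: `-match` and `-replace` are case-insensitive by default, so the regex rule and the upper/lower-case counts only behave as the list above describes if you use the `-c` variants.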

Because it captures password change events and queries your AD for changes, it can be extended to act as a customizable Office 365 account and group sync tool.

Setup is quite easy:

  1. Install the following Microsoft Office 365 PowerShell add-ons on each domain controller (these are just libraries for use from PowerShell):
    • Microsoft Online Services Sign-In Assistant for IT Professionals
    • Azure Active Directory Module for Windows PowerShell
    • Windows Management Framework 4
  2. Install ActivePasswords.msi on each domain controller
  3. Disable the added scheduled task “ActivePasswordsAdQuery” on all domain controllers except ONE
  4. Create a new ActivePasswords group policy object at the Domain Controllers OU.
  5. Configure the new policy by entering your license and the User Sync Folder (%windir%\wsap\sync) under Computer Configuration / Administrative Templates / ActivePasswords / Common Settings
  6. Set up "Password Settings 1" to your liking
  7. Copy c:\windows\wsap\sync\-o365sync.ps1, edit the copy in Notepad to include your Office 365 administration credentials, and remove the "-" file name prefix to enable the script. This script does the work of changing your Office 365 accounts and groups according to the changes that occurred in your AD. Keep in mind that the script then holds Office 365 administrator credentials on a domain controller: restrict the file's ACL to the account that runs the scheduled task, and prefer storing the credential with Export-Clixml (which protects the password with DPAPI for that account on that machine) over typing it into the script in clear text.

The results:

  • Create related Office 365 user when a new AD user is created
  • Adds an e-mail alias for every available Office 365 domain automatically
  • Changes to an AD group (adding or removing users) are synced to Office 365 security or distribution groups
  • Sync AD user password changes to the related Office 365 account within 5 minutes
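To make step 7 and the results above concrete, here is an added example of one pass of such a sync step. It is my own code, not the -o365sync.ps1 that ships with ActivePasswords, and it uses the MSOnline cmdlets that the Azure Active Directory Module installed in step 1 provides. Because the page does not document the tool's sync folder format, the record format (one JSON object per file with Event, SamAccountName, DisplayName, GivenName, Surname, Password and GroupName fields), the credential file location and the tenant domain are assumptions made for the example.

```powershell
# Added example, not the script shipped with ActivePasswords. Applies constructed
# change records from the User Sync Folder to Office 365 with MSOnline cmdlets.
#Requires -Modules MSOnline
param(
    [string]$SyncFolder  = "$env:windir\wsap\sync",
    [string]$CredFile    = "$env:windir\wsap\o365admin.cred",   # assumed path
    [string]$CloudDomain = 'example.onmicrosoft.com'              # assumed tenant domain
)
$ErrorActionPreference = 'Stop'   # make cmdlet failures terminating so the catch below sees them

# Store the admin credential once, interactively, as the account that runs the
# scheduled task:  Get-Credential | Export-Clixml $CredFile
# Export-Clixml encrypts the password with DPAPI for that user on that machine,
# so the script itself never contains a clear-text admin password.
if (-not (Test-Path -Path $CredFile)) {
    throw "No credential file. Run as the task account: Get-Credential | Export-Clixml '$CredFile'"
}
Connect-MsolService -Credential (Import-Clixml -Path $CredFile)

function Get-GroupId([string]$Name) {
    # SearchString is a prefix match, so filter to the exact display name.
    $g = Get-MsolGroup -SearchString $Name | Where-Object { $_.DisplayName -eq $Name }
    if (-not $g) { throw "group '$Name' not found in Office 365" }
    $g.ObjectId
}

foreach ($file in Get-ChildItem -Path $SyncFolder -Filter '*.json' -File | Sort-Object LastWriteTime) {
    $rec = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
    $upn = '{0}@{1}' -f $rec.SamAccountName, $CloudDomain
    try {
        switch ($rec.Event) {
            'UserCreated' {
                if (-not (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue)) {
                    New-MsolUser -UserPrincipalName $upn -DisplayName $rec.DisplayName `
                        -FirstName $rec.GivenName -LastName $rec.Surname `
                        -Password $rec.Password -ForceChangePassword $false | Out-Null
                }
            }
            'PasswordChanged' {
                # Push the AD password so the cloud account follows the on-premises change.
                Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $rec.Password `
                    -ForceChangePassword $false | Out-Null
            }
            'GroupMemberAdded' {
                $user = Get-MsolUser -UserPrincipalName $upn
                Add-MsolGroupMember -GroupObjectId (Get-GroupId $rec.GroupName) `
                    -GroupMemberObjectId $user.ObjectId -GroupMemberType User
            }
            'GroupMemberRemoved' {
                $user = Get-MsolUser -UserPrincipalName $upn
                Remove-MsolGroupMember -GroupObjectId (Get-GroupId $rec.GroupName) `
                    -GroupMemberObjectId $user.ObjectId -GroupMemberType User
            }
            default { throw "unknown event '$($rec.Event)'" }
        }
        # Records carry the new password in clear text: delete them once applied,
        # never archive them, and keep the sync folder's ACL limited to the task account.
        Remove-Item -Path $file.FullName -Force
    } catch {
        # Leave the file in place so the next scheduled run retries it.
        Write-Warning "$($file.Name): $($_.Exception.Message)"
    }
}
```

Two things the example deliberately leaves out. Adding the e-mail aliases for each domain is done on the mailbox, not the MSOnline user object, so it needs an Exchange Online remote PowerShell session and Set-Mailbox -EmailAddresses @{Add=...} rather than anything in the MSOnline module. And because a change record is a file that contains a user's new password, the folder it lives in deserves the same protection as the credential file: only the scheduled task's account should be able to read it, and records should be removed, not kept, after they are applied.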

Since the tool is transparent about what is going on at all times, it is relatively easy to add new features or to see where things go wrong. Best of all, it works with other services such as Google Apps too, and it is possible to sync to multiple cloud services at once.



About Stoomkracht

Scripter, programmer, Windows administrator, network/wifi engineer, thinker
