There are multiple ways of accomplishing account synchronization from your local Active Directory to Office 365. I prefer the simple and adjustable solution provided by a tool called ActivePasswords (KISS). In essence it’s a password complexity management tool. It makes it possible to set up more dynamic password rules for user accounts. Things like:
- Minimum password length
- Maximum password length
- Maximum number of repeated characters (prevents a password like ‘Aaaaaaa1’)
- Maximum number of consecutive ascending or descending characters (prevents ‘1234Cba’)
- Minimum number of upper case letters
- Minimum number of lower case letters
- Minimum number of special characters (like @, %)
- Disallow spaces
- Does not contain any part of the username or user first or last name
- Does not contain any custom forbidden/illegal words
- Does not contain any obfuscations/alterations of forbidden words or name
- Validate the password against a regular expression (‘abC’ will pass ‘[a-z]b[A-Z]’; ‘abc’ won’t)
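The rule types above, written out as one PowerShell function so you can see what each setting rejects on sample input. This is an added example, not ActivePasswords code: the thresholds, the leet-speak substitution table used for the obfuscation check, and the sample passwords are all my own assumptions.

```powershell
# Added example (not ActivePasswords code): the rule types listed above as one
# function. Default thresholds and the leet-speak map are assumptions.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '', [string]$FirstName = '', [string]$LastName = '',
        [int]$MinLength = 8, [int]$MaxLength = 64,
        [int]$MaxRepeated = 2,      # 'aa' passes, 'aaa' fails
        [int]$MaxSequence = 3,      # '123' or 'cba' passes, '1234' fails
        [int]$MinUpper = 1, [int]$MinLower = 1, [int]$MinSpecial = 1,
        [switch]$DisallowSpaces,
        [string[]]$ForbiddenWords = @(),
        [string]$Pattern = ''       # optional regex, matched case-sensitively
    )
    $failures = New-Object System.Collections.Generic.List[string]
    $chars = $Password.ToCharArray()

    if ($Password.Length -lt $MinLength) { $failures.Add("shorter than $MinLength characters") }
    if ($Password.Length -gt $MaxLength) { $failures.Add("longer than $MaxLength characters") }
    if ($DisallowSpaces -and $Password.Contains(' ')) { $failures.Add('contains a space') }

    # Character-class minimums; "special" means anything that is not a letter or digit
    if (@($chars | Where-Object { [char]::IsUpper($_) }).Count -lt $MinUpper) { $failures.Add("fewer than $MinUpper upper-case letters") }
    if (@($chars | Where-Object { [char]::IsLower($_) }).Count -lt $MinLower) { $failures.Add("fewer than $MinLower lower-case letters") }
    if (@($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count -lt $MinSpecial) { $failures.Add("fewer than $MinSpecial special characters") }

    # Longest run of identical characters ('Aaaaaaa1') and of +1/-1 neighbours ('1234Cba')
    $maxRepeat = 1; $maxSeq = 1; $repeat = 1; $seq = 1; $dir = 0
    for ($i = 1; $i -lt $chars.Length; $i++) {
        $repeat = if ($chars[$i] -ceq $chars[$i - 1]) { $repeat + 1 } else { 1 }
        $d = [int]$chars[$i] - [int]$chars[$i - 1]
        if ([math]::Abs($d) -eq 1) { $seq = if ($d -eq $dir) { $seq + 1 } else { 2 }; $dir = $d }
        else { $seq = 1; $dir = 0 }
        $maxRepeat = [math]::Max($maxRepeat, $repeat)
        $maxSeq = [math]::Max($maxSeq, $seq)
    }
    if ($maxRepeat -gt $MaxRepeated) { $failures.Add("$maxRepeat identical characters in a row (max $MaxRepeated)") }
    if ($maxSeq -gt $MaxSequence) { $failures.Add("$maxSeq consecutive ascending/descending characters (max $MaxSequence)") }

    # Name parts, forbidden words, and leet-speak obfuscations of them ('J0hnD03' -> 'johndoe')
    $leet = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    $normalized = -join ($chars | ForEach-Object { $c = [string]$_; if ($leet.ContainsKey($c)) { $leet[$c] } else { $c.ToLower() } })
    $words = @($UserName, $FirstName, $LastName) + $ForbiddenWords | Where-Object { $_.Length -ge 3 }
    foreach ($w in $words) {
        if ($Password.IndexOf($w, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { $failures.Add("contains '$w'") }
        elseif ($normalized.Contains($w.ToLower())) { $failures.Add("contains an obfuscated form of '$w'") }
    }

    # -cnotmatch keeps the check case-sensitive, so '[a-z]b[A-Z]' accepts 'abC' but not 'abc'
    if ($Pattern -and $Password -cnotmatch $Pattern) { $failures.Add("does not match /$Pattern/") }

    [pscustomobject]@{ Password = $Password; Passes = ($failures.Count -eq 0); Failures = ($failures -join '; ') }
}

# Constructed sample input: one password per rule family, plus one that passes
'Aaaaaaa1!', '1234Cba!x', 'P@ssw0rd', 'J0hnD03!x', 'Correct-Horse7Q' | ForEach-Object {
    Test-PasswordPolicy -Password $_ -UserName 'jdoe' -FirstName 'John' -LastName 'Doe' `
        -ForbiddenWords 'password', 'contoso' -DisallowSpaces
} | Format-Table -AutoSize
```

Run it in any PowerShell 3+ session; it needs no module. The first four sample passwords fail on repeated characters, the ascending run, the obfuscated forbidden word and the obfuscated name respectively, and the last one passes.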
Since it captures password change events and queries your AD for changes it can be extended to act as a customizable Office 365 account and groups sync tool.
Setup is quite easy:
- Install the following MS Office365 PowerShell addons on each domain controller (which are just libraries for PowerShell usage):
  - Microsoft Online Services Sign-In Assistant for IT Professionals
  - Azure Active Directory Module for Windows PowerShell
  - Windows Management Framework 4
- Install ActivePasswords.msi on each domain controller
- Disable the added scheduled task “ActivePasswordsAdQuery” on all domain controllers except ONE
- Create a new ActivePasswords group policy object at the Domain Controllers OU.
- Configure the new policy by entering your license and User Sync Folder (%windir%\wsap\sync) at Computer Configuration/Administrative Templates/ActivePasswords/Common Settings
- Setup “Password Settings 1” to your liking
- Copy & paste c:\windows\wsap\sync\-o365sync.ps1 and edit the file in Notepad to include your Office 365 administration credentials. Remove the "-" file name prefix to enable the script. This script does the work of changing your Office 365 accounts and groups depending on what changes occurred in your AD network:
  - Creates the related Office 365 user when a new AD user is created
  - Adds an e-mail alias for all available Office 365 web domains automatically
  - Syncs changes to an AD group (adding or removing users) to Office 365 security or distribution groups
  - Syncs AD user password changes to the related Office 365 account within 5 minutes
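To make concrete what such a sync script has to do, here is an added example of my own, not the tool's o365sync.ps1. It handles three of the event kinds above (new user, group membership change, password change) with the MSOnline cmdlets installed by the Azure AD module listed earlier. The change records are constructed for the example; the tool's own record format in the User Sync Folder is not reproduced, the credential file path and tenant domain are placeholders, and the e-mail alias step is left out because mailbox aliases are set through the Exchange Online cmdlets rather than MSOnline. The credential is loaded from an Export-Clixml file instead of being typed into the script, which is my choice, not the tool's.

```powershell
# Added example, not ActivePasswords' own o365sync.ps1. Change records, paths,
# tenant domain and group names below are constructed placeholders.

# Credential file, created once by the account that runs the scheduled task:
#   Get-Credential | Export-Clixml "$env:windir\wsap\sync\o365.cred"
# Export-Clixml encrypts the password with DPAPI for that user on that machine,
# so the admin password does not sit in clear text inside the script itself.
$cred = Import-Clixml "$env:windir\wsap\sync\o365.cred"   # path is an assumption
Connect-MsolService -Credential $cred
$tenantDomain = 'contoso.onmicrosoft.com'                 # placeholder

function Sync-O365Change {
    param([Parameter(Mandatory)][pscustomobject]$Change)
    $upn = "$($Change.SamAccountName)@$tenantDomain"
    try {
        switch ($Change.Type) {
            'UserCreated' {
                New-MsolUser -UserPrincipalName $upn -DisplayName $Change.DisplayName `
                    -FirstName $Change.GivenName -LastName $Change.Surname `
                    -Password $Change.Password -ForceChangePassword $false | Out-Null
            }
            'PasswordChanged' {
                Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $Change.Password `
                    -ForceChangePassword $false | Out-Null
            }
            { $_ -in 'GroupMemberAdded', 'GroupMemberRemoved' } {
                # Resolve both sides to their Office 365 object ids first; fail loudly if either is missing
                $group = Get-MsolGroup -SearchString $Change.GroupName | Select-Object -First 1
                $user  = Get-MsolUser -UserPrincipalName $upn
                if (-not $group -or -not $user) { throw "group '$($Change.GroupName)' or user '$upn' not found" }
                $member = @{ GroupObjectId = $group.ObjectId; GroupMemberType = 'User'; GroupMemberObjectId = $user.ObjectId }
                if ($Change.Type -eq 'GroupMemberAdded') { Add-MsolGroupMember @member } else { Remove-MsolGroupMember @member }
            }
            default { throw "unknown change type '$($Change.Type)'" }
        }
        "$(Get-Date -Format s) OK   $($Change.Type) $upn"
    } catch {
        # One failed record must not stop the others; the log line shows what went wrong
        "$(Get-Date -Format s) FAIL $($Change.Type) $upn : $($_.Exception.Message)"
    }
}

# Constructed change records: a new user joins a group and later changes password
$changes = @(
    [pscustomobject]@{ Type = 'UserCreated'; SamAccountName = 'jdoe'; GivenName = 'John'; Surname = 'Doe'; DisplayName = 'John Doe'; Password = 'Correct-Horse7Q' },
    [pscustomobject]@{ Type = 'GroupMemberAdded'; SamAccountName = 'jdoe'; GroupName = 'Sales' },
    [pscustomobject]@{ Type = 'PasswordChanged'; SamAccountName = 'jdoe'; Password = 'Battery-Staple9Z' }
)
foreach ($c in $changes) {
    $line = Sync-O365Change -Change $c
    $line
    Add-Content -Path "$env:windir\wsap\sync\o365sync.log" -Value $line   # keeps each run inspectable afterwards
}
```

Each record produces one OK or FAIL line with a timestamp, on screen and in the log file, which is what makes a sync like this easy to audit when an account does not show up as expected.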
Since the tool is transparent about what is going on at all times, it’s relatively easy to add new features or see where things go wrong. Best of all: it works with other services like Google Apps too. It’s possible to sync to multiple cloud services at once.