Created by Aaron Whittaker. Not to be reproduced without prior permission.
What do you do if you have ‘In Cloud’ identities that you wish to link to managed Active Directory user accounts? You can perform an SMTP soft match as described in this Microsoft article here.
Before we give this a go, let’s look at why you need to be a Domain Administrator and a Schema admin.
The installer affects these security groups:
- Schema Admins
- Enterprise Admins
- Cert Publishers
- Domain Admins
- Account Operators
- Print Operators
- Administrators (domain local)
- Server Operators
- Backup Operators
DC: It installs an Active Directory group called MSOL_AD_Sync_RichCoexistence. Inside the group it adds a user that it creates called MSOL_XXXX. (I have two because I didn’t uninstall a previous DirSync install; the old one can be deleted.)
DirSync: To change the OU filters, open the MIISClient, select Management Agents, right-click the Active Directory Connector, choose Properties, then Configure Directory Partitions, then Containers. Remove the MSOL user account from the credentials prompt and enter your own FIMAdmin credentials (these are only used to browse the containers; they do not replace the MSOL account). You can see here that I have filtered out unnecessary OUs from my Active Directory sync (only the test OU is selected).
Let’s look at my new ‘In Cloud’ user, Bruce Wayne, in Office 365.
Here you can see his email address of Bruce@bnehyperv.onmicrosoft.com.
DC: Back in Active Directory I have a new user. I want this Active Directory password and UPN to be the same in Office 365, linking the two accounts.
DC: After the user account is created, add the email address (the username/email address from Office 365) to the mail properties of the Active Directory user object (Exchange does not need to be installed and no schema extensions are required).
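The same attribute change done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module is available on the DC and uses a placeholder sAMAccountName (bwayne); the address is the one shown for Bruce above. Soft match compares the cloud user’s primary SMTP address with the on-premises mail/proxyAddresses values, so both are set and then read back before the sync is run.

```powershell
# Added example, not from the original post.
# Assumptions: sAMAccountName 'bwayne' is a placeholder; the address is Bruce's from the post.
Import-Module ActiveDirectory

$samAccountName = 'bwayne'
$cloudAddress   = 'Bruce@bnehyperv.onmicrosoft.com'

# Read the current values first so the primary SMTP address is not added twice.
$user = Get-ADUser -Identity $samAccountName -Properties mail, proxyAddresses

# mail attribute: the value shown on the user's Email field in ADUC.
if ($user.mail -ne $cloudAddress) {
    Set-ADUser -Identity $samAccountName -EmailAddress $cloudAddress
}

# proxyAddresses: upper-case 'SMTP:' marks the primary address, which is what soft match uses.
if ($user.proxyAddresses -notcontains "SMTP:$cloudAddress") {
    Set-ADUser -Identity $samAccountName -Add @{ proxyAddresses = "SMTP:$cloudAddress" }
}

# Check before syncing: mail and the primary SMTP proxy address should agree with the
# address of the 'In Cloud' user, otherwise DirSync will create a second object instead.
Get-ADUser -Identity $samAccountName -Properties mail, proxyAddresses, userPrincipalName |
    Select-Object sAMAccountName, userPrincipalName, mail, proxyAddresses
```

Run this on the DC as an account allowed to write the user object; the read-back at the end is the check worth doing before every sync, since a mismatch here is what produces the doubled identity described later in the post.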
Now we are set up and ready for a sync.
DirSync: This error shouldn’t be ignored, as the sync did fail. There are two reasons a manual sync would fail: you turned the DirSync services off, or you are not in the FIMAdmins group. I also could not open the MIISClient, as shown below.
DirSync: After adding my user to the FIMAdmins group, and logging off and on I could proceed with the sync.
DirSync: Here you can see the successful ‘1 Add’, and you can drill down and see the synced user that was written (Bruce Wayne).
Now let’s check the user in Office 365.
We can see the user is now ‘Synced with Active Directory’. Bruce’s username and password are now exactly the same as on-prem (you may need to change your AD UPNs to a publicly routable domain name; I skipped this step in my lab).
This should be implemented with caution and after testing. Doubling the identities in Office 365 would not be a good situation to be in.
“That’s great but my ‘In Cloud’ identities are completely different to my Active Directory user accounts.”
Let’s link 2 different user accounts together. My new ‘In Cloud’ user is Able Alf. He has an email address of firstname.lastname@example.org.
I have added a new user called Barry Black. I have added the email address email@example.com to Barry’s Active Directory user account.
Here you can see Barry’s user account’s UPN. This is different to Able’s Office 365 UPN.
I started another sync. Now you can see that the Office 365 user account has changed display name and password. The username is the only thing that remains the same. This can also be verified through PowerShell.
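The PowerShell verification mentioned above, as an added example that is not part of the original post. It uses the MSOnline module and assumes you connect as an Office 365 admin; the UPN is Bruce’s from earlier in the post and is the only value you need to swap for the Able/Barry case. Once a soft match has succeeded the cloud object carries an ImmutableId from the on-premises object and is matched by that from then on, so an empty ImmutableId means the account is still ‘In Cloud’. The last check looks for the doubled-identity situation the post warns about.

```powershell
# Added example, not from the original post.
# Assumptions: MSOnline module installed; UPN below is Bruce's from the post.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

$upn  = 'Bruce@bnehyperv.onmicrosoft.com'
$user = Get-MsolUser -UserPrincipalName $upn

# ImmutableId is populated once the account is linked to the on-premises object;
# LastDirSyncTime shows the sync run that wrote it.
$user | Select-Object UserPrincipalName, DisplayName, ImmutableId, LastDirSyncTime

if ([string]::IsNullOrEmpty($user.ImmutableId)) {
    Write-Warning "$upn is still an 'In Cloud' account; it has not been linked to Active Directory."
}

# Doubled-identity check: if more than one cloud user carries this primary SMTP address,
# the soft match did not happen and DirSync created a new object instead of linking.
$matches = @(Get-MsolUser -All | Where-Object { $_.ProxyAddresses -contains "SMTP:$upn" })
if ($matches.Count -gt 1) {
    Write-Warning ("Multiple Office 365 users carry SMTP:{0}: {1}" -f $upn, ($matches.UserPrincipalName -join ', '))
}
```

Running this after each test sync gives you the ‘linked or duplicated’ answer without opening the portal, which is the test the post recommends doing before implementing this for real.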
Any comments are welcome!