Manage Office365 Via PowerShell (Step 1. Connect to Office365)

Microsoft’s Software as a Service (SaaS) offering is a set of different components, which I like to call building blocks, that sit on top of what is called Office365.
The basic components are:

  1. Office365 (Main Component to manage Domains, Users, Licenses, etc)
    1. Exchange Online
    2. SharePoint Online
    3. Skype for Business
    4. Office ProPlus
    5. Yammer

In this particular guide, we will connect to Office365 (the main building block) via PowerShell, where we will be able to automate license assignment, manage our domains or change the login names of our users.

To connect to Office we just need to follow three basic steps:

  1. Install the required software:
  2. Open the Windows Azure Active Directory Module: Search for the Windows Azure Active Directory Module for Windows PowerShell
  3. Connect to your Office365 Tenant:

      $UserCredential = Get-Credential
      Connect-MsolService -Credential $UserCredential

After running the last command you will see no response. Therefore, I suggest you request some information from the Office365 servers to confirm the connection. For instance, you can run Get-MsolAccountSku to return your current Office365 subscriptions.
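The connect-then-verify sequence above as a script. This is an added example, not code from the original post; the function name Test-MsolSession is hypothetical, and it assumes the MSOnline module from step 1 is installed.

```powershell
# Added example: connect to the tenant and confirm the session really works.
# Assumes the MSOnline module (step 1) is installed on this machine.
Import-Module MSOnline -ErrorAction Stop

# Hypothetical helper name, not part of the MSOnline module.
function Test-MsolSession {
    # Connect-MsolService prints nothing on success, so make one cheap read
    # call and treat any error as "not connected".
    try {
        Get-MsolAccountSku -ErrorAction Stop
    }
    catch {
        Write-Warning "Not connected to Office365: $($_.Exception.Message)"
        $null
    }
}

# Prompt interactively; do not hard-code the password in the script.
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential -ErrorAction Stop

$skus = Test-MsolSession
if (-not $skus) {
    # Also reached when the tenant has no subscriptions at all.
    throw "Connection check failed; stopping before any change is made."
}

# One row per subscription, with the licenses still free to assign.
$skus |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
        @{ Name = 'Available'; Expression = { $_.ActiveUnits - $_.ConsumedUnits } } |
    Format-Table -AutoSize
```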

 

Interested in deploying multi-factor authentication for your business? It is now part of Office 365

Multi-factor authentication is now part of Office 365 and available for all users. Any of the following may be used for the second factor of authentication.

  1. Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  2. Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
  3. Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
  4. Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
  5. Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.

For more information about Multi-Factor Authentication for Office 365, please read the TechNet article Multi-Factor Authentication for Office 365.

How to filter Active Directory attributes with Windows Azure Active Directory Sync tool

I ran into a customer this week that had a requirement to partially synchronize certain users’ attributes to the cloud due to security concerns, without interrupting or degrading the service.

I found the following three filtering configuration types that can be applied to the Directory Synchronization tool (TechNet article: http://technet.microsoft.com/en-us/library/jj710171.aspx):

  • Organizational-unit (OU)–based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.
  • Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.
  • User-attribute–based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.

However, I could not find any information about how to filter some attributes and partially synchronize the objects. After some testing, I found there is an easy way to accomplish that.

Thought of writing the step-by-step process, which might be helpful for some of you.

1. After installing the Windows Azure Active Directory Sync tool, on your DirSync server navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
2. Double-click miisclient.exe
3. This opens a console similar to the screen capture below

image002

4. Click on Management Agents
5. Double click on Active Directory Connector (see next screenshot)
6. Click on Configure Extensions (see next screenshot)
7. Search for the attributes that you are not interested in synchronizing and click delete (see next screenshot) – You may re-add the attribute if needed.

image004

8. Perform a full sync

  • On the Management Agent tab, right-click Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
  • Right-click Windows Azure Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
  • Right-click Windows Azure Active Directory Connector, click Run, click Export, and then click OK.

9. You can also force run DirSync using the following PowerShell command.

  • From your dirsync server open PowerShell console as Administrator
  • Navigate to “C:\Program Files\Microsoft Online Directory Sync”
  • Run .\DirSyncConfigShell.psc1
  • Now execute the Start-OnlineCoexistenceSync cmdlet.

10. Verify from Office365 user management that only the filtered users’ attributes are populated to Office365.
Note: It is very important to remember that filtering configurations applied to your directory synchronization instance aren’t saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.
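
Step 10 can also be checked from PowerShell, which is useful to repeat after an upgrade once the filter has been re-applied. This is an added example, not part of the original post: the function name Get-LeakedAttribute is hypothetical, and the attribute names in $FilteredAttributes are placeholders to replace with the ones you deleted in step 7, written as Get-MsolUser property names.

```powershell
# Added example: confirm that the filtered attributes are empty in Office365.
Import-Module MSOnline -ErrorAction Stop

# Hypothetical helper: one row per (user, attribute) that still has a value.
function Get-LeakedAttribute {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $Attributes
    )
    foreach ($user in $Users) {
        foreach ($name in $Attributes) {
            $value = $user.$name
            if (-not [string]::IsNullOrWhiteSpace([string]$value)) {
                [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    Attribute         = $name
                    LastDirSyncTime   = $user.LastDirSyncTime
                }
            }
        }
    }
}

# Placeholders (assumption): use the properties that match the attributes
# removed from the Active Directory Connector in step 7.
$FilteredAttributes = 'MobilePhone', 'Department'

Connect-MsolService -Credential (Get-Credential) -ErrorAction Stop

# -Synchronized limits the check to accounts that come from DirSync.
$synced = @(Get-MsolUser -All -Synchronized)
$leaks  = @(Get-LeakedAttribute -Users $synced -Attributes $FilteredAttributes)

if ($leaks.Count -eq 0) {
    "No filtered attribute is populated on $($synced.Count) synchronized users."
}
else {
    # Report names only; the values are what the filter is meant to keep out.
    $leaks | Sort-Object UserPrincipalName | Format-Table -AutoSize
}
```

Run it after the full sync and export in step 8 have finished, so that LastDirSyncTime reflects the filtered configuration.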
