New Azure Active Directory Sync tool with Password Sync is now available
This release adds a capability that has generated a lot of interest with my customers going with Office 365 Education. I have put together a quick FAQ to help with this.
What is Azure Active Directory Dirsync with Password Sync?
Formerly known as Dirsync, this tool has been updated to synchronize local Active Directory passwords to Azure Active Directory, in addition to syncing users, groups and contacts. This new feature allows Same Sign In with Microsoft cloud services such as Office 365 Education, which is powered by Azure Active Directory, since the username and the password from local AD will be synced up to Azure AD. See here on TechNet for more details.
Where can I get the new Dirsync with Password sync bits?
You can grab the latest version of Dirsync here, or it is available in the Office 365 portal under ‘Users’ and then Dirsync.
What version of Dirsync has Dirsync with Password sync?
Dirsync with password sync is available in version 1.0.6385.12 or newer.
How can I quickly tell if I have the right version downloaded?
The first way you can tell is by size: the new file is about 183 MB or more, whereas the older version is 99 MB. The other way you can tell is by the icon: the application icon should be our new Windows logo with the four blue squares. The final way to confirm is to hover over the Dirsync download and check the version shown; the version that includes password sync is the one listed above (1.0.6385.12) or later:
Note: I renamed the default ‘dirsync’ filename since I already had the older dirsync in the same directory.
What do I need to do to replace my older dirsync?
You do have to remove the existing installation of Dirsync prior to installing the new version with password sync.
You don’t need to remove other components such as SIA or SQL Express; I left everything else in place. Here is the setup I did on an existing Dirsync server:
1) Important: If using ADFS with federated ID, you must first convert your domain namespace to managed ID PRIOR to installing and running Dirsync with password sync. See steps below under “What if I am federated…”
2) Remove existing Dirsync application from control panel.
3) I took screenshots of the rest:
What if I am federated and using ADFS and want to switch to Dirsync with Password Sync?
You will need to convert your domain from federated to managed using the Azure AD cmdlet below (note: the original post had the parameter dashes mangled into en-dashes; they are plain hyphens):
Convert-MsolDomainToStandard -DomainName foo.edu -SkipUserConversion $false -PasswordFile c:\password.txt
See here on TechNet for more details. Note: the password file is where the temporary passwords for all converted users are written.
How can I tell if it is configured correctly for Dirsync with Password Sync?
You should see event IDs 656 and 657 in your Application event log, which show that it is syncing the password hash to the cloud.
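The two checks above (the minimum version from the download question and the 656/657 events from this one) can be scripted on the Dirsync server. This is an added example, not code from the original post; the uninstall-key lookup, the "*Directory Sync*" display-name match and the "*Directory Synchronization*" event provider match are assumptions, so adjust them if your installation names differ.

```powershell
# Added verification script (not from the original post).
# Assumptions, labelled: the product's DisplayName in the Uninstall keys contains
# "Directory Sync", and the Application-log provider for password sync contains
# "Directory Synchronization". Event IDs 656/657 and version 1.0.6385.12 are from the post.

$MinimumVersion = [Version]'1.0.6385.12'   # first version with password sync (from the post)

function Test-DirSyncVersion {
    # Read the installed version from the Uninstall registry keys (avoids the slow Win32_Product class)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Directory Sync*' } |   # assumed display name
           Select-Object -First 1
    if (-not $app) {
        return [pscustomobject]@{ Installed = $false; Version = $null; MeetsMinimum = $false }
    }
    $installed = [Version]$app.DisplayVersion
    [pscustomobject]@{ Installed = $true; Version = $installed; MeetsMinimum = ($installed -ge $MinimumVersion) }
}

function Get-PasswordSyncEvents {
    param([int]$Hours = 24)
    # 656 = password sync attempt, 657 = result, both written to the Application log
    $filter = @{ LogName = 'Application'; Id = 656, 657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Directory Synchronization*' } |   # assumed provider
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$version = Test-DirSyncVersion
if (-not $version.Installed)      { Write-Warning 'Dirsync does not appear to be installed.' }
elseif (-not $version.MeetsMinimum) { Write-Warning "Dirsync $($version.Version) is older than $MinimumVersion; password sync is not available." }
else                               { Write-Output "Dirsync $($version.Version) supports password sync." }

$events = @(Get-PasswordSyncEvents -Hours 24)
if ($events.Count -eq 0) {
    Write-Warning 'No event 656/657 entries in the last 24 hours; password sync may not be running.'
} else {
    Write-Output "Found $($events.Count) password sync events in the last 24 hours:"
    $events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the Dirsync server; a 656 without a following 657 (or a 657 whose first message line reports a failure) is the condition worth investigating with the troubleshooting KB article linked below.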
What are the advantages of Dirsync with Password Sync vs. ADFS?
There are a few advantages of using Dirsync with Password Sync over using ADFS 2.1 with Dirsync:
1) A single server is needed vs. redundant and scaled out ADFS servers.
2) No dependency on on-prem hardware or the data center: if the Dirsync with Password Sync server dies, just replace it. There is no impact on accessing cloud services during an on-prem outage, because the identity is a managed identity in Azure AD rather than a federated identity using ADFS 2.1.
3) No complex ADFS architectures: no ADFS proxies, load balancers or certificate management are required. It keeps the deployment less complex, with fewer moving parts.
What are the disadvantages of Dirsync with Password Sync vs. ADFS?
ADFS 2.1 with federated login provides true Single Sign On (SSO) with Office 365, whereas Dirsync with Password Sync allows for Same Sign On, which means users will be prompted for credentials when accessing Office 365 even in domain-joined scenarios. ADFS 2.1 also allows for better access control based on IPs, etc.
Where can I find more information on troubleshooting Dirsync with Password Sync?
There is an excellent KB article here to help you.