
Prepare to provision users through directory synchronization to Office 365


Applies to: Office 365 Enterprise

Topic Last Modified: 2014-08-26

Summary: Describes how to prepare to provision users to Office 365 by using directory synchronization and the long-term benefits of using this method.

Provisioning users with directory synchronization requires more planning and preparation than simply managing your organizational accounts directly in Office 365. The additional planning and preparation tasks are required to ensure that your on-premises Active Directory Domain Services (AD DS) synchronizes properly to Azure Active Directory. The added benefits to your organization include the following:

  • Reducing the administrative programs in your organization

  • Enabling single sign-on scenarios

  • Automating account changes in Office 365

For more information about the advantages of using directory synchronization, see Directory synchronization roadmap.

Before you install the Azure Active Directory Sync tool and begin synchronizing your directory, you need to clean up your directory as described in this topic.

Warning:
If you don’t perform directory cleanup before you synchronize, there can be a significant negative effect on the deployment process. It might take days, or even weeks, to go through the cycle of directory synchronization, identifying errors, and re-synchronization.

In your on-premises directory, do the following clean-up tasks:

  • Ensure that each user who will be assigned Office 365 service offerings has a valid and unique email address in the proxyAddresses attribute.

  • Remove any duplicate values in the proxyAddresses attribute.

  • If possible, ensure that each user who will be assigned Office 365 service offerings has a valid and unique value for the userPrincipalName attribute in the user’s user object. If a user does not have a value for the userPrincipalName attribute, then the user object must contain a valid and unique value for the sAMAccountName attribute. Remove any duplicate values in the userPrincipalName attribute.

  • For optimal use of the global address list (GAL), be sure the information in the following attributes is correct:

    • givenName

    • surname

    • displayName

    • Job Title

    • Department

    • Office

    • Office Phone

    • Mobile Phone

    • Fax Number

    • Street Address

    • City

    • State or Province

    • Zip or Postal Code

    • Country or Region

Successful directory synchronization between your on-premises AD DS environment directory and Office 365 requires that your on-premises directory attributes are properly prepared. For example, you need to ensure that specific characters aren’t used in certain attributes that are synchronized with the Office 365 environment. Unexpected characters do not cause directory synchronization to fail, but may return a warning. Invalid characters will cause directory synchronization to fail. The attributes that you need to prepare are as follows:

displayName

  • If the attribute exists in the user object, it will be synchronized with Office 365.

  • If this attribute exists in the user object, there must be a value for it. That is, the attribute must not be blank.

  • Maximum number of characters: 255

  • Unexpected characters: ? @ \ +

givenName

  • If the attribute exists in the user object, it will be synchronized with Office 365, but Office 365 does not require or use it.

  • Maximum number of characters: 63

  • Unexpected characters: ? @ \ +

mail

  • If the attribute exists in the user object, it will be synchronized with Office 365, but Office 365 does not require or use it.

  • Maximum number of characters: 255

  • Invalid characters: [ \ ! # $ % & * + / = ? ^ ` { } ]

  • The attribute value must be unique within the directory.

mailNickname (Exchange alias)

  • Maximum number of characters: 63

  • Invalid characters: [ \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , ] " @

  • The attribute value must not contain a space (" ").

  • The attribute value may not begin or end with a period (.).

  • The attribute value must be unique within the directory.

proxyAddresses

  • Multi-value attribute

  • Maximum number of characters per value: 256

  • The attribute value must not contain a space (" ").

  • The attribute value must be unique within the directory.

  • Invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] "

    Important:
    All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards. If duplicate or unwanted addresses exist, see the Help topic Removing duplicate and unwanted proxy addresses in Exchange.

sAMAccountName

  • Maximum number of characters: 19

  • The attribute value must be unique within the directory.

  • Invalid characters: [ \ " | , / : < > + = ; ? * ]

  • If a user has an invalid sAMAccountName attribute but has a valid userPrincipalName attribute, the user account is created in Office 365.

  • If both sAMAccountName and userPrincipalName are invalid, the on-premises AD DS userPrincipalName attribute must be updated.

sn (surname)

  • If the attribute exists in the user object, it will be synchronized with Office 365, but Office 365 does not require or use it.

  • Maximum number of characters: 63

  • Unexpected characters: ? @ \ +

targetAddress

The targetAddress attribute that’s populated for the user (for example, SMTP:tom@contoso.com) must appear in the Exchange Online GAL. In third-party messaging migration scenarios, this requires the Exchange schema extension in the on-premises directory. The Exchange schema extension also adds other attributes that are useful for managing Office 365 objects populated from on-premises by the Directory Synchronization tool; for example, the msExchHideFromAddressLists attribute, which is used to hide mailboxes or distribution groups from address lists. For more information, see Third-party mail migration to Office 365 – fixes and tips.

  • Maximum number of characters: 255

  • The attribute value must not contain a space (" ").

  • The attribute value must be unique within the directory.

  • Invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] "

    All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.

userPrincipalName

  • The userPrincipalName attribute must be in the Internet-style logon format where the user name is followed by the symbol @ and a domain name; for example, user@contoso.com.

    All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.

  • The maximum number of characters for the userPrincipalName attribute is 113. A specific number of characters is permitted before and after the at sign (@), as follows:

    • Maximum number of characters for the user name that is in front of the at sign (@): 64

    • Maximum number of characters for the domain name following the at sign (@): 48

  • Invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] "

  • The @ character is required in each userPrincipalName value.

  • The @ character cannot be the first character in each userPrincipalName value.

  • The user name cannot end with a period (.), an ampersand (&), a space, or an at sign (@).

  • The user name cannot contain any spaces.

  • Routable domains must be used; for example, local or internal cannot be used.

  • Unicode is converted to underscore characters.

  • userPrincipalName cannot contain any duplicate values in the directory.
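The following PowerShell script is an added example, not code from this article or from Microsoft: it turns the clean-up tasks listed earlier (unique SMTP address per user, no duplicate proxyAddresses or userPrincipalName values) and the per-attribute limits and character lists above into an offline check that runs against constructed sample objects. The rule table transcribes the limits from the article; the sample accounts, the function and variable names, and the decision to apply the proxyAddresses character list to the text after the "SMTP:" prefix are assumptions made for this illustration. In a domain you would feed it the output of Get-ADUser with the listed attributes instead of the sample objects.

```powershell
# Added example; not code from the TechNet article. The rule table transcribes the limits and
# character lists given in the article; the sample users, the function names and the treatment of
# the text after "SMTP:" in proxyAddresses are assumptions made for this illustration.
# Offline run: uses constructed objects. In a domain, replace $SampleUsers with
#   Get-ADUser -Filter * -Properties displayName,givenName,sn,mail,mailNickname,proxyAddresses,userPrincipalName

# Invalid characters make synchronization fail; unexpected characters only raise a warning.
$AttributeRules = @{
    displayName       = @{ Max = 255; Unexpected = '?@\+'; Required = $true }
    givenName         = @{ Max = 63;  Unexpected = '?@\+' }
    sn                = @{ Max = 63;  Unexpected = '?@\+' }
    mail              = @{ Max = 255; Invalid = '[\!#$%&*+/=?^`{}]';               Unique = $true }
    mailNickname      = @{ Max = 63;  Invalid = '[\!#$%&*+/=?^`{}|~<>()'';:,]"@ '; Unique = $true }
    sAMAccountName    = @{ Max = 19;  Invalid = '[\"|,/:<>+=;?*]';                 Unique = $true }
    userPrincipalName = @{ Max = 113; Invalid = '\%&*+/=?''{}|<>();:,[]" ';        Unique = $true }
}
# Assumption: for proxyAddresses the character list applies to the address after the "SMTP:" prefix.
$AddressInvalid = '\%&*+/=?''{}|<>();:,[]" '

function Test-DirSyncAttributes {
    param([Parameter(Mandatory)][object[]]$Users)

    $findings = New-Object System.Collections.Generic.List[string]
    $seen = @{}   # "<attribute>|<value>" -> account that used the value first (uniqueness checks)
    function Report($user, $attr, $msg) { $findings.Add(('{0}: {1} {2}' -f $user.sAMAccountName, $attr, $msg)) }

    foreach ($u in $Users) {
        foreach ($attr in $AttributeRules.Keys) {
            $rule  = $AttributeRules[$attr]
            $value = [string]$u.$attr
            if ([string]::IsNullOrEmpty($value)) {
                # A blank displayName only matters when the attribute itself is present on the object.
                if ($rule.Required -and $u.PSObject.Properties[$attr]) { Report $u $attr 'is present but blank' }
                continue
            }
            if ($value.Length -gt $rule.Max) { Report $u $attr "exceeds $($rule.Max) characters" }
            if ($rule.Invalid    -and $value.IndexOfAny([char[]]$rule.Invalid)    -ge 0) { Report $u $attr 'contains an invalid character (sync fails)' }
            if ($rule.Unexpected -and $value.IndexOfAny([char[]]$rule.Unexpected) -ge 0) { Report $u $attr 'contains an unexpected character (warning)' }
            if ($rule.Unique) {
                $key = "$attr|$($value.ToLowerInvariant())"
                if ($seen.ContainsKey($key)) { Report $u $attr "duplicates the value on $($seen[$key])" } else { $seen[$key] = $u.sAMAccountName }
            }
        }

        # mailNickname may not begin or end with a period.
        $nick = [string]$u.mailNickname
        if ($nick -and ($nick.StartsWith('.') -or $nick.EndsWith('.'))) { Report $u 'mailNickname' 'begins or ends with a period' }

        # userPrincipalName: Internet-style logon format with per-part length limits and a routable suffix.
        $upn = [string]$u.userPrincipalName
        if ($upn) {
            $at = $upn.LastIndexOf('@')
            if ($at -lt 0)     { Report $u 'userPrincipalName' 'has no @ sign' }
            elseif ($at -eq 0) { Report $u 'userPrincipalName' 'begins with @' }
            else {
                $name = $upn.Substring(0, $at); $domain = $upn.Substring($at + 1)
                if ($name.Length -gt 64)    { Report $u 'userPrincipalName' 'user name part exceeds 64 characters' }
                if ($domain.Length -gt 48)  { Report $u 'userPrincipalName' 'domain part exceeds 48 characters' }
                if ($name -match '[.& @]$') { Report $u 'userPrincipalName' 'user name ends with a period, ampersand, space or @' }
                if ($domain -match '(^|\.)(local|internal)$') { Report $u 'userPrincipalName' "suffix '$domain' is not routable" }
            }
        }

        # proxyAddresses: multi-valued; every value must be unique across the whole directory.
        $addresses = @($u.proxyAddresses) | Where-Object { $_ }
        if (-not ($addresses | Where-Object { $_ -like 'SMTP:*' })) { Report $u 'proxyAddresses' 'has no SMTP address' }
        foreach ($pa in $addresses) {
            $pa = [string]$pa
            if ($pa.Length -gt 256) { Report $u 'proxyAddresses' "value '$pa' exceeds 256 characters" }
            $addr = if ($pa.IndexOf(':') -ge 0) { $pa.Substring($pa.IndexOf(':') + 1) } else { $pa }
            if ($addr.IndexOfAny([char[]]$AddressInvalid) -ge 0) { Report $u 'proxyAddresses' "'$pa' contains an invalid character" }
            $key = "proxyAddresses|$($addr.ToLowerInvariant())"
            if ($seen.ContainsKey($key)) { Report $u 'proxyAddresses' "'$addr' duplicates an address on $($seen[$key])" } else { $seen[$key] = $u.sAMAccountName }
        }
    }
    return $findings
}

# Constructed sample users (not real accounts). Expected findings: ann has a blank displayName, a
# givenName with an unexpected character, a mail value duplicating tom's, a mailNickname starting
# with a period, a non-routable UPN suffix and a duplicated proxy address; bob's UPN begins with @
# and one of his proxy addresses contains a space. tom produces no findings.
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'tom'; displayName = 'Tom Perham'; givenName = 'Tom';  sn = 'Perham'; mail = 'tom@contoso.com'
                       mailNickname = 'tom';  userPrincipalName = 'tom@contoso.com';   proxyAddresses = @('SMTP:tom@contoso.com', 'smtp:tom.perham@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'ann'; displayName = '';           givenName = 'Ann?'; sn = 'Li';     mail = 'tom@contoso.com'
                       mailNickname = '.ann'; userPrincipalName = 'ann@contoso.local'; proxyAddresses = @('SMTP:ann@contoso.com', 'SMTP:ann@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'bob'; displayName = 'Bob Ruiz';   givenName = 'Bob';  sn = 'Ruiz';   mail = 'bob@contoso.com'
                       mailNickname = 'bob';  userPrincipalName = '@contoso.com';      proxyAddresses = @('SMTP:bob ruiz@contoso.com') }
)
Test-DirSyncAttributes -Users $SampleUsers
```

The script only reports; it changes nothing in the directory, so it can be run repeatedly while the clean-up is in progress and the findings list used as the work queue. Uniqueness is checked case-insensitively across every object passed in, which is why the whole user set has to be supplied in one call rather than one organizational unit at a time.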

AD DS is designed to allow the end users in your organization to sign in to your directory by using either sAMAccountName or userPrincipalName. Similarly, end users can sign in to Office 365 by using the user principal name (UPN) of their Office 365 user ID. Directory synchronization attempts to create new users in Azure AD by using the same UPN that’s in your on-premises directory. The UPN is formatted like an email address. In Office 365, the UPN is the default attribute that’s used to generate the email address. It’s easy to get userPrincipalName (on-premises and in Azure AD) and the primary email address in proxyAddresses set to different values. When they are set to different values, there can be confusion for administrators and end users.

It’s best to align these attributes to reduce confusion. To meet the requirements of single sign-on with Active Directory Federation Services 2.0, you need to ensure that the UPNs in Azure AD and your on-premises AD DS match and are using a valid domain namespace.

You may need to add an alternative UPN suffix to associate the user’s corporate credentials with the Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.

For more information on how to add an alternative UPN suffix to AD DS, see Prepare for directory synchronization.

If you’ve already set up directory synchronization, the user’s UPN for Office 365 may not match the user’s on-premises UPN that’s defined in your on-premises directory service. This can occur when a user was assigned a license before the domain was verified. To fix this, use Windows PowerShell to update the user’s UPN to ensure that the Office 365 UPN matches the corporate user name and domain. If you are updating the UPN in the on-premises directory service and would like it to synchronize with the Azure AD identity, you need to remove the user’s license in Office 365 prior to making the changes on-premises.
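The report below is an added example, not code from this article or from Microsoft. It applies the alignment advice above to constructed sample objects: it finds users whose on-premises UPN differs from the primary SMTP address in proxyAddresses, whose UPN suffix is not one of the domains verified for the tenant, or whose suffix uses characters outside the set allowed for single sign-on, and it writes out the on-premises Set-ADUser command that would align the UPN without executing it. The verified-domain list, the sample accounts and the function name are assumptions; in production you would pass Get-ADUser output and the domains actually verified in your Office 365 tenant.

```powershell
# Added example, not from the TechNet article. Reports users whose on-premises UPN is not aligned
# with their primary SMTP address, or whose UPN suffix is not a verified, routable domain.
# Sample users and the verified-domain list are constructed; in production pass Get-ADUser output
# (with -Properties proxyAddresses,userPrincipalName) and the domains verified in your tenant.

function Get-UpnAlignmentReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string[]]$VerifiedDomains   # UPN suffixes verified in Office 365
    )
    foreach ($u in $Users) {
        $upn = [string]$u.userPrincipalName
        # The primary SMTP address is the proxyAddresses entry whose prefix is upper-case "SMTP:".
        $primary = @($u.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        $primary = if ($primary) { ([string]$primary).Substring(5) } else { $null }
        $suffix  = if ($upn.Contains('@')) { $upn.Substring($upn.LastIndexOf('@') + 1) } else { '' }

        $issues = @()
        if (-not $primary)                         { $issues += 'no primary SMTP address' }
        elseif ($primary -ne $upn)                 { $issues += "UPN differs from primary SMTP $primary" }
        if ($suffix -notin $VerifiedDomains)       { $issues += "suffix '$suffix' is not a verified domain" }
        if ($suffix -notmatch '^[A-Za-z0-9._-]+$') { $issues += 'suffix contains characters not allowed for single sign-on' }
        if ($issues.Count -eq 0) { continue }

        # Proposed on-premises fix: align the UPN with the primary SMTP address when that address is in a
        # verified domain. Per the article, remove the user's Office 365 license before changing the
        # on-premises UPN if the change is meant to flow to Azure AD through directory synchronization.
        $fix = if ($primary -and ($primary.Split('@')[-1] -in $VerifiedDomains)) {
            "Set-ADUser -Identity '$($u.sAMAccountName)' -UserPrincipalName '$primary'"
        } else {
            'manual review: add a verified UPN suffix or a primary SMTP address first'
        }

        [pscustomobject]@{
            Account     = $u.sAMAccountName
            UPN         = $upn
            PrimarySMTP = $primary
            Issues      = ($issues -join '; ')
            ProposedFix = $fix
        }
    }
}

# Constructed input. Expected: tom is aligned and omitted; ann is reported with a mismatched UPN and an
# unverified .local suffix and gets a Set-ADUser proposal; bob has no primary SMTP address.
$VerifiedDomains = @('contoso.com')
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'tom'; userPrincipalName = 'tom@contoso.com';   proxyAddresses = @('SMTP:tom@contoso.com', 'smtp:tperham@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'ann'; userPrincipalName = 'ann@contoso.local'; proxyAddresses = @('SMTP:ann@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'bob'; userPrincipalName = 'bob@contoso.com';   proxyAddresses = @('smtp:bob@contoso.com') }
)
Get-UpnAlignmentReport -Users $SampleUsers -VerifiedDomains $VerifiedDomains | Format-Table -AutoSize
```

The report deliberately prints the proposed Set-ADUser command instead of running it, so that the license-removal step the article calls for can be done first and the change reviewed before it is applied. The Office 365 side of the mismatch is handled separately; for the 2014-era tenants this article addresses that is the Set-MsolUserPrincipalName cmdlet in the MSOnline module (stated here as an assumption about which cmdlet the article's "Windows PowerShell" reference means).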

After you’ve completed directory clean-up, you can go ahead with the steps to install and configure the IdFix tool. For information about the installation and configuration, see Install and run the Office 365 IdFix tool.

© 2014 Microsoft