Directory Synchronization and Service Provisioning
Applies to: Office 365 Dedicated Plans
Topic Last Modified: 2013-03-14
To provision services for Microsoft Office 365 users, Microsoft requires that a mail-enabled user account that is disabled for logon be created for each user in the Microsoft Managed Forest. The system that performs this task is called the Microsoft Managed Solutions Service Provisioning Provider (MMSSPP). The MMSSPP system name is commonly referred to as “Mississippi.”
Built on Microsoft Forefront Identity Manager (FIM) 2010, MMSSPP enables directory synchronization and automated service provisioning between your Customer Forest and the Microsoft Managed Forest. MMSSPP reads user account and other identity data (object attributes) from the Customer Forest, creates logon-disabled copies of the user accounts in the Microsoft Managed Forest via synchronization, and then provisions services for those user accounts in the Microsoft Managed Forest.
MMSSPP does not support synchronization from any source directory other than Active Directory and does not write any data to your on-premises forests. The following describes the key characteristics of MMSSPP:
- Your directory data is authoritative. The user account and other identity data that resides in the Customer Forest is the source of all information that is synchronized by MMSSPP to the Microsoft Managed Forest.
- MMSSPP associates an identity object with its objectGUID value in the Customer Forest. As long as the objectGUID does not change, MMSSPP can re-establish provisioning services related to the object if it is accidentally moved out-of-scope or moved across domains. The objectGUID value is only changed when a new object is created for the same user or if an object is moved across forests. If the objectGUID is altered (for example, a new object is created to represent that identity), MMSSPP can automatically reconnect the managed services to this object utilizing the Automated Services Reconnection (ASR) feature. For more information regarding the format of the objectGUID, see the MSDN article Object-Guid attribute.
- Directory synchronization and provisioning is an integrated process. MMSSPP synchronizes a defined set of Active Directory attributes for each identity object (users, groups, contacts). After MMSSPP provisions objects that are in scope from the Customer Forest to the Microsoft managed domain, it automatically provisions or deprovisions services for users that meet specific conditions based on your on-premises object’s Active Directory attribute values.
- MMSSPP does not write to your Active Directory environment. For synchronization purposes, MMSSPP only reads Active Directory data from your domains that are within scope of Microsoft Office 365 subscriptions. The tool then writes the data to the Microsoft managed Active Directory environment.
- Customer Forest objects must be in the appropriate state. Your organization must ensure that Active Directory objects in the Customer Forest meet the requirements for synchronization. If not, objects will be in a synchronization error state that will stop the flow of any changes made to the object.
- MMSSPP is utilized only by the Exchange Online and Lync Online services. If you are subscribed only to SharePoint Online services, your organization will not have MMSSPP deployed.
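The objectGUID anchoring described in the list above, as an added example (not Microsoft's or MMSSPP's code): it decodes the raw 16-byte objectGUID that LDAP returns and compares two constructed directory snapshots, separating objects that moved while keeping their GUID from objects that were re-created with a new one. Matching re-created objects by `mail` is an assumption made for illustration; the page does not say how ASR matches objects.

```python
import uuid

def guid_from_ad_bytes(raw: bytes) -> str:
    """Decode the objectGUID octet string as returned over LDAP.
    AD stores the first three GUID fields little-endian, hence bytes_le."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def classify(before, after):
    """Compare two snapshots (lists of dicts: objectGUID, dn, mail).
    Returns {guid_string: status} for every GUID seen in either snapshot."""
    old = {guid_from_ad_bytes(o["objectGUID"]): o for o in before}
    new = {guid_from_ad_bytes(o["objectGUID"]): o for o in after}
    old_by_mail = {o["mail"].lower(): g for g, o in old.items()}
    result = {}
    for guid, obj in new.items():
        if guid in old:
            same_dn = old[guid]["dn"].lower() == obj["dn"].lower()
            result[guid] = "unchanged" if same_dn else "moved-same-guid"
        elif old_by_mail.get(obj["mail"].lower(), guid) not in new:
            # Assumption: same mail + vanished old GUID means a re-created object.
            result[guid] = "recreated-new-guid"
        else:
            result[guid] = "new"
    for guid in old.keys() - new.keys():
        result[guid] = "gone"
    return result

# Constructed sample data (not real directory objects).
A = bytes.fromhex("33221100554477668899aabbccddeeff")
B, C, D = bytes([0x11] * 16), bytes([0x22] * 16), bytes([0x33] * 16)
BEFORE = [
    {"objectGUID": A, "dn": "CN=Alice,OU=Sales,DC=emea,DC=example,DC=com", "mail": "alice@example.com"},
    {"objectGUID": B, "dn": "CN=Bob,OU=IT,DC=emea,DC=example,DC=com", "mail": "bob@example.com"},
    {"objectGUID": C, "dn": "CN=Carol,OU=HR,DC=emea,DC=example,DC=com", "mail": "carol@example.com"},
]
AFTER = [
    # Alice moved to another domain: the DN changes, the GUID does not.
    {"objectGUID": A, "dn": "CN=Alice,OU=Sales,DC=apac,DC=example,DC=com", "mail": "alice@example.com"},
    {"objectGUID": B, "dn": "CN=Bob,OU=IT,DC=emea,DC=example,DC=com", "mail": "bob@example.com"},
    # Carol's account was deleted and created again: same mail, new GUID.
    {"objectGUID": D, "dn": "CN=Carol,OU=HR,DC=emea,DC=example,DC=com", "mail": "Carol@example.com"},
]

if __name__ == "__main__":
    for guid, status in sorted(classify(BEFORE, AFTER).items()):
        print(guid, status)
```

Only the `recreated-new-guid` and `gone` rows mark identities whose anchor changed; a plain DN change leaves the anchor intact.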
Your organization is provided with the MMSSPP Customer Deployment Guide prior to the Office 365 onboarding process. The guide contains a checklist of requirements that you must complete.
Complete the MMSSPP configuration checklist in the MMSSPP Customer Deployment Guide.