
Directory synchronization roadmap

Published: April 16, 2012

Updated: June 22, 2015

Applies To: Azure, Office 365, Windows Intune

This topic might not be completely applicable to users of Microsoft Azure in China. For more information about Azure service in China, see

If your company has existing user and group accounts in an on-premises Active Directory environment when you subscribe to a Microsoft cloud service, there are tools for synchronizing those accounts to Microsoft Azure Active Directory (Microsoft Azure AD), where a copy of those accounts is also stored in the cloud.

By using the Microsoft Azure Active Directory Sync tool, your company’s administrators can keep your on-premises Active Directory continuously synchronized with Azure AD. Directory synchronization is intended as an ongoing relationship between your on-premises environment and Azure AD.

Active Directory synchronization should be considered a long-term commitment to coexistence scenarios between your on-premises Active Directory and cloud. After you have activated directory synchronization, you can only edit synchronized objects in your on-premises environment.

Using Office 365? Directory synchronization allows you to not only create synchronized versions of each user account and group, but also allows global address list (GAL) synchronization from your on-premises Microsoft Exchange Server environment to Microsoft Exchange Online.

Here are some important choices to consider before you set up directory synchronization:

  • Access Management solution: Are you going to synchronize passwords or enable Federated Authentication? Decide which option you want to enable and refer to the content below as appropriate.

    • Password Sync: Use Password Sync if you want your users to log into Azure Active Directory and other services with the same username and password they use to log onto your corporate network and resources. Password Sync is a feature of the Directory Sync tool. For instructions on deploying Password Sync, see Implement Password Synchronization.

    • Single sign-on: We recommend that before you set up directory synchronization, you set up single sign-on. It enables your users to sign in to the cloud service by using their corporate credentials. To get started, see Prepare for single sign-on.

      You must add and verify your company’s domains in order to use them in Azure Active Directory and Office 365. For more information, see Add your domain and Verify a domain.

  • Compliance: You should determine whether you require directory auditing to capture events such as creating users, resetting passwords, and adding users to groups. For more information about auditing, see Audit account management.

    Security logging may be disabled by default; you will have to understand how to enable it for your organization.
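The compliance bullet above names the events worth capturing (user creation, password resets, group membership changes) and notes that the audit policy may be off by default. The following PowerShell is an added example, not part of the original roadmap or the Directory Sync tool, showing how an administrator can check and enable the relevant audit subcategories on a domain controller and then pull those events out of the Security log. The audit subcategory names and the Windows event IDs used (4720, 4724, 4728, 4732, 4756) are standard; the 24-hour window is an assumption you can adjust.

```powershell
# Added example (not from the original TechNet page): turn on account-management
# auditing on a domain controller and summarize recent account-management events.
# Run in an elevated PowerShell session on the DC.

# 1. Show the current state of every subcategory under "Account Management".
auditpol /get /category:"Account Management"

# 2. Enable success and failure auditing for the two subcategories that cover
#    the events named in the roadmap. For a domain-wide setting, configure the
#    same subcategories through Group Policy (Advanced Audit Policy Configuration)
#    so that every domain controller records them.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 3. Standard Windows Security event IDs for the events we care about.
$eventLabels = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}

# 4. Retrieve matching events from the last 24 hours (assumed window).
$since = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(4720, 4724, 4728, 4732, 4756)
    StartTime = $since
} -ErrorAction SilentlyContinue

# 5. Summarize who did what to which object. The positional properties differ
#    between event IDs, so read the named fields from the event XML instead.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Event  = $eventLabels[$_.Id]
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Target = if ($data.ContainsKey('MemberName')) { $data['MemberName'] } else { $data['TargetUserName'] }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Once the subcategories are enabled, the same query can be scheduled or pointed at a forwarded-event collector so that account changes made on-premises (the only place synchronized objects can be edited once directory synchronization is active) are reviewable after the fact.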

Using Office 365? Due to recent changes to the directory synchronization infrastructure, you now have more flexibility in how you use directory synchronization for email migration and single sign-on scenarios. For more information, see Directory synchronization and source of authority and Exchange Hybrid Deployment and Migration with Office 365.

Various Microsoft Online Services such as Exchange Online provide features that work best when certain directory information can be controlled by the online service. In these cases, directory objects (such as users) that are synchronized from your on-premises directory may be modified in the Azure Active Directory, and then these changes need to be written back to your on-premises directory for on-premises applications to consume.

The way to allow these changes to flow back to the on-premises directory is to enable the “Hybrid Deployment” feature in the Directory Sync tool. When enabled, the Directory Sync tool will be authorized to write back specific attributes on directory objects.

The Directory Sync tool will not be given the permission to modify all attributes in your directory. It will only have permission to modify those attributes that can be written back from Azure Active Directory. For more details, see Attributes that are written back to the on-premises AD DS from Azure Active Directory in an Exchange hybrid deployment scenario.

For more details about specific information regarding the Exchange Online Hybrid Deployment scenarios, see Exchange Hybrid Deployment and Migration with Office 365.
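The two paragraphs above make a least-privilege point: with Hybrid Deployment enabled, the Directory Sync tool should be able to write only the specific attributes that Azure Active Directory writes back, not arbitrary attributes. The following PowerShell is an added example, not code from the original page or from the Directory Sync tool, that lists the Allow ACEs granted to a given service account at the domain root and resolves the object-type GUIDs to attribute names, so you can verify that the account holds attribute-level rights rather than broad rights such as GenericAll or WriteDacl. The account name is a placeholder you must replace, and the assumption that the permissions are set at the domain root is yours to confirm; it requires the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the original TechNet page): review what the directory
# synchronization service account is allowed to write in on-premises AD DS.
param(
    # Placeholder; replace with the actual sync service account (DOMAIN\name).
    [string]$SyncAccount = 'CONTOSO\SYNC_ACCOUNT_PLACEHOLDER'
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = (Get-ADDomain).DistinguishedName

# Build a GUID -> name lookup from the schema (attributes and classes) and
# from the Extended-Rights container (property sets and control rights), so
# object-specific ACEs print as readable names instead of raw GUIDs.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Rights that would let the account change far more than a fixed set of attributes.
$broadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

# Read the domain root security descriptor (assumed to be where the sync
# permissions were granted) and keep only Allow ACEs for the sync account.
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $SyncAccount -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $target = if ($_.ObjectType -ne [guid]::Empty) { $guidMap[$_.ObjectType] } else { '(all attributes/objects)' }
        $scope  = if ($_.InheritedObjectType -ne [guid]::Empty) { $guidMap[$_.InheritedObjectType] } else { '(all object classes)' }
        [pscustomobject]@{
            Rights    = $_.ActiveDirectoryRights
            Target    = $target
            AppliesTo = $scope
            # True when the ACE grants one of the broad rights above.
            Broad     = [bool]($_.ActiveDirectoryRights -band $broadRights)
        }
    } | Format-Table -AutoSize
```

Rows with Broad set to True, or with a Target of "(all attributes/objects)" combined with WriteProperty, are the ones to investigate: the expected result for a write-back configuration is a short list of WriteProperty entries naming individual attributes, scoped to the object classes (such as user) that are written back.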

Perform the following steps to prepare for, implement, and manage directory synchronization for your organization:

  1. Learn how to verify system requirements, create the right permissions, and allow for performance considerations. For more information, see Prepare for directory synchronization.

  2. Then, learn how to activate directory synchronization for your company. For more information, see Activate directory synchronization.

  3. Install the Microsoft Azure Active Directory Sync tool. If you’ve already done so, learn how to upgrade, uninstall, or move it to another computer. For more information, see Set up your directory sync computer.

  4. Perform an initial sync and verify that the data synchronized successfully. You will also learn how to configure the Directory Sync tool to set up recurring synchronization and how to force directory synchronization. For more information, see Use the Configuration Wizard to sync your directories.

  5. After you have synchronized your directories, you must activate the users before they can use the services you have subscribed to. You can do this individually or in bulk. For more information, see Activate synced users.

  6. Learn how to maintain your directory synchronization, including how to update users and domains after synchronization has been activated. You’ll also learn how to change passwords and network proxy settings. For more information, see Manage directory synchronization.

© 2016 Microsoft