In part 1 of this Office 365 migration series, we looked at the possible scenarios for upgrading to the cloud and how important it is to plan it before executing. As I continue to migrate my SharePoint to Office 365, my next step is to make sure my Active Directory Users are available online.
In this article we'll cover:
- Getting started with Active Directory Synchronization
- Getting SharePoint on Office 365 Configured with Password Sync
- Configure SharePoint on Office 365 with Single Sign On
- Migrating to Office 365 – What Should you Do?
Active Directory Synchronization or "Dir sync": Allows you to sync your Active Directory Objects, such as users and groups, to your Office 365 account.
This is a one-way synchronization, which means you continue to manage users On-Premises, and your changes will appear on your Office 365 SharePoint. However, authentication and passwords are managed by Office 365. It will be required for Password Sync and Single Sign On (see below).
Password Synchronization: Allows you to build on top of Active Directory Synchronization by also synchronizing passwords. It's not a form of Single Sign On, as you are still authenticating users with Office 365 and not your own Active Directory.
Single Sign On: Though you can choose a different provider, the most common provider is Active Directory Federation Services (or ADFS). In this scenario, your On-Premises AD and your Office 365 share tokens, allowing your users to use the same credentials to access both On-Premises objects and Online objects.
Though probably the best solution, it requires a few extra considerations, like an extra server to avoid downtime. Otherwise users will not be able to authenticate when accessing online resources.
Getting started with Active Directory Synchronization
Where do I start? We know that SharePoint On-Premises uses an Active Directory for users, so our first step in the migration process should be to make sure they are available on Office 365.
Here are our options:
Though the TechNet documentation recommends configuring Single Sign On first, I decided to configure Directory Synchronization and make sure it was working.
Office 365 shows us a checklist to follow:
The first two steps were easy, check the documentation and validate domains. What's confusing here, though, is that the third step asks us to “Activate” Active Directory synchronization, even though we haven’t done anything yet.
So I started to wonder, was I supposed to do the Single Sign On first? Then I thought it couldn’t be since it’s not a requirement. So I pressed it and nothing happened except a message saying it has been activated. I didn’t think too much of it and continued on to install the Directory Sync tool on my server.
I let the installer run with the default settings until it started Installing the Components.
This tool is important, as it is it maintaining the integrity of my users and groups online by synchronizing the objects and their attributes.
Once it was done installing, it asked me if I wanted to configure it now with the wizard, I left it on and clicked next.
The wizard starts out by asking administrator credentials for my Office 365 environment.
Next, I entered my Active Directory credentials and arrived in front of the Password Synchronization screen. As mentioned earlier in this article, by default, the Directory Sync tool will only sync the objects, with their basic attributes, to your Office 365.
The Password Sync is something that was added and allows your users to login with the same password that they use On-Premises. This is very practical in a SharePoint Migration to Office 365, as it provides a seamless transition to the users. For now, I will leave it off and keep it to the bare minimum.
And I was ready to synchronize my Directories to Office 365.
Sure enough, my On-Premises Active Directory users were ready and Synced to my Office 365.
Of course the only thing we've done is tell Office 365 that these users exist, but we haven't assigned any licenses to them yet. Therefore, we need to go through each user and assign the licenses for the services that we wish them to have.
From what we've learned so far, we should be able to use our Active Directory users to log in to Office 365 using a different password than the one they are using On-Premises. They must use the one assigned in Office 365 and only then will they be able to use the SharePoint Online.
Getting SharePoint on Office 365 Configured with Password Sync
Now that we know our Active Directory Users synchronize towards Office 365, our next step is to make sure they can use the same passwords as On-Premises. Even though we're not configuring Single Sign On yet, we need to go back to the Directory Synchronization tool and include the Password hash in the sync.
Then, launch the synchronization again to make sure the new password properties are brought into the cloud.
After my first test, I was already able to log in using my Office 365 credentials and my On-Premises password.
As you may have noticed, this is still not Single Sign On, because my User Principle Name (UPN) is not the same as the one used On-Premises, which resembles something like email@example.com.
During a SharePoint Migration, I recommend going the extra step and configuring Single Sign On, because the Directory Synchronization, both with or without password, gives the user the sense that he is no longer in the same SharePoint.
On the other hand, with Single Sign On, you can easily change the top navigation and content in your On-Premises SharePoint to link to that of Office 365 or SharePoint Online. The user will have no idea he has switched to SharePoint on Office 365, as the transition is done through hyperlinks.
Over time, you can give a smoother experience to the users while upgrading SharePoint to Office 365.
Configure SharePoint on Office 365 with Single Sign On
I do recommend you follow the TechNet articles and recommendations to configure Single Sign On. I skipped ahead and already configured Directory Synchronization, which is required by SSO.
However, Microsoft recommends going through the checklist provided in your Office 365 dashboard.
So I went back to step 1 and made sure my server had the ADFS Role installed and configured.
Be sure to have properly configured the ADFS 2.0 on your server or you will not be able to continue configuring Single Sign On.
Once I had gone through the first two steps and installed the Azure AD Module in Step 3, I was ready to configure the trust between my ADFS and the Office 365. To do this, Microsoft has provided an article that helps to configure it.
Make sure to run the correct commands for your scenario, because it isn't the same for everyone. That’s it; you now have a Single Sign On for your SharePoint on Office 365.
Migrating to Office 365 – What Should you Do?
As part of this migration series focused on SharePoint, we saw in our first article different scenarios to migrate to SharePoint Online and Office 365, and in this article, how to configure Office 365 to use your Active Directory.
Based on the scenarios available and what we've learned to configure the Synchronization and Single Sign On, I think your chances for a successful migration are greatly increased with SSO. You can now have an easy transition for both you and your users.
If you can, try configuring your On-Premises SharePoint to work with the Office 365 Single Sign On. Change hyperlinks gradually to point them to your Office 365 portal until all content is moved over.
This blog is part of a series of 4 articles aiming to help you migrate to Office 365 or SharePoint Online by providing all of the necessary steps and available scenarios.
In the next article I will start to look at migrating some of my content.
PREVIOUS ARTICLES IN THE SERIES
1. SharePoint to Office 365 Migration – Supported Scenarios