Don’t lose your identity in the Cloud…

If you happen to log into your Office 365 Admin Portal on a regular basis good on you – though perhaps you can get most of your alerts through the Office 365 Admin app on your phone. If you do happen to log in though and you’re using Directory Synchronization by way of either Azure AD Connect or Microsoft Identity Manager, you hopefully don’t stumble upon a message like this on the Home page.

[Screenshot 2018-03-24 23.31.07]

If you do though, don’t worry: it’s not just a bit of red highlighted text, it’s also a link to your Directory Synchronization status (note that DirSync is no longer around; Azure AD Connect is the way to go these days). What does it mean to your end users if Directory Synchronization is failing? Any change they make to their profile within your on-premises Active Directory won’t be synchronized to Azure Active Directory until the issue is resolved. Not a big deal, right? Well, just think: if you changed your password on-premises, you’ll still be using your old password in Office 365.

If you click the error message, you’ll come to a page that looks something like this:

[Screenshot 2018-03-24 23.28.11]

If you’re not familiar with the above, it’s the Sync Status Health page. Typically, if things are working well, you’ll see the last time you synced successfully, along with other pertinent information about your Office 365 tenant’s synchronization status, as well as a less stormy picture of the cloud. 🙂

In this case though, the troubleshooting tips are fairly helpful and link to https://support.office.com/en-us/article/fixing-problems-with-directory-synchronization-for-office-365-79c43023-5a47-45ae-8068-d8a26eee6bc2?ui=en-US&rs=en-US&ad=US

In this case, it just happens that I had turned off the server that the Azure AD Connect tool was running on. Turn the server back on and the error messages go away and identity changes begin to synchronize once more; life is good.
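The same check from PowerShell, as an added example that is not part of the original post: it reads the tenant’s last sync times through the MSOnline module and, when run on the Azure AD Connect server, confirms the ADSync scheduler is enabled. The stale-sync threshold is an assumption; set it to whatever your own sync interval tolerates.

```powershell
# Added example (not from the original post): check directory sync health from
# PowerShell instead of the admin portal and flag a stale LastDirSyncTime.
# Assumes the MSOnline module is installed; the ADSync part only runs where the
# ADSync module exists, i.e. on the Azure AD Connect server itself.
param(
    [int]$MaxHoursSinceSync = 3   # assumption: default scheduler syncs every 30 minutes
)

Connect-MsolService   # prompts for tenant admin credentials

$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not enabled on this tenant."
    return
}

"Last directory sync (UTC): $($info.LastDirSyncTime)"
"Last password sync (UTC):  $($info.LastPasswordSyncTime)"

if ($null -eq $info.LastDirSyncTime) {
    Write-Warning "No successful directory sync has ever been recorded."
} else {
    $ageHours = ((Get-Date).ToUniversalTime() - $info.LastDirSyncTime).TotalHours
    if ($ageHours -gt $MaxHoursSinceSync) {
        # This is the state behind the red banner on the admin Home page:
        # on-premises changes, including password changes, are not reaching
        # Azure AD, so the old password keeps working in Office 365.
        $msg = "No successful sync for {0:N1} hours; on-premises password changes " +
               "are not being applied in Office 365." -f $ageHours
        Write-Warning $msg
    }
}

# On the Azure AD Connect server, confirm the scheduler is actually running.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $sched = Get-ADSyncScheduler
    "Sync cycle enabled:       $($sched.SyncCycleEnabled)"
    "Sync cycle in progress:   $($sched.SyncCycleInProgress)"
    "Next sync cycle (UTC):    $($sched.NextSyncCycleStartTimeInUTC)"
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning "Scheduler is disabled; re-enable it with: Set-ADSyncScheduler -SyncCycleEnabled `$true"
    }
}
```

If the scheduler is enabled but the tenant still reports a stale sync, `Start-ADSyncSyncCycle -PolicyType Delta` on the Connect server kicks off a sync immediately so you can watch whether the banner clears.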

Azure AD Connect – SSO

On a pretty regular basis I find myself discussing the merits of using AD FS with Office 365 when a customer or client has special requirements pertaining to their environment. Not only does it give you immediate control over users by ensuring each user authenticates against their local domain, but it also provides capabilities for “complex” user scenarios.

One thing AD FS does for user logins is “Simple Sign On”, where the user’s identity is passed on their behalf in the background, similar to how a Kerberos ticket might be passed, but as an authentication flow that ends with the user holding a resource token to present to Office 365.

One of the downsides of AD FS is the requirement for redundancy, proxies and, oh right, still having Azure AD Connect running for identity synchronization from the on-premises environment to Office 365.

Enter the Pass-Through preview capability within Azure AD Connect.

Back in mid-December 2016, Microsoft introduced custom settings in Azure AD Connect that allow for “Simple Sign On” using just the Azure AD Connect preview functionality.

For more on this topic, I highly recommend reading the SSO / Pass-Through article Microsoft posted here:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso