From ADFS to DirSync Password Sync


We are a big bunch of colleagues in Atea and often help each other out. Here is how my colleague Jens Dale Røttereng did the move from ADFS to DirSync with Password Sync.


Disable ADFS, and fall back on Dirsync with Password Sync

With the new DirSync with password sync, some smaller companies might find ADFS a bit overkill. It might even be a lot less reliable if they do not have enough servers for redundancy. This post will describe how to disable ADFS and have the users log in directly to O365 with the same password they have in AD.


Prerequisites

  • You've probably already installed DirSync on one of your servers when you enabled ADFS. You have to make sure that this version of DirSync is up to date, so that it supports sync of passwords.
    You can download the newest version from the Office 365 portal. Uninstall your old DirSync and install the new one. Make sure you choose Sync passwords when you get the question in the install wizard.
  • Make sure your users know what username to use after the switch has been made. I am trying to standardize on UPN = e-mail address, but I know that a lot of people don't do this. The advantage of this is that they can use their e-mail address as username both on O365 and on premises against AD. If this is not the case, hand out a list to the users beforehand with the new username to use on their e-mail. In many cases this is something they will enter once in their Outlook and once on their phone, and will not think about again until the first time they have to log in to webmail. And then they'll phone you anyway ;)


The switch

Now you are ready to do the switch.

Log in to your ADFS server, or another domain-joined computer with PowerShell and the MS Online Services module installed.

Log in to MSOnline with
Connect-MsolService

Then run the following:

Set-MsolADFSContext -Computer <Insert your ADFS server name>

The Computer is the internal name of the ADFS-server.

Convert-MsolDomainToStandard -DomainName <Insert your federated domain name.com> -SkipUserConversion $false -PasswordFile C:\UsersPassword.txt


Now you'll have to force a password sync, so that the users can use their on-premises password. Otherwise they'll have to use the temporary password generated by the last command and stored in UsersPassword.txt.

Log in to your DirSync server and do the following:

Run C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1.

Run the following cmdlet:
Set-FullPasswordSync

Open services.msc and restart Forefront Identity Manager Synchronization Service.

Your users should now be able to log in to O365 with their cloud identity and password, synced from Active Directory.
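The same switch as a checked script, added here as an example and not part of Jens's original steps. The server name ADFS01, the domain contoso.com and the password-file path are constructed placeholders; the script verifies the domain is Federated before converting and Managed afterwards, and locks down the temporary-password file that Convert-MsolDomainToStandard writes, since it holds a new cloud password for every user until the full password sync lands.

```powershell
# Phase 1: run where the MSOnline module is installed (for example the ADFS server).
$AdfsServer = 'ADFS01'                 # placeholder: internal name of your ADFS server
$Domain     = 'contoso.com'            # placeholder: the federated domain to convert
$PwdFile    = 'C:\UsersPassword.txt'   # where the temporary cloud passwords are written

Connect-MsolService

# Refuse to convert a domain that is not actually federated (idempotency guard).
$before = Get-MsolDomain -DomainName $Domain
if ($before.Authentication -ne 'Federated') {
    throw "$Domain is already '$($before.Authentication)'; nothing to convert."
}

# Warn if the tenant does not yet report password sync; without it, users are
# stuck with the generated passwords in $PwdFile after the switch.
if (-not (Get-MsolCompanyInformation).PasswordSynchronizationEnabled) {
    Write-Warning 'Password sync is not yet enabled for this tenant; check DirSync first.'
}

Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion $false -PasswordFile $PwdFile

# Confirm the conversion took effect.
$after = Get-MsolDomain -DomainName $Domain
if ($after.Authentication -ne 'Managed') {
    throw "Conversion of $Domain did not complete (state: $($after.Authentication))."
}

# Strip inherited ACEs from the password file and grant only the current admin.
# It contains a valid cloud password per user until the hash sync replaces them.
$admin = "$env:USERDOMAIN\$env:USERNAME"
icacls $PwdFile /inheritance:r /grant:r "${admin}:F" | Out-Null

# Phase 2: run on the DirSync server inside DirSyncConfigShell.psc1
# (C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1).
Set-FullPasswordSync                       # queue a full password hash sync
# FIMSynchronizationService is the service name behind the display name
# "Forefront Identity Manager Synchronization Service" in services.msc.
Restart-Service -Name FIMSynchronizationService
Get-Service -Name FIMSynchronizationService | Select-Object Status

# Once users confirm they can sign in with their AD password, the temporary
# password file has no further use:
# Remove-Item $PwdFile -Force
```

Phase 1 and Phase 2 run on different machines, so run the two halves separately; the Remove-Item line is left commented so the file is only deleted once the sync is confirmed.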

1 Comment

  1. Pingback: Update: From ADFS to DirSync Password Hash Sync | Roy Apalnes's blogg
