Installing and Configuring DirSync with OU-Level Filtering for Office365


Recently I worked with one of our customers, who was looking for OU-level filtering to import selected users from on-premises Active Directory to Office365.

Thought of writing the step-by-step process, which might be helpful for some of you.

 

Note:

         a.  You can install ADFS and DirSync on the same box, but IT IS NOT RECOMMENDED BY MICROSOFT.

         b.  You can’t install DirSync on a Domain Controller.

 Installing and activating DirSync for your Office365 Portal.

 1.      Log in to your Office365 Portal with Tenant admin credentials. (The username and password which you provided when you provisioned your Office365 Portal)

2.      On the Admin page, in the left pane, under Management, click Users, and then click setup next to Active Directory® synchronization.

3.      Scroll down to step 3 and 4, as shown below in the screen capture.  

                    i.     Activate DirSync for your Office365 Portal from step 3 (This might take a while to get activated)

                   ii.      Download DirSync 64 Bit from step 4

 

4.      Run the downloaded DirSync.exe

5.      Click on Next button in welcome screen

6.      Accept the License Terms and Click Next

7.      Click Next on the “Select Installation Folder” screen if you don’t want to change the location.

8.      This installs DirSync on your local machine.

9.      Click Next to start the DirSync Configuration wizard.

                   a.   Ensure the “Start Configuration Wizard now” is checked.

10.  Click Next on the “Welcome Configuration wizard”

11.  Enter your Office365 Tenant admin account and password and click next.

12.  Enter a local Active Directory account that is a member of the Enterprise Admins group.

13.  If you have Exchange Server on-premises and are planning to implement a hybrid configuration, then select “Enable rich coexistence” and click Next.

                 i. There is nothing to worry about if it is greyed out for you; it means you don’t have Exchange deployed on-premises.

 14.  Uncheck “Synchronize directories now” in the DirSync Finish window and click Next, so that no synchronization runs before the OU filter is configured.

 

 Configure OU level filtering for Office365 directory synchronization.

1.      Log in to your domain controller.

2.      Create an OU (Organisational Unit) in your AD (Active Directory).

                 a.       In my case I named it “DirSync”.

3.      Move all those users you want to sync, to that DirSync OU.

4.      From your DirSync Server navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell

5.      Double click on miisclient.exe

6.      This opens a console something similar to the below screen capture 

 

 7.      In Identity Manager, click Management Agents, and then double-click SourceAD.

8.      Click Configure Directory Partitions, and then click Containers, as shown in the below screen capture.

9.    When prompted, enter your domain credentials for the on-premises Active Directory forest.

10.  In the Select Containers dialog box, clear the OUs that you want to skip from syncing to Office365, and then click OK. The result looks similar to the screen capture below.

11.  Click OK on the SourceAD Properties page.

12.  Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.

If you would like to know more about DirSync filtering, refer to the TechNet article here

13.  You can also force run DirSync using the following PowerShell command.

                       i.      From your dirsync server open PowerShell console as Administrator

                       ii.      Navigate to  “C:\Program Files\Microsoft Online Directory Sync”

                       iii.      Run .\DirSyncConfigShell.psc1

                       iv.      Now execute the Start-OnlineCoexistenceSync cmdlet.

14.  To confirm the sync job, open your event log and look for Event IDs 1 & 2.

                        i.      Event ID 1 indicates that the configuration import has started.

                        ii.      Event ID 2 indicates that the configuration import has completed.

15.  To verify from Office365 Portal

                        i.      Log in to your Office365 Portal with Tenant admin credentials. (The username and password which you provided when you provisioned your Office365 Portal)

                        ii.      On the Admin page, in the left pane, navigate to Users.

                        iii.      You can verify the Last Synced status next to Active Directory® synchronization, as shown below.

16.  From Office365 user management, verify that only the filtered users are populated to Office365.
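
Steps 13 to 16 can also be scripted. The following is an added example, not part of the original post or of Microsoft's tooling. It assumes the ActiveDirectory and MSOnline modules are available on the DirSync server, a filter OU at OU=DirSync,DC=contoso,DC=com, and that DirSync writes its events to the Application log under the source "Directory Synchronization".

```powershell
# Added example. Values marked "assumed" are not from the article.
$FilterOu   = 'OU=DirSync,DC=contoso,DC=com'    # assumed DN of the OU from step 2
$DirSyncDir = 'C:\Program Files\Microsoft Online Directory Sync'
$started    = Get-Date

# Step 13: trigger a sync run through the console file that ships with DirSync.
powershell.exe -PSConsoleFile (Join-Path $DirSyncDir 'DirSyncConfigShell.psc1') `
    -Command Start-OnlineCoexistenceSync

# Step 14: poll for Event ID 1 (import started) and 2 (import completed).
# Assumed: Application log, source 'Directory Synchronization'.
$query = @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'
            Id = 1, 2; StartTime = $started }
$deadline = $started.AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $ids = @(Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Id })
} until (($ids -contains 2) -or ((Get-Date) -gt $deadline))
if ($ids -notcontains 2) { throw 'Event ID 2 not logged within 30 minutes.' }

# Step 16: compare the OU's users with what the tenant reports as synchronized.
# Run this part once the portal shows an updated Last Synced time (step 15).
Import-Module ActiveDirectory, MSOnline
Connect-MsolService                              # prompts for the tenant admin

# Source anchor used for matching: ImmutableId = Base64(objectGUID)
$expected = @(Get-ADUser -SearchBase $FilterOu -Filter * | ForEach-Object {
    [Convert]::ToBase64String($_.ObjectGUID.ToByteArray()) })
$synced    = @(Get-MsolUser -All -Synchronized)
$syncedIds = @($synced | ForEach-Object { $_.ImmutableId })

# Synced to the cloud but not in the filter OU: the filter is leaking.
$unexpected = @($synced | Where-Object { $expected -notcontains $_.ImmutableId })
# In the filter OU but not in the cloud: not exported yet, or rejected.
$missing = @(Get-ADUser -SearchBase $FilterOu -Filter * | Where-Object {
    $syncedIds -notcontains [Convert]::ToBase64String($_.ObjectGUID.ToByteArray()) })

$unexpected | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
$missing    | Select-Object SamAccountName, DistinguishedName
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) synced account(s) are outside $FilterOu"
}
```

An empty `$unexpected` list is the result to look for; any entry there is an account exposed to the tenant that the OU filter was meant to keep on-premises.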

Note:-

 

Filtering configurations applied to your directory synchronization instance aren’t saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.

 

Comments (18)

  1. Steve says:

    Superb Article!! Written Really well.. Thanks Buddy

  2. Grumpy Cat says:

    Your image in step #6 shows only one successful sync, I found this page looking up dirsync errors.  🙁

  3. PS says:

    What if we already have setup and have been running dirsync without filtering and want to clean things up a bit.  Is there a correct process by which to turn on filtering and remove the excess synced accounts without messing up the links between the accounts we actually want synced?

  4. Grumpy, sorry for the delay here. If you still have this issue, can you please share the error screen capture, drop me an email at kanna.ganesh@hotmail.com

  5. Hi PS, guess Sheldon's point answered your question..

  6. Hi PS,

    Hope Sheldon answered your question, please let me know, if you still have any questions.

  7. Hello Sheldon, thank you for answering.

  8. Marty says:

    Very good article.

    I'm not 100% sure but does this process fall into the category of unsupported operations?

    The below quote is from a page which was written after this article: technet.microsoft.com/…/jj710171.aspx

    Microsoft does not support modification or operation of the Directory Sync tool outside of those actions formally documented. Unsupported actions include:

    * Opening the underlying FIM Sync Engine to modify Connector configuration

  9. TSO says:

    hi, how do I change the Azure/365 account used during sync / update the password of the account?

  10. Manish says:

    The DirSync tool available at go.microsoft.com/fwlink installs the miisclient.exe at :\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

  11. Danny says:

    Do you have instructions, or advice for removing synced accounts from O365 but not from AD? Thanks

  12. Nima says:

    Hi!

    There are different management agent names now, maybe new miisclient since your post.

    Windows Azure Active Directory Connector

    Active Directory Connector

    How to do this: first run Active Directory Connector, full import full sync, and then run Windows Azure Active Directory Connector EXPORT. Then finally you will have all your users which you chose from this guide.

    A question though. Will this go automatically from now on, or is it just manual each time? Usually DirSync updates every three hours, but not sure when it's done like this.

  13. Cyp says:

    Hi,

    I added a DirSync Containers in this tool.

    The tool asks me to do a full import / full sync first after the change.

    But for the second step (before the export), I currently do it with 'Windows Azure Active Directory connector Delta Import / Delta Sync'.

    Do I do:

    1/ Active Directory Connector : Full Import / Full Sync

    2/ Windows Azure Active Directory connector : Delta Import / Delta Sync

    3/ Windows Azure Active Directory connector : Export

    Or

    1/ Active Directory Connector : Full Import / Full Sync

    2/ Windows Azure Active Directory connector : Full Import / Full Sync

    3/ Windows Azure Active Directory connector : Export

    Or something else?

  14. Aws says:

    I had installed DirSync in my environment without password sync, and now, for the time being, I want to start password sync but for the test user only. I am looking to create a test OU in AD and choose it as the container in DirSync. Will the active users be affected, or will the change affect the password for the test user?

  15. chatzki says:

    thanks a lot for the so well-written article!

  16. Mario P. says:

    Thanks for the time spent on this article.

    One point that I've found worth mentioning is to tell users to make sure to run the IDFix tool before running DirSync, because some users do not have the right UPN set up or do not even have the email account in the General tab for their Active Directory users.

    So it is worth mentioning this as a disclaimer (before you attempt to do this, we are assuming that you have already cleared up the UPN by federating your domain and that IDFix returns no errors).

    Thanks again.

    link to IDFix:

    support.office.com/…/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac

  17. Mario P. says:

    An external link I found very useful for step by step:

    blog.ciaops.com/…/windows-azure-active-directory-sync.html
