Office 365 Exchange Online ADFS to DirSync review

keithstorrs0472 · 2013-09-06T15:48:28.000Z

Anyone have first hand experience with migrating Office 365 Exchange Online authentication from ADFS to DirSync with password sync?

I’ve all but decided to go for it and not host ADFS servers internally anymore, but I would really like some validation out there either way.

It seems like a no brainer if you don’t consider the password sync a security risk. We are really trying to eliminate the dependency of our infrastructure on availability of Email.

So, let me have it. Do we like DirSync over ADFS?

Huw3481 · 2013-09-06T15:56:36.000Z

Yes,

I have done this for a client recently.

All mailboxes “lived” in O365 (no on-premise mailboxes).

You run a Powershell script to convert the O365 to standard rather than Federated. This resets all the users passwords so in this period people can’t authenticate.

Uninstall ADFS.

Uninstall any version of DirSync and install and configure the latest version. All users passwords will be re-synched.

scottalanmiller · 2013-09-06T16:22:48.000Z

Yup, as Huw points out, NTG does this.

alex3031 · 2013-09-07T13:57:07.000Z

Speaking of DIrSync, will this work if you are all on the same Office365 domain, but you have separate AD domains that make up all of the users? We have Office365 for all employess globally but the US and europe have their own domains. Currently there is no synch of passwords with Office365 which is a headache sometimes.

Huw3481 · 2013-09-07T18:44:59.000Z

Are we talking separate AD forests?

alex3031 · 2013-09-07T21:51:33.000Z

Completely separate domains, not even a trust relationship between them, only a couple of their IT people have admin accounts in our domain, we don’t have a single account on theirs.

Huw3481 · 2013-09-09T05:17:35.000Z

DirSync can’t help you then as it only supports a single AD forest.

alex3031 · 2013-09-09T17:04:21.000Z

Thanks

toddm9956 · 2013-09-09T19:03:42.000Z

If I am reading your post correctly, it sounds as if you are trying to get real SSO across mupltiple AD’s? Office 365 to my knowledge doesn’t support this. It may be a mute point if you already have O365 running, but EarthLink’s 365 solves those issues with email while supporting the rest (lync & sharepoint). Ping me if you have questions.

alex3031 · 2013-09-09T20:15:30.000Z

Yea that’s what I was asking about, Office365 is already deployed was before I came on, would just like to simplify things, as you can imagine some people have a hard time with the multiple passwords thing.

keithstorrs0472 · 2013-09-10T11:15:28.000Z

Huw3481 and Scott Alan Miller, I’m trying to gauge how long I should tell my users to expect Email to be unavailable until the DirSync is run after the conversion. I’m wondering if you could enlighten me on how long the domain conversion process would take on 450 mailboxes? I’m not finding anything out there, so wondering if some real world experience could give me a clue.

bizdps · 2013-09-11T10:00:32.000Z

Keith9035:

Huw3481 and Scott Alan Miller, I’m trying to gauge how long I should tell my users to expect Email to be unavailable until the DirSync is run after the conversion. I’m wondering if you could enlighten me on how long the domain conversion process would take on 450 mailboxes? I’m not finding anything out there, so wondering if some real world experience could give me a clue.

Plan for a weekend. It should take much less time than that, but you’ll have a bountiful window to work in without stressing over deadlines.