Tag Archives: CSP

Manage Office 365 with PowerShell

The core components of Office 365 are Exchange Online, Lync Online and SharePoint Online. All three run on top of Windows Azure Active Directory, which holds the user accounts that the services authenticate against.

All services can be managed from the Microsoft Online Portal. When logged on to the portal you can select the various services under Admin in the navigation pane. It is also possible to manage Office 365 using PowerShell, but each service requires its own module and its own way of connecting.

Managing Windows Azure Active Directory using PowerShell

To manage Windows Azure Active Directory with PowerShell you have to install the Azure Active Directory Module for Windows PowerShell (64-bit version), but before you can use it you also have to install the Microsoft Online Services Sign-In Assistant, which the module depends on for authentication. Continue reading Manage Office 365 with PowerShell
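As an added example (not code from the original post), this is the minimum an administrator wants to run after installing the module: connect, check whether directory and password synchronization are active and when they last ran, and enumerate the Global Administrators. It assumes the MSOnline module and the Sign-In Assistant are installed and that the signed-in account can read the directory.

```powershell
# Added example, not from the original post. Assumes the Azure Active
# Directory Module for Windows PowerShell (module name MSOnline) and the
# Sign-In Assistant are installed.
Import-Module MSOnline
Connect-MsolService            # prompts for Office 365 admin credentials

# Tenant-level facts worth checking first: is directory sync enabled, when
# did it last run, and is password hash synchronization switched on?
Get-MsolCompanyInformation |
    Select-Object DisplayName, DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# Who holds Global Administrator. 'Company Administrator' is the internal
# name of that role in the MSOnline module. Every member of this list can
# take over the whole tenant, so review it regularly.
$role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType, IsLicensed
```

If DirectorySynchronizationEnabled is True but LastDirSyncTime is hours old while the sync server is supposed to run every thirty minutes, the sync scheduler is the first thing to look at on that server.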

Create a new organization in Office 365

Creating a new organization in Office 365 is relatively easy. You need a valid domain, a unique tenant name and, if you want to use it beyond the 30-day trial period, a valid credit card.

Before creating (or provisioning) a new tenant you have to select the Business Plan that will match your business needs. You can find a nice overview of all Office 365 Business Plans on the Microsoft site via http://bit.ly/CompareAllO365BusinessPlans.

When you scroll down you’ll see the Business Plans that have a free trial available. In this blog post I’ll focus on the Enterprise E3 plan.

When you click Free Trial at the bottom of the page you can configure a new tenant in Office 365 with a 30-day trial period. You need to enter your name, email address, telephone number and organization name.

The next step is to create your first user ID. This account automatically becomes the Global Administrator of your Office 365 tenant. I always recommend not using a regular user for this, but creating a dedicated administrator with an appropriate name like admin or administrator.
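The same dedicated administrator can be created from PowerShell once the tenant exists. The block below is an added example, not the post's own code; it assumes the tenant's default domain is contoso.onmicrosoft.com (hypothetical) and that you are already connected with Connect-MsolService as a Global Administrator. Besides creating the account and adding it to the role, it enforces multi-factor authentication on it, which is the one hardening step a privileged cloud account should never go without.

```powershell
# Added example, not from the original post. Assumes an open
# Connect-MsolService session as Global Administrator and a hypothetical
# tenant domain of contoso.onmicrosoft.com.
$upn = 'admin@contoso.onmicrosoft.com'

# With -Password omitted, New-MsolUser generates an initial password and
# returns it in the Password property; -ForceChangePassword makes the first
# sign-in replace it. Store the generated value in a password vault.
$admin = New-MsolUser -UserPrincipalName $upn -DisplayName 'Tenant Administrator' `
    -FirstName 'Tenant' -LastName 'Administrator' -ForceChangePassword $true
Write-Host "Initial password: $($admin.Password)"

# Global Administrator is called 'Company Administrator' in MSOnline
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# Require multi-factor authentication for this account. RelyingParty '*'
# applies the requirement to every application in the tenant.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)

# Verify the role membership and the MFA requirement took effect
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId | Where-Object { $_.EmailAddress -eq $upn }
(Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements |
    Select-Object RelyingParty, State
```

Keeping this account on the onmicrosoft.com domain rather than on a custom domain means it keeps working when that custom domain is later federated and ADFS is unavailable.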

Continue reading Create a new organization in Office 365

Cloud identities, Linked Identities and Federated Identities

When you are using a cloud service, whether it be Office 365, Facebook, LinkedIn or Gmail, you are using a user account, and these are also referred to as ‘identities’. Typically there are three types of identities in a cloud service: Cloud Identities, Synced Identities and Federated Identities.

  • Cloud Identity – a Cloud Identity is a user account that’s created and managed in the cloud service. In the case of Office 365 this account is created and managed in the Microsoft Online Portal. Important to note is that when you access an Office 365 service, authentication takes place against Windows Azure Active Directory itself; nothing on premises is involved.
    In the Microsoft Online Portal these accounts are easily identifiable, as the Status column shows them as ‘In cloud’.
  • Synced Identity – a Synced Identity is created and managed in your local Active Directory and synchronized with the cloud service. In Office 365 you can opt to synchronize the passwords as well, although the actual password is never synchronized: what is sent is a salted hash derived from the password hash stored in Active Directory. Like Cloud Identities, authentication takes place against Windows Azure Active Directory. These accounts are identified in the Microsoft Online Portal as ‘Synced with Active Directory’.
    Although the username and password are identical in Office 365 and in the local Active Directory, this is not a Single Sign-On solution; I always refer to this as a ‘Same Set of Credentials’ solution, because the user still authenticates separately to each environment.
  • Federated Identity – a Federated Identity is a user account that’s created and managed in your local Active Directory and that’s synchronized with Office 365. When the account is synchronized, an account in Office 365 (Windows Azure Active Directory) is created. When a service in Office 365 is accessed, the user is not authenticated against Windows Azure Active Directory, but the authentication request is redirected to your local Active Directory and Domain Controllers. To achieve this an Active Directory Federation Service (ADFS) needs to be in place. Since there’s only one set of credentials (all authentication takes place against your local Domain Controllers!) this is referred to as ‘Single Sign-On’. The flip side is that the on-premises ADFS and Domain Controllers are now on the critical path for every sign-in, so a cloud-only administrator account should be kept for emergencies.
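The three identity types can be told apart from PowerShell using two signals the text describes: an account that arrived through directory synchronization carries an ImmutableId (cloud-created accounts do not), and whether sign-in goes to Azure AD or is redirected to ADFS is decided by the authentication type of the UPN’s domain. The block below is an added example, not code from the original post; it assumes an open Connect-MsolService session with directory read rights, and the Get-IdentityType function name is my own.

```powershell
# Added example, not from the original post. Assumes an open
# Connect-MsolService session; Get-IdentityType is a name chosen here.
Import-Module MSOnline

function Get-IdentityType {
    # Domains whose sign-ins are redirected to ADFS
    $federatedDomains = Get-MsolDomain |
        Where-Object { $_.Authentication -eq 'Federated' } |
        Select-Object -ExpandProperty Name

    Get-MsolUser -All | ForEach-Object {
        $suffix = $_.UserPrincipalName.Split('@')[1]
        if (-not $_.ImmutableId) {
            # No ImmutableId: created in the portal or with New-MsolUser,
            # authenticates directly against Azure AD
            $type = 'Cloud'
        }
        elseif ($federatedDomains -contains $suffix) {
            # Synchronized from on-premises AD and signs in through ADFS
            $type = 'Federated'
        }
        else {
            # Synchronized from on-premises AD, password hash lives in Azure AD
            $type = 'Synced'
        }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IdentityType      = $type
            LastDirSyncTime   = $_.LastDirSyncTime
        }
    }
}

$identities = Get-IdentityType
$identities | Group-Object IdentityType | Select-Object Name, Count

# Cloud identities that hold Global Administrator are outside the reach of
# on-premises password policy and ADFS controls, so list them explicitly.
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
$admins = Get-MsolRoleMember -RoleObjectId $roleId |
    Select-Object -ExpandProperty EmailAddress
$identities | Where-Object {
    $_.IdentityType -eq 'Cloud' -and $admins -contains $_.UserPrincipalName
}
```

A Synced account whose LastDirSyncTime is far older than the rest usually means it was removed from the synchronization scope on premises but still exists in the cloud, which is worth investigating before it becomes an orphaned credential.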

Continue reading Cloud identities, Linked Identities and Federated Identities

Force DirSync to synchronize with Office 365

Sometimes it can be useful to manually force a Directory Synchronization between your on-premises Active Directory and Windows Azure Active Directory. Over the last couple of years Microsoft has released a couple of Directory Synchronization tools, and each version had its own way of manually forcing a Directory Synchronization.

These versions are:

  • DirSync (the original first version of Directory Synchronization).
  • Azure AD Sync or AADSync.
  • Azure AD Connect or AADConnect (the current version)

I’ll explain all three in the following sections below, starting with Azure AD Connect.

Azure AD Connect

The latest (current) version of the directory synchronization tool is Microsoft Azure AD Connect. Please note that this is the only officially supported version by Microsoft!

One remark in comparison with previous versions of the DirSync tools: Azure AD Connect (build 1.1 and later) runs a delta synchronization every thirty minutes by default, where the older tools synchronized every three hours. If you enabled password synchronization, Microsoft’s documentation mentions a target of about two minutes before a changed password is synchronized, but in a typical environment it is more like 30 seconds or so.

To force an incremental synchronization, open an elevated PowerShell window on the Azure AD Connect server (the ADSync module is installed with it) and execute the following command:

Start-ADSyncSyncCycle -PolicyType Delta

There’s not much to show here though: the cmdlet only reports that the sync cycle was started. Use -PolicyType Initial instead of Delta when you need a full synchronization, for example after changing the synchronization rules or the organizational units in scope; on a large directory that takes considerably longer.

Azure AD Sync

If you’re running Windows Azure Active Directory Sync Services you have to run a command-line utility called the DirectorySyncClientCmd tool. You can find this tool in the C:\Program Files\Microsoft Azure AD Sync\Bin directory on the Directory Synchronization server. Run it from a Command Prompt with elevated privileges, with the argument delta for an incremental synchronization or initial for a full one, and your local Active Directory is synchronized with Office 365 immediately.

This tool is configured as a Scheduled Task to run every three hours. You can also open the Scheduled Tasks in Administrative Tools and manually start the task (instead of starting the tool manually).

DirSync

If you want to do a full synchronization between Active Directory and Office 365 (which is basically Azure Active Directory) you can log on to the DirSync server, open a PowerShell window (with elevated privileges), navigate to the C:\Program Files\Windows Azure Active Directory Sync\ directory and start the .\DirSyncConfShell.psc1 console file. When the console is loaded you can run the Start-OnlineCoexistenceSync cmdlet, which forces a synchronization; add the -FullSync switch if you want a full rather than an incremental run.

When you have installed Windows Server 2012 R2 with the latest version of DirSync (I was running 1.0.6862.0 but I’ve seen this with 1.0.7020.0 as well) the DirSyncConfShell.psc1 file is missing.

In Windows 2012 R2 you can import the DirSync module directly in PowerShell using the Import-Module DirSync command. When imported you can run the Start-OnlineCoexistenceSync cmdlet to synchronize your Active Directory with Office 365.
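The three procedures above differ only in which tool happens to be installed, so as an added example (not code from the original post) here is one script that detects the installed tool and forces a delta or full synchronization accordingly. It assumes the default installation paths named in this post and an elevated PowerShell session on the synchronization server; the Invoke-ForcedDirSync function name is my own. For Azure AD Connect it also checks the scheduler first, because starting a cycle while one is already running only produces an error.

```powershell
# Added example, not from the original post. Assumes the default install
# paths this post names and an elevated PowerShell session on the sync
# server. Invoke-ForcedDirSync is a name chosen here.
$aadSyncCmd  = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
$dirSyncPsc1 = 'C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfShell.psc1'

function Invoke-ForcedDirSync {
    param([switch]$Full)   # -Full requests a complete (initial) run instead of a delta

    if (Get-Module -ListAvailable -Name ADSync) {
        # Azure AD Connect: the ADSync module ships with it
        Import-Module ADSync
        if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
            # Builds 1.1 and later have the built-in 30-minute scheduler
            $scheduler = Get-ADSyncScheduler
            if ($scheduler.SyncCycleInProgress) {
                Write-Warning 'A sync cycle is already running; try again when it finishes.'
                return
            }
            if ($scheduler.StagingModeEnabled) {
                Write-Warning 'This server is in staging mode: it imports and syncs but exports nothing to Azure AD.'
            }
            Write-Host "Next scheduled cycle: $($scheduler.NextSyncCycleStartTimeInUTC) UTC"
        }
        if ($Full) { $policy = 'Initial' } else { $policy = 'Delta' }
        Start-ADSyncSyncCycle -PolicyType $policy
        Write-Host "Started $policy synchronization with Azure AD Connect"
    }
    elseif (Test-Path $aadSyncCmd) {
        # Azure AD Sync: the command-line client takes 'initial' or 'delta'
        if ($Full) { $mode = 'initial' } else { $mode = 'delta' }
        & $aadSyncCmd $mode
    }
    elseif ((Get-Module -ListAvailable -Name DirSync) -or (Test-Path $dirSyncPsc1)) {
        # DirSync: newer builds expose a module, older builds a snap-in
        if (Get-Module -ListAvailable -Name DirSync) {
            Import-Module DirSync
        }
        else {
            Add-PSSnapin Coexistence-Configuration
        }
        if ($Full) { Start-OnlineCoexistenceSync -FullSync } else { Start-OnlineCoexistenceSync }
    }
    else {
        throw 'No directory synchronization tool was found on this server.'
    }
}

Invoke-ForcedDirSync            # incremental (delta) synchronization
# Invoke-ForcedDirSync -Full    # full synchronization; slow on large directories
```

Whichever tool ran, confirm the result from the cloud side with Get-MsolCompanyInformation: its LastDirSyncTime should move to the current time within a few minutes, and if password synchronization is enabled LastPasswordSyncTime should follow shortly after.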


Updated on January 19, 2017.