Monday, August 31, 2015

Office 365 - Disable DirSync

After some reflection, I have decided to create a test environment in which a third-party service (OneLogin) will replace ADFS and also DirSync for Active Directory synchronization and SSO (Single Sign On) with Office 365. OneLogin is one of the primary players in the "Identity Provider" business, the other being Okta. I have selected OneLogin simply because I may have to work with the product in the future and want to become more familiar with it. So far, I have not worked with either OneLogin or Okta in a professional context and have no reason (other than the reason stated above) to favor one over the other.

Until now, I have used a combination of DirSync and ADFS to synchronize segments of my on-premises Active Directory database with Office 365 and provide SSO. I now will examine a scenario in which we would replace both ADFS and DirSync with OneLogin.

Please note that OneLogin may or may not be a satisfactory replacement for DirSync. OneLogin can sync many Active Directory object attributes (or properties) to Office 365 but not necessarily all those required by your organization. If necessary, your organization can use OneLogin as a replacement for ADFS and still use DirSync. That is indeed a possible combination. For further details, please consult this document (or contact OneLogin):

Provisioning User Attributes to Office 365

In my previous blog post, I disabled ADFS in preparation for the installation of the OneLogin Active Directory Connector (ADC) that will provide SSO functionality. In the following lines, I will disable DirSync as well (underlining once again that this is optional, OneLogin being perfectly compatible with DirSync).

***

If we opt to disable DirSync, we can do so at one of two locations: at the PowerShell command line or in the Office 365 Portal. I will use the PowerShell method here.

First, as when disabling ADFS, we must have installed the "Windows Azure Active Directory Module for PowerShell" (the "basic" or "native" PowerShell commands that come with current server operating systems cannot manipulate elements of Office 365).



We first import the MS Online module and then connect to MS Online (in other words, Office 365):

PS C:\> Import-Module MSOnline
PS C:\>
PS C:\> Connect-MsolService

At this point, we are prompted for credentials. We should enter Global Admin credentials for our Office 365 account:



If we want to see the current status of DirSync (enabled or disabled) we can execute this command:

PS C:\> (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
True

In other words, this displays the value of the "DirectorySynchronizationEnabled" property of the "MsolCompanyInformation" object, which happens to be "True".

We can adjust this value with the following cmdlet:

PS C:\> Set-MsolDirSyncEnabled -EnableDirSync $false

(We will be prompted for a confirmation).

There is no "command completed successfully" message but we can confirm the change with the command presented above. Now the value is "false":

PS C:\> (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
False
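
The steps above combined into one script, as an added example that is not part of the original post: it records the sync state before and after the change and skips the change if DirSync is already off. The function name Get-DirSyncSnapshot and the CSV file name are hypothetical; it assumes the MSOnline module is installed and that Global Admin credentials are entered at the prompt.

```powershell
# Added example (not from the original post).
Import-Module MSOnline
Connect-MsolService   # prompts for Global Admin credentials

# Hypothetical helper: capture the tenant-level sync state with a timestamp
# so the change leaves a before/after record.
function Get-DirSyncSnapshot {
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        CheckedAt       = (Get-Date).ToString('s')
        DirSyncEnabled  = $info.DirectorySynchronizationEnabled
        LastDirSyncTime = $info.LastDirSyncTime
    }
}

$before = Get-DirSyncSnapshot
$records = @($before)

if ($before.DirSyncEnabled) {
    # -Force is deliberately omitted so the confirmation prompt still appears.
    Set-MsolDirSyncEnabled -EnableDirSync $false

    # The cmdlet prints no success message, so read the property again.
    $after = Get-DirSyncSnapshot
    $records += $after

    if ($after.DirSyncEnabled) {
        Write-Warning 'DirectorySynchronizationEnabled is still True (prompt declined or change not applied).'
    } else {
        Write-Output 'DirSync is now disabled.'
    }
} else {
    Write-Output 'DirSync is already disabled; nothing to change.'
}

# Keep the snapshots with your change records (file name is a placeholder).
$records | Export-Csv -Path .\dirsync-change.csv -NoTypeInformation
$records | Format-Table -AutoSize
```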


If we prefer to make the change in the Office 365 portal, this is where we would go:



In my case, the screenshot reflects the change made above. The only option is to "Set up" synchronization, which means it is currently disabled.



