Applies to: Centrify Identity Service with Office 365

Question:

The Centrify Office 365 + Provisioning app has been configured and synced users are able to sign in with no issues. 

What is the criteria to enable the Centrify provisioning engine to sync Active Directory Security and Distribution groups into O365 as well?


Answer: 

Centrify Cloud Service fully supports the syncing of AD groups into O365 and follows the same scoping rules as Microsoft DirSync. The following Microsoft Technet article describes the criteria by which an AD group may get skipped over from syncing:

• How directory synchronization determines what isn't synced from the on-premises environment to Windows Azure AD

A table of the default scoping rules that Office 365 needs can also be found in the following Microsoft KB:

• http://support.microsoft.com/kb/2643629

Since AD-to-O365 group syncing is dependent on AD attributes meeting requirements, Hybrid Mode needs to be enabled in the Centrify Office 365 app to allow detection and verification of the needed attributes. See the following KB for more info:

• KB-4901: List of AD attributes that are synced into Office 365 cloud with Centrify provisioning

When an AD group complies with the Microsoft scoping rules and Hybrid Mode is enabled, the AD group will be synced into O365 at the next sync interval.


Notes:

• AD groups created in Exchange Online should meet the Microsoft sync criteria by default and will immediately sync into O365 when Hybrid Mode is enabled.
• AD groups created in ADUC usually require some additional edits to meet the requirements. The most common attribute adjustments required for syncing are:
  • displayName
  • mail
  • proxyAddresses
• For further detail on these attribute requirements, see the following KB:
  • KB-5111: Group objects created in Active Directory fail to synchronize to Office 365

(All external links provided as a courtesy)