Introduction
This guide describes the steps to set up 2-way Global Address List (GAL) Synchronization between your Microsoft 365 Tenants, regardless of the tenant configuration, hybrid or cloud only.
Directory Sync supports Microsoft directories both on-premises and in the cloud. When setting up Global Address List (GAL) Synchronization there can be many different needs depending on where your Exchange Mailboxes reside and the project scope. These factors will determine the synchronization method for GAL sync. Below are two of the most common setups:
Cloud to Cloud
In most Microsoft O365 tenant setups, user mailboxes are exclusively hosted on Exchange Online, even when the user identities originate from On-Premises. In those cases, there is little need to set up local directory sync unless driven by other coexistence or migration needs, such as SID history or Password Sync. Cloud to Cloud is also the recommended configuration if you use Microsoft Entra ID to manage your user identities.
Local to Local
When you have a Microsoft O365 Hybrid tenant setup and have requirements to leverage On-Premises Active Directory to manage the user identities or have the need for SID History migration and Password Sync, then it is recommended to configure your GAL Synchronization with Local to Local setup.
To set up Directory Sync for GAL sync, 4 configurations must be completed prior to the first synchronization.
- Set up Environments
- Set up Local Agents
- Set up Templates
- Set up Workflows
The next section will provide the list of requirements needed to set up GAL Sync for Microsoft 365 Hybrid Tenants.
Requirements
The following are a list of minimum requirements to get set up using Directory Sync with your Microsoft Entra ID. If you are only deploying Directory Sync between Cloud only directories, then skip the next section of requirements.
- One Global Administrator Account for each Microsoft 365 Tenant.
The following are a list of minimum requirements to get set up using Directory Sync with your Microsoft On-Premises Active Directory. If you are deploying Directory Sync between local directories for a hybrid deployment of Microsoft 365 then these additional items are required.
- One Local Administrator Account for each Microsoft Forest and/or Domain that has permissions to create, update or delete depending on the scope of your Directory Sync workflows.
- One Windows Server to install and host the Directory Sync Agent.
For more detailed information about agent installation and set-up requirements visit the On Demand Migration Active Directory User Guide.
The next section will provide a step-by-step guide on how to set up GAL Sync for Microsoft 365 Hybrid Tenants.
Setup
This section provides a step-by-step guide on how to set up GAL Sync for Microsoft 365 Hybrid Tenants.
Setup Environments
To begin at least twohybrid tenants must be configured in Directory Sync. Each hybrid tenant will consist a cloud environment and a local Active Directory environment. At the end of this section there will be two hybrid tenants with four local and cloud environments fully configured.
An environment is an end-point connection that can control the scope of objects read. This guide will walk through how to create the source and target hybrid environments.
To create a cloud environment, an Office 365 Global Administrator is required during set up for each tenant. During the initial set up, Directory Sync will create a new unlicensed user account within each tenant. This account is used to orchestrate some of the PowerShell automation related to directory synchronization services. This account will be created with the Exchange, User and Team Administrator Roles to facilitate its designated jobs.
The Global Administrator account used to set up the environments, is required for directory synchronization services, as it is used to facilitate Graph API related automation activities. The account role can be safely lowered to User, Team and Exchange Administrator once the previously mentioned PowerShell account is created.
To create a local AD environment for the hybrid tenant, the following are required
- One Local Administrator Account for each Microsoft Forest and/or Domain that has permissions to create, update or delete depending on the scope of your Directory Sync workflows.
- One Windows Server to install and host the Directory Sync Agent.
