An administrator is using the LDAP Synchronization Tool (Schemus) and would like to set up the data sync to use the Microsoft Azure data source.
In order to synchronize data from Azure, a Service Principal account must be created on the Office 365 portal. The Service Principal account can be created either through the Microsoft Windows Azure Management Portal or with the Windows Azure PowerShell modules.
Schemus will require the Service Principal account ID and associated secret information in order to access the Azure online Active Directory.
In order to create a Service Principal account using the Microsoft Windows Azure Management Portal, the following subscriptions are required:
Note: A trial Windows Azure subscription is available, from which the Microsoft Windows Azure Management Portal can be accessed. In order to create a trial subscription, sign in to the Office 365 portal with an Administrator account at http://office.microsoft.com then go to the management portal https://manage.windowsazure.com.
At the time of writing, the trial is free of charge although credit card details may be required.
When signed into the Microsoft Windows Azure Management Portal, create the Service Principal account as follows:
Note: The key cannot be accessed again after the page is closed, so be sure it is copied first.
In order to create a Service Principal in PowerShell, the following are required:
A Service Principal account can be created using the PowerShell commands below. This will create a principal named "Schemus" with the given password, which should be entered into the Symmetric Key field in the Schemus Azure configuration settings.
# import the Active Directory module and sign in
Import-Module MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred

# import the Active Directory extended module,
# required by New-MsolServicePrincipal
Import-Module MSOnlineExtended -Force

# create a Service Principal account
$sp = New-MsolServicePrincipal -ServicePrincipalNames @("Schemus") -DisplayName "Schemus" -Type "Password" -Value "SecretPassword01"

# grant Read access to the Office 365 Active Directory
Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName "Directory Readers" -RoleMemberObjectId $sp.ObjectId

# display the information required by Schemus
$c = Get-MsolCompanyInformation
"Tenant Context ID: " + $c.ObjectId
"Principal ID: " + $sp.AppPrincipalId
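The following check is an added example, not part of the original article or the Schemus product: after the commands above have been run, it confirms that the "Schemus" principal holds only the Directory Readers role and lists its credentials (without returning the key values) so expiry dates can be tracked. It assumes an existing Connect-MsolService session and the display name "Schemus" used above.

```powershell
# Added verification script (assumption: Connect-MsolService has already been run
# and the principal was created with the display name "Schemus").
$name = "Schemus"

$sp = Get-MsolServicePrincipal -SearchString $name
if (-not $sp) { throw "No service principal named '$name' was found" }
if (@($sp).Count -gt 1) { throw "More than one principal matches '$name'; review them before continuing" }

# Walk every directory role and keep those whose membership includes this principal.
# Anything beyond "Directory Readers" is more privilege than the sync account needs.
$roles = Get-MsolRole | Where-Object {
    Get-MsolRoleMember -RoleObjectId $_.ObjectId |
        Where-Object { $_.RoleMemberType -eq "ServicePrincipal" -and $_.ObjectId -eq $sp.ObjectId }
}
"Roles held by ${name}:"
$roles | ForEach-Object { "  " + $_.Name }

$extra = $roles | Where-Object { $_.Name -ne "Directory Readers" }
if ($extra) {
    Write-Warning "Principal holds roles beyond Directory Readers: $($extra.Name -join ', ')"
}

# List the credentials without returning key material, so expiry can be tracked and rotated.
"Credentials on ${name} (key values not returned):"
Get-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -ReturnKeyValues $false |
    Select-Object KeyId, Type, StartDate, EndDate |
    Format-Table -AutoSize
```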