Tech Talk Live Blog

Google Apps and Office 365 Integration

Brian Steigauf

Google Apps for Education and Microsoft Office 365 both have the ability to integrate into a district’s existing Active Directory environments with a common username and password or single sign-on (SSO). The approaches can be different, but in the end, the result is the same. . . your staff are able to login to the services using the same username and password they utilize for many other services. Also, there is no manual entry or importing of accounts for new staff.

Google Apps for Education

In order to synchronize accounts from your Active Directory environment to Google, the Google Apps Directory Sync (GADS) utility needs to be installed on one of your Active Directory domain controllers.

The key benefits of GADS, according to the GADS page, are that it:

  • Synchronizes your Google Apps user accounts to match the user data in an existing LDAP server.
  • Supports sophisticated rules for custom mapping of users, groups, nonemployee contacts, user profiles, aliases, calendar resources, and exceptions.
  • Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
  • Runs as a utility in your server environment. There is no access to your LDAP directory server data outside your perimeter.
  • Includes extensive tests and simulations to ensure correct synchronization.
  • Includes all necessary components in the installation package.

The GADS utility syncs the user attributes, group information, and other Active Directory data to the Google cloud, but does not handle passwords. The Google Apps Password Sync (GAPS) utility performs synchronization of user passwords. This is a separate utility that must also be installed on a domain controller.

There are many scenarios that can be accounted for, including separate DNS domains for student email addresses and staff or hosting students’ mail accounts in Google mail, while keeping staff email on-premises.

Some caveats when using GADS and GAPS include:

  • Synchronizes with Google are one-way only (Active Directory to Google Apps).
  • Passwords can only be synced once they are changed. In other words, if GAPS is installed, the existing passwords will not be synced up to Google. A password change must take place for the passwords to be captured and synced to Google.
  • If users have already created accounts in Google using their school district email, their existing account will get renamed when the synchronization takes place. They should get a notification from Google with the new name, when this happens. Unfortunately, getting their information merged with the new account is not so straightforward.

Office 365

Microsoft has two options when deciding to integrate with Office 365; password synchronization and Active Directory Federation Services. Microsoft’s Azure Active Directory Connect application (formerly known as DirSync) is configured to synchronize Active Directory attributes and, if desired, passwords to Office 365. Microsoft also offers the ability to federate authentication using Active Directory Federation Services (ADFS). Federation is a true single sign-on (SSO) experience where no passwords are passed between the client and Office 365. It requires that the ADFS server(s) is(are) configured by the district. ADFS is more complicated to configure than syncing passwords, but can be used by other services that support SSO.

If you decide to federate using ADFS, the Azure Active Directory Connect application is still used to synchronize and provision accounts in Office 365, and the wizard will help you configure ADFS. The experience of signing into Office 365 using ADFS is different than if you decide to sync passwords. For Office 365 tenants that use ADFS, once the account name for a federated entity is entered in the Office 365 login page, you will be redirected to the ADFS site in order to enter your password. Upon successful login, you will be redirected back to the Office 365 site.

One possible benefit of using Azure Active Directory Connect is the ability to create a two-way synchronization with your Active Directory. This allows you to take advantage of some of the other offerings from Microsoft, including password resets.

Some caveats when configuring Azure AD Connect and ADFS include:

  • Make sure your users have a User Principle Name (UPN) that matches an actual DNS name your district owns, jsmith@district.org, and not just the AD domain name, jsmith@district.local. Ideally, you would want your UPNs to match the users’ email addresses for simplicity, but that is not required.
  • You must purchase a publicly trusted SSL certificate to use with ADFS.
  • When setting up ADFS, and to save some trouble in the future, create the federation to support multiple DNS domains using the following command:

Update-MSOLFederatedDomain –DomainName:<Federated Domain Name> –supportmultipledomain

This will allow your district to change DNS domains from district.k12.pa.us to district.org in the future or have separate DNS domains for staff and students, without having to reconfigure ADFS.

Happy integrating!

Tech Talk Live Blog Comment Guidelines:

One of our main goals at Tech Talk Live is to build a community. It is our hope that this blog can be a forum for discussion around our content. We see commenting as an integral part of this community. It allows everyone to participate, contribute, connect, and share relevant personal experience that adds value to the conversation. Respect counts. We believe you can disagree without being disagreeable. Please refrain from personal attacks, name calling, libel/defamation, hate speech, discriminatory or obscene/profane language, etc. Comments should keep to the topic at hand, and not be promotional or commercial in nature. Please do not link to personal blog posts, websites, or social media accounts that are irrelevant to the conversation. This is considered self-promotion. We welcome links that help further the conversation and reserve the right to delete those we deem unnecessary. The appearance of external links on this site does not constitute official endorsement on behalf of Tech Talk Live or Lancaster-Lebanon Intermediate Unit 13. You are solely responsible for the content that you post – please use your best judgment. We reserve the right to remove posts that do not follow these guidelines.

Leave a Reply

Your email address will not be published. Required fields are marked *


Tech Talk Live is the only conference of its kind in the region specifically designed for IT pros in education.

1020 New Holland Avenue, Lancaster, PA 17601

(717) 606-1770