Issues with UCS and Office 365 Integration

I’m in the process of replacing an old Microsoft AD domain (example.local) with a new domain in UCS (example.com). The goal is to synchronize UCS passwords with Office 365 so that users have a single password for both UCS and Office 365 services. However, I’m encountering several issues:

1. Password Sync Issue: Users created in UCS cannot log in to Office 365 using their UCS passwords. Password changes in UCS do not update or synchronize with Office 365.
2. License Assignment: When creating new users in UCS, the users are created in Office 365, but they do not have licenses assigned, so their mailboxes are not created.
3. Existing Users: Existing Office 365 users, who have new UCS accounts created with matching details, still cannot use their UCS passwords to log into Office 365 services. The passwords set in UCS are not synchronized with their Office 365 accounts.

I have tried setting up the integration multiple times but the issues persist. Any guidance on how to resolve these problems and ensure proper synchronization between UCS and Office 365 would be greatly appreciated.

Any joy here? If this is a feature that doesn’t work, what is the intended purpose for the 365 connector?

Thanks

Could it be that you are not being forwarded to the UCS SSO page when trying to sign into MS 365?

While it has been some time since I last tested it, they still mention that they use the SSO functionality. So there is one part provisioning users while authentication is done via UCS SSO services (basically they are likely using the MS Graph API to create users etc.).

Unlike AAD Connect Sync (which can sync password hashes from an AD to Entra ID), no passwords are synchronized between UCS and Entra ID; even their current docs confirm that.

Unfortunately the docs don’t show the current full process, but if I remember correctly, at some point you had to tell Azure AD / Entra ID that it should use federated authentication or something similar for specific users or even a domain, so that a user provisioned by UCS in Azure would use the UCS SAML authentication (now via Keycloak) and therefore be forwarded to your UCS SSO portal.

[1] “Authentication takes place against the UCS server, and no password hashes are transmitted to Microsoft Azure Cloud.” (10.1. Microsoft 365 Connector — Univention Corporate Server - Manual for users and administrators)
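A tenant-side check for the two points above (is the domain federated, and do provisioned users have a licence), added here as an example and not taken from the thread or from Univention’s documentation. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may read domains and users, and that example.com is the UCS-managed domain from the question:

```powershell
# Added diagnostic (not from the thread or from Univention): check from the
# Entra ID side whether the UCS-managed domain is federated, where sign-ins
# are sent, and which provisioned users still have no licence.
param(
    [string]$Domain = "example.com"   # assumption: the UCS-managed domain
)

Connect-MgGraph -Scopes "Domain.Read.All", "User.Read.All"

# 1. A UCS-provisioned user is only redirected to the UCS SSO portal when the
#    domain's authentication type is "Federated". "Managed" means Entra ID
#    expects its own password, which UCS never synchronises.
$d = Get-MgDomain -DomainId $Domain
"{0}: verified={1} authentication={2}" -f $d.Id, $d.IsVerified, $d.AuthenticationType

if ($d.AuthenticationType -eq "Federated") {
    # Where Entra ID sends interactive sign-ins; this should be the
    # UCS / Keycloak SSO endpoint that is reachable from the internet.
    Get-MgDomainFederationConfiguration -DomainId $Domain |
        Select-Object IssuerUri, PassiveSignInUri, SignOutUri
}
else {
    "Domain is not federated: users will be asked for an Entra ID password."
}

# 2. Users in the domain that were provisioned but carry no licence
#    (which is why no mailbox is created for them).
Get-MgUser -All -ConsistencyLevel eventual -CountVariable c `
    -Filter "endsWith(userPrincipalName,'@$Domain')" `
    -Property UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -eq 0 } |
    Select-Object UserPrincipalName
```

The `endsWith` filter needs the `ConsistencyLevel eventual` header together with a count variable, which is why both are passed to `Get-MgUser`.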

So the whole goal here is to have password sync. Is there no way to do this where the actual password is synchronized without paying for Microsoft to host the DC in the cloud? I don’t know that it will be possible to do SSO using UCS behind the reverse proxy that runs the network, especially if it doesn’t work on port 80 or 443, but if it is possible, will this work to allow login via the thick apps as well? The goal here is to make things easier for the users, not harder, so I want to ensure any solution does that.

As far as I know there is no password sync to Microsoft 365 (Entra ID).
You have to use SSO from Univention to authenticate your users.

You can run Univention’s Keycloak behind a reverse proxy as described here:
https://docs.software-univention.de/keycloak-app/latest/use-cases.html#single-sign-on-through-external-public-domain-name

After that you can log in with your Univention primary e-mail at office.com and you should be redirected to your SSO URL.

If you want to connect existing Microsoft 365 users in Entra ID with your Univention users you have to use a script:
https://forge.univention.org/bugzilla/show_bug.cgi?id=48641

To add a licence to your users you can follow this guide:

Univention’s point is that you get to keep control over authentication with UCS. However, I see your issue, and that has been one reason in a setup not to recommend UCS for that particular reason.

there no way to do this to where the actual password is synchronized without paying for Microsoft to host the DC in the cloud?

Just to be more precise, even with an MS AD that is synchronized to Entra ID (née AAD) using Entra ID Connect Sync (née AAD Connect) you do not synchronize passwords, but password hashes.

But yes, as far as I understood, UCS does not synchronize any hashes or passwords to Entra ID.

will this work to allow login via the thick apps as well?

That I can confirm from testing: it’s been quite some time, but thick apps from MS using OAuth worked.

If it works, it should be equally easy / difficult for end users to authenticate using UCS. But the one downside I see with how Univention does it is that it heavily relies on your UCS authentication infrastructure being reachable over the internet. If your internet feed goes down or your Keycloak / OpenLDAP infra stops running, (mostly) nobody can authenticate against your M365 services in your tenant.
