Parameters for the OLSync Hosted Management Agent for Live@edu

 

Applies to: Live@edu

Important

Outlook Live Directory Sync (OLSync) is the synchronization solution for Microsoft Live@edu customers. If you are running a cloud-based e-mail service with Microsoft Office 365 for enterprises, you must use the Microsoft Online Services Directory Synchronization tool to synchronize your directories.

Depending on your organizational requirements, you may have to create a number of parameters on the Hosted management agent for Outlook Live Directory Sync (OLSync). You can create these parameters when you configure the Hosted management agent for the first time, or you can add the parameters after you have run OLSync. With the exception of the ProvisioningDomain parameter, which is required, all the parameters described here are optional.

Important

Don't make other changes to the Hosted management agent without direction from a Microsoft representative. OLSync has been developed to support the Hosted management agent as it is configured when you import it. For example, if you change the name of the Hosted management agent, you will get synchronization errors.

If you have already run OLSync and synchronized with Outlook Live, you have to restart the service—for Forefront Identity Manager (FIM) 2010, start the FIM 2010 Synchronization Service, and for ILM 2007, start the Microsoft Identity Integration Server service. Then run a full synchronization after you create new optional parameters. For more information, see Perform a Full OLSync Synchronization to Outlook Live.

The following table describes the parameters for the Hosted management agent. To learn how to add parameters, see Configure the OLSync Hosted Management Agent.

Parameter name Default parameter? Description Recommendation

ProvisioningDomain

Yes.

If you configured OLSync with an OLSync service account, the ProvisioningDomain parameter is set to the domain that you specified in the Microsoft ID for that account.

If you configured OLSync to use certificate-based authentication instead of a service account, the ProvisioningDomain parameter will be empty and you have to set it.

Note: Certificate authentication is no longer supported for new installations of OLSync.

The ProvisioningDomain parameter is required. It must include at least one accepted domain in Outlook Live.

The ProvisioningDomain parameter is used as a trigger to auto-provision mailboxes in Outlook Live. Only an accepted domain can be a provisioning domain.

You can add multiple domains to this parameter separated by semicolons, for example, contoso.edu; fabrikam.edu.

Do not remove domain entries from the ProvisioningDomain parameter after you have run a synchronization cycle. To change a provisioning domain, add a new domain name to this parameter.

After users are provisioned, changing the value of the ProvisioningDomain parameter doesn't remove those user accounts. Accounts that have been created in Outlook Live will remain and are represented in Microsoft FIM 2010 or Microsoft ILM 2007 FP1 by a GUID in the metaverse. Therefore, the user accounts will continue to be updated according to the changes on the source object in the on-premises Active Directory Domain Services (AD DS) or Active Directory directory service as long as the object exists in the FIM 2010 or ILM 2007 FP1 metaverse.

ResetPasswordOnNextLogon

Yes.

Default is True.

Setting this parameter to True will force users to reset the password on their new Microsoft account when they sign in for the first time. This is the default behavior.

This parameter doesn't apply if you are running Outlook Live in a Connected Federation deployment. Connected Federation passwords are managed by the on-premises AD DS or Active Directory. As a security best practice, you shouldn't set this parameter to False.

MVWindowsLiveIdAttributeName

Yes.

Default is UserPrincipalName.

The MVWindowsLiveIdAttributeName parameter defines how OLSync provisions the Microsoft account names in Outlook Live.

By default, OLSync names new Microsoft accounts according to the userPrincipalName (UPN) attribute on the on-premises recipient object. Therefore, when OLSync provisions new accounts in Outlook Live, the new Microsoft ID matches the on-premises UPN for the corresponding account.

The MVWindowsLiveIdAttributeName parameter takes any attribute name. For example, you can enter customAttribute1 if you are flowing a custom attribute from the on-premises extensionAttribute1 attribute.

You must only enter attributes that hold a single SMTP address value. For this reason, don't enter the proxyAddresses attribute for this parameter. If you want to flow the primary SMTP address from the on-premises mail-enabled users or mailbox-enabled users, leave the MVWindowsLiveIdAttributeName parameter empty. The video demonstration at the end of this topic shows how to configure the primary SMTP address as the provisioning SMTP address.

Do not remove the MVWindowsLiveIdAttributeName parameter from the Additional Parameters page. If the MVWindowsLiveIdAttributeName parameter is removed, OLSync uses the UPN value.

In an environment in which Microsoft Exchange isn't installed on-premises, if the MVWindowsLiveIdAttributeName parameter is set to null, OLSync uses the mail attribute to name the accounts for the Outlook Live mailboxes that are provisioned.

In an environment in which Microsoft Exchange is installed on-premises, and if the MVWindowsLiveIdAttributeName parameter is set to null, OLSync uses the primary SMTP Address in the proxyAddresses attribute on-premises to name the Microsoft IDs for the Outlook Live mailboxes that are provisioned.

DisableWindowsLiveId

Yes.

Default is False.

Set the DisableWindowsLiveId parameter to True to remove mailboxes when the on-premises source account is removed. When the cloud-based mailbox is removed, the corresponding Microsoft ID is also deleted, and the owner of the Microsoft ID loses all Microsoft services.

If you leave the DisableWindowsLiveId parameter set to False, nothing happens to the corresponding cloud-based mailbox or Microsoft services when the on-premises source account is removed.

The recommended setting for the DisableWindowsLiveId parameter is False.

PasswordFile

Yes.

Default is report\password.xml

Specify the name and location of the password file, for example, D:\admin\pwd.xml.

If a file name is provided, the default path is <system drive>:\Program Files\Microsoft Identity Integration Server\MaData\Hosted\.

When OLSync provisions a new Microsoft account in Outlook Live, the password for the new Outlook Live account is written to the file that is specified in this parameter.

Initial passwords for each Outlook Live mailbox or Microsoft ID-enabled synchronized user are stored cumulatively in the password file.

You must distribute the initial passwords to your users. By default, the ResetPasswordOnNextLogon parameter is set to True, so users are forced to change the password when they sign in for the first time.

We recommend you specify a secured directory for the password file.

SyncProxyAddressProtocol

No

By default, OLSync synchronizes SMTP and X500 addresses in the ProxyAddresses attribute from the on-premises recipient object to the corresponding Outlook Live object. Set the SyncProxyAddressProtocol parameter to synchronize other protocol address types.

For example, you can synchronize additional protocol address types such as SIP by setting the SyncProxyAddressProtocol parameter to SIP.

You can add multiple protocol address types to this parameter separated by semicolons, for example, EUM; SIP.

Valid values for this parameter are determined by the protocol address types that you have stored on the ProxyAddresses attribute on recipient objects in your on-premises Active Directory.

If you remove an additional protocol address type from this parameter after you run a full synchronization, OLSync removes the addresses on the corresponding Outlook Live recipient object during the next full synchronization.

Set the SyncProxyAddressProtocol parameter only if an additional protocol is required by your Outlook Live feature set.

EvictLiveIdOnCreate

No

An e-mail as sign in ID (EASI ID) is a Microsoft ID that was created in a domain namespace before Outlook Live was deployed in the same domain namespace.

For example, a student at Contoso University may have created a Microsoft ID, KwekuA@contoso.edu, before Contoso University enrolled in Outlook Live. After Contoso University establishes a contoso.edu Outlook Live domain, the Microsoft ID, KwekuA@contoso.edu, is an unmanaged EASI ID in the Outlook Live contoso.edu domain.

By default, when OLSync tries to create a mail-enabled user or a mailbox-enabled user in Outlook Live in which a matching EASI ID already exists, an error is logged and a recipient object in Outlook Live isn't created.

You can change this behavior by setting the EvictLiveIdOnCreate parameter to True. When you set the EvictLiveIdOnCreate parameter to True, the EASI ID is evicted from the domain and new recipient objects are created in the Outlook Live domain according to their corresponding on-premises names.

When a Microsoft account status is set to "evict," the account is in a state that forces the user to rename the Microsoft ID the next time the user signs in. After the user renames the Microsoft ID to an unmanaged domain name, the account is fully functional again.

Set the EvictLiveIdOnCreate parameter to True if you want all provisioned accounts in your Outlook Live domain to match the corresponding on-premises accounts.

Setting the EvictLiveIdOnCreate parameter is recommended for organizations that are running in a Connected Federation environment.

If your organization isn't running in a Connected Federation environment, you should consider importing existing Windows Live accounts for users in your organization that already have a Microsoft ID in your domain. For more information, see Import or Evict Existing Microsoft IDs in Live@edu.
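The PasswordFile recommendation above (a secured directory for the file that accumulates initial passwords) can be applied with an explicit ACL on the folder. The following PowerShell is an added example, not part of the original documentation or of OLSync; D:\admin is the page's sample location, and the account name CONTOSO\svc-olsync is a hypothetical placeholder for whichever account writes the password file in your deployment.

```powershell
# Added example: restrict the folder that holds the OLSync password file.
# $PasswordDir is taken from the page's sample path D:\admin\pwd.xml.
# $ServiceAccount is a hypothetical placeholder (assumption) for the account
# that runs the synchronization service and must be able to write the file.
$PasswordDir    = 'D:\admin'
$ServiceAccount = 'CONTOSO\svc-olsync'

if (-not (Test-Path -Path $PasswordDir)) {
    New-Item -ItemType Directory -Path $PasswordDir | Out-Null
}

$acl = Get-Acl -Path $PasswordDir

# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries that were already set on the folder.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Allow list: administrators and SYSTEM manage the folder, the service writes to it.
$grants = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = $ServiceAccount;          Rights = 'Modify' }
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $PasswordDir -AclObject $acl

# Verify: fail if any entry remains for an identity outside the allow list.
$allowed    = $grants | ForEach-Object { $_.Identity }
$unexpected = (Get-Acl -Path $PasswordDir).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
    throw "Unexpected ACL entries remain on $PasswordDir"
}
```

Because the password file is cumulative, run the verification part again after any change to the PasswordFile parameter so the new location carries the same restrictions.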

Watch this demo to learn how to set the MVWindowsLiveIdAttributeName OLSync parameter

In this video demo, you'll learn how to configure OLSync to use the on-premises primary SMTP address as the Microsoft account during user provisioning.

Read more

Implement Outlook Live Directory Sync for Live@edu