
itrezzo Onboarding and Quick Start Guide

This guide provides a detailed breakdown of the CiraSync Service Account Requirements for Hybrid Environments:

Hybrid Environment

Hybrid environments involve synchronizing an on-prem AD with both Exchange on-prem and Office 365 mailboxes in Exchange Online.

Use Case 1: For reading an on-prem AD and syncing directly to Office 365 mailboxes

For syncing on-prem AD users to Office 365 mailboxes, a combination of an on-prem service account and an O365 service account is required.

The service account must be created with the following:

  • Access to the on-prem AD (this account is used to run the itrezzo services and read the on-prem AD)
  • Member of the “local administrator” group on the server where the software will be installed
  • “Log on as a service” rights granted on the server where the software will be installed
  • Mail-enabled (the on-prem service account needs to have a mailbox) – this mailbox is used to store the majority of the itrezzo UCM software configuration, including licenses
  • Able to receive mail from the internet (for licensing)
  • Application Impersonation role (needs to be assigned to this service account)
  • All retention policies and archiving must be disabled on this mailbox. This is needed for basic configuration, and also because this on-prem service account is used to open the targeted user mailboxes that reside in Exchange on-premise, which is necessary to sync to those mailboxes.
  • If you are reading the on-prem AD and need to sync to two mailboxes, one on-prem and one in the cloud, you need only one service account with a mailbox in Exchange on-premise. To make sure the service can access the mailboxes in Exchange Online, use the app consent that is created in CiraSync On-Prem Administrator.

We have two options for authenticating access to targeted user mailboxes:

Authentication Methods:

  1. CiraSync Application Consent
  2. Certificate-Based Authentication

With Certificate-Based Authentication:

  • A certificate can be created using the Itrezzo Admin tool and configured with a desired expiration date.
  • Global Admin approval is required for certificate creation.
  • For a detailed overview, visit: Certificate-Based Authentication Overview
  • Once the initial setup is complete, the Application Impersonation role can be removed from the O365 service account.

Use Case 2: For reading an on-prem AD and syncing directly to both Exchange on-prem and O365 mailboxes

In this scenario, targeted mailboxes exist both on-prem and in Exchange Online.

Service Account Requirements

The service account must be created with the following:

  • Access to the on-prem AD – This account will be used to run Itrezzo services and read the on-prem AD.
  • Member of the “Local Administrators” group on the server where the software will be installed.
  • “Log on as a service” rights must be granted on the server where the software will be installed.
  • Mail-enabled (the on-prem service account must have a mailbox) – This mailbox will store the majority of the Itrezzo UCM software configuration, including licenses.
  • Able to receive mail from the internet (required for licensing).
  • Application Impersonation role must be assigned to this service account.
  • All retention policies and archiving must be disabled on this mailbox. This is necessary for basic configuration, as well as for enabling the on-prem service account to open targeted user mailboxes residing in Exchange on-premise, allowing synchronization with those mailboxes.

Note: If you are reading from an on-prem AD and need to sync to two mailboxes—one on-prem and one in the cloud—you only need one service account with a mailbox in Exchange on-premise. To ensure that the service account can access mailboxes in Exchange Online, App Consent must be set up in CiraSync On-Prem Administrator.
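A read-only check of the service account requirements listed above, as an added example (not itrezzo or CiraSync code). It assumes an elevated PowerShell session on the install server with the on-prem Exchange Management Shell loaded; the account name `CONTOSO\svc-itrezzo` and the temporary file name are placeholders.

```powershell
# Added example: read-only audit of the on-prem service account prerequisites.
# Assumes an elevated session on the install server with the Exchange
# Management Shell loaded. 'CONTOSO\svc-itrezzo' is a placeholder name.
param([string]$Account = 'CONTOSO\svc-itrezzo')

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Local Administrators, matched by well-known SID so the check works on any
# OS language. Direct membership only; nested groups are not expanded.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

# "Log on as a service": export the user-rights policy and look for the
# account SID on the SeServiceLogonRight line (direct grants only).
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' |
    Select-Object -First 1
$sidPattern = [regex]::Escape("*$sid") + '(,|\s|$)'
$hasLogonRight = [bool]($right -and ($right.Line -match $sidPattern))
Remove-Item $cfg -ErrorAction SilentlyContinue

# Mailbox and role checks against on-prem Exchange.
$mbx = Get-Mailbox -Identity $Account -ErrorAction Stop
$imp = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
    -RoleAssignee $Account -ErrorAction SilentlyContinue

# The sender-authentication flag is a necessary condition for receiving
# internet mail, not a full mail-flow test (connectors and MX are not checked).
$checks = [ordered]@{
    'Member of local Administrators'     = $isAdmin
    'Log on as a service granted'        = $hasLogonRight
    'Mailbox present'                    = [bool]$mbx
    'Accepts mail from internet senders' = -not $mbx.RequireSenderAuthenticationEnabled
    'ApplicationImpersonation assigned'  = [bool]$imp
    'No retention policy on mailbox'     = [string]::IsNullOrEmpty("$($mbx.RetentionPolicy)")
    'No archive mailbox'                 = "$($mbx.ArchiveGuid)" -eq [guid]::Empty.ToString()
}

# Emit one row per requirement so failures stand out.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Met = $_.Value }
}
```

Because the account combines local administrator rights with Application Impersonation, keeping the output of this check with the change record makes later reviews of the account's privileges easier.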

Authentication Options 

We offer two authentication methods:

1. Microsoft Access Token (used for the initial setup)

    • Issued using the Azure Consent Framework.

2. Certificate-Based Authentication

    • A certificate can be created using the tool available in Itrezzo Admin and set with a desired expiration date.
    • Global Admin approval is required for certificate creation.
    • Certificate Overview: https://itrezzo.com/support/certificate-based-authorization-with-itrezzo-ucm/
    • With this option, after the initial setup, the Application Impersonation role can be removed from the O365 service account.
    • CiraSync Application Consent setup

Hybrid Authentication

  • To sync both on-prem and Office 365 mailboxes, the service account with a mailbox in Exchange on-prem will be used to sync on-prem mailboxes.
  • To access Office 365 mailboxes, App Consent in CiraSync on-prem Administrator must be set up.

 
