Azure AD Connect is a tool for identity synchronization between on-premise AD and Azure AD. Azure Ad connect supports hybrid authentication which includes Password hash authentication (PHA), Pass-through authentication(PTA) and federation (ADFS). Hybrid authentication methods provide single-sign on capabilities.
Azure AD connect is completely free to use and synchronize even if we don’t own any cloud subscriptions. It is an upgraded version of Azure AD sync and Dirsync.
Requirement for Azure AD connect
- Azure AD tenant. (domainname.onmicrosoft.com)
- AD schema version and forest functional level (FFL) must be set to Server 2003 or higher.
- Domain Admin credential.
- Global Admin of the tenant.
- Add and verify the domain.
- Update the UPN name of the users in local AD to match the public domain name verified in the cloud. (UPN suffix to be updated from [email protected] to [email protected])
- SQL database (optional- To manage 100,000+ objects)
- Ports to be allowed in firewall – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
Microsoft recommends to use Idfix Dirsync error remediation tool before initial sync to remediate the object errors in the Active Directory preparation.
Installation of Azure AD connect
1. Download the latest Azure AD connect and double-click on the installed file for installation.
2. Read the license agreement and click ‘Continue’ if you agree.
3. Azure AD connect is available to install as ‘Custom installation‘ and ‘Express installation‘. Click ‘Customize‘ to enter custom installation.
- Custom installation provides option to specify custom location, sync only the selected OU, adding the SQL server instance. Proceed with custom installation to sync users only from the selected OU.
- Express installation is recommended by Microsoft for single server forest. By default, password hash sync and auto upgrade is enabled with express settings. Proceed with express installation to sync the entire domain. In this example, we installing with express install option.
4. Enter the credential of the Azure AD Global admin and click ‘Next‘.
5. Enter enterprise admin credential of on premise AD and click ‘Next’
6. In Next step, AD connect will verify that UPN suffix of local AD matches with added custom Azure AD domain. Verify your domain and click ‘Next’.
7. Configure: Select ‘Synchronization process’ to start sync immediately. Select ‘Exchange hybrid deployment’ if planning to migrate mailboxes (Recommended). Click ‘Install’
8. AD connect will install synchronization service and initiate sync between local AD and Azure AD.
9. Congrats! Configuration is completed successfully.
10. Verify the configuration : Login in to Microsoft 365 admin center – https://admin.microsoft.com with global admin credential to verify initial sync.
- Also verify the login of https://portal.office.com using on premise AD user credential.
- By default, sync between local AD and Azure AD occurs in every 30 minutes. To force AD sync Open Windows Azure Active directory powershell and run following commands:
Import-module Adsync
Start-ADSyncSyncCycle -PolicyType Delta # To initiate Delta Sync
< or >
Start-ADSyncSyncCycle -PolicyType Delta # To initiate Full Sync - An Azure AD tenant allows by default 50K objects and increased to 300K objects on domain verification.
To initial a full sync it should be ” start-ADSyncSyncCycle -PolicyType Initial