One of the most frequently asked questions by new Azure AD users is how to connect the on-premise Active Directory to Azure AD. The answer to that is through the Azure AD Connet tool.
In this article, you will learn how more Azure AD Connect and how to install and configure it to your system. Let’s get started.
What is Azure AD Connect?
Azure AD Connect is a Microsoft tool that will enable you to connect your on-premises Active Directory to Azure AD. In addition, it will help you meet and accomplish your hybrid identity goals with the following features:
- Password hash synchronization: An extension to the directory synchronization feature that synchronizes a hash of a user’s on-premises AD password with Azure AD.
- Pass-through authentication: A sign-in method that enables users to sign in to both on-premises and cloud-based applications with the same password without the need for an additional infrastructure of a federated environment.
- Federation integration: Federation is an option of Azure AD Connect that will enable you to configure a hybrid environment using on-premises Active Directory Federation Services. This will allow you to sign in to Azure AD using on-premises passwords.
- Synchronization: Unlike federation integration, synchronization is one of the main components of Azure AD Connect and will enable you to sync identity data between your on-premises environment with Azure AD.
- Health monitoring: Azure AD Connect Health is a robust monitoring tool for your on-premises infrastructure and will enable you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services.
Some of the benefits of using Azure AD Connect include:
- The ability for users to use a single identity to access on-premises services and applications like Microsoft 365.
- The tool will help users to easily deploy synchronization and sign-in.
What are the prerequisites for installing Azure AD Connect?
Before we discuss how to install the tool, you need to make sure first that you have the prerequisites needed to successfully install and use Azure AD Connect.
Hardware Prerequisites for Azure AD Connect:
- You need to have an Azure AD tenant.
- You must add and verify the domain that you will be connecting to.
- You must identify potential problems in your on-premises data like duplicates and formatting problems. For this, you can use the IdFix tool.
- Check out the optional sync features and evaluate which ones you need to use and enable them.
- Ensure that you are using Windows Server 2003 or later for your Active Directory schema version and forest functional level.
- If you want to use the password writeback feature, the domain controller has to be on a Windows Server 2012 or later.
- The domain controller used by Azure AD must be writable since the read-only domain controller is not supported.
- It is recommended to enable the recycle bin of the Active Directory.
- Make sure that your PowerShell execution policy allows the running of scripts (the recommended policy is “RemoteSigned”.
- Ensure that administrative access to the Azure AD Connect server is secured.
Installation Prerequisites for Azure AD Connect:
- Azure AD Connect must be installed on a domain-joined Windows Server 2012 or later (and not on a Small Business Server or Windows Server Essentials before 2019) with a full GUI installed.
- If MFA is enabled, make sure to add https://secure.aadcdn.microsoftonline-p.com to the trusted sites list. Remember that you can always turn MFA prompt off.
- If you plan on using the Azure AD Connect to manage Federation Services (AD FS) configuration, make sure to disable PowerShell Transcription Group Policy. You must also configure TLS/SSL certificates and configure name resolution.
With that, let us proceed with how to install this tool.
How to install Azure AD Connect?
To start, you must first download Azure AD Connect and run the installation on the server. Go here to download Microsoft Azure Active Directory Connect.
On the installation window, tick the box for the license terms and privacy notice. Then, click on the green “Continue” box to proceed.
Unless you want to install the tool with the express settings, you should click on the “Customize” box, where you can choose to sync your accounts.
The next step is to install the required components. The installation tool will detect whether or not there is a synchronization service in your unit.
There are three types of optional configuration:
- Custom installation location
- Existing SQL Server
- Existing service account
Assuming that you have an existing service account, enter your domain administration credentials on the form provided. Finally, click on the “Install” box.
After that, you will have to configure your single sign-on (SSO) method. There are three choices here:
- Password Synchronization: You will be able to sign in to the cloud with the same passwords you use on-premises. This will not store or send clear text passwords.
- Federation with AD FS: You will be able to do a federated sign-in using Active Directory Federation Services. While logged into your corporate network, you will be able to access cloud services without entering passwords again.
- Do not configure: You will be able to do a federated sign-in with a solution that is not managed by this wizard.
Once you have made your choice, simply tick the radio box and click on the “Next” box.
Connect to Azure AD
All you need to do here is provide your Active Directory credentials or your Office 365 administrator credentials.
The first one is connecting your directories. Here, you must provide your deployment directory information. Make sure to add the directory by clicking on the “Add Directory” box.
You will then have to provide additional credentials to add an Active Directory connection.
Proceed to the next step by clicking on the “Next” box.
The next step is about selecting the on-premises attribute to use as your Azure AD username. The default is userPrincipalName.
To prevent any errors, you must also tick the checkbox to continue even without matching all UPN suffixes to verified domains.
Leave this as it is if plan on using an exchange hybrid deployment features. However, make sure to run IdFix and align your primary SMTP address values to the UPN (or else you will receive a warning that your UPN is not registered in your Office 365 tenant).
In case you will not be able to match your User Principal Name to your custom domains, do not enable Exchange Hybrid immediately.
Click “Next” when you are ready to proceed.
The next part is about Domain and OU filtering. You can normally leave everything here as default in order to sync the entire directory data and click on the “Next” box.
However, for exchange hybrid and mail routing, you may not wish to sync leavers’ accounts, service accounts, built-in accounts, and non-mail enabled security groups. In this case, only select the OUs with valid recipients.
The next step is about identifying your users. Again, you can leave everything here on their default settings and click on the “Next” box.
On the next page, you can choose how you want your users and devices to be synced. Unless you want to specify a group, leave this as it is and click on the “Next” box.
The next step is about selecting additional features that you want to activate. All you need to do is to tick on their boxes and click on the “Next” box.
Finishing the Installation
Once you have configured everything above, all that is left is to finish the installation. If you want to start the synchronization process when the configuration is complete, simply tick on its appropriate box.
Click on “Install” to start the process.
Once the configuration is complete, the installation wizard will let you know and you can then exit it.
The next thing you must do is to check your Microsoft 365 admin center and validate the synchronization task. Make sure that it was completed successfully.
If you are not sure where to look, you should see it within the “Users” and “Groups” sections of your Active Directory objects.
If you think that there is something wrong, go to the Azure AD Connect Health portal. This will provide you an idea of any sync errors and mishaps that happened.
Installing Azure AD Connect
Azure AD Connect is a great tool that will help you connect your on-premises Active Directory to Azure AD easily. With it, you will also be able to configure your hybrid identity with the help of the tools synchronization features.
But before you rush into installing the said tool, make sure to check on the prerequisites first. If there was one of them that you did not meet, the installation wizard will detect and inform you that the installation can’t take place.
As for the installation itself, it is pretty simple. In fact, all you need to do is follow the steps provided in this article.
If you have any other questions, feel free to leave a comment below or send me a direct message via the contact page.