Sync On-Premises AD with Azure AD using Azure AD Connect
Microsoft has had an evolution of tools over the past few years that allow syncing on-premises Active Directory users with its Azure AD cloud directory service. These have included the legacy Forefront Identity Manager (FIM) product, DirSync, and others. Now the tool is Azure AD Connect, which you install on-premises on a Windows Server and which synchronizes your on-premises AD with Azure AD. It is fairly straightforward to configure; let's take a look at how to sync on-premises AD with Azure AD using Azure AD Connect. We will see how this tool is installed and configured to synchronize your local Active Directory environment with Azure AD.
Why Synchronize On-Premises AD with Azure AD?
You may wonder why you would want to synchronize your on-premises Active Directory environment with Azure AD. There are many reasons to do this today.
Cloud is becoming the central focal point for most businesses today. If you don’t already have a cloud presence of some type, most likely you are currently looking at migrating to the cloud, or already have a migration underway.
One of the popular reasons driving the configuration of Active Directory synchronization is a migration to Microsoft Office 365 for cloud email and storage.
Synchronizing your on-premises directory service with Azure AD allows you to configure hybrid identity, which gives your end users a seamless experience between on-premises resources and resources located in the cloud.
At a very basic level, this includes being able to use the same password in the cloud as on-premises. This is an important baseline requirement for most businesses, and configuring directory synchronization between on-premises Active Directory and Azure AD is the mechanism that makes it possible.
Configure Azure AD and Download Azure AD Connect
Before configuring Azure AD Connect, you need to actually have an Azure AD environment configured. In the lab environment, I simply have an Azure AD free subscription along with my Visual Studio subscription for testing. You need to start the free subscription or one of the paid directory editions in your Azure environment.
You will notice there is an entire “blade” under Azure AD dedicated to Azure AD Connect. If you click on this blade, you will see the option to download Azure AD Connect as well as configuration information about any synchronization services currently configured.
Azure AD Connect Requirements
The Azure AD Connect utility is a service that you run on-premises. So, you will need a server/VM to run the service. What are the requirements for installing the Azure AD Connect synchronization utility?
Server OS | Other software
---|---
Windows Server 2012 R2 and later | PowerShell is installed by default; no action is required. .NET 4.5.1 and later releases are offered through Windows Update. Make sure you have installed the latest updates to Windows Server in the Control Panel.
Windows Server 2008 R2 with Service Pack 1 (SP1) or Windows Server 2012 | The latest version of PowerShell is available in Windows Management Framework 4.0. Search for it on Microsoft Download Center. .NET 4.5.1 and later releases are available on Microsoft Download Center.
Windows Server 2008 | The latest supported version of PowerShell is available in Windows Management Framework 3.0, available on Microsoft Download Center. .NET 4.5.1 and later releases are available on Microsoft Download Center.
Azure AD Connect Installation
Once you have downloaded the Microsoft Azure AD Connect setup file, run the setup and click Next.
You are presented with the Azure AD Connect Welcome screen. The screen gives you an overview of the Azure AD Connect tool and also contains the EULA checkbox.
For many, the Express Settings will be what they want to configure. The page gives you an overview of what the Express Settings actually do. This includes:
- Configure synchronization of identities in the current AD forest
- Configure password hash synchronization from on-premises AD to Azure AD
- Start an initial synchronization
- Synchronize all attributes
- Enable Auto Upgrade
You may also see a warning about a non-routable domain if you are using a .local or some other non-routable domain, as I am in the lab environment. Keep in mind that you will need the same UPN suffix both on-premises and in your Azure AD environment, or the synchronization between them will not work.
Provide your Azure AD global administrator credentials.
Provide your local on-premises Active Directory credentials.
As mentioned above, you will need to have the same UPN suffixes between on-premises and your Azure AD environment.
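The UPN suffix check described above can be done from PowerShell before you run the wizard, so that the routable-domain warning does not surprise you. The following is an added example and not code from the original post: it lists the UPN suffixes known to the on-premises forest, compares them with the domains verified in the Azure AD tenant, and then lists any users in the OU you intend to synchronize whose UPN suffix is not verified in the cloud. It assumes the ActiveDirectory RSAT module and the MSOnline module are installed, that Connect-MsolService has already been run, and the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example: compare on-premises UPN suffixes with the domains verified in Azure AD.
# Assumes the ActiveDirectory and MSOnline modules are installed and that
# Connect-MsolService has already been run in this session.
Import-Module ActiveDirectory
Import-Module MSOnline

# On-premises: every domain DNS name in the forest plus any alternative UPN suffixes
$forest = Get-ADForest
$onPremSuffixes = @($forest.Domains) + @($forest.UPNSuffixes) | Sort-Object -Unique

# Azure AD: only domains with Status = Verified can be used as UPN suffixes in the cloud
$verifiedDomains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

foreach ($suffix in $onPremSuffixes) {
    if ($verifiedDomains -contains $suffix) {
        Write-Output "OK      $suffix is a verified domain in Azure AD"
    }
    else {
        # Typical for .local lab domains: the suffix cannot be verified in Azure AD
        Write-Warning "$suffix is not a verified Azure AD domain; users with this UPN suffix will not match between on-premises and the cloud"
    }
}

# Users inside the OU targeted for synchronization whose UPN suffix is not verified.
# The OU below is a placeholder; replace it with the OU you scope in Domain/OU Filtering.
$targetOu = 'OU=TestUsers,DC=corp,DC=local'
Get-ADUser -Filter * -SearchBase $targetOu -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and
        ($verifiedDomains -notcontains $_.UserPrincipalName.Split('@')[1])
    } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it on a domain-joined management workstation (or the server you intend to install Azure AD Connect on) before launching the wizard; an empty result from the last query means every user in scope has a UPN suffix the tenant can accept.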
You are now ready to begin configuring the synchronization between on-premises and Azure AD. You can check the box to Start the synchronization process when configuration completes, and you also have the option to select Exchange hybrid deployment if you are setting up hybrid mail flow between on-premises and Office 365.
Configuration finishes. You will see a few checks and warnings on certain things such as the AD Recycle Bin, synchronization status, etc., depending on the settings you chose in the configuration as well as the current settings of your on-premises Active Directory environment.
Sync On-Premises AD with Azure AD using Azure AD Connect
If you want to reconfigure any of the settings you may have chosen in the initial setup and configuration, just relaunch the Azure Active Directory Connect tool and choose to Configure. Here I am configuring the Domain/OU Filtering options. This allows you to scope down the OUs/users that you want to synchronize between on-premises and Azure AD.
The Optional features screen allows you to select other options as relevant to your particular environment.
I am selecting the Start the synchronization process when configuration completes option so the initial sync begins as soon as I click the Configure button.
The configuration begins and processes through the synchronization of user objects. I also launched the Synchronization Service Manager utility, which is installed in the Azure AD Connect program group.
I have it overlaid on top of the Azure Active Directory Connect tool. As you can see, you can click the Operations button and see the current operations as they complete in the process.
For those who may be familiar with the previous tools, this looks very familiar (identical, in fact) to FIM and the other earlier tools.
Sure enough, when I navigate to Default Directory > All Users, I see the two “testusers” that I had placed in the OU I targeted for the synchronization process.
Azure AD PowerShell Tools
It is worth noting here that PowerShell is a great way to interact with Azure AD. You can install the Azure AD PowerShell module by typing in the following:

```powershell
Install-Module -Name MSOnline
```

Additionally, you then connect to your Azure AD environment with the cmdlet:

```powershell
Connect-MsolService
```
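The same check you did in the portal (confirming that the test users in the targeted OU arrived in Azure AD) can be done from PowerShell, and the sync can be kicked off without waiting for the scheduler. The following is an added example, not code from the original post. It assumes it runs on the Azure AD Connect server itself, where the ADSync module is installed alongside the tool (which is one reason access to that server should be limited to the administrators who run synchronization), that the MSOnline module has been installed as shown above, and that `testuser1@corp.example` is a placeholder UPN for one of the synchronized accounts.

```powershell
# Added example: trigger a delta sync on the Azure AD Connect server and verify the
# result from the Azure AD side. Assumes the ADSync module (installed with Azure AD
# Connect) and the MSOnline module are present on this server.
Import-Module ADSync
Import-Module MSOnline

# 1. Inspect the built-in scheduler: is sync enabled, how often does it run, and when is the next cycle?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

# 2. Start a delta sync now rather than waiting for the next scheduled cycle.
#    (Use -PolicyType Initial only for a full re-import after scope changes.)
Start-ADSyncSyncCycle -PolicyType Delta

# 3. Start-ADSyncSyncCycle returns immediately; poll until no connector run is in progress.
#    Get-ADSyncConnectorRunStatus returns nothing once the cycle has completed.
do {
    Start-Sleep -Seconds 10
} while (Get-ADSyncConnectorRunStatus)

# 4. Connect to Azure AD (prompts for the global administrator credentials).
Connect-MsolService

# 5. Confirm the tenant reports directory sync enabled and when it last ran,
#    including the last password hash sync if Express Settings enabled it.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime

# 6. Confirm a specific user arrived as a synchronized object. A populated ImmutableId
#    distinguishes a synchronized account from a cloud-only one.
$upn = 'testuser1@corp.example'   # placeholder UPN
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime

# 7. List every synchronized user, which should match the contents of the OU you scoped.
Get-MsolUser -Synchronized -All |
    Select-Object UserPrincipalName, LastDirSyncTime |
    Sort-Object UserPrincipalName
```

Step 7 is the quickest way to catch an OU filter that is wider than intended: if accounts you did not expect appear in the synchronized list, revisit the Domain/OU Filtering page in the Azure Active Directory Connect tool and run another delta sync.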
Wrapping Up
If you are looking to sync on-premises AD with Azure AD using Azure AD Connect, the process is fairly straightforward. I think Microsoft has made strides in making this process easier and better than it was with some of the older tools.
If you are not already doing this, most likely you will be required to synchronize your on-premises environment with the cloud at some point to support hybrid identity initiatives such as Office 365 and others.