In this blog, I am going to show you how to connect Active Directory Domain Services (AD DS) with Azure Active Directory through Azure AD Connect. Once this is configured, on-premises Active Directory users are synced to Azure AD, and those synced users can then be used to configure Hybrid Azure AD join.

What is Azure AD Connect

Azure AD Connect is an application used to synchronize identity data between on-premises infrastructure and Azure AD. It is a sync engine which, once installed and configured, syncs users, groups, devices, etc. to Azure Active Directory. You may also use an OU-level scoping filter to synchronize specific OUs only. This approach is required for organizations going with a hybrid model, as it allows on-premises identities to synchronize with Azure AD, hence the term hybrid identity. It provides three authentication methods:

  • Password hash synchronization (PHS)
  • Pass-through authentication (PTA)
  • Federation (AD FS)

Create Sync Account

Before starting, we need a Sync Account created in the Azure portal with the Global Administrator role assigned. This account will be responsible for syncing the on-premises AD with Azure AD. For this purpose, we are going to use the account name SyncAccount.

Log in to the Azure portal and create the SyncAccount.


Assign either the Global Administrator or the Hybrid Identity Administrator role to SyncAccount.
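As an added example (not part of the original post), here is the same account creation and role assignment done with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in operator is allowed to create users and assign directory roles, and that `contoso.onmicrosoft.com` is a placeholder for your tenant domain. It assigns Hybrid Identity Administrator rather than Global Administrator, since that is the least-privileged role that can run the Azure AD Connect wizard.

```powershell
# Added example (not from the original post): create SyncAccount and assign the
# Hybrid Identity Administrator role via the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed; $tenantDomain is a placeholder.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$tenantDomain = "contoso.onmicrosoft.com"   # placeholder, replace with your tenant domain
$roleName     = "Hybrid Identity Administrator"

# Generate a random initial password rather than hard-coding one in the script.
$chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*'
$initialPassword = -join ((1..24) | ForEach-Object { $chars | Get-Random })

$syncAccount = New-MgUser -DisplayName "SyncAccount" `
    -UserPrincipalName "SyncAccount@$tenantDomain" `
    -MailNickname "SyncAccount" `
    -AccountEnabled `
    -PasswordProfile @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $false   # the wizard will use this password as-is
    }

# A directory role is listed in the tenant only after it has been activated from its template.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Add the new user to the role by object reference.
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($syncAccount.Id)"
}

# Verify the assignment before moving on to the Azure AD Connect wizard.
$isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object { $_.Id -eq $syncAccount.Id }
if ($isMember) { "SyncAccount is now a $roleName" } else { throw "Role assignment failed" }

# Print the generated password once so it can be stored in a vault; it is not logged anywhere else.
"Initial password for $($syncAccount.UserPrincipalName): $initialPassword"
```

The role is looked up by display name and activated from its template if the tenant has never used it, which is why the script does not hard-code a role ID. The generated password is shown exactly once; store it in a password vault and use it in the Connect to Azure AD step of the wizard.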

Configure AD synchronization with Azure AD Connect

Download Microsoft Azure Active Directory Connect (AzureADConnect.msi) from the following link

Once downloaded, start the installer. This will bring up the Welcome page.

On the Welcome to Azure AD Connect page, select “I agree to the license terms” and click Continue.

Welcome to Azure AD Connect

On the Express Settings page, click Customize.


On the Install required components page, we are not going to select any option at the moment; click Install.

Install required components

On the User sign-in page, you will see several options to choose from; we will go with the default, i.e. Password Hash Synchronization. Click Next.

User Sign-in

On the Connect to Azure AD page, provide the username and password of the SyncAccount we created previously. Once provided, it will connect.

Connect to Azure AD

On the Connect your directories page, make sure your forest name is selected and click Add Directory. You have the option to create a new AD account (the recommended way) or use an existing AD account; however, an Enterprise Administrator or Domain Administrator account is not allowed.


Once authenticated, you will see the directory listed under Configured Directories with a tick mark. Click Next.


On the Azure AD sign-in configuration page, make sure userPrincipalName is selected under USER PRINCIPAL NAME. Check the box Continue without matching all UPN suffixes to verified domains and then click Next.

Azure AD sign-in configuration

On the Domain and OU filtering page, select Sync selected domains and OUs and select the OUs and containers you want to sync. Click Next.

Domain and OU filtering

On the Uniquely identifying your users page, click Next.


On the Filter users and devices page, we will go with the default option "Synchronize all users and devices" and click Next.

Filter users and devices

On the Optional features page, click Next.


On the Ready to configure page, leave the Start the synchronization process when configuration completes option selected and click Install.


This will take some time while it configures the synchronization account and carries out the other required tasks. Once completed, exit the configuration wizard.


Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW (msoidcli_64.msi) from the link

Verify Synchronization on Azure Portal

Launch the Azure portal, navigate to Azure Active Directory and click Users.


We can see both cloud-only Azure Active Directory users and on-premises users. On-premises users show Yes under Directory synced. We can also see the On-Premises Directory Synchronization Service Account.
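The same verification from the command line, as an added example that is not part of the original post: it queries the tenant and the user list with the Microsoft Graph PowerShell SDK and surfaces the same Directory synced attribute the portal shows. It assumes the Microsoft.Graph module is installed; the three-hour staleness threshold is an assumed value.

```powershell
# Added example (not from the original post): verify synchronization from the Azure AD side
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

# Tenant-level view: is directory sync enabled, and when did the last sync cycle complete?
$org = Get-MgOrganization
$org | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

# Check: a last-sync time older than the assumed threshold means the scheduler on the
# Azure AD Connect server has stopped running cycles, which is worth an alert.
$threshold = (Get-Date).ToUniversalTime().AddHours(-3)   # assumed threshold, tune to your interval
if (-not $org.OnPremisesSyncEnabled) {
    Write-Warning "Directory synchronization is not enabled for this tenant"
} elseif ($org.OnPremisesLastSyncDateTime -lt $threshold) {
    Write-Warning "Last sync was $($org.OnPremisesLastSyncDateTime); sync appears stalled"
}

# Per-user view: the "Directory synced = Yes" column in the portal is onPremisesSyncEnabled.
$synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
    -Property DisplayName, UserPrincipalName, OnPremisesLastSyncDateTime, OnPremisesDistinguishedName

"$($synced.Count) directory-synced user(s):"
$synced |
    Select-Object DisplayName, UserPrincipalName, OnPremisesLastSyncDateTime, OnPremisesDistinguishedName |
    Format-Table -AutoSize

# The sync service account that the wizard created in Azure AD is a cloud-only user,
# so it should list with OnPremisesSyncEnabled empty rather than True.
Get-MgUser -Filter "startsWith(displayName,'On-Premises Directory Synchronization Service Account')" `
    -Property DisplayName, UserPrincipalName, OnPremisesSyncEnabled |
    Select-Object DisplayName, UserPrincipalName, OnPremisesSyncEnabled
```

The per-user listing includes the on-premises distinguished name, which is a quick way to confirm that only the OUs selected on the Domain and OU filtering page actually made it into the tenant.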


Verify Synchronization Service Manager on DC

On the Domain Controller, open the Start menu and look for Synchronization Service under Azure AD Connect. This launches the Synchronization Service Manager.

Synchronization Service Manager

Click the Connectors tab, which shows both connectors: one for Azure AD and one for on-premises AD. On the right side there are options such as Run, Stop and Configure Run Profiles to customize the sync. There are many other synchronization-related settings you can configure here.


Click the Operations tab; the status of every synchronization run is visible here.
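The checks the Connectors and Operations tabs give you can also be scripted on the server that runs Azure AD Connect. The following is an added example, not code from the original post, using the ADSync PowerShell module that Azure AD Connect installs; it assumes it is run in an elevated session by a member of the local ADSyncAdmins group.

```powershell
# Added example (not from the original post): inspect the scheduler and connectors and run
# a delta sync with the ADSync module installed by Azure AD Connect.
Import-Module ADSync

# Scheduler: is the automatic sync cycle enabled, and when does the next one start?
$scheduler = Get-ADSyncScheduler
$scheduler | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
    NextSyncCycleStartTimeInUTC, SyncCycleInProgress, StagingModeEnabled

if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "The scheduler is disabled; no changes reach Azure AD until it is re-enabled with Set-ADSyncScheduler"
}
if ($scheduler.StagingModeEnabled) {
    Write-Warning "This server is in staging mode and does not export to Azure AD"
}

# Connectors: expect one for on-premises AD and one for Azure AD, as on the Connectors tab.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# Run a delta sync cycle (the same as running the delta profiles from the Service Manager)
# and wait for it to finish before reading the results.
if ($scheduler.SyncCycleInProgress) {
    "A sync cycle is already running; not starting another one"
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
    do {
        Start-Sleep -Seconds 10
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    "Delta sync cycle finished"
}

# Per-connector run state, the same information the Operations tab shows.
Get-ADSyncConnectorRunStatus
```

Checking SyncCycleEnabled and StagingModeEnabled first explains the two most common reasons a freshly installed server shows healthy connectors but never changes anything in the tenant.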


Azure AD Connect provides a seamless synchronization process which connects to Azure Active Directory to sync on-premises users and devices.

We have successfully connected Active Directory Domain Services with Azure Active Directory through Azure AD Connect, and we can see all on-premises users under Users in the Azure portal. The next step would be to configure Hybrid Azure AD join.