In this blog, I am going to show you how to connect Active Directory Domain Services (AD DS) with Azure Active Directory through Azure AD Connect. Once this is configured, on-premises Active Directory users can be synced with Azure AD, and those synced users can then be used for configuring Hybrid Azure AD.
What is Azure AD Connect?
Azure AD Connect is an application used to synchronize identity data between on-premises infrastructure and Azure AD. It is a sync engine that, once installed and configured, syncs users, groups, devices, etc. to Azure Active Directory. You may also use an OU-level scoping filter to synchronize specific OUs only. This approach is required for organizations going with a hybrid model, since it allows on-premises identities to synchronize with Azure AD; hence the term hybrid identity. It provides three authentication methods:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation (AD FS)
Create Sync Account
Before starting, we need a Sync Account created in the Azure portal with the Global Administrator role assigned. This account will be responsible for syncing the on-premises AD with Azure AD. For this purpose, we are going to use the account name SyncAccount.
Log in to https://portal.azure.com and create the SyncAccount.
Assign either the Global Administrator or the Hybrid Identity Administrator role to SyncAccount.
Configure AD synchronization with Azure AD Connect
Download Microsoft Azure Active Directory Connect (AzureADConnect.msi) from the following link https://www.microsoft.com/en-us/download/details.aspx?id=47594.
Once downloaded, start the installer. This will bring up the welcome page.
On the Welcome to Azure AD Connect page, select “I agree to the license terms” and click Continue.
On Express Settings page, click Customize.
On the Install required components page, we are not going to select any option at the moment; click Install.
On the User sign-in page, you will see several options to select; we will go with the default option, i.e. Password Hash Synchronization. Click Next.
On the Connect to Azure AD page, provide the username and password we created previously. Once provided, it will connect to Azure AD.
On the Connect your directories page, make sure your forest name is selected and click Add Directory. You have the option to create a new AD account (the recommended way) or to use an existing AD account; however, it does not allow an Enterprise or Domain Administrator account.
Once authenticated, you will see the directory marked with a tick under Configured Directories. Click Next.
On Azure AD sign-in configuration page, make sure to select userPrincipalName under USER PRINCIPAL NAME. Check the box Continue without matching all UPN suffixes to verified domains and then select Next.
On Domain and OU filtering page, select Sync selected domains and OUs and select the OU and containers you want to use for Sync. Click Next.
On Uniquely identifying your users page, click Next.
On the Filter users and devices page, we will go with the default option “Synchronize all users and devices” and click Next.
On Optional features page, click Next.
On the Ready to configure page, we will go with the Start the synchronization process when configuration completes option and click Install.
This will take some time to configure the synchronization account and other tasks as required. Once completed, exit the configuration wizard.
Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW (msoidcli_64.msi) from the link https://www.microsoft.com/en-us/download/confirmation.aspx?id=41950.
Verify Synchronization on Azure Portal
Launch the Azure portal, navigate to Azure Active Directory and click Users.
We can see Azure Active Directory users as well as on-premises users. On-premises users show Yes under Directory synced. We can also see the On-Premises Directory Synchronization Service Account.
Verify Synchronization Service Manager on DC
On the Domain Controller, open the Start menu and look for Synchronization Service under Azure AD Connect. This launches the Synchronization Service Manager.
Click the Connectors tab, which shows both connectors, one for Azure AD and one for on-premises AD. On the right side there are options such as Run, Stop and Configure Run Profiles to customize the sync. There are many other synchronization-related settings you can configure here.
Click the Operations tab; the status of all synchronization runs is visible here.
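As an added example covering both verification sections above (not part of the original post), the following PowerShell checks the same state from the Azure AD Connect server and from the tenant. It assumes the ADSync module that Azure AD Connect installs, the ActiveDirectory RSAT module available on the Domain Controller, and the MSOnline module for the tenant queries.

```powershell
# Added example (not from the original post): verify Azure AD Connect state from
# the server that runs it, covering what the Synchronization Service Manager and
# the Azure portal "Directory synced" column show.
# Assumes: ADSync module (installed with Azure AD Connect), ActiveDirectory module
# (RSAT on the DC) and MSOnline module for the tenant-side checks.
Import-Module ADSync

# Scheduler: the sync cycle must be enabled and the server must not be left in staging mode
$scheduler = Get-ADSyncScheduler
$scheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC | Format-List

# Connectors: one for on-premises AD DS, one for Azure AD (as on the Connectors tab)
$connectors = Get-ADSyncConnector
$connectors | Select-Object Name, Identifier | Format-Table -AutoSize

# Most recent run result per connector (as on the Operations tab)
foreach ($c in $connectors) {
    Get-ADSyncRunProfileResult -ConnectorId $c.Identifier -NumberRequested 1 |
        Select-Object @{ n = 'Connector'; e = { $c.Name } }, Result, StartDate, EndDate
}

# Anything still running right now?
Get-ADSyncConnectorRunStatus

# The AD DS connector account the wizard created should not be a Domain Admin
$accounts = Get-ADSyncADConnectorAccount
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($a in $accounts) {
    $isAdmin = $domainAdmins -contains $a.ADConnectorAccountName
    '{0}\{1} in Domain Admins: {2}' -f $a.ADConnectorAccountDomain, $a.ADConnectorAccountName, $isAdmin
}

# Trigger a delta sync if no cycle is currently in progress
if (-not $scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Tenant side: which users came from on-premises (Directory synced = Yes in the portal)
Connect-MsolService   # prompts for the SyncAccount credentials
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
Get-MsolUser -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server where Azure AD Connect is installed; the Domain Admins check is the scripted counterpart of the wizard's refusal to accept an Enterprise or Domain Administrator account.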
Azure AD Connect provides a seamless synchronization process that connects to Azure Active Directory to sync on-premises devices and users.
We have successfully connected Active Directory with Azure Active Directory through Azure AD Connect, and we can see all on-premises users under Users in the Azure portal. The next step would be to configure Hybrid Azure AD join.