How to Sync Active Directory with Office 365 with Azure AD Connect
This guide will show the steps to sync Active Directory with Office 365 / Azure AD using an Azure AD Connect sync server in Azure. The first step is to install the Azure AD Connect sync server from the Azure Marketplace. Click the link below to deploy straight to your Azure tenant.
Install Azure AD Connect
- Users can use a single identity to access on-premises applications and cloud services such as Office 365.
- Single tool to provide an easy deployment experience for synchronization and sign-in.
- Provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools such as Dir Sync, and Azure AD Sync.
- Filtering is used when you want to limit which objects are synchronized to Azure AD. By default all users, contacts, groups, and Windows 10/11 computers are synchronized. You can change the filtering based on domains, OUs, or attributes.
- Password hash synchronization synchronizes the password hash in Active Directory to Azure AD. The end-user can use the same password on-premises and in the cloud but only manage it in one location. Use your own password policy.
- Password writeback will allow your users to change and reset their passwords in the cloud and have your on-premises password policy applied.
- Device writeback will allow a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for conditional access.
- The prevent accidental deletes feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size.
- Automatic upgrade is enabled by default for express settings installations and ensures your Azure AD Connect is always up to date with the latest release.
Getting Started with Azure AD Connect Sync
Once you have deployed the Azure AD Connect sync server, the following link explains how to log in via RDP.
After logging into your Azure VM, the following steps will explain how to sync Active Directory with Office 365.
Azure AD Connect Prerequisites
Before getting started, make sure you have these in place:
- Azure AD Tenant
- Access to Azure Portal
- Access to Office 365 portal
- Add and verify the domain you plan to use in Azure AD. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and you’re not using only the contoso.onmicrosoft.com default domain.
- An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Azure AD, open a support case to have the limit increased even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Azure AD Premium, or Enterprise Mobility + Security.
Azure AD Connect Express Installation
- If you have a single forest AD then this is the recommended option to use.
- Users sign in with the same password using password synchronization.
Note: If you use multiple AD forests or want to customize your sign-in option, such as pass-through authentication, ADFS for federation or a 3rd party identity provider, then refer to the Customized settings installation.
Launch Azure AD Connect Sync
To start the installation, click on the Azure AD Connect shortcut on the desktop.
Connect to Azure AD
On the ‘Connect to Azure AD’ screen enter the username and password of a global administrator for your Azure AD tenant and then click Next.
Connect to AD DS
On the next screen, ‘Connect to AD DS’, enter the username and password for an enterprise admin account and click Next.
Azure AD Sign-in Configuration
If you see this configuration page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains.
Ready to configure and Install
On the Ready to configure page, click Install.
- Optionally on the Ready to configure page, you can unselect the Start the synchronization process as soon as configuration completes checkbox. You should unselect this checkbox if you want to do additional configuration, such as filtering. If you unselect this option, the wizard configures sync but leaves the scheduler disabled. It does not run until you enable it manually by rerunning the installation wizard.
- Leaving the Start the synchronization process as soon as configuration completes checkbox enabled will immediately trigger a full synchronization to Azure AD of all users, groups, and contacts.
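If you unselected the checkbox so that you can add filtering first, the following PowerShell is an added example (not part of the original guide) of what to run on the Azure AD Connect server once that customization is done: it shows the disabled scheduler, confirms the prevent-accidental-deletes threshold described earlier is still in place, runs the first full cycle by hand so the result can be inspected, and then enables the schedule with the ADSync cmdlets as an alternative to rerunning the wizard. It assumes the ADSync module installed by Azure AD Connect is present and that you are logged on as a member of the local ADSyncAdmins group; the threshold cmdlet prompts for Azure AD credentials.

```powershell
# Added example, not the guide's own steps. Run on the Azure AD Connect server.
# Assumption: the ADSync module shipped with Azure AD Connect is installed and
# the current user is a member of the local ADSyncAdmins group.
Import-Module ADSync

# 1. Show the scheduler state. After an install with "Start the synchronization
#    process as soon as configuration completes" unselected, SyncCycleEnabled
#    is False and nothing is exported to Azure AD until it is turned on.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
        CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# 2. Confirm the accidental-delete guard before the first export. The installer
#    default is 500 deletions per run; this cmdlet prompts for Azure AD credentials.
Get-ADSyncExportDeletionThreshold

# 3. With filtering configured, run one Initial (full) cycle manually rather than
#    enabling the schedule first, so the first export can be reviewed in
#    Synchronization Service Manager before recurring delta syncs start.
Start-ADSyncSyncCycle -PolicyType Initial

# 4. Wait until no connector is running (the cmdlet returns nothing when idle),
#    then enable the recurring schedule (30-minute delta cycles by default).
do {
    Start-Sleep -Seconds 30
    $running = Get-ADSyncConnectorRunStatus
} while ($running)

Set-ADSyncScheduler -SyncCycleEnabled $true
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

Keeping the deletion threshold enabled matters most on the very first export: a mis-scoped OU filter that excludes a large part of the directory would otherwise be pushed to Azure AD as a mass delete, and the threshold stops that export until an administrator confirms it.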
- If you have Exchange in your on-premises Active Directory, then you also have an option to enable Exchange Hybrid deployment. Enable this option if you plan to have Exchange mailboxes both in the cloud and on-premises at the same time.
Once the installation is complete, you can click Exit.
Sign off and sign back in again before using Synchronization Service Manager or Synchronization Rules Editor.
Customized Settings (Requires VM to be domain joined)
- Used when you have multiple forests. Supports many on-premises topologies.
- Customize your sign-in option, such as pass-through authentication, ADFS for federation or use a 3rd party identity provider.
- Customize synchronization features, such as filtering and writeback.
Custom installation of Azure Active Directory connect guide:
Azure AD Connect Firewall Ports
If you have a hybrid environment and there is a firewall between your on-premises environment and Azure, the following ports will need to be opened:
Verify Azure AD Connect Synchronization
Once you have everything configured, it's time to assign licences to your users and verify that sync is working and users can log in to Office 365 / Azure AD.
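To verify the result from the Azure AD side rather than from the sync server, the following is an added example (not part of the original guide) using the Microsoft Graph PowerShell module. It lists the accounts that Azure AD reports as synchronized from on-premises, flags any whose last sync is older than an hour, any still without a licence, and any whose UPN was rewritten to the default onmicrosoft.com suffix, which is what happens when the on-premises UPN domain was not verified as described in the prerequisites. It assumes the Microsoft.Graph module is installed and the signed-in account holds the User.Read.All scope; the one-hour staleness window is a chosen value, not a product setting.

```powershell
# Added example, not the guide's own steps. Run from any machine with the
# Microsoft.Graph PowerShell module; assumes the signed-in account is granted
# User.Read.All. The one-hour staleness window below is an assumed value.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"

# 1. Pull only users mastered on-premises, with the sync-related properties.
$props = "UserPrincipalName", "OnPremisesSyncEnabled",
         "OnPremisesLastSyncDateTime", "AssignedLicenses", "AccountEnabled"
$synced = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All -Property $props |
    Select-Object UserPrincipalName, OnPremisesLastSyncDateTime, AccountEnabled,
        @{ n = "LicenceCount"; e = { @($_.AssignedLicenses).Count } }

# 2. Three checks a first sync commonly fails:
#    a) last sync older than the chosen window (scheduler off, or a stalled run)
$cutoff = (Get-Date).ToUniversalTime().AddHours(-1)
$stale = $synced | Where-Object { $_.OnPremisesLastSyncDateTime -lt $cutoff }

#    b) synced but unlicensed, so the user cannot reach Office 365 workloads yet
$unlicensed = $synced | Where-Object { $_.LicenceCount -eq 0 }

#    c) UPN rewritten to the tenant's default suffix because the on-premises
#       UPN domain (e.g. contoso.com) was not verified in Azure AD beforehand
$rewritten = $synced | Where-Object { $_.UserPrincipalName -like "*.onmicrosoft.com" }

"{0} synced users: {1} stale, {2} unlicensed, {3} with a rewritten UPN" -f `
    @($synced).Count, @($stale).Count, @($unlicensed).Count, @($rewritten).Count

$stale      | Format-Table UserPrincipalName, OnPremisesLastSyncDateTime
$unlicensed | Format-Table UserPrincipalName, AccountEnabled
$rewritten  | Format-Table UserPrincipalName
```

A user appearing in the rewritten-UPN list will still be able to sign in, but only with the onmicrosoft.com name, so verify the domain in Azure AD and let the next delta cycle correct the UPN rather than editing it in the cloud, where it would be overwritten by the on-premises value anyway.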
Azure AD Connect Support
If you would like us to implement the AD Connect server into your environment and fully configure and sync your on-premises Active Directory to Azure AD, get in contact with us and we will get you up and running asap.