Sync AWS Directory Service with Office 365 using Azure AD Connect. This guide will show the steps to setup Azure AD Connect in AWS on Windows Server to sync your onprem Active Directory or AWS Directory Service also known as AWS Microsoft AD to sync with Office 365 / Azure AD.
AWS Microsoft AD makes it possible and easy for you to build a Windows environment in AWS Cloud, synchronize your AWS Microsoft AD users into Microsoft Azure AD, and use Office 365, all without needing to create and manage AD domain controllers. Now you can also benefit from the broad set of AWS Cloud services for compute, storage, database, and Internet of Things (IoT) while continuing to use Office 365 business productivity apps—all with a single AD domain.
Sync AWS Directory Service with Office 365
AD Connect on AWS
Use Azure AD connect with Active Directory Federation Services (ADFS) to provide single sign on for Office 365 users (password hash sync, pass-through authentication, federation with AD FS, or federation with PingFederate).
You will be able to filter AD Connect on what to sync, filtering based on domains, OUs, or attributes. Password hash synchronization synchronizes the password hash in Active Directory to Azure AD. The end-user can use the same password on-premises and in the cloud but only manage it in one location. Since it uses your on-premises Active Directory or AWS AD as the authority, you can also use your own password policy.
Table of Contents
Once you have the AD Connect AWS VM installed, the following links will explain how to sync your on prem Active Directory or AWS Managed Active Directory to Azure AD.
AWS AD Connect Express Settings
- If you have a single forest Active Directory then this is the recommended option to use.
- User sign in with the same password using password synchronization.
Note: If you use multiple AD forests or want to customize your sign-in option such as pass-through authentication, ADFS for federation or use a 3rd party identity provider, then refer to the Customized settings installation.
From the desktop click on Azure AD Connect short cut
Connect to Azure AD
Synchronize users from AWS Microsoft AD to Azure AD with Azure AD Connect
The following steps show how to customize Azure AD Connect to synchronize the AWS Microsoft AD identities to Azure AD for use with Office 365.
Open an RDP session to your ADSync instance by using your AWS Microsoft AD admin user account:
- Launch Azure AD Connect from the desktop icon.
- On the Welcome page of the Azure AD Connect Wizard, accept the license terms and privacy notice, and then choose Continue.
- On the Express Settings page, choose Customize.
- On the Install required components page, choose Install.
- On the User sign-in page, choose Do not configure and then choose Next.
- On the Connect to Azure AD page, enter your Office 365 global administrator account credentials and then choose Next.
- On the Connect your directories page, choose Active Directory as the Directory Type, and then choose your Microsoft AD Forest as your Forest. Choose Add Directory.
- At the prompt, enter your AWS Microsoft AD admin account credentials, and then choose OK.
- Now that you have added the AWS Microsoft AD directory, choose Next.
- On the Azure AD sign-in configuration page, choose Next.
Note: AWS recommends the userPrincipalName (UPN) attribute for use by AWS Microsoft AD users when they sign in to Azure AD and Office 365.
The UPN attribute format combines the user’s login name and the UPN-suffix of an AWS Microsoft AD user. The UPN suffix is the domain name of your AWS Microsoft AD domain and the same domain name you added and verified with Azure AD.
In the following example from the Active Directory Users and Computers tool, the user’s UPN is firstname.lastname@example.org, which is a combination of the user’s login name, awsuser, with the UPN-suffix, @awsexample.com.
Domain / OU Filtering
11. On the Domain and OU filtering page, choose Sync selected domains and OUs, choose the Users OU under your NetBIOS OU, and then choose Next.
12. On the Uniquely identifying your users page, choose Next.
13. On the Filter users and devices page, choose Next.
14. On the Optional features page, choose Next.
15. On the Ready to configure page, choose Start the synchronization process when configuration completes, and then choose Install.
16. The Azure AD Connect installation has now completed. Choose Exit.
Note: By default, the Azure AD Connect sync scheduler runs every 30 minutes to synchronize your AWS Microsoft AD identities to Azure AD. You can tune the scheduler by opening a Windows PowerShell session as an administrator and running the appropriate Windows PowerShell commands.
For more information, go to Azure AD Connect Sync Scheduler.
Tip: Do you need to synchronize a change immediately? You can manually start a sync cycle outside the scheduled sync cycle from the Azure AD Connect sync instance. Open a Windows PowerShell session as an administrator and run the following Windows PowerShell commands:
Import-Module ADSync Start-ADSyncSyncCycle -PolicyType Delta
Customized Settings (Requires VM to be domain joined)
- Used when you have multiple forests. Supports many on-premises topologies.
- Customize your sign-in option, such as pass-through authentication, ADFS for federation or use a 3rd party identity provider.
- Customize synchronization features, such as filtering and writeback.
AD Connect Firewall Ports
If you have a hybrid environment and there is a firewall between your on prem environment and AWS. The following ports will need to be opened:
AWS AD Connect Verify Sync
Once you have everything configured, now its time to assign licences to your users and verify that sync is working and users can login to Office365 / Azure AD
Post Installation Checks
AWS Support / Documentation
If you would like us to implement the AD connect server into your environment and fully configure and sync your on prem Active Directory to Azure AD, get in contact with us and we will get you up and running asap.