Sync AWS Directory Service with Office 365 using Azure AD Connect

This guide shows the steps to set up Azure AD Connect on a Windows Server instance in AWS so that your on-premises Active Directory, or AWS Directory Service (also known as AWS Microsoft AD), syncs with Office 365 / Azure AD.

AWS Microsoft AD makes it possible and easy for you to build a Windows environment in AWS Cloud, synchronize your AWS Microsoft AD users into Microsoft Azure AD, and use Office 365, all without needing to create and manage AD domain controllers. Now you can also benefit from the broad set of AWS Cloud services for compute, storage, database, and Internet of Things (IoT) while continuing to use Office 365 business productivity apps—all with a single AD domain.

Sync AWS Directory Service with Office 365

Azure AD Connect on Windows Server 2016

Azure AD Connect on Windows Server 2019

AD Connect on AWS

Azure AD Connect can be used with Active Directory Federation Services (AD FS) to provide single sign-on for Office 365 users; the supported sign-in methods are password hash sync, pass-through authentication, federation with AD FS, or federation with PingFederate.


You can filter what AD Connect syncs, based on domains, OUs, or attributes.  Password hash synchronization copies the password hash from Active Directory to Azure AD: the end user uses the same password on-premises and in the cloud but manages it in one location. Since your on-premises Active Directory or AWS AD remains the authority, your own password policy still applies.

Table of Contents

Once you have the AD Connect AWS VM installed, the following links explain how to sync your on-premises Active Directory or AWS Managed Active Directory to Azure AD.

AWS AD Connect Express Settings

  • If you have a single forest Active Directory then this is the recommended option to use.
  • Users sign in with the same password, using password synchronization.

Note: If you use multiple AD forests or want to customize your sign-in option, such as pass-through authentication, AD FS for federation or a third-party identity provider, then refer to the Customized settings installation.

From the desktop, click the Azure AD Connect shortcut.

Connect to Azure AD

Connect to your Azure AD using your Global administrator account and follow the steps in the following Microsoft guide.

https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-install-express

Synchronize users from AWS Microsoft AD to Azure AD with Azure AD Connect

The following steps show how to customize Azure AD Connect to synchronize the AWS Microsoft AD identities to Azure AD for use with Office 365.

Open an RDP session to your ADSync instance by using your AWS Microsoft AD admin user account:

  1. Launch Azure AD Connect from the desktop icon.
  2. On the Welcome page of the Azure AD Connect Wizard, accept the license terms and privacy notice, and then choose Continue.
  3. On the Express Settings page, choose Customize.
  4. On the Install required components page, choose Install.
  5. On the User sign-in page, choose Do not configure and then choose Next.
  6. On the Connect to Azure AD page, enter your Office 365 global administrator account credentials and then choose Next.
  7. On the Connect your directories page, choose Active Directory as the Directory Type, and then choose your Microsoft AD Forest as your Forest. Choose Add Directory.
  8. At the prompt, enter your AWS Microsoft AD admin account credentials, and then choose OK.
  9. Now that you have added the AWS Microsoft AD directory, choose Next.
  10. On the Azure AD sign-in configuration page, choose Next.

Note: AWS recommends the userPrincipalName (UPN) attribute for use by AWS Microsoft AD users when they sign in to Azure AD and Office 365.

The UPN attribute format combines the user’s login name and the UPN-suffix of an AWS Microsoft AD user. The UPN suffix is the domain name of your AWS Microsoft AD domain and the same domain name you added and verified with Azure AD.

In the following example from the Active Directory Users and Computers tool, the user’s UPN is awsuser@awsexample.com, which is a combination of the user’s login name, awsuser, with the UPN-suffix, @awsexample.com.
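Because a user whose UPN suffix is not a domain verified in Azure AD is created in the cloud under the tenant's default onmicrosoft.com suffix (and so cannot sign in with the UPN they expect), it is worth auditing the suffixes before the first sync cycle. The following PowerShell is an added example, not code from the original post or from AWS; it assumes the ActiveDirectory RSAT module is installed on the ADSync instance, that awsexample.com (the article's sample domain) is the domain verified in Azure AD, and that the Users OU follows the AWS Microsoft AD layout of a Users OU under the NetBIOS-named OU. The OU path, the verified-domain list and the commented Set-ADUser fix are assumptions to adjust for your directory.

```powershell
# Added example: audit UPN suffixes in AWS Microsoft AD before syncing to Azure AD.
# Assumptions: ActiveDirectory module present; awsexample.com is the verified domain;
# the Users OU sits under the NetBIOS OU as AWS Microsoft AD lays it out.
Import-Module ActiveDirectory

$VerifiedDomains = @('awsexample.com')                               # assumption: domains verified in Azure AD
$SearchBase      = 'OU=Users,OU=awsexample,DC=awsexample,DC=com'     # assumption: Users OU under the NetBIOS OU

# UPN suffixes the forest can actually issue: the root domain plus any added suffixes
$Forest         = Get-ADForest
$ForestSuffixes = @($Forest.RootDomain) + @($Forest.UPNSuffixes)
Write-Host "UPN suffixes available in the forest: $($ForestSuffixes -join ', ')"

# Only enabled users in the OU that the Domain/OU filter will sync
$Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName

$Report = foreach ($u in $Users) {
    if (-not $u.UserPrincipalName) {
        $Suffix = ''
        $Status = 'NoUPN'                 # would sync with no usable sign-in name
    } else {
        $Suffix = ($u.UserPrincipalName -split '@')[-1]
        $Status = if ($VerifiedDomains -contains $Suffix) { 'OK' } else { 'UnverifiedSuffix' }
    }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        Suffix            = $Suffix
        Status            = $Status
    }
}

# Show only the accounts that need attention before the sync cycle runs
$Report | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Optional fix for a single account: give it a UPN in the verified domain.
# Uncomment to apply; this changes the name the user signs in with.
# Set-ADUser -Identity 'awsuser' -UserPrincipalName 'awsuser@awsexample.com'
```

Run it from an elevated PowerShell session on the ADSync instance with an account that can read the OU. Accounts reported as UnverifiedSuffix or NoUPN are the ones to correct (or exclude with the OU and attribute filters) before the first synchronization, rather than after they exist in Azure AD under the wrong name.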

Domain / OU Filtering

11. On the Domain and OU filtering page, choose Sync selected domains and OUs, choose the Users OU under your NetBIOS OU, and then choose Next.

Domain and OU filtering

12. On the Uniquely identifying your users page, choose Next.

13. On the Filter users and devices page, choose Next.

14. On the Optional features page, choose Next.

15. On the Ready to configure page, choose Start the synchronization process when configuration completes, and then choose Install.

16. The Azure AD Connect installation has now completed. Choose Exit.

Note: By default, the Azure AD Connect sync scheduler runs every 30 minutes to synchronize your AWS Microsoft AD identities to Azure AD. You can tune the scheduler by opening a Windows PowerShell session as an administrator and running the appropriate Windows PowerShell commands.

For more information, go to Azure AD Connect Sync Scheduler.

Tip: Do you need to synchronize a change immediately? You can manually start a sync cycle outside the scheduled sync cycle from the Azure AD Connect sync instance. Open a Windows PowerShell session as an administrator and run the following Windows PowerShell commands:

    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
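What tuning the scheduler looks like in practice, as an added example that is not from the original post or from Microsoft's documentation: it uses the ADSync module's Get-ADSyncScheduler and Set-ADSyncScheduler cmdlets to inspect the cadence, change it, and pause scheduled cycles while bulk changes are in flight. The one-hour interval is an assumed value for illustration.

```powershell
# Added example: inspect and tune the Azure AD Connect sync scheduler.
# Run from an elevated PowerShell session on the ADSync instance.
Import-Module ADSync

# Current state: allowed and effective interval, whether a cycle is running, next start (UTC)
Get-ADSyncScheduler

# Lengthen the cadence to one hour (assumed value). The allowed minimum is 30 minutes
# (AllowedSyncCycleInterval); shorter values are not honoured.
Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00

# Pause scheduled cycles while bulk-editing OUs or UPNs so half-finished changes
# are not exported to Azure AD, then resume and run one delta cycle immediately.
Set-ADSyncScheduler -SyncCycleEnabled $false
# ... make the directory changes here ...
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Delta

# Confirm the settings took effect
Get-ADSyncScheduler | Select-Object AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
    CustomizedSyncCycleInterval, SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```

Disabling the scheduler is also the right first move when something is wrong on the AD side: with SyncCycleEnabled set to false nothing new reaches Azure AD until you re-enable it, which gives time to fix the source data rather than racing the next 30-minute cycle.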

Customized Settings (Requires VM to be domain joined)

  • Used when you have multiple forests. Supports many on-premises topologies.
  • Customize your sign-in option, such as pass-through authentication, AD FS for federation or a third-party identity provider.
  • Customize synchronization features, such as filtering and writeback.

https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-install-custom#user-sign-in

AD Connect Firewall Ports

If you have a hybrid environment with a firewall between your on-premises environment and AWS, the ports listed in the following reference will need to be opened:

https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/reference-connect-ports
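A quick way to confirm the firewall actually passes the traffic before running the wizard, as an added example that is not from the original post or the Microsoft reference: Test-NetConnection from the ADSync instance to the domain controllers and to the Azure AD sign-in endpoints. The DC addresses are placeholders for your AWS Microsoft AD DNS addresses, and the port list is the common AD DS subset plus HTTPS to Azure AD, not the full reference; the endpoint names are the sign-in and sync endpoints Azure AD Connect uses.

```powershell
# Added example: verify reachability of AD DS and Azure AD endpoints from the ADSync instance.
# Placeholders: replace the DC IPs with your AWS Microsoft AD DNS addresses.
$DomainControllers = @('10.0.0.10', '10.0.1.10')         # placeholder AWS Microsoft AD DC IPs
$AdPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
$CloudEndpoints = @('login.microsoftonline.com', 'adminwebservice.microsoftonline.com')

# Test-NetConnection -Port is a TCP connect test, so UDP-only paths (e.g. DNS over UDP)
# are not covered here; the TCP ports still show whether the firewall rule exists.
$Results = @(foreach ($dc in $DomainControllers) {
    foreach ($port in ($AdPorts.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $dc; Port = $port; Service = $AdPorts[$port]; Open = $t.TcpTestSucceeded }
    }
})
$Results += @(foreach ($ep in $CloudEndpoints) {
    $t = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $ep; Port = 443; Service = 'HTTPS to Azure AD'; Open = $t.TcpTestSucceeded }
})

$Results | Format-Table -AutoSize

# Anything closed here will surface later as a wizard or sync-cycle failure
$Blocked = @($Results | Where-Object { -not $_.Open })
if ($Blocked.Count -gt 0) {
    Write-Warning "$($Blocked.Count) path(s) blocked; fix the firewall rules before running the wizard."
}
```

Keep the open list minimal: the AD Connect server only needs these paths to the domain controllers and outbound HTTPS, so a rule that opens "any" between the two networks is wider than the sync requires.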

AWS AD Connect Verify Sync

Once you have everything configured, it is time to assign licences to your users and verify that sync is working and that users can log in to Office 365 / Azure AD.

Post Installation Checks

https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-post-installation
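To make the verification step above concrete, here is an added example (not from the original post or Microsoft's post-installation guide) that checks the scheduler on the ADSync instance, confirms a synced user arrived in Azure AD as a directory-synced object, and assigns a licence. It assumes the MSOnline module is installed (Install-Module MSOnline) and the session is signed in as a Global administrator, that awsuser@awsexample.com is the article's sample user, and that the SKU filter and usage location are placeholders for your tenant.

```powershell
# Added example: end-to-end sync verification plus licence assignment.
# Assumptions: ADSync module on this server; MSOnline module installed; Global admin sign-in;
# sample user, SKU filter and usage location are placeholders.
Import-Module ADSync

# 1. Scheduler state on the AD Connect server. Staging mode means nothing is exported.
$Sched = Get-ADSyncScheduler
$Sched | Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
if ($Sched.StagingModeEnabled) { Write-Warning 'Server is in staging mode: no changes are exported to Azure AD.' }

# 2. Cloud side: a synced object carries LastDirSyncTime and an ImmutableId; a cloud-only account does not.
Connect-MsolService                     # prompts for the Global administrator credentials
$Upn = 'awsuser@awsexample.com'         # article's sample user
$CloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $CloudUser) {
    throw "$Upn not found in Azure AD: check the OU filter, the UPN suffix, and that a cycle has completed."
}
$CloudUser | Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId, IsLicensed, BlockCredential

# Tenant-wide: when the last sync completed and how many users are synced rather than cloud-only
(Get-MsolCompanyInformation).LastDirSyncTime
(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }).Count

# 3. Licence assignment: a usage location must be set before a licence can be added.
$Sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId   # placeholder SKU filter
if (-not $Sku) { throw 'No matching SKU in this tenant; list the available ones with Get-MsolAccountSku.' }
if (-not $CloudUser.IsLicensed) {
    Set-MsolUser -UserPrincipalName $Upn -UsageLocation 'US'      # placeholder usage location
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $Sku
}

# 4. Re-check the account after the change
Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, IsLicensed, Licenses
```

A user that is present but has an empty LastDirSyncTime was created directly in the cloud and is not under the control of AD Connect, which is the usual cause of "the password I changed on-premises does not work in Office 365" reports after a migration.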

AWS Support / Documentation

If you would like us to implement the AD Connect server into your environment and fully configure and sync your on-premises Active Directory to Azure AD, get in contact with us and we will get you up and running as soon as possible.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
