Migrating your organization to the cloud can be quite confusing to users. It is rare to have a complete on-premises to cloud migration. In most cases, apps and services left on-premises still require Active Directory integration.
Don't add to the users' dilemma by asking them to keep two different credentials: one for on-prem and one for the cloud. How can you help? Install Azure AD Connect and synchronize your identities to the cloud.
This way, the users will only need to maintain one credential to access both on-prem and cloud resources.
Requirements
- An Azure Active Directory tenant with Global administrator access.
- An Active Directory server with Enterprise administrator access. This guide will be using a Windows Server 2019 computer.
- A server where you’ll install Azure AD Connect. You can use the same Active Directory server in this exercise.
- Windows PowerShell 5.1.
- The MSOnline PowerShell module must be installed on the Azure AD Connect server or your management server.
- Ensure that ports 80 and 443 are open between your Azure AD Connect server and Azure AD (refer to the Azure AD Connect and Azure AD article in Microsoft).
Verify the Azure AD Connect Status
First, you must ensure that directory synchronization is not yet enabled in your tenant. There are two ways to do this.
From PowerShell
Assuming that you already have the MSOnline module installed, you can run the following commands to determine the directory synchronization status.
# Connect to Azure AD PowerShell (login with your Global admin account)
Connect-MsolService

# Get Directory Sync status
Get-MsolCompanyInformation | Format-List `
    DirectorySynchronizationEnabled, `
    LastDirSyncTime, `
    PasswordSynchronizationEnabled, `
    LastPasswordSyncTime, `
    DirSyncServiceAccount
The DirectorySynchronizationEnabled and PasswordSynchronizationEnabled values should be False. Additionally, LastDirSyncTime, LastPasswordSyncTime, and DirSyncServiceAccount should be blank.
If any of these three properties aren’t blank, Directory Sync may have been enabled at some point and was later disabled.
From the Azure Active Directory Admin Center
You can also verify the Azure AD Connect status from the Azure AD admin center.
Log in to the Azure AD admin center. Go to the AAD Connect Sync blade, and you should see that the Azure AD Connect sync status is Not installed.
Install Azure AD Connect
Let’s now install and set up Azure AD Connect on the server.
- First, log in to the Azure AD Connect server.
- Get the installer from this Azure AD Sync download link.
- Once downloaded, locate the installer and run it.
- The installation only takes a few seconds. Once installed, the Azure AD Connect application window automatically opens. Select the I agree to the license terms and privacy notice check box and click Continue.
- On the next page, choose whether to set up Azure AD sync using express settings or to customize the components. Since we're only installing on this one server, have no separate SQL Server instance, and are installing for the first time on a single AD forest, let's choose Use express settings.
- Next, enter your Azure AD global administrator username and password and click Next. This step will validate the account to use to connect to your Azure AD tenant.
- Enter the Enterprise administrator account to connect to the Active Directory Domain Services on-premises, and click Next.
- On the last page, leave the Start the synchronization process when the configuration completes box checked, and click Install.
- Wait for the configuration to finish. The configuration and initial synchronization may take several minutes, depending on the size of your Active Directory.
Note. The Azure AD Connect installation process automatically creates a service account credential for the AD to Azure AD synchronization.
Suppose your Azure AD tenant has a conditional access policy that requires ALL users to use MFA. In that case, the installation will fail with an error saying “Unable to create the synchronization service account for Azure Active Directory”.
The solution is to exempt the newly created service account from the conditional access policy and retry the Azure AD Connect installation.
- Finally, click Exit when you see the Configuration complete message.
Post-Install Azure AD Connect Verification
So you’ve completed the installation of Azure AD Connect. How do you know it worked? There are several ways to verify.
Check the Directory Sync Status in PowerShell
Like the pre-installation verification you did, you can run the same command to view the
# Get Directory Sync status
Get-MsolCompanyInformation | Format-List `
    DirectorySynchronizationEnabled, `
    LastDirSyncTime, `
    PasswordSynchronizationEnabled, `
    LastPasswordSyncTime, `
    DirSyncServiceAccount
This time, the DirectorySynchronizationEnabled and PasswordSynchronizationEnabled values should be True. The LastDirSyncTime and LastPasswordSyncTime time stamp must be recent.
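As an added example (not code from the original article), the following PowerShell function turns the pre-install and post-install Get-MsolCompanyInformation checks above into a single test that reports which expected values are not met. The function name Test-DirSyncState, the MaxSyncAgeMinutes threshold and the CompanyInfo parameter are my own assumptions; it expects the MSOnline module to be installed and Connect-MsolService to have been run already.

```powershell
# Added example, not from the original article: evaluates the directory sync state
# returned by Get-MsolCompanyInformation for the pre-install and post-install checks.
function Test-DirSyncState {
    param(
        # 'PreInstall' expects sync disabled with no history; 'PostInstall' expects sync enabled and recent.
        [ValidateSet('PreInstall', 'PostInstall')]
        [string]$Stage,
        # Assumed threshold: the article states delta sync runs every 30 minutes, so 60 leaves headroom.
        [int]$MaxSyncAgeMinutes = 60,
        # Assumed parameter: pass a constructed object to test offline instead of querying Azure AD.
        [object]$CompanyInfo = (Get-MsolCompanyInformation)
    )

    $findings = @()
    $now = Get-Date

    if ($Stage -eq 'PreInstall') {
        if ($CompanyInfo.DirectorySynchronizationEnabled) { $findings += 'DirectorySynchronizationEnabled is True; sync is already enabled in this tenant.' }
        if ($CompanyInfo.PasswordSynchronizationEnabled)  { $findings += 'PasswordSynchronizationEnabled is True; password hash sync is already enabled.' }
        # Non-blank history while sync is disabled means sync was enabled earlier and later turned off.
        if ($CompanyInfo.LastDirSyncTime -or $CompanyInfo.LastPasswordSyncTime -or $CompanyInfo.DirSyncServiceAccount) {
            $findings += 'Sync history is not blank; directory sync was enabled at some point and later disabled.'
        }
    }
    else {
        if (-not $CompanyInfo.DirectorySynchronizationEnabled) { $findings += 'DirectorySynchronizationEnabled is still False.' }
        if (-not $CompanyInfo.PasswordSynchronizationEnabled)  { $findings += 'PasswordSynchronizationEnabled is still False.' }
        if (-not $CompanyInfo.DirSyncServiceAccount)           { $findings += 'DirSyncServiceAccount is blank; the sync service account was not created.' }
        foreach ($prop in 'LastDirSyncTime', 'LastPasswordSyncTime') {
            $ts = $CompanyInfo.$prop
            if (-not $ts) { $findings += "$prop is blank; no sync has completed yet." }
            elseif (($now - [datetime]$ts).TotalMinutes -gt $MaxSyncAgeMinutes) {
                $findings += "$prop is $ts, older than $MaxSyncAgeMinutes minutes; check the sync scheduler."
            }
        }
    }

    [pscustomobject]@{
        Stage    = $Stage
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage against the live tenant after Connect-MsolService:
#   Test-DirSyncState -Stage PreInstall
#   Test-DirSyncState -Stage PostInstall
```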
Check the Azure AD Connect Status in the Azure AD Portal
Go to the AAD Connect blade in the Azure AD portal. As you can see below, Sync Status and Password Hash Sync are both enabled, and the Last Sync value shows Less than 1 hour ago.
Note. Azure AD Connect runs the delta synchronization every 30 minutes.
Check the User Account Source in the Azure AD Portal
Go to the All Users blade in the Azure AD Portal. You’ll see the On-premises sync-enabled status for each user.
Check the Azure AD Connect Status in the Microsoft 365 Admin Center
Log in to the Microsoft 365 Admin Center, and you can see the Azure AD Connect card on the home page.
Check the User Account Source in Microsoft 365 Admin Center
Go to the Active User page in the Microsoft 365 Admin Center. You’ll see the Sync Status column showing the user account source.
Conclusion
When you install Azure AD Connect, you are doing an excellent job of alleviating a pain point of users, which is having separate credentials for on-prem and Azure AD.
If you set up Azure AD Connect for your organization, there are many customizations you can configure post-installation. You can change the sync schedule, update which OUs are included in or excluded from the directory synchronization, and even enable group synchronization.
Excellent article! Very well described and shown. Please keep adding articles the way you have done so far, they are very well explained, easy to understand and very useful/helpful in the real environments for the people looking for such stuff over the internet.