Archives December 2021

Configuring and Managing Directory Synchronization by Using Azure AD Connect– Implementing and Managing Identity Synchronization with Azure AD

Azure AD Connect has a long history, originally starting as DirSync to support the deployment of Microsoft Business Productivity Online Suite (BPOS) in 2007.

If you are familiar with Microsoft Identity Manager(MIM), you’ll notice a lot of similarities shared with the current Azure AD Connect platform. Azure AD Connect (rebranded as Microsoft Entra Connect) allows you to connect to multiple directory sources and provision those objects to Azure Active Directory.

Planning and Sizing

Depending on your organization’s requirements for onboarding to Microsoft 365, as well as additional features or services that are included with your subscription, you may want (or need) to enable or configure additional Azure AD Connect features.

Table 4.2 illustrates the features that can be enabled through an Azure AD Connect setup:

FeatureDescription
  
Device writebackSynchronizes Azure AD-joined devices back to on-premises
 Active Directory
  
Directory extensionsEnables the synchronization of additional on-premises attributes
  
FederationEnables authentication federation with Microsoft  AD Federation
 Services (FS) or PingFederate
  
Hybrid Azure AD joinEnables on-premises domain-joined devices to be synchronized
 and automatically joined to Azure AD
  
Password hash synchronizationEnables the hash of an on-premises password to be synchronized
 to Azure AD; can be used for authentication, a backup option for
 authentication, or leaked credential detection
  
Pass-through authenticationAuthentication method where passwords are validated on-premises
 through the Azure AD Connect service’s connection to Azure
 Service Bus
  
Unified group writebackEnables cloud-based Microsoft 365 groups to be written back to
 on-premises Active Directory
  

Table 4.2 – Azure AD Connect features

There are several additional features available post-installation for Azure AD Connect, such as managing duplicate attribute resiliency and user principal name soft-matching, both of which are used to manage how Azure AD handles conflicts and connecting cloud accounts to on-premises accounts.

Further Reading

More detailed information about Azure AD Connect’s optional features, such as duplicate attribute resiliency, is available here: https://learn.microsoft.com/en-us/azure/ active-directory/hybrid/how-to-connect-syncservice-features.

Installing the Synchronization Service

The first step to deploying Azure AD Connect is gathering the requirements of your environment. These requirements can impact the prerequisites for deployment (such as additional memory or a standalone SQL Server environment). As part of the planning process, you’ll also want to identify which sign-in method will be employed (password hash synchronization, pass-through authentication, or federation).

Exam Tip

To perform the express installation, you’ll need Enterprise Administrator credentials to the on-premises Active Directory forest so that the installer can create a service account and delegate the correct permissions. You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD, which Azure AD Connect will use to create a cloud sync service account.

With that information in hand, it’s time to start deploying Azure AD Connect:

1. On the server where Azure AD Connect will be deployed, download the latest version of the Azure AD Connect setup files (https://aka.ms/aad-connect) and launch the installer.

    2. Agree to the installation terms and select Continue. See Figure 4.4:

    Figure 4.4 – Azure AD Connect welcome page

    3. Review the Express Settings page, as shown in Figure 4.5. You can choose Customize if you want to configure Azure AD Connect to use pass-through or federated authentication methods, group-based filtering, or a custom SQL Server installation. While the sign-in methods and other features can be changed after installation, it is not possible to enable group-based filtering or change the SQL Server location after setup.

    Figure 4.5 – Azure AD Connect Express Settings page

    Installation Notes

    If you have other domains in your Active Directory forest, they must all be reachable from the Azure AD Connect server or installation will fail. You can perform a custom installation to specify which domains to include in synchronization.

    4. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role in Azure AD. Click Next.

    5. On the Connect to AD DS page, enter Enterprise Administrator credentials and click Next.

    6. Verify the configuration settings. By default, the Exchange hybrid scenario is not enabled. If you have an on-premises Exchange environment that you will be migrating to Microsoft 365, select the Exchange hybrid deployment option to include the Exchange-specific attributes. If you want to perform additional configuration tasks prior to synchronizing users, clear the Start the synchronization process when configuration completes. checkbox.

    Figure 4.6 – Azure AD Connect Ready to configure page

    7. Click Install.

    8. Review the Configuration complete page, as shown in Figure 4.7, and click Exit:

    Figure 4.7 – Azure AD Connect Configuration complete page

    If you selected the Start the synchronization process when configuration completes checkbox, you can review the Azure AD portal to verify that users have been synchronized.