Azure Active Directory is the service that manages all your Office 365 authentication and authorization functionalities. When you create a user or a group in Office 365, it is also created in the background on Azure AD. You opt for a cloud-only deployment when you use only Office 365 and Azure AD to create and manage your organization’s users, groups and contacts. In fact, no on-premises servers are required and it’s all handled in the cloud by Azure AD.
However, in medium and large environments, where you already have an installed and functional on-premises Active Directory infrastructure, you will want to integrate your domain directory service with Azure Active Directory. Unlike a cloud-only deployment, where all identities are stored and managed in Azure Active Directory, integration allows the user, group and contact objects created on-premises to synchronize up to Office 365. This also spares the users in your organization from having two usernames and passwords, one for the on-premises AD and the other for Office 365, and lets them access different resources with a single set of credentials.
Azure Active Directory Connect is a tool from Microsoft for integrating your Active Directory infrastructure and syncing your on-premises identity objects to Office 365. It makes the integration a painless task and supports many optional features, such as Password Writeback, which allows users to change their passwords in the cloud and have the changed password written back to the on-premises Active Directory instance, or Directory extension attribute sync, which allows you to extend the Azure AD schema based on extensions made to your organization’s on-premises Active Directory instance. For a full description of Azure AD, check this link.
Installing Azure AD Connect
Azure AD Connect Prerequisites
Before proceeding with a basic installation, the following prerequisites must be met.
The Active Directory infrastructure
- The AD schema version and forest functional level must be Windows Server 2003 or later.
- Must have a writable domain controller. Using a RODC (read-only domain controller) is not supported.
The Azure AD Connect server
- Must be a fully patched Windows Server 2008 or later and have a full GUI installed.
- Must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
- Must not have PowerShell Transcription Group Policy enabled.
SQL Server used by Azure AD Connect
- Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB is installed, which can manage approximately 100,000 objects. For a higher volume of directory objects, you need to point the installation wizard to a separate installation of SQL Server.
For more customized installations that add features such as Multi-Factor Authentication (MFA) or a group managed service account, see the full list of prerequisites here.
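The server-side prerequisites above can be checked before launching the wizard. The following script is an added example, not part of the original article or of the Azure AD Connect product; it assumes an elevated prompt on the intended Azure AD Connect server, that the RSAT ActiveDirectory module is present for the forest checks, and that the ServerLevels registry key (present on Windows Server 2012 and later full installations) can be used to detect the desktop shell.

```powershell
# Added example: verify Azure AD Connect prerequisites on the candidate server.
$results = [ordered]@{}

# The server must be domain-joined
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain-joined'] = $cs.PartOfDomain

# Full GUI required (Server Core is not supported). Assumption: the ServerLevels
# key lists Server-Gui-Shell only on installations that have the desktop shell.
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
$results['Full GUI installed'] = ($null -ne $levels.'Server-Gui-Shell')

# Windows PowerShell 3.0 or later
$results['PowerShell >= 3.0'] = ($PSVersionTable.PSVersion.Major -ge 3)

# .NET Framework 4.5.1 or later; Release 378675 is the lowest build number for 4.5.1
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET >= 4.5.1'] = ($ndp.Release -ge 378675)

# PowerShell Transcription Group Policy must NOT be enabled
$tx = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
$results['Transcription GPO disabled'] = ($null -eq $tx -or $tx.EnableTranscripting -ne 1)

# Forest functional level Windows Server 2003 or later, and at least one writable DC
Import-Module ActiveDirectory
$forest = Get-ADForest
$tooOld = @('Windows2000Forest', 'Windows2003InterimForest')
$results['Forest level >= 2003'] = ($tooOld -notcontains "$($forest.ForestMode)")
$writableDc = Get-ADDomainController -Filter { IsReadOnly -eq $false }
$results['Writable DC available'] = ($null -ne $writableDc)

# Print a simple OK/FAIL report
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```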
Azure AD Connect Installation
Note that Azure AD Connect must be installed on a domain-joined server.
If all prerequisites are met, download Azure AD Connect, run the Windows Installer package (.msi) and start the installation.
Agree to the license terms by checking the box. Click Continue.
The Azure AD Connect wizard will then ask you to choose one of two deployment options: Express or Custom.
The Express option is typically used when you have a single on-premises AD forest, fewer than 100,000 users in your environment, a verified domain, and you are using an enterprise administrator account for the installation. If one of these conditions is not met, you should select the Custom installation. Note, though, that the Custom path offers many more options than Express.
I will choose the Express installation in this example.
Provide your Azure AD admin account credentials.
Once you are authenticated, provide your Azure AD admin account credentials.
In case you haven’t added or verified your domain in Azure AD, you will see the Azure AD sign-in configuration section in the wizard. Check out this link for the instructions on how to do it.
We are not doing an Exchange hybrid deployment, so we can click Install. At this stage, you may start the synchronization process as soon as the installation is done. If you do not want to start replication straight away, so that you can first filter which objects will be synchronized, uncheck the Start the synchronization… option.
I have two users created in my Active Directory lab environment that will be replicated, along with their password hashes, to Office 365 once the installation and configuration of Azure AD Connect is done.
After synchronization has finished, both users appear in Office 365, allowing them to use a single username and password for both on-premises AD and Office 365. Note that the Sync Type is Synced with Active Directory, which is different from In cloud.
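The same result can be verified from the Azure AD Connect server instead of the portal. The script below is an added example, not the article's own steps or Microsoft's code; it assumes the ADSync module installed by Azure AD Connect, the MSOnline module installed separately, and that you sign in to Connect-MsolService with a tenant administrator account.

```powershell
# Added example: trigger a delta sync, wait for it to finish, then list which
# tenant users are "Synced with Active Directory" versus "In cloud".
Import-Module ADSync
Import-Module MSOnline

# Confirm the built-in scheduler is enabled and how often it runs
$sched = Get-ADSyncScheduler
'Sync cycle enabled: {0}, effective interval: {1}' -f `
    $sched.SyncCycleEnabled, $sched.CurrentlyEffectiveSyncCycleInterval

# Start a delta sync cycle instead of waiting for the next scheduled run
Start-ADSyncSyncCycle -PolicyType Delta

# Get-ADSyncConnectorRunStatus returns nothing once no connector is running
do {
    Start-Sleep -Seconds 15
} while (Get-ADSyncConnectorRunStatus)

# Tenant-side view: directory sync state and the last password hash sync
Connect-MsolService
$info = Get-MsolCompanyInformation
'DirSync enabled: {0}, last dir sync: {1}, last password sync: {2}' -f `
    $info.DirectorySynchronizationEnabled, $info.LastDirSyncTime, $info.LastPasswordSyncTime

# A synced user carries LastDirSyncTime and an ImmutableId (the on-premises
# anchor); a user created directly in Office 365 has neither.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ n = 'SyncType'; e = { if ($_.LastDirSyncTime) { 'Synced with Active Directory' } else { 'In cloud' } } },
        LastDirSyncTime, ImmutableId |
    Sort-Object SyncType, UserPrincipalName |
    Format-Table -AutoSize
```

Cloud-only accounts that you expected to be synced usually indicate a UPN mismatch or an object outside the synchronized scope rather than a failed sync run.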
Customizing Azure AD Connect Default Installation
The default configuration of Azure AD Connect takes all objects in the on-premises Active Directory and replicates them to Azure AD. In some cases you might want to customize which objects are replicated. For this, you can enable filtering at any time and specify which AD containers are replicated.
Several types of filtering configuration can be applied to the directory synchronization tool:
- Group-based: Filtering based on a single group. This filtering type can only be configured on initial installation by using the installation wizard.
- Domain-based: If you have a multi-domain forest, you can select which domains synchronize to Azure AD.
- Organizational unit (OU)–based: By using this option, you can select which OUs, including the objects they contain, are synchronized to Azure AD.
- Attribute-based: Use this filtering method to filter objects based on attribute values on the objects.
To configure domain-based filtering, launch the Azure AD Connect tool and select Connectors, then select the Connector with the type Active Directory Domain Services. In Actions, select Properties.
Click Configure Directory Partitions, then check or uncheck domains as needed.
Organizational unit (OU)–based Filtering
The most common filtering method is Organizational unit (OU)–based filtering, where you choose which organizational units will be synchronized.
To enable this option, launch the Azure AD Connect tool and select Connectors, then select the Connector with the type Active Directory Domain Services. In Actions, select Properties. Click Configure Directory Partitions, select the domain that you want to configure, and then click Containers.
Uncheck the OUs that you do not want to synchronize. By default all OUs are selected.
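Because the container selection is made in a GUI, it is worth confirming afterwards which OUs the connector really includes and excludes, and then running a full sync cycle, since objects in newly unchecked OUs are only removed from Azure AD by a full (Initial) cycle, not by the regular delta cycle. This script is an added example, not part of the original article; it assumes the ADSync module and a single Active Directory connector (ConnectorTypeName 'AD').

```powershell
# Added example: audit the effective OU filter per domain partition, then run
# a full import and synchronization so the new scope takes effect.
Import-Module ADSync

# The Active Directory connector is the one whose type name is 'AD';
# the Azure AD connector shows a different type name.
$connector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
if (-not $connector) { throw 'No Active Directory connector found.' }

foreach ($partition in $connector.Partitions) {
    'Partition: {0}' -f $partition.Name
    $scope = $partition.ConnectorPartitionScope
    '  Included containers:'
    $scope.ContainerInclusionList | ForEach-Object { '    {0}' -f $_ }
    '  Excluded containers:'
    $scope.ContainerExclusionList | ForEach-Object { '    {0}' -f $_ }
}

# A delta cycle will not remove already-synced objects from filtered-out OUs;
# an Initial cycle performs the full import and synchronization that does.
Start-ADSyncSyncCycle -PolicyType Initial
```

Review the inclusion list with the same care as group membership: any OU left included is synchronized in full, including service and administrative accounts that were never meant to have a cloud identity.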