Setup Azure AD Connect With On-Premise Active Directory


Azure Active Directory provides access control and identity management for Office 365 cloud services. Azure AD Connect is the upgraded successor of the DirSync application and lets you synchronize on-premise Active Directory objects with Microsoft Office 365 cloud services. Before you set up Azure AD Connect with on-premise Active Directory, it is a good idea to know what it consists of. Azure AD Connect is made up of three main components: Sync Services, AD FS, and Health Monitoring. Sync Services is the old DirSync and is responsible for replicating on-premise Active Directory users and groups to the Office 365 cloud. AD FS is an optional component that can be used to set up a hybrid environment with Office 365; features like SSO, sign-on policy, smart cards, etc. become available after the hybrid setup. The Health Monitoring component of Azure AD Connect allows you to monitor the on-premise Active Directory and the synchronized objects using the Azure AD Connect Health portal.

Setup Azure AD Connect With On-Premise Active Directory

There are two installation options in Azure AD Connect: Express and Custom. In the Express installation, the most commonly used components are installed with minimal user intervention. In the Custom installation, you have the option to change many settings manually. In this post, I will set up Azure AD Connect using the Express installation option. With the Express option, the application is installed in the “C:\Program Files\Microsoft Azure Active Directory Connect” location, SQL Server Express is installed, the Synchronization service is installed, the Microsoft Online Services Sign-in Assistant is installed, the Azure AD Connect Health Agent is installed, and password synchronization is enabled by default. This installation option is suitable if you have a single Active Directory forest. If you have multiple AD forests, you have to go with the Custom installation option. You can install Azure AD Connect on a domain-joined or non-joined server. In this post, I will install Azure AD Connect on MBG-DC01, which is the domain controller of the mustbegeek.com AD forest.

Office 365 Hybrid

The diagram above shows a simple scenario with one on-premise Active Directory and one Exchange Server. The goal of this scenario is to set up Exchange Hybrid and migrate on-premise mailboxes to Office 365. Most small organizations have this type of scenario. Now, let’s set up Azure AD Connect. Go to the domain controller, MBG-DC01. Open Internet Explorer. Log on to the Office 365 portal with a Global Administrator account. Expand Users and click Active Users.

Setup Azure AD Connect With On-Premise Active Directory

On the Active Users page, click Set up Active Directory synchronization as shown above. The Office 365 Setup page will pop up. On the first page, titled Sync your local directory with the cloud, click Next.

step 2

On the second page, shown above, click Next again. Make sure you meet the listed requirements before you click Next. Then click Start scan to check your local Active Directory domain.

evaluation directory sync setup

Click Run checks.

Run Application

Click Run as shown above. It will download the Microsoft Office 365 Support Assistant 3.5 from Microsoft. After the download is complete, click Run to start the application. The application will scan the environment.

here is what we found

After the scan is complete, it shows the AD objects that were found. Click Next. Now add and verify your domain names.

verify ownership of your domains

Since I had already verified the domains before, I got all three checks. Click Next. You can optionally download and run IDFix to look for problems in your Active Directory. I will skip this step. Click Next.

run azure active directory connect

Here, click Download to download the Azure Active Directory Connect application. After the download is complete, start the installation of the application.

Welcome to Azure

On the Welcome page, read the information. Accept the license terms and click Continue.

use express settings

Click Use express settings. If there are multiple forests, click the Customize option instead.

connect to azure ad

Enter the Office 365 Global Administrator credentials. Click Next.

connect to ad ds

Enter the local Active Directory Administrator credentials and click Next.

Ready to Configure

Check Start the synchronization process as soon as the configuration completes and Exchange hybrid deployment, and then click Install.

configuration complete

After the configuration is complete, you can log on to the Office 365 portal to verify that the user accounts have been synchronized.

synced with AD

As you can see above, the on-premise user accounts are now shown in Office 365. Also notice that a service account is synced with AD. When you choose the Express installation, the application automatically creates a service account in Azure AD. This service account is used by Office 365 for synchronizing and accessing on-premise objects. Similarly, if you open Active Directory on the on-premise server, as shown below, a service account has been created there as well. This service account name starts with AAD_ and the sync service runs as this user account.

Azure AD Service Account

In addition, another service account is created in the local Active Directory, as shown below. Its name starts with MSOL_ and it is used for synchronization.

MSOL

So basically, the Synchronization service runs as the AAD_* user account, while MSOL_* and Sync_MBG talk with each other about synchronization. To view the existing Azure AD Connect configuration, open the Azure AD Connect application, click View current configuration, and click Next.
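Because the Express install silently creates these accounts, it is worth recording what was created and what the sync service actually runs as, so that later changes stand out. The following PowerShell is an added example and is not part of the original post or of Microsoft's product; it assumes an elevated session on the Azure AD Connect server (MBG-DC01 in the post) with the ActiveDirectory RSAT module available, and it assumes the Windows service name of the sync engine is `ADSync` (an assumption, not stated on the page). The privileged group list is a constructed choice for the check.

```powershell
# Added example (not from the original post): inventory the accounts that the
# Express install of Azure AD Connect created in on-premise AD and confirm which
# identity the sync service itself runs as.
# Assumptions: ActiveDirectory RSAT module present; the sync engine's Windows
# service is named 'ADSync' (assumed); run in an elevated PowerShell session.
Import-Module ActiveDirectory

# 1. Service accounts created by the Express install:
#    AAD_*  - the account the sync service runs as
#    MSOL_* - the account used by the AD connector for synchronization
$syncAccounts = Get-ADUser `
    -Filter 'SamAccountName -like "AAD_*" -or SamAccountName -like "MSOL_*"' `
    -Properties Description, Enabled, LastLogonDate, PasswordLastSet, whenCreated, MemberOf

$syncAccounts |
    Select-Object SamAccountName, Enabled, whenCreated, PasswordLastSet, LastLogonDate, Description |
    Format-Table -AutoSize

# 2. Flag any sync account that has ended up in a highly privileged group.
#    Neither account needs this membership for synchronization to work.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'  # constructed list
foreach ($acct in $syncAccounts) {
    $groupNames = @($acct.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $hits = $groupNames | Where-Object { $privilegedGroups -contains $_ }
    if ($hits) {
        Write-Warning ("{0} is a member of privileged group(s): {1}" -f $acct.SamAccountName, ($hits -join ', '))
    }
}

# 3. Which Windows account does the sync service run as, and is it running?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'ADSync'"
if ($svc) {
    "Service '{0}' state={1} startmode={2} runs as {3}" -f $svc.DisplayName, $svc.State, $svc.StartMode, $svc.StartName
} else {
    Write-Warning "Service 'ADSync' was not found on this host (check the service name on your install)"
}
```

Keep the output of the first two steps with your change records: the `whenCreated` and `PasswordLastSet` values tie the accounts to the installation date, and a later run that shows a new AAD_ or MSOL_ account, a password change, or an interactive `LastLogonDate` on an account that should only be used by the service is something to investigate.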

Azure AD Configuration

As you can see above, various services are enabled or disabled. Similarly, the ImmutableID is generated from the objectGUID (the source anchor attribute), and the user principal name of the Office 365 user accounts is the on-premise User Principal Name. Now, assign licenses to the Office 365 users and start using Office 365.
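The source anchor setting shown in the configuration can be checked directly: with objectGUID as the source anchor, the cloud ImmutableId of every synced user must be the Base64 encoding of the raw 16 GUID bytes of the matching on-premise user. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module and the MSOnline module are installed and that `Connect-MsolService` has already been run with a Global Administrator account. The helper names (`Get-ExpectedImmutableId`, `ConvertFrom-ImmutableId`, `Test-ImmutableIdMatch`) are the example's own.

```powershell
# Added example (not from the original post): verify that each synchronized
# cloud user's ImmutableId matches the on-premise objectGUID, which is what the
# 'source anchor = objectGUID' setting in the configuration view implies.
# Assumptions: ActiveDirectory RSAT module and MSOnline module installed;
# Connect-MsolService already run as a Global Administrator.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    # Compute the ImmutableId Azure AD Connect derives from an on-premise user.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID
    if (-not $adUser) { throw "No on-premise user with UPN $UserPrincipalName" }
    # Base64 of the 16 raw GUID bytes, not of the GUID's string form.
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: turn a cloud ImmutableId back into the on-premise GUID.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Test-ImmutableIdMatch {
    # Compare the expected anchor with what Azure AD actually holds for the user.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $expected  = Get-ExpectedImmutableId -UserPrincipalName $UserPrincipalName
    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        OnPremImmutableId = $expected
        CloudImmutableId  = $cloudUser.ImmutableId
        Match             = ($expected -eq $cloudUser.ImmutableId)
        LastDirSyncTime   = $cloudUser.LastDirSyncTime
    }
}

# Check every cloud user that carries an ImmutableId (i.e. is directory-synced)
# and list the mismatches first so they are easy to spot.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId } |
    ForEach-Object { Test-ImmutableIdMatch -UserPrincipalName $_.UserPrincipalName } |
    Sort-Object Match |
    Format-Table UserPrincipalName, Match, OnPremImmutableId, CloudImmutableId, LastDirSyncTime -AutoSize
```

A `Match` of `False` means the cloud object is anchored to a different on-premise object than the one that currently carries that UPN (for example a user that was deleted and re-created in AD), and such a user will not be updated by the sync cycle until the anchors are reconciled. `ConvertFrom-ImmutableId` is useful when you only have the cloud value and want to search AD for the GUID it points to.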

Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to network technologies. Some of his certifications are MCSE: Messaging, JNCIP-SEC, JNCIS-ENT, and others.