Azure Active Directory provides access control and identity management capabilities for Office 365 cloud services. Azure AD Connect is the upgraded successor to the DirSync application and lets you synchronize on-premises Active Directory objects with Microsoft Office 365 cloud services. Before you set up Azure AD Connect with on-premises Active Directory, it is a good idea to know a little more about it. Azure AD Connect is made up of three main components: Sync Services, AD FS and Health Monitoring. Sync Services is the old DirSync and is responsible for replicating on-premises Active Directory users and groups to the Office 365 cloud. AD FS is an optional component and can be used to set up a hybrid environment with Office 365; features like SSO, sign-on policy, smart cards, etc. become available after the hybrid setup. The Health Monitoring component of Azure AD Connect allows you to monitor on-premises Active Directory and the synchronized objects using the Azure AD Connect Health portal.
Setup Azure AD Connect With On-Premise Active Directory
There are two different installation options in Azure AD Connect, Express and Custom. In an Express installation, the most commonly used components are installed with minimal user intervention. In a Custom installation, you have the option to change many settings manually. In this post, I will set up Azure AD Connect using the Express installation option. With Express settings, the application is installed in “C:\Program Files\Microsoft Azure Active Directory Connect”, SQL Server Express is installed, the Synchronization service is installed, the Microsoft Online Services Sign-in Assistant is installed, the Azure AD Connect Health agent is installed and password synchronization is enabled by default. This installation option is useful if you have a single Active Directory forest. If you have multiple AD forests, you have to go with the Custom installation option. You can install Azure AD Connect on a domain-joined or non-joined server. In this post, I will install Azure AD Connect on MBG-DC01, which is the domain controller of the mustbegeek.com AD forest.
The diagram above shows a simple scenario with one on-premises Active Directory and one Exchange Server. The goal of this scenario is to set up an Exchange hybrid deployment and migrate on-premises mailboxes to Office 365. Most small organizations have this type of scenario. Now, let's set up Azure AD Connect. Go to the domain controller, MBG-DC01. Open Internet Explorer. Log on to the Office 365 portal with a Global Administrator account. Expand Users and click Active Users.
On the Active Users page, click Set up Active Directory synchronization as shown above. The Office 365 Setup page will pop up. On the first page, titled Sync your local directory with the cloud, click Next.
On the second page, as shown above, click Next again. Make sure you meet the requirements listed above before you click Next. Click Start scan to check your local Active Directory domain.
Click Run checks.
Click Run as shown above. It will download Microsoft Office 365 Support Assistant 3.5 from Microsoft. After the download is complete, click Run to run the application. The application will scan the environment.
After the scan is complete, it will show the AD objects found. Click Next. Now add and verify your domain names.
Since I had already verified the domain before, I got all three checks. Click Next. You can optionally download and run IDFix to look for problems in your Active Directory. I will skip this step. Click Next.
Here, click Download to download the Azure Active Directory Connect application. After the download is complete, start the installation.
On the Welcome page, read the information. Accept the license terms and click Continue.
Click Use express settings. If there are multiple forests, click Customize instead.
Enter the Office 365 Global Administrator credentials. Click Next.
Enter the local Active Directory Administrator credentials and click Next.
Check Start the synchronization process as soon as the configuration completes and Exchange hybrid deployment, then click Install.
After the configuration is complete, you can log on to the Office 365 portal to verify that the user accounts have been synchronized.
As you can see above, the on-premises user accounts are now shown in Office 365. Also notice that a service account has been synced along with them. When you choose the Express installation, the application automatically creates a service account in Azure AD; this account is used for synchronizing on-premises objects to Azure AD. Similarly, if you open Active Directory on the on-premises server as shown below, a service account has also been created there. This account's name starts with AAD_, and the sync service (the service created when Azure AD Connect is installed) runs as this account.
In addition, another account, whose name starts with MSOL_, is created in the local Active Directory as shown below and is used for synchronization.
So basically, the synchronization service runs as the AAD_* user account, while MSOL_* and Sync_MBG-DC01* hold special permissions for synchronization. To view the existing Azure AD Connect configuration, open the Azure AD Connect application, click View current configuration and click Next.
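Because these accounts are created silently by the Express setup and carry synchronization rights over the whole domain, it is worth recording exactly what was created. The script below is an added example, not part of the original post or of Azure AD Connect itself; it assumes the ActiveDirectory module is installed and that it runs on the Azure AD Connect server (MBG-DC01 in this post) with rights to read the domain ACL. It confirms which account the ADSync service runs as, lists the AAD_* and MSOL_* accounts, and shows the rights the MSOL_* account holds on the domain root, resolving extended-right GUIDs to names through the schema's Extended-Rights container (rights granted on individual attributes resolve to nothing there and are shown with their raw ActiveDirectoryRights value instead).

```powershell
# Added example (not from the original post): inventory the accounts that
# Azure AD Connect created on-premises and show what they are used for.
# Assumes the ActiveDirectory module and a session with rights to read the
# domain ACL on the Azure AD Connect server.
Import-Module ActiveDirectory

# 1. Which account does the sync service actually run as? (Expect AAD_*.)
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
"ADSync service runs as: $($svc.StartName) (state: $($svc.State))"

# 2. List the AAD_* and MSOL_* accounts in local AD and when they were created.
Get-ADUser -Filter 'SamAccountName -like "AAD_*" -or SamAccountName -like "MSOL_*"' `
    -Properties Description, WhenCreated, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, WhenCreated, PasswordNeverExpires, Description |
    Format-Table -AutoSize

# 3. Show the rights the MSOL_* account holds on the domain root. Extended
#    rights are stored as GUIDs in the ACE; look each one up by rightsGuid in
#    the configuration partition to get its display name.
$domainDN = (Get-ADDomain).DistinguishedName
$rightsDN = "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like '*\MSOL_*' } |
    ForEach-Object {
        $name = $_.ActiveDirectoryRights.ToString()
        if ($_.ObjectType -ne [guid]::Empty) {
            $right = Get-ADObject -SearchBase $rightsDN `
                -LDAPFilter "(rightsGuid=$($_.ObjectType))" -Properties displayName
            # Attribute-level ACEs point at a schema GUID, not an extended right,
            # so $right is empty for them and the raw rights string is kept.
            if ($right) { $name = $right.displayName }
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Right     = $name
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Run it once after installation and keep the output with the change record; if a later review finds additional AAD_* or MSOL_* accounts, or the ADSync service running as some other identity, that is a discrepancy to investigate rather than a normal side effect of the Express setup.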
As you can see above, various services are enabled or disabled. Similarly, the ImmutableID is generated from the objectGUID (the source anchor attribute), and the user principal name of each Office 365 user account is the on-premises User Principal Name. Now, assign licenses to the Office 365 users and start using Office 365.
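The ImmutableID that the Express configuration derives from objectGUID is simply the Base64 encoding of the GUID's 16 raw bytes, which is what lets you match a cloud user back to exactly one on-premises object. The functions below are an added example, not code from the original post or from Azure AD Connect; they assume the ActiveDirectory module, and 'jdoe@mustbegeek.com' is a placeholder UPN. The round trip on a constructed GUID needs no directory at all; the last part computes the value for a real on-premises user so it can be compared with what Azure AD shows for the synced account.

```powershell
# Added example (not from the original post): derive the ImmutableID that
# Azure AD Connect writes for a user from that user's on-premises objectGUID,
# and convert an ImmutableID back to a GUID.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableID is the Base64 encoding of the GUID's 16 raw bytes, in the
    # byte order that Guid.ToByteArray() returns (not the text form's order).
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # A tenant that uses a different source anchor (e.g. a custom attribute)
    # will not decode to 16 bytes; refuse to guess in that case.
    if ($bytes.Length -ne 16) {
        throw "ImmutableID does not decode to 16 bytes; not an objectGUID-based anchor"
    }
    [guid]::new($bytes)
}

# Round trip on a constructed GUID (no directory needed).
$sample = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$id = ConvertTo-ImmutableId $sample
"ImmutableID: $id"
"Back to GUID: $(ConvertFrom-ImmutableId $id)"   # equals $sample

# Same calculation for a real on-premises user; $upn is a placeholder.
$upn = 'jdoe@mustbegeek.com'
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties ObjectGUID
if ($user) {
    "$($user.UserPrincipalName): objectGUID=$($user.ObjectGUID) ImmutableID=$(ConvertTo-ImmutableId $user.ObjectGUID)"
}
```

If the value computed here differs from the ImmutableID on the cloud account, the two objects are not the same anchor, which is the usual cause of duplicate or unmatched users after a migration; the on-premises objectGUID never changes for the life of the object, so the comparison is stable.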