Azure AD Connect allows you to synchronise your on-premise Active Directory identities to Azure AD or Microsoft 365. This allows you to manage your user settings and identities in one single location as well as many other benefits we will discuss in the post. Here we are going to go through how to install and manage Azure AD Connect in your on-premise and Azure cloud environment.
What is Azure AD Connect and How does it work
Azure AD Connect allows you to synchronise attributes of your on-premise Active Directory users with Azure Active Directory. These attributes include the user's name, userPrincipalName (the username), their email address and aliases, password and contact/personal information. The Azure AD Connect application is installed on your on-premise domain controller or a member server; users are then matched between your on-premise directory and the cloud, and synchronisation is enabled.
The Benefits of Using Azure AD Connect
If you are looking to start using Azure AD Connect it is likely that you have an on-premise Active Directory environment and also have (or are looking to implement) an Azure Active Directory environment. Even if you are not using Microsoft services for email or Azure, you may be using Microsoft 365 for your application licensing, in which case it also makes sense to implement Azure AD Connect. If you would like to read more on Azure Active Directory I recommend the article, What is Azure Active Directory?
Benefits for Active Directory Administrators
Azure AD Connect allows administrators to manage their environment from a single place, that being their on-premise Active Directory. It will allow you to create users, set attributes, create groups and shared mailboxes all from the single Active Directory console. That combined with dynamic group memberships will really minimise your need to log in to Azure AD.
Your password policy will also be extended from your on-premise directory to Azure, as passwords can be synchronised to Azure AD. You can read more on group memberships by reading: Creating and Understanding Microsoft 365 Groups.
Benefits for End Users
As for the end users, having their identities synced from on-premise to Azure AD means they only need to remember a single password, which serves both their Windows login and Azure AD (or Microsoft 365). This simplifies tasks such as setting up Outlook for email, licensing their Office 365 applications and logging in to Office.com remotely to access SharePoint or OneDrive online.
How to install Azure AD Connect
Pre-requisites
For Azure AD Connect to run as you would expect there is a little prep work you need to do in your on-premise Active Directory. Firstly you need to ensure your custom domain is added to your Active Directory as a UPN suffix and that the user attributes you wish to sync are correct.
Start by opening Active Directory Domains and Trusts, right click Active Directory Domains and Trusts and enter the alternative UPN suffix of your external domain. In my case it will be ourcloudnetwork.com. Click OK.
Now head to Active Directory Users and Computers, right click on your user and click Properties. Ensure the email field is filled out correctly, then go to the Account tab and change the user logon name domain to the new UPN suffix you added.
If you wish to add alias email addresses for this user, go to View at the top of the Active Directory Users and Computers window and select Advanced Features. Right click on your user again and select Properties, this time select the Attribute Editor tab and scroll down to proxyAddresses. Add the primary email address in the format SMTP:*EMAIL ADDRESS* (uppercase SMTP), then add any alias addresses using lowercase smtp: as follows.
In order to sign in to Azure AD Connect once the application is installed, you also need to temporarily disable IE Enhanced Security Configuration in Server Manager.
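The prerequisite steps above can also be staged and checked from PowerShell, which is useful when preparing more than one user. This is an added example, not code from the original post; it uses the ActiveDirectory module on a domain-joined server, and the sAMAccountName jblue, the james.blue@ primary address and the alias addresses are assumed values.

```powershell
# Added example: stage the on-premise attributes Azure AD Connect will sync and
# validate them before the first sync cycle (ActiveDirectory module required).
# Assumed values: UPN suffix ourcloudnetwork.com, sAMAccountName jblue, addresses below.
Import-Module ActiveDirectory

$Suffix  = 'ourcloudnetwork.com'
$Sam     = 'jblue'
$Primary = "james.blue@$Suffix"
$Aliases = @("jblue@$Suffix", "james@$Suffix")

# 1. Register the alternative UPN suffix on the forest (the Domains and Trusts step).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# 2. Routable UPN, mail attribute and proxyAddresses: exactly one uppercase 'SMTP:'
#    entry is the primary address, every alias uses lowercase 'smtp:'.
$proxies = @("SMTP:$Primary") + ($Aliases | ForEach-Object { "smtp:$_" })
Set-ADUser -Identity $Sam -UserPrincipalName "$Sam@$Suffix" -EmailAddress $Primary
Set-ADUser -Identity $Sam -Replace @{ proxyAddresses = $proxies }

# 3. Check for the mistakes that cause a failed match or an onmicrosoft.com UPN in the cloud.
function Test-SyncReadiness {
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties mail, proxyAddresses
    $problems = @()
    $upnSuffix = ($u.UserPrincipalName -split '@')[-1]
    $known = @((Get-ADDomain).DNSRoot) + (Get-ADForest).UPNSuffixes
    if ($known -notcontains $upnSuffix) { $problems += "UPN suffix '$upnSuffix' is not registered in the forest" }
    $primaries = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })   # case-sensitive match
    if ($primaries.Count -ne 1) { $problems += "Expected one 'SMTP:' primary, found $($primaries.Count)" }
    elseif ($primaries[0].Substring(5) -ne $u.mail) { $problems += "Primary proxy address does not match the mail attribute" }
    $dupes = $u.proxyAddresses | ForEach-Object { $_.ToLower() } | Group-Object | Where-Object Count -gt 1
    if ($dupes) { $problems += "Duplicate proxy addresses: $($dupes.Name -join ', ')" }
    [pscustomobject]@{ User = $u.SamAccountName; Ready = ($problems.Count -eq 0); Problems = $problems }
}

Test-SyncReadiness -Identity $Sam
```

Run Test-SyncReadiness against every user in the OU you intend to sync before installing Connect; a user reported as not Ready will either fail to match or land in the cloud with the wrong username.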
Installing Azure AD Connect
To start make sure you download the latest version of Azure AD Connect from the official Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=47594.
Version 2 of Azure AD Connect requires you to be running Windows Server 2016 or higher. If you are not running Server 2016 or higher you will need to source Version 1 of Azure AD Connect. Version 2 also uses TLS1.2 to encrypt communications between the sync engine and Azure AD, so you will need to ensure this is enabled. Version 1 uses TLS1.1.
Once you have the application downloaded, run the installer and accept the EULA.
On the Express settings page, click Customise as we do not want to use the default installation and synchronisation settings.
At Install required components you can change your installation location, use an existing SQL server, use an existing service account, specify sync groups or import settings. We are going to leave all the settings unchecked and click Install.
The User sign-in page allows us to choose a sign-in method for our synchronised users. We are going to select Password Hash Synchronisation, which will allow our users to sign in to the cloud with the same password as their on-premise account.
Next Connect to Azure AD with your global administrator account. Once done you will be taken straight to the Connect your directories page. Ensure your forest is selected and click Add Directory. In the popup window select Create new AD Account and enter your domain administrator account information below, then click OK.
For the Azure AD sign-in configuration I can see my chosen UPN suffix of ourcloudnetwork.com is verified and I will choose the userPrincipalName attribute to use as the Azure AD username for my synced accounts. I have also selected the check box to continue without matching all UPN suffixes to verified domains.
Under Domain and OU filtering it is extremely important that you only sync the specific OUs you wish to sync, otherwise you risk deleting data or user accounts which are already in Azure AD. I have selected my Office 365 OU which contains a single user, James Blue.
On the Uniquely identifying your users page I am leaving all settings as default and clicking next. As this is a new installation of Azure AD Connect I am going to allow Azure AD Connect to select the default recommended sync attributes for me. I will also do the same for the Filter users and devices page.
The Optional features page will lastly present any additional features you can enable. I am going to enable the Password writeback feature. This means if I change a user password in Azure AD, the password will write back to the on-premise directory user it is synced with, allowing user passwords to be updated in Azure AD or on-premise.
On the final page you can check the option Enable staging mode. By using staging mode you can review any changes that will occur in Azure AD once the sync is enabled without actually making the changes. With this setting you can review whether the changes you are making are correct and will not have any adverse effects before going live. I am simply going to select Install without enabling staging mode.
Finally you can check the status of your users in the Microsoft 365 portal. Here you can see my user James Blue has been added with the correct username/email and his sync status is Directory Synced.
How to Manage Azure AD Connect
From the above information you can deduce how to add/remove users and change user information: most settings you change on the on-premise user account will sync to Azure AD. Microsoft has a useful page here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized which lists all the user attributes which are and are not synced.
One of the most useful tools to manage Azure AD Connect is the Synchronization Service Manager that is installed alongside Azure AD Connect. Open the application and you will be presented with a screen as follows.
If you select one of the connector operations in the list you will see the export statistics appear at the bottom. Here I have selected my first export and you can see there has been 1 add to my Azure Active Directory.
If you click on the 1 I have circled above, then double click on the Distinguished Name, you will see all of the information needed to troubleshoot or manage any change. This is exactly how we would use the Staging Mode feature: you are able to see this information without the changes actually being copied to Azure AD.
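The same day-to-day checks can be done without the GUI through the ADSync PowerShell module that is installed with Azure AD Connect. This is an added example, not code from the original post; it is run on the Connect server itself, and the deletion threshold of 500 is an assumed value.

```powershell
# Added example: routine Azure AD Connect checks from the ADSync module on the Connect server.
Import-Module ADSync

# Scheduler state: sync cycle on or off, staging mode, and whether a cycle is running now.
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC

# Keep the export deletion guard enabled. It stops an export that would delete more
# objects than the threshold, which is the damage a wrong OU filter would otherwise cause.
$guard = Get-ADSyncExportDeletionThreshold
if (-not $guard.DeletionPrevention) {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500   # assumed value; size it to the tenant
}

# Run a delta cycle now instead of waiting for the scheduler, unless one is already in progress.
if (-not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}

# Get-ADSyncConnectorRunStatus returns nothing once every connector is idle.
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
} while ($running)

# List the connectors; their names are the entries shown in the Synchronization Service Manager.
Get-ADSyncConnector | Select-Object Name
```

If StagingModeEnabled is true the cycle imports and evaluates changes but exports nothing, which is the safe state in which to review the pending adds and deletes in the Synchronization Service Manager.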
How to remove Azure AD Connect from your environment
Removing Azure AD Connect involves two key steps. The first step is to convert all of your accounts from directory synced to in-cloud only. This will remove any link to Azure AD Connect from your cloud environment. It is good to know that no passwords, either on-premise or in-cloud, are changed during this process.
The next step is simply to uninstall Azure AD Connect from your server through the Control Panel (which I will not go through here, as it should be fairly self-explanatory).
Let's focus on disabling Azure AD Connect in your Azure AD tenant. We are going to use PowerShell for this process.
Start by running PowerShell as Administrator and installing the MSOnline PowerShell module with the following command, selecting Yes at the prompts.
Install-Module MSOnline
Once the module is installed you need to connect to your Microsoft cloud environment. Run the following command; you will then be prompted to sign in with your global administrator account.
Connect-MsolService
To view your current synchronisation status run the following. The result will simply show True.
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
To disable the directory sync run the following and select Yes.
Set-MsolDirSyncEnabled -EnableDirSync $false
Directory sync will now take up to 72 hours to be completely disabled. You can run the Get-MsolCompanyInformation command above to view the status again, at which point it will show False. You can also view the sync status column of your users in the Microsoft 365 portal; it will show the cloud symbol once complete.
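The removal steps above can be wrapped in a script that records which accounts are currently synced and checks that a cloud-only administrator exists before sync is switched off. This is an added example, not code from the original post; it uses the same MSOnline cmdlets after Connect-MsolService has been run, and the CSV report path is an assumed value.

```powershell
# Added example: decommission checks around Set-MsolDirSyncEnabled (MSOnline module, already connected).
function Get-SyncedUserInventory {
    # LastDirSyncTime is only populated on objects Azure AD Connect has synced;
    # cloud-only accounts (break-glass admins, service accounts) have none.
    Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime } |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

function Test-CloudOnlyGlobalAdminExists {
    # MSOnline names the Global Administrator role "Company Administrator".
    $roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
    $admins = Get-MsolRoleMember -RoleObjectId $roleId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        Where-Object { $null -eq $_.LastDirSyncTime }
    return [bool]$admins
}

function Disable-TenantDirSync {
    param([string]$ReportPath = '.\synced-users-before-cutover.csv')   # assumed path
    $synced = @(Get-SyncedUserInventory)
    $synced | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$($synced.Count) directory-synced users recorded in $ReportPath"

    # Keep a way into the tenant that does not depend on the on-premise directory.
    if (-not (Test-CloudOnlyGlobalAdminExists)) {
        throw 'No cloud-only Global Administrator found; create one before disabling sync.'
    }

    if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    }
}

function Test-DirSyncDisabled {
    # Can take up to 72 hours to change; run periodically until it returns True.
    -not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
}

Disable-TenantDirSync
Test-DirSyncDisabled
```

Keep the CSV: the ImmutableId values in it are what you would need if the tenant ever had to be re-matched to the on-premise directory later.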
Summary
We hope you found this post informative, now you should be able to install Azure AD Connect, Manage Azure AD Connect and also remove it from your environment if it is no longer required. If you have any questions feel free to post below and we will respond.