Finally, your organization is moving to Office 365! That sounds exciting and daunting at the same time. But now comes the task of connecting Azure AD to Office 365. Do you know how to connect Azure Ad to Office 365?
Not a reader? Watch this related video.One of the first things that would probably come to mind is how do you make sure that users are only using one credential to access on-premise and cloud resources. This is where Azure AD Connect comes into play.
With Azure AD Connect, your user accounts will be synchronized to Office 365, including their passwords. This means that whether your users are accessing network printers or accessing their emails in Office 365 they will only have to use one credential.
In this article, you will learn how to install Azure AD connect and enable directory synchronization for your Office 365 tenancy.
Requirements
Since this is a step-by-step article, you need to have some requirements available if you plan to follow along with the examples.
- An Azure AD Tenant. You can request for a free trial if you do not have a tenant yet.
- Access to an On-Premise Active Directory. If you don’t have one, you can also use an Azure trial subscription to build a test server.
- A server where Azure AD Connect will be installed.
- Download the Azure AD Connect installer.
- A Global Administrator account in your Azure AD tenant.
- An Enterprise Administrator account in your on-premises Active Directory.
- Ensure that the Azure AD Connect and Azure AD ports are allowed in your network.
- The MSOnline module must be installed on your management PC.
For a comprehensive list of requirements, you may visit Prerequisites for Azure AD Connect
Checking the Pre-Installation Directory Synchronization Status
Before starting with the Azure AD Connect setup, let’s look at how to check the current status of directory synchronization in your tenant.
Using PowerShell
To view the current DirSync status, you must first connect to Azure AD. Then, use the command below to retrieve the information relevant to your organization’s directory sync status.
Get-MsolCompanyInformationAfter running the command above, you should see similar output in PowerShell, as shown below. As you can see for the below image, the value of DirectorySynchronizationEnabled is False.
Other attributes, such as the DirSyncServiceAccount, LastDirSyncTime, and LastPasswordSyncTime, are not expected to have any values since directory sync has never been run.
Using the Admin Center
You can also check the current DirSync in the Azure Active Directory Admin Center.
First, log in to the portal. Then, go to Azure Active Directory —> Azure AD Connect. Under the Azure AD Connect sync section, you should see the current status of the directory sync.
As you can see from the image below, it shows that the Azure AD Connect is Not installed, the Last Sync status value states that the Sync has never run. Lastly, the Password Hash Sync value is disabled.
Installing Azure AD Connect
Assuming that you’ve already met all the requirements, you’re ready to install Azure AD Connect on your server.
First, log in to the server where you plan to install Azure AD Connect. Run the installation file and follow the instructions presented.
The image below shows the Welcome to Azure AD Connect page. Take note of what’s being said (or don’t) and make sure to put a check of I agree to the license terms and privacy notice. Then, click on Continue.
The next page is where you can choose the installation type. You can choose whether to Customize or Use express settings. In this example, Azure AD Connect will be installed using the express settings.
Choosing the express installation will:
- Configure synchronization of identities.
- Configure password synchronization from on-prem AD to Azure AD.
- Execute initial sync.
- Enable Auto Upgrade.
Next, in the Connect to Azure AD page, enter the credential of the Global administrator account. As mentioned earlier in this article, a Global administrator account is required.
Once you’ve entered the credential, click Next.
If the installer could use the Global admin credential you provided, you will be taken to the Connect to AD DS page.
You need to enter the account credential with enterprise administrator rights to your on-premise Active Directory. Then, click Next.
After the credential is confirmed, you will be taken to the ready to configure page where you are presented with the list of actions that will be performed. These actions are:
- Install the synchronization engine (local SQL express).
- Configure Azure AD Connector.
- Configure the <domain> Connector.
- Enable Password hash synchronization.
- Enable Auto Upgrade.
- Configure the synchronization services.
- Execute the initial synchronization process.
To proceed with the installation, click on Install.
At this point, you only need to wait for the installation to complete.
Finally, after the installation, configuration, and the initial synchronization is complete, you will see a status page similar to the image below. Take note of the reminders and recommendations, then click Exit.
Verifying the Azure AD Connect Installation
Now that you’ve installed Azure AD Connect on your server, you will want to make sure the installation was successful, and that directory synchronization is working. In this section, you will learn several ways to confirm that Azure AD Connect synchronization is functional.
Verifying Azure AD Connect in the Microsoft 365 Admin Center
The Azure AD Connect status is available by a default card in the Microsoft 365 admin center.
First, log in to the Microsoft 365 admin center portal. Once you’re logged in, you should see the Azure AD Connect status under the User management card. See the screenshot below for reference.
As you can see from the screenshot above, Azure AD Connect status shows that the recent Directory Sync was run 17 minutes ago. Additionally, Password sync is enabled.
Verifying the User Account Sync Status in the Microsoft 365 Admin Center
You can also check whether the accounts in your On-Premise Active Directory are synchronized to Office 365.
To check the user account sync status, in the Microsoft 365 admin center, go to Users —> Active Users. When you look at the list of users, you would see the Sync status column showing whether the account is In Cloud or Synced from on-premise.
Obviously, the accounts that are in the cloud are those accounts provisioned directly in Office 365 and does not exist in your on-premise Active Directory.
While the Synced from on-premise accounts exists on-premise and synchronized to the cloud.
Verifying Azure AD Connect in the Azure AD Admin Center
First, log in to the portal. Then, go to Azure Active Directory —> Azure AD Connect. Under the Azure AD Connect sync section, you should see the current status of the directory sync.
As you can see from the image below, it shows that the Azure AD Connect Sync status is Enabled, the Last Sync status value states that it was Less than 1 hour ago. Lastly, the Password Hash Sync value is Enabled.
Verifying the User Account Source in Azure AD Admin Center
Another way to verify that synchronization is working is by checking the user account source.
First, log in to the portal. Then, go to Users —> All users. Under the list of users, you’ll see under the Source column whether the account is from the Windows Server AD – which indicates that the account is synced from the on-premise Active Directory.
Verifying the Directory Synchronization Status using PowerShell
To view the current Azure AD sync status, you must first connect to Azure AD. Then, use the command below to retrieve the information relevant to your organization’s directory sync status.
Get-MsolCompanyInformationAfter running the command above, you should see similar output in PowerShell, as shown below. As you can see for the below image:
- The value of
DirectorySynchronizationEnabledisTrue. - The account configured as the synchronization service account is shown.
LastDirSyncTimeandLastPasswordSyncTimeDateTime values are populated.PasswordSynchronizationEnabledvalue isTru
Verifying Azure AD Connect Sync Cycle Schedule
When you install Azure AD Connect, the AdSync PowerShell module is also installed along with it. Using the AdSync module, you can also check the current Azure AD Connect synchronization status on your server.
First, open PowerShell and then run this command below.
Get-ADSyncSchedulerAfter running the code above, the result would show you the following:
- The scheduled sync cycle interval (
AllowedSyncCycleInterval) - Whether the sync cycle schedule is enabled (
SyncCycleEnabled) - When the next sync is scheduled (
NextSyncCycleStartTimeInUTC) - The type of sync that is scheduled to run next (
NextSyncCyclePolicyType)
Running a Delta Sync Manually
Running manual delta sync is one way of determining whether the synchronization is working as expected. Delta sync means you are only synchronizing changes that were made after the last directory sync has run.
To test delta sync, choose an account from your on-premise Active Directory and change its display name value. In this example, the user account AdSync will be used, and the display name will be changed to AdSync1.
Then, in PowerShell, run this command below.
Start-ADSyncSyncCycle -PolicyType DeltaAfter running the above command, wait for it to return the result, as shown in the image below.
Then, go to the Azure AD admin center to confirm that the display name has changed. The image below shows the display name of the user AdSync before and after the delta sync was run.
Removing Azure AD Connect
There may be a time when you will decide to remove Azure AD Connect and disable directory synchronization for your organization.
Suppose that you have a small organization, and you have already migrated all your users to the cloud. You no longer need to want to maintain any servers in your data center. That’s one reason to remove Azure AD connect.
Uninstalling Azure AD Connect from the Server
To remove Azure AD Connect, follow these steps. First, uninstall Azure AD Connect from your server.
When the Uninstall Azure AD Connect window shows up, make sure to select Also uninstall supporting components. Then, click Remove.
Wait for the uninstall process to complete, and you should see a confirmation page like the one below.
Disabling Directory Synchronization
Once Azure AD Connect has been uninstalled from the server, the last action is to disable DirSync.
You must first connect to Azure AD using PowerShell. Next, use the command below to disable the directory synchronization for your Azure AD tenant.
Set-MsolDirSyncEnabled -EnableDirSync $falseOnce you run the command, you may get an error similar to the screenshot below.
The error above means that you are not yet allowed to disable the synchronization. It may take several minutes to several days, depending on your tenant’s size, before you can disable DirSync.
When this happens, all you can do is wait and try the same command again. In this example, it took about 15 minutes of waiting. Running the command to disable DirSync this time was successful.
After disabling DirSync and removing Azure AD Connect, the previously synchronized accounts from your on-premise AD to Azure AD will be converted to a cloud account. These converted accounts will no longer show as being synced from on-premise.
It may take several hours for the accounts to be fully converted from on-prem to cloud. In this article, it took approximately thirty-six (36) hours for the conversion to finish after disabling the directory synchronization. See the before and after comparison below.
Conclusion
Azure AD Connect is an excellent tool that allows your on-prem user accounts to be synchronized to your Azure AD / Office 365 tenancy. When properly configured, your users will not have to be provisioned with separate accounts to access on-premise and cloud resources.
More configurations can be done with Azure AD Connect than what’s covered in this article. Azure AD Connect can be customized to change the sync cycle’s interval or disable the auto-upgrade when you want more control over upgrades.
I hope that what you’ve learned in this article, although as basic as possible, could help you get a better understanding of how to install, configure and use Azure AD Connect for your Office 365 tenancy.
