Azure AD Connect Setup

Synchronize network user accounts, passwords, and password policy with Microsoft 365.

Relevance

Last Review: March 30, 2021

Product(s): Windows Server 2019, Azure

Author(s): Cameron Smith

Delta

A cyberist created this article using the patented Delta Method by modernizing a typical approach.

Summary

Azure AD Connect is a free Microsoft download that synchronizes Active Directory user accounts and password hashes with Microsoft 365.

Users then sign in to Active Directory and Microsoft 365 with the same password, and the user account fields you select are controlled from Active Directory. Password policy stays enforced on-premises: users change their password in Active Directory under the domain policy, and the new hash follows at the next sync cycle.

Only a salted, further-hashed form of the Active Directory password hash (PBKDF2-HMAC-SHA256 over the NT hash) is sent; neither the cleartext password nor the raw Active Directory hash is stored in Microsoft 365.

Requirements

  • Microsoft 365 Global Admin permissions
  • Domain Admin access
  • Windows Server 2012 or greater
  • Azure AD Connect download from Microsoft
  • Active Directory user accounts to sync must be in an Organizational Unit (OU)
  • Security groups, service accounts, and admin accounts should not be synced and must be moved to separate OUs
  • A routable User Principal Name (UPN) suffix must be added in Active Directory Domains and Trusts and the UPN changed for each user in Active Directory Users and Computers (no user impact, since sAMAccountName logons are unaffected)
  • The primary e-mail address and any other aliases must be listed and edited as desired in Active Directory Users and Computers – Attribute Editor – proxyAddresses (the upper-case SMTP: entry is the primary; exactly one per user)
  • Avoid Express setup, which syncs the entire forest and then requires troubleshooting of various object conflicts
  • Announce to users that their Microsoft 365 password will be the same as their network password and that saved passwords must be updated on smartphones and tablets
  • By default, AD Connect syncs user changes every 30 minutes
  • Setup requires 45 – 60 minutes and a restart may be required
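The UPN, proxyAddresses, and OU requirements above are easy to get wrong by hand across many users, so here is an added pre-flight script (not part of the original article) that does the Active Directory preparation and flags the accounts that should not be in a synced OU. It uses the RSAT ActiveDirectory module; the forest name corp.local, the public suffix contoso.com, and the OU path are hypothetical and must be replaced with your own values.

```powershell
# Added example, not from the original article. Run as Domain Admin on a DC or an RSAT host.
# Assumed (hypothetical) values: forest corp.local, verified Microsoft 365 domain contoso.com,
# users to sync under OU=Users,OU=Sync,DC=corp,DC=local.
Import-Module ActiveDirectory

$UpnSuffix = 'contoso.com'                              # must already be a verified domain in Microsoft 365
$SyncOUs   = @('OU=Users,OU=Sync,DC=corp,DC=local')    # the only OUs you will select in the wizard
$Forest    = Get-ADForest

# 1. Register the UPN suffix once per forest (same effect as Active Directory Domains and Trusts).
if ($Forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $UpnSuffix }
}

foreach ($ou in $SyncOUs) {
    $users = Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName, mail, proxyAddresses, adminCount

    foreach ($u in $users) {
        # 2. Rewrite the UPN to the routable suffix; sAMAccountName logons are unaffected.
        $targetUpn = "$($u.SamAccountName)@$UpnSuffix"
        if ($u.UserPrincipalName -ne $targetUpn) {
            Set-ADUser -Identity $u -UserPrincipalName $targetUpn
        }

        # 3. Ensure exactly one primary SMTP address (upper-case 'SMTP:' marks the primary).
        #    Existing primaries are demoted to aliases rather than dropped.
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -ne 1 -or $primary[0] -ne "SMTP:$targetUpn") {
            $aliases   = @($u.proxyAddresses |
                           ForEach-Object { $_ -creplace '^SMTP:', 'smtp:' } |
                           Where-Object { $_ -ne "smtp:$targetUpn" })
            $addresses = @("SMTP:$targetUpn") + $aliases
            Set-ADUser -Identity $u -Replace @{ proxyAddresses = $addresses; mail = $targetUpn }
        }
    }

    # 4. Privileged (adminCount=1) or disabled accounts in a sync OU must be moved out before installing.
    Write-Host "Accounts in $ou that should not be synced:"
    $users | Where-Object { $_.adminCount -eq 1 -or -not $_.Enabled } |
        Select-Object SamAccountName, Enabled, adminCount, DistinguishedName |
        Format-Table -AutoSize
}

# 5. Duplicate proxyAddresses anywhere in the forest become object conflicts after the first sync.
Write-Host 'Duplicate proxyAddresses across the forest:'
Get-ADUser -Filter * -Properties proxyAddresses |
    ForEach-Object { $_.proxyAddresses } |
    Group-Object | Where-Object Count -gt 1 |
    Select-Object Name, Count
```

Run the script before the install so the wizard's OU filter only ever sees accounts with a routable UPN and a single primary address; anything listed in steps 4 and 5 should be moved or fixed first, since the Express path would sync it all.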

Install Azure AD Connect

  1. Download AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594
  2. Install Azure AD Connect on a secondary Domain Controller for best performance and least network impact. Microsoft also supports a dedicated, domain-joined member server; whichever you choose, treat it as a Tier 0 asset, because it holds credentials that can write to both Active Directory and Microsoft 365
  3. Choose Custom Settings during the install to select specific OUs
  4. Select the Active Directory Forest and click Next
  5. Sign in with the Microsoft 365 Global Admin account when prompted. Let the wizard create the Azure AD synchronization account for you, as it needs special permissions
  6. Enter Domain Admin credentials when prompted
  7. Select Continue without matching all UPN suffixes to verified domains (users whose UPN suffix is not a verified domain are synced with a <tenant>.onmicrosoft.com UPN instead)
  8. Select Sync selected domains and OUs
  9. Select the specific department or location user OUs to sync
  10. Enable Password Writeback and Password Hash synchronization (Password Writeback requires Azure AD Premium P1 or higher licensing)
  11. Start the Sync

Follow-up

Browse to portal.office.com; users should be able to sign in with their Microsoft 365 e-mail address (their UPN) and matching domain password. To force immediate syncing instead of waiting up to 30 minutes, open Synchronization Service Manager, select Connectors, select the connector, click Run and choose a delta run profile. If a user is missing or cannot sign in, troubleshoot the Azure AD Connect object and its attributes; conflicting UPNs and proxyAddresses are the usual cause.
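The install steps and the follow-up above can both be verified from the Azure AD Connect server itself. This added example (not part of the original article) uses the ADSync PowerShell module that the installer puts on the server: it confirms the scheduler and the features chosen in step 10, forces a delta cycle equivalent to the Run action in Synchronization Service Manager, and checks that one user reached the connector space. The forest name corp.local and the user distinguished name are hypothetical; the Azure AD connector is located by its standard "- AAD" name suffix.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the Azure AD Connect server.
# Assumed (hypothetical) values: forest corp.local, test user CN=Jane Doe,OU=Users,OU=Sync,DC=corp,DC=local.
Import-Module ADSync

$AdConnector  = 'corp.local'
$AadConnector = (Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }).Name
$TestUserDn   = 'CN=Jane Doe,OU=Users,OU=Sync,DC=corp,DC=local'

# 1. Scheduler: SyncCycleEnabled should be True and the effective interval 30 minutes by default.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# 2. Features from step 10: password hash sync on the AD connector, password writeback on the AAD connector.
Get-ADSyncAADPasswordSyncConfiguration  -SourceConnector $AdConnector
Get-ADSyncAADPasswordResetConfiguration -Connector $AadConnector

# 3. Force a delta cycle rather than waiting for the scheduler. Use -PolicyType Initial only
#    after changing OU filtering; a cycle already in progress must be allowed to finish first.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. Confirm the test user exists in the Active Directory connector space and, after export,
#    in the Azure AD connector space. A missing AAD object means the OU filter or an attribute
#    conflict (duplicate UPN or proxyAddresses) kept it back.
$csObject = Get-ADSyncCSObject -ConnectorName $AdConnector -DistinguishedName $TestUserDn
if (-not $csObject) {
    Write-Warning "$TestUserDn is not in the $AdConnector connector space; check the OU filter."
} else {
    Write-Host "Imported from AD: $($csObject.DistinguishedName)"
}
```

Until step 4 shows the object in the connector space, a portal.office.com sign-in will fail for that user, so check here before asking users to test. Cloud password expiration is not part of what is synced; the domain policy applies when the user changes the password in Active Directory.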