Azure AD Connect

Azure AD Connect

Azure AD Connect is a synchronization tool that connects your local on-premises Active Directory with the Office 365 Azure Active Directory. Integrating your local domain with the Office 365 Azure Active Directory will allow your users to access Office 365 resources with a unified identity, i.e. a single username and password.

Azure AD Connect

This article will give you a good understanding of Azure AD Connect and help you be successful when implementing and managing this vital Office 365 integration tool.

The following sections are covered:

  1. Prepare Azure AD Connect installation
  2. Install and configure Azure AD Connect
  3. Synchronize Azure AD Connect
  4. Verify your installation

1. Prepare Azure AD Connect Installation

First and foremost you need an Azure subscription to which you are going to synchronize selected users and groups from your local Active Directory.

To make sure your Azure AD Connect can perform a trouble free synchronization of local accounts you need to make sure the accounts adhere to certain requirements. The most common errors that need to be fixed are the following:

  • No non-routable mail addresses (e.g. no use of your .local mail suffix in mail addresses)
  • No duplicate mail addresses
  • No illegal characters (e.g. trailing spaces in mail addresses)

Use the IdFix tool from Microsoft to make a quick and efficient review of the compliance of your user attributes. The IdFix tool will identify any issues and suggest automated solutions. Make sure to do a thorough review of the suggested solutions before applying them.

  • Tip! We strongly advise to export all proxyAddresses attributes before making any changes with IdFix. Use something like this PowerShell script for a full export: 
Import-Module ActiveDirectory
"sAMAccountName;proxyAddress" | Out-File ".\proxyAddressesBackup.txt"
$Users = Get-ADUser -LDAPFilter "(proxyAddresses=*)" -Properties proxyAddresses
ForEach ($User In $Users) {
  ForEach ($proxyAddress in $User.proxyAddresses) {
    $Output = $User.sAMAccountName + ";" + $proxyAddress
    Write-Host $Output
    $Output | Out-File ".\proxyAddressesBackup.txt" -Append
  }
}

In case of problems you can use the output to restore affected user attributes.

You should also set the country information on all user accounts. This is not a requirement by IdFix and Azure AD Connect but it’s needed later when you want to enable Office 365 licenses on users.

2. Install and Configure Azure AD Connect

Once all is nicely prepared it’s time to set up the  synchronization between your local Active Directory and your Office 365 Azure Active Directory. Follow the download link in the beginning of the article to download Azure AD Connect and run the installation.

The Azure AD Connect wizard will guide you through the installation which is pretty straight forward. I recommend you choose a customized installation (instead of using the express settings).

These are the most important things you need to address during the installation:

  • Select the desired sign-in option – for most basic setups this will be “Password synchronization” with “Single sign-on”
  • Provide global admin account credentials for your Office 365 Azure AD
  • Provide enterprise admin account credentials for your local Active Directory
  • Select the desired local AD to synchronize (most organizations have just one so that’s easy)
  • Select which OU’s to synchronize (initially you should select a test OU with a few test users to verify the synchronization)

The above basic settings will fit most scenarios. Once the wizard is completed you can start the synchronization.

3. Synchronize Azure AD Connect

Azure AD Connect has it’s own data store called the Metaverse. When Azure AD Connect synchronizes your local AD with the Office 365 Azure AD it actually:

  1. Synchronizes your local Active Directory into the Azure AD Connect Metaverse
  2. Synchronizes your Azure AD Connect Metaverse into the Office 365 Azure AD

The Metaverse get’s populated by the initial synchronization which can be started either from the Azure AD Connect installation wizard or fired using the following PowerShell command:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

Once the Metaverse has been populated, future synchronizations can be run as delta synchronizations which only synchronize changes made since the last synchronization:

Start-ADSyncSyncCycle -PolicyType Delta
  • Tip! Make sure that the Azure AD Connect configuration tool is not open (on any server) - otherwise Start-ADSyncSyncCycle will be blocked from performing synchronizations.

The easiest way to trigger an Azure AD synchronization is to use Easy365Manager.

With Easy365Manager, you can start a synchronization directly from AD user properties (right after making the changes you want to synchronize):

By default the synchronization on Azure AD Connect will run every 30 minutes.

The following shows you how sample attributes are replicated from your local Active Directory to the Azure AD Connect Meta Verse to Office 365 Azure AD:

Azure AD Connect Attributes renaming

It’s important to notice that some of the attribute names may change during synchronization. Otherwise, this may lead to some confusion.

Another potential point of confusion is the latency sometimes experienced in Azure AD Connect synchronization. Azure AD Connect only connects with one domain controller in your Active Directory. So attribute changes made on any other domain controller must first be replicated to the domain controller connected to Azure AD Connect before it can be synchronized to Office 365 Azure AD.

In the “other end” of the line you may also experience latency: Some attributes are replicated from Azure AD to Azure/Office 365 services like Exchange, Sharepoint, etc. So you may see further latency before an Azure object attribute is finally replicated to e.g. Exchange.

4. Verify Your Installation

When Azure AD Connect has successfully synchronized objects to Azure you should start seeing user and groups being created in the Microsoft Admin Portal (or Azure Portal). Verify that all relevant objects have been created and that the correct attribute values are set.

You can confirm user passwords by attempting a login to Office.com. When all is looking good you can broaden the scope of user synchronization by including more OU’s in your synchronization scope in the Azure AD Connect configuration.

Once all relevant users and groups are migrated you can start planning your email migration which includes assigning Office 365 mailboxes/licenses and migrating email, calendar and contact information across. A full blown migration of hundreds or thousands of Exchange mailboxes, including shared mailboxes and distribution groups, requires extensive planning and coordination. You need a lot of skills on your migration team to minimize or completely avoid user downtime.

Summary

I hope your visit to this site was able to provide you with needed information about Azure AD Connect, how it works and how to set it up.

User and mailbox management in a hybrid environment (on-premises AD and Office 365 living side by side) is a very fragmented setup which requires a lot of different administration tools.