Tutorial: Integrate a single forest with a single Azure AD tenant

This tutorial walks you through creating a hybrid identity environment using Azure Active Directory (Azure AD) Connect cloud sync.

Diagram that shows the Azure AD Connect cloud sync flow.

You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.


In the Azure Active Directory admin center

  1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about adding a cloud-only global administrator account. Completing this step is critical to ensure that you don't get locked out of your tenant.
  2. Add one or more custom domain names to your Azure AD tenant. Your users can sign in with one of these domain names.

In your on-premises environment

  1. Identify a domain-joined host server running Windows Server 2016 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime

  2. If there's a firewall between your servers and Azure AD, configure the following items:

    • Ensure that agents can make outbound requests to Azure AD over the following ports:

      Port number How it's used
      80 Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate
      443 Handles all outbound communication with the service
      8080 (optional) Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal.

      If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.

    • If your firewall or proxy allows you to specify safe suffixes, then add connections t to *.msappproxy.net and *.servicebus.windows.net. If not, allow access to the Azure datacenter IP ranges, which are updated weekly.

    • Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.

    • For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www.microsoft.com:80. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.

Install the Azure AD Connect provisioning agent

If you're using the Basic AD and Azure environment tutorial, it would be DC1. To install the agent, follow these steps:

  1. Sign in to the domain joined server with enterprise admin permissions.

  2. Open a web browser and sign-in to the Azure portal using cloud-only global admin credentials.

  3. On the left menu, select Azure Active Directory.

  4. Select Azure AD Connect, and then select Manage Azure AD cloud sync.

    Screenshot that shows how to download the Azure AD cloud sync.

  5. Select Download agent, and select Accept terms & download.

    Screenshot that shows how to accept the terms and start the download of Azure AD cloud sync.

  6. Once the Azure AD Connect Provisioning Agent Package has completed downloading, run the AADConnectProvisioningAgentSetup.exe installation file from your downloads folder.

  7. On the splash screen, select I agree to the license and conditions, and then select Install.

    Screenshot that shows the "Microsoft Azure AD Connect Provisioning Agent Package" splash screen.

  8. Once the installation operation completes, the configuration wizard will launch. Select Next to start the configuration.

    Screenshot that shows the "Welcome to Azure AD Connect provisioning agent configuration wizard".

  9. Sign in with your Azure AD global administrator account. If you have Internet Explorer enhanced security enabled, it will block the sign-in. If so, close the installation, disable Internet Explorer enhanced security, and restart the Azure AD Connect Provisioning Agent Package installation.

    Screenshot of the "Connect Azure AD" screen.

  10. On the Configure Service Account screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. If a managed service account is already configured in your domain, you might skip this screen. If prompted, choose either:

    • Create gMSA which lets the agent create the provAgentgMSA$ managed service account for you. The group managed service account (for example, CONTOSO\provAgentgMSA$) will be created in the same Active Directory domain where the host server has joined. To use this option, enter the Active Directory domain administrator credentials.
    • Use custom gMSA and provide the name of the managed service account.

    Screenshot of the "Configure Service Account" screen.

    To continue, select Next.

  11. On the Connect Active Directory screen, if your domain name appears under Configured domains, skip to the next step. Otherwise, type your Active Directory domain name, and select Add directory.

    Screenshot that shows to add an Active Directory domain.

    Sign in with your Active Directory domain administrator account. The domain administrator account shouldn't have password change requirements. In case the password expires or changes, you'll need to reconfigure the agent with the new credentials. This operation will add your on-premises directory. Select OK, then select Next to continue.

    Screenshot that shows how to enter the domain admin credentials.

    The following screenshot shows an example of contoso.com configured domain. Select Next to continue.

    Screenshot of the "Connect Active Directory" screen.

  12. On the Configuration complete screen, select Confirm. This operation will register and restart the agent.

    Screenshot that shows the "Configuration complete" screen.

  13. Once this operation completes, you should be notified that Your agent configuration was successfully verified. You can select Exit.

    Screenshot that shows the "configuration complete" screen.

  14. If you still get the initial splash screen, select Close.

Verify agent installation

Agent verification occurs in the Azure portal and on the local server that is running the agent.

Azure portal agent verification

To verify the agent is being registered by Azure AD, follow these steps:

  1. Sign in to the Azure portal.

  2. On the left menu, select Azure Active Directory.

  3. Select Azure AD Connect and then select Manage Azure AD cloud sync.

    Screenshot that shows how to manage the Azure AD could sync.

  4. On the Azure AD Connect cloud sync screen, select Review all agents.

    Screenshot that shows the Azure AD provisioning agents.

  5. On the On-premises provisioning agents screen, you'll see the agents you've installed. Verify that the agent in question is there and is marked active.

    Screenshot that shows the status of a provisioning agent.

On the local server

To verify that the agent is running, follow these steps:

  1. Sign in the server with an administrator account

  2. Open Services by either navigating to it or by going to Start/Run/Services.msc.

  3. Under Services, make sure Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are present and the status is Running.

    Screenshot that shows the Windows services.

Configure Azure AD Connect cloud sync

Use the following steps to configure and start the provisioning:

  1. Sign in to the Azure AD portal.

  2. Select Azure Active Directory

  3. Select Azure AD Connect

  4. Select Manage cloud sync

    Screenshot showing "Manage cloud sync" link.

  5. Select New Configuration

    Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.

  6. On the configuration screen, enter a Notification email, move the selector to Enable and select Save.

    Screenshot of Configure screen with Notification email filled in and Enable selected.

  7. The configuration status should now be Healthy.

    Screenshot of Azure AD Connect cloud sync screen showing Healthy status.

Verify users are created and synchronization is occurring

You'll now verify that the users that you had in your on-premises directory have been synchronized and now exist in your Azure AD tenant. The sync operation may take a few hours to complete. To verify users are synchronized, follow these steps:

  1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
  2. On the left, select Azure Active Directory
  3. Under Manage, select Users.
  4. Verify that the new users appear in your tenant

Test signing in with one of your users

  1. Browse to https://myapps.microsoft.com

  2. Sign in with a user account that was created in your tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.

    Screenshot that shows the my apps portal with a signed in users.

You've now successfully configured a hybrid identity environment using Azure AD Connect cloud sync.

Next steps