Azure AD Connect and Azure AD Connect Health installation roadmap

Install Azure AD Connect


Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the actions that are formally documented. Any of these actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.

You can find the download for Azure AD Connect on Microsoft Download Center.

Solution Scenario
Before you start - Hardware and prerequisites
  • Steps to complete before you start to install Azure AD Connect.
  • Express settings
  • If you have a single forest AD then this is the recommended option to use.
  • User sign in with the same password using password synchronization.
  • Customized settings
  • Used when you have multiple forests. Supports many on-premises topologies.
  • Customize your sign-in option, such as pass-through authentication, ADFS for federation or use a 3rd party identity provider.
  • Customize synchronization features, such as filtering and writeback.
  • Upgrade from DirSync
  • Used when you have an existing DirSync server already running.
  • Upgrade from Azure AD Sync or Azure AD Connect
  • There are several different methods depending on your preference.
  • After installation you should verify it is working as expected and assign licenses to the users.

    Next steps to Install Azure AD Connect

    Topic Link
    Download Azure AD Connect Download Azure AD Connect
    Install using Express settings Express installation of Azure AD Connect
    Install using Customized settings Custom installation of Azure AD Connect
    Upgrade from DirSync Upgrade from Azure AD sync tool (DirSync)
    After installation Verify the installation and assign licenses

    Learn more about Install Azure AD Connect

    You also want to prepare for operational concerns. You might want to have a stand-by server so you easily can fail over if there is a disaster. If you plan to make frequent configuration changes, you should plan for a staging mode server.

    Topic Link
    Supported topologies Topologies for Azure AD Connect
    Design concepts Azure AD Connect design concepts
    Accounts used for installation More about Azure AD Connect credentials and permissions
    Operational planning Azure AD Connect sync: Operational tasks and considerations
    User sign-in options Azure AD Connect User sign-in options

    Configure sync features

    Azure AD Connect comes with several features you can optionally turn on or are enabled by default. Some features might sometimes require more configuration in certain scenarios and topologies.

    Filtering is used when you want to limit which objects are synchronized to Azure AD. By default all users, contacts, groups, and Windows 10 computers are synchronized. You can change the filtering based on domains, OUs, or attributes.

    Password hash synchronization synchronizes the password hash in Active Directory to Azure AD. The end-user can use the same password on-premises and in the cloud but only manage it in one location. Since it uses your on-premises Active Directory as the authority, you can also use your own password policy.

    Password writeback will allow your users to change and reset their passwords in the cloud and have your on-premises password policy applied.

    Device writeback will allow a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for Conditional Access.

    The prevent accidental deletes feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size.

    Automatic upgrade is enabled by default for express settings installations and ensures your Azure AD Connect is always up to date with the latest release.

    Next steps to configure sync features

    Topic Link
    Configure filtering Azure AD Connect sync: Configure filtering
    Password hash synchronization Password hash synchronization
    Pass-through Authentication Pass-through authentication
    Password writeback Getting started with password management
    Device writeback Enabling device writeback in Azure AD Connect
    Prevent accidental deletes Azure AD Connect sync: Prevent accidental deletes
    Automatic upgrade Azure AD Connect: Automatic upgrade

    Customize Azure AD Connect sync

    Azure AD Connect sync comes with a default configuration that is intended to work for most customers and topologies. But there are always situations where the default configuration does not work and must be adjusted. It is supported to make changes as documented in this section and linked topics.

    If you have not worked with a synchronization topology before you want to start to understand the basics and the terms used as described in the technical concepts. Azure AD Connect is the evolution of MIIS2003, ILM2007, and FIM2010. Even if some things are identical, a lot has changed as well.

    The default configuration assumes there might be more than one forest in the configuration. In those topologies a user object might be represented as a contact in another forest. The user might also have a linked mailbox in another resource forest. The behavior of the default configuration is described in users and contacts.

    The configuration model in sync is called declarative provisioning. The advanced attribute flows are using functions to express attribute transformations. You can see and examine the entire configuration using tools which comes with Azure AD Connect. If you need to make configuration changes, make sure you follow the best practices so it is easier to adopt new releases.

    Next steps to customize Azure AD Connect sync

    Topic Link
    All Azure AD Connect sync articles Azure AD Connect sync
    Technical concepts Azure AD Connect sync: Technical Concepts
    Understanding the default configuration Azure AD Connect sync: Understanding the default configuration
    Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
    Declarative provisioning Azure AD Connect Sync: Understanding Declarative Provisioning Expressions
    Change the default configuration Best practices for changing the default configuration

    Configure federation features

    Azure AD Connect provides several features that simplify federating with Azure AD using AD FS and managing your federation trust. Azure AD Connect supports AD FS on Windows Server 2012R2 or later.

    Update TLS/SSL certificate of AD FS farm even if you are not using Azure AD Connect to manage your federation trust.

    Add an AD FS server to your farm to expand the farm as required.

    Repair the trust with Azure AD in a few simple clicks.

    ADFS can be configured to support multiple domains. For example you might have multiple top domains you need to use for federation.

    If your ADFS server has not been configured to automatically update certificates from Azure AD or if you use a non-ADFS solution, then you will be notified when you have to update certificates.

    Next steps to configure federation features

    Topic Link
    All AD FS articles Azure AD Connect and federation
    Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
    Manage AD FS farm AD FS management and customization with Azure AD Connect
    Manually updating federation certificates Renewing Federation Certificates for Microsoft 365 and Azure AD

    Get started with Azure AD Connect Health

    To get started with Azure AD Connect Health, use the following steps:

    1. Get Azure AD Premium or start a trial.
    2. Download and install Azure AD Connect Health Agents on your identity servers.
    3. View the Azure AD Connect Health dashboard at


    Remember that before you see data in your Azure AD Connect Health dashboard, you need to install the Azure AD Connect Health Agents on your targeted servers.

    Download and install Azure AD Connect Health Agent

    Azure AD Connect Health portal

    The Azure AD Connect Health portal shows views of alerts, performance monitoring, and usage analytics. The URL takes you to the main blade of Azure AD Connect Health. You can think of a blade as a window. On The main blade, you see Quick Start, services within Azure AD Connect Health, and additional configuration options. See the following screenshot and brief explanations that follow the screenshot. After you deploy the agents, the health service automatically identifies the services that Azure AD Connect Health is monitoring.


    For licensing information, see the Azure AD Connect Health FAQ or the Azure AD Pricing page.

    Azure AD Connect Health Portal

    • Quick Start: When you select this option, the Quick Start blade opens. You can download the Azure AD Connect Health Agent by selecting Get Tools. You can also access documentation and provide feedback.

    • Azure Active Directory Connect (sync): This option shows your Azure AD Connect servers that Azure AD Connect Health is currently monitoring. Sync errors entry will show basic sync errors of your first onboarded sync service by categories. When you select the Sync services entry, the blade that opens shows information about your Azure AD Connect servers. Read more about the capabilities at Using Azure AD Connect Health for sync.

    • Active Directory Federation Services: This option shows all the AD FS services that Azure AD Connect Health is currently monitoring. When you select an instance, the blade that opens shows information about that service instance. This information includes an overview, properties, alerts, monitoring, and usage analytics. Read more about the capabilities at Using Azure AD Connect Health with AD FS.

    • Active Directory Domain Services: This option shows all the AD DS forests that Azure AD Connect Health is currently monitoring. When you select a forest, the blade that opens shows information about that forest. This information includes an overview of essential information, the Domain Controllers dashboard, the Replication Status dashboard, alerts, and monitoring. Read more about the capabilities at Using Azure AD Connect Health with AD DS.

    • Configure: This section includes options to turn the following on or off:

      • The automatic update of the Azure AD Connect Health agent to the latest version: the Azure AD Connect Health agent is automatically updated whenever new versions are available. This option is enabled by default.
      • Access to data from the Azure AD directory integrity by Microsoft only for troubleshooting purposes: if this option is enabled, Microsoft can access the same data viewed by the user. This information can be useful for troubleshooting and to provide the necessary assistance. This option is disabled by default
    • Role based access control (IAM) is the section to manage the access to Connect Health data in role base.

    Next Steps