Edit

Deploy Microsoft 365 Directory Synchronization in Microsoft Azure

  • Article

Azure Active Directory (Azure AD) Connect (formerly known as the Directory Synchronization tool, Directory Sync tool, or the DirSync.exe tool) is an application that you install on a domain-joined server to synchronize your on-premises Active Directory Domain Services (AD DS) users to the Azure AD tenant of your Microsoft 365 subscription. Microsoft 365 uses Azure AD for its directory service. Your Microsoft 365 subscription includes an Azure AD tenant. This tenant can also be used for management of your organization's identities with other cloud workloads, including other SaaS applications and apps in Azure.

You can install Azure AD Connect on an on-premises server, but you can also install it on a virtual machine in Azure for these reasons:

  • You can provision and configure cloud-based servers faster, making the services available to your users sooner.
  • Azure offers better site availability with less effort.
  • You can reduce the number of on-premises servers in your organization.

This solution requires connectivity between your on-premises network and your Azure virtual network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

Note

This article describes synchronization of a single domain in a single forest. Azure AD Connect synchronizes all AD DS domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

Overview of deploying Microsoft 365 directory synchronization in Azure

The following diagram shows Azure AD Connect running on a virtual machine in Azure (the directory sync server) that synchronizes an on-premises AD DS forest to a Microsoft 365 subscription.

Azure AD Connect tool on a virtual machine in Azure synchronizing on-premises accounts to the Azure AD tenant of a Microsoft 365 subscription with traffic flow.

In the diagram, there are two networks connected by a site-to-site VPN or ExpressRoute connection. There's an on-premises network where AD DS domain controllers are located, and there's an Azure virtual network with a directory sync server, which is a virtual machine running Azure AD Connect. There are two main traffic flows originating from the directory sync server:

  • Azure AD Connect queries a domain controller on the on-premises network for changes to accounts and passwords.
  • Azure AD Connect sends the changes to accounts and passwords to the Azure AD instance of your Microsoft 365 subscription. Because the directory sync server is in an extended portion of your on-premises network, these changes are sent through the on-premises network's proxy server.

Note

This solution describes synchronization of a single Active Directory domain, in a single Active Directory forest. Azure AD Connect synchronizes all Active Directory domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

There are two major steps when you deploy this solution:

  1. Create an Azure virtual network and establish a site-to-site VPN connection to your on-premises network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

  2. Install Azure AD Connect on a domain-joined virtual machine in Azure, and then synchronize the on-premises AD DS to Microsoft 365. This involves:

    Creating an Azure Virtual Machine to run Azure AD Connect.

    Installing and configuring Azure AD Connect.

    Configuring Azure AD Connect requires the credentials (user name and password) of an Azure AD administrator account and a AD DS enterprise administrator account. Azure AD Connect runs immediately and on an ongoing basis to synchronize the on-premises AD DS forest to Microsoft 365.

Before you deploy this solution in production, you can use the instructions in The simulated enterprise base configuration to set up this configuration as a proof of concept, for demonstrations, or for experimentation.

Important

When Azure AD Connect configuration completes, it does not save the AD DS enterprise administrator account credentials.

Note

This solution describes synchronizing a single AD DS forest to Microsoft 365. The topology discussed in this article represents only one way to implement this solution. Your organization's topology might differ based on your unique network requirements and security considerations.

Plan for hosting a directory sync server for Microsoft 365 in Azure

Prerequisites

Before you begin, review the following prerequisites for this solution:

  • Review the related planning content in Plan your Azure virtual network.

  • Ensure that you meet all Prerequisites for configuring the Azure virtual network.

  • Have a Microsoft 365 subscription that includes the Active Directory integration feature. For information about Microsoft 365 subscriptions, go to the Microsoft 365 subscription page.

  • Provision one Azure Virtual Machine that runs Azure AD Connect to synchronize your on-premises AD DS forest with Microsoft 365.

    You must have the credentials (names and passwords) for a AD DS enterprise administrator account and an Azure AD Administrator account.

Solution architecture design assumptions

The following list describes the design choices made for this solution.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that has one server, the directory sync server that is running Azure AD Connect.

  • On the on-premises network, a domain controller and DNS servers exist.

  • Azure AD Connect performs password hash synchronization instead of single sign-on. You don't have to deploy an Active Directory Federation Services (AD FS) infrastructure. To learn more about password hash synchronization and single sign-on options, see Choosing the right authentication method for your Azure Active Directory hybrid identity solution.

There are other design choices that you might consider when you deploy this solution in your environment. These include the following:

  • If there are existing DNS servers in an existing Azure virtual network, determine whether you want your directory sync server to use them for name resolution instead of DNS servers on the on-premises network.

  • If there are domain controllers in an existing Azure virtual network, determine whether configuring Active Directory Sites and Services may be a better option for you. The directory sync server can query the domain controllers in the Azure virtual network for changes in accounts and passwords instead of domain controllers on the on-premises network.

Deployment roadmap

Deploying Azure AD Connect on a virtual machine in Azure consists of three phases:

  • Phase 1: Create and configure the Azure virtual network

  • Phase 2: Create and configure the Azure virtual machine

  • Phase 3: Install and configure Azure AD Connect

After deployment, you must also assign locations and licenses for the new user accounts in Microsoft 365.

Phase 1: Create and configure the Azure virtual network

To create and configure the Azure virtual network, complete Phase 1: Prepare your on-premises network and Phase 2: Create the cross-premises virtual network in Azure in the deployment roadmap of Connect an on-premises network to a Microsoft Azure virtual network.

This is your resulting configuration.

Phase 1 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows an on-premises network connected to an Azure virtual network through a site-to-site VPN or ExpressRoute connection.

Phase 2: Create and configure the Azure virtual machine

Create the virtual machine in Azure using the instructions Create your first Windows virtual machine in the Azure portal. Use the following settings:

  • On the Basics pane, select the same subscription, location, and resource group as your virtual network. Record the user name and password in a secure location. You will need these later to connect to the virtual machine.

  • On the Choose a size pane, choose the A2 Standard size.

  • On the Settings pane, in the Storage section, select the Standard storage type. In the Network section, select the name of your virtual network and the subnet for hosting the directory sync server (not the GatewaySubnet). Leave all other settings at their default values.

Verify that your directory sync server is using DNS correctly by checking your internal DNS to make sure that an Address (A) record was added for the virtual machine with its IP address.

Use the instructions in Connect to the virtual machine and sign on to connect to the directory sync server with a Remote Desktop Connection. After signing in, join the virtual machine to the on-premises AD DS domain.

For Azure AD Connect to gain access to Internet resources, you must configure the directory sync server to use the on-premises network's proxy server. You should contact your network administrator for any additional configuration steps to perform.

This is your resulting configuration.

Phase 2 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows the directory sync server virtual machine in the cross-premises Azure virtual network.

Phase 3: Install and configure Azure AD Connect

Complete the following procedure:

  1. Connect to the directory sync server using a Remote Desktop Connection with an AD DS domain account that has local administrator privileges. See Connect to the virtual machine and sign on.

  2. From the directory sync server, open the Set up directory synchronization for Microsoft 365 article and follow the directions for directory synchronization with password hash synchronization.

Caution

Setup creates the AAD_xxxxxxxxxxxx account in the Local Users organizational unit (OU). Do not move or remove this account or synchronization will fail.

This is your resulting configuration.

Phase 3 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows the directory sync server with Azure AD Connect in the cross-premises Azure virtual network.

Assign locations and licenses to users in Microsoft 365

Azure AD Connect adds accounts to your Microsoft 365 subscription from the on-premises AD DS, but in order for users to sign in to Microsoft 365 and use its services, the accounts must be configured with a location and licenses. Use these steps to add the location and activate licenses for the appropriate user accounts:

  1. Sign in to the Microsoft 365 admin center, and then click Admin.

  2. In the left navigation, click Users > Active users.

  3. In the list of user accounts, select the check box next to the user you want to activate.

  4. On the page for the user, click Edit for Product licenses.

  5. On the Product licenses page, select a location for the user for Location, and then enable the appropriate licenses for the user.

  6. When complete, click Save, and then click Close twice.

  7. Go back to step 3 for additional users.

See also

Microsoft 365 solution and architecture center

Connect an on-premises network to a Microsoft Azure virtual network

Download Azure AD Connect

Set up directory synchronization for Microsoft 365