Azure AD Connect: Active Directory Synchronization with Azure AD/Office 365
Introduction
Active Directory in Windows Server is a service that keeps track of all the user accounts and passwords in an organization. It lets us store user accounts and passwords in one protected location, which improves the organization's security. In today's technology scenarios we may be running an application on on-premises Windows Servers in the local farm while also leveraging cloud infrastructure such as Azure and Office 365 to host some services. Maintaining identities in two locations can become cumbersome, as we may have to update user identities multiple times to keep them synchronized.
To overcome these identity synchronization issues, this article shows how to synchronize a Windows Server Active Directory with Azure Active Directory/Office 365 using Azure AD Connect. As we can see below, we have some sample users in the Windows Server Active Directory:
We will synchronize them with the Office 365 directory using Azure AD Connect in this demo.
Fix Active Directory issues
Before synchronizing, we have to make sure the Windows Server Active Directory is free of errors such as duplicate and badly formatted attributes. IdFix is a tool that identifies issues with Active Directory identity objects and suggests remediation for them. It can be downloaded from the Microsoft site.
Once it is downloaded, unzip the file and run the IdFix tool.
Click the ‘Query’ option to start scanning the Active Directory identity objects. The number of objects scanned and errors returned is shown in the bottom section of the tool.
If there are errors, it lists them together with the remediation that needs to be done. A verbose log file of the scan is also written to the folder where IdFix is placed, giving a detailed scan report.
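The following PowerShell pre-check, added here as an example rather than taken from the article or the IdFix tool, flags the same kinds of objects IdFix reports (invalid UPN characters, duplicate mail/UPN/proxyAddresses) so they can be reviewed before Azure AD Connect runs; it assumes the ActiveDirectory RSAT module and approximates the Office 365 UPN character rule.

```powershell
# Added example, not from the article or the IdFix tool: flags objects that would fail
# directory synchronization. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Test-DirSyncReadiness {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                -Properties mail, proxyAddresses
    $findings = New-Object System.Collections.Generic.List[object]
    $seen = @{}   # normalized address -> first sAMAccountName that used it

    foreach ($u in $users) {
        if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
            $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Problem = 'blank' })
        } else {
            # UPN prefix rule (assumption, mirrors the Office 365 guidance IdFix enforces):
            # letters, digits, period, dash and underscore only, no leading or trailing period.
            $prefix = ($u.UserPrincipalName -split '@')[0]
            if ($prefix -match '[^A-Za-z0-9._-]' -or $prefix -match '^\.|\.$') {
                $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Problem = "invalid character or leading/trailing period in '$prefix'" })
            }
        }
        # Duplicate detection across UPN, mail and every proxyAddress, case-insensitive
        # (-replace is case-insensitive, so smtp:/SMTP:/sip:/x500: prefixes are all stripped).
        $values = (@($u.UserPrincipalName, $u.mail) + @($u.proxyAddresses)) |
                  Where-Object { $_ } |
                  ForEach-Object { ($_ -replace '^(smtp|sip|x500):', '').ToLower() } |
                  Select-Object -Unique
        foreach ($v in $values) {
            if ($seen.ContainsKey($v)) {
                $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'mail/proxyAddresses'; Problem = "'$v' is also used by $($seen[$v])" })
            } else {
                $seen[$v] = $u.SamAccountName
            }
        }
    }
    return $findings
}

Test-DirSyncReadiness | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; an empty table means none of the checked conditions were found, which does not replace a full IdFix scan.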
Manage Office 365 Subscription Directory from Azure
To start synchronizing the on-premises Windows Server Active Directory with Office 365, we have to enable management of the Office 365 directory from Azure. By default, when we create an Azure subscription, the service admin has access to the default directory that gets created along with the subscription. In addition, we will create a mirror copy of the Office 365 directory in Azure, so that we can manage and synchronize the on-premises directory with the Office 365 directory in Azure AD. This has been covered in this wiki article.
Active Directory Synchronization using Azure AD Connect
Once Active Directory is in a healthy state and free of identity object issues, we can plan to sync the on-premises Active Directory with Office 365. We do not have to manually recreate the on-premises user accounts in Office 365; that would not only double the work but also add the risk of duplicate user accounts. Directory Synchronization comes into play here, as it mirrors the on-premises directory in Office 365.
There are two types of Active Directory sync.
- Directory Synchronization with password synchronization: the user accounts (directory) are migrated to Office 365 along with their passwords, so the user has the same password for the on-premises environment and for Office 365. However, the user still has to authenticate separately when signing in to on-premises and to Office 365, providing the same credentials each time.
- Directory Synchronization with Single Sign-On (SSO): the user signs in to the on-premises environment and is automatically signed in when they go to Office 365.
Directory Synchronization with Password Sync is the most commonly used Active Directory synchronization. We can use Azure Active Directory Connect to implement on-premises to Office 365 directory synchronization. Azure AD Connect can be downloaded from the Microsoft site.
Once it is downloaded, run the installer file.
This spins up the Azure Active Directory Connect wizard. Accept the agreement and proceed.
Here we have two options.
- Continue with Express settings if we want to use Azure AD Connect to synchronize the directories (on-premises with Office 365) along with Password Synchronization.
- Click Customize to set up Directory Synchronization with Single Sign-On.
In this walkthrough we will continue with Express settings.
This will start installing the required components in the local machine.
Now in the Azure Active Directory listing we can see the users who are global administrators of the Office 365 directory added to Azure.
Enter the username and credentials of the global administrator, then click Next.
Here you can see that in order to perform an Azure AD sign-in, the UPN suffixes that we added to the on-premises Active Directory must match the verified public domain in Azure (SharePointChronicle.com).
So we have to ensure two things here.
- The public domain is added as a UPN suffix in the local on-premises directory
- The public domain is added and verified in Azure
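The check below, added here as an example and not part of the article, reports enabled users whose UPN suffix is not one of the domains verified in Azure, since Azure AD Connect would otherwise give those accounts a fallback *.onmicrosoft.com UPN instead of the public domain; it assumes the ActiveDirectory RSAT module, and the default verified-domain list is constructed from the article's example domain.

```powershell
# Added example, not from the article: find users whose UPN suffix is not a verified domain.
# Assumes the ActiveDirectory RSAT module; the default domain list is constructed.
Import-Module ActiveDirectory

function Get-UpnSuffixMismatch {
    param(
        [string[]]$VerifiedDomains = @('SharePointChronicle.com'),  # constructed default
        [switch]$Apply   # rewrite mismatched UPNs to the first verified domain; off by default
    )
    # Suffixes the forest offers (root domain plus any added in AD Domains and Trusts). A
    # verified domain missing here has to be added before users can be given that UPN.
    $forest = Get-ADForest
    $forestSuffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
    foreach ($d in $VerifiedDomains) {
        if ($forestSuffixes -notcontains $d) {
            Write-Warning "Verified domain '$d' is not a UPN suffix in this forest"
        }
    }

    $target = $VerifiedDomains[0]
    Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
        $parts = $_.UserPrincipalName -split '@'
        # -contains is case-insensitive, so SharePointChronicle.com and sharepointchronicle.com match.
        if ($parts.Count -ne 2 -or $VerifiedDomains -notcontains $parts[1]) {
            # A blank UPN has no prefix to keep, so fall back to the sAMAccountName.
            $prefix = if ($parts.Count -eq 2) { $parts[0] } else { $_.SamAccountName }
            $proposed = "$prefix@$target"
            [pscustomobject]@{ User = $_.SamAccountName; CurrentUpn = $_.UserPrincipalName; ProposedUpn = $proposed }
            # Changing a UPN changes how the user signs in, so review the report before using -Apply.
            if ($Apply) { Set-ADUser -Identity $_ -UserPrincipalName $proposed }
        }
    }
}

Get-UpnSuffixMismatch | Format-Table -AutoSize
```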
Once we have a verified domain listed, click Next.
Once the Azure AD Connect installation completes, click Install to start the synchronization process.
Finally, the configuration has completed.
Head over to Office 365 to check the synchronization status. All the on-premises users have been added to Office 365 as part of the synchronization process.
We can go back to Active Directory to check that all the users have been imported into the Office 365 directory.
The Office 365 home page shows the status of Directory Sync. An unsuccessful sync is highlighted on the home page.
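As the server-side counterpart of the portal status check, the script below is an added example (not from the article) that runs on the Azure AD Connect server, where the ADSync module is installed: it warns about settings that silently stop exports, triggers a delta sync, waits for it to finish and returns the scheduler state; the assumption that Get-ADSyncConnectorRunStatus returns nothing when every connector is idle is based on observed behaviour.

```powershell
# Added example, not from the article: check scheduler health and run a delta sync.
# Assumes it runs on the Azure AD Connect server, which ships the ADSync module.
Import-Module ADSync

function Invoke-DeltaSyncCheck {
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync is disabled; changes will not flow to Office 365 until it is re-enabled'
    }
    if ($sched.StagingModeEnabled) {
        Write-Warning 'Server is in staging mode: it imports but does not export to Azure AD'
    }

    # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for the current one.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Poll until the scheduler is idle and no connector reports a run in progress
    # (Get-ADSyncConnectorRunStatus returning nothing when idle is an assumption).
    do {
        Start-Sleep -Seconds 15
    } while ((Get-ADSyncScheduler).SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus))

    # Return the scheduler state so the next run and the effective interval can be checked.
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled, NextSyncCyclePolicyType,
        NextSyncCycleStartTimeInUTC, CurrentlyEffectiveSyncCycleInterval
}

Invoke-DeltaSyncCheck
```

If the portal still shows a failed sync after this completes, the connector run history in the Synchronization Service Manager on the same server is the place to look next.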
Summary
Thus we saw how to sync an on-premises Windows Server Active Directory with the Office 365 directory using Azure AD Connect.