Share via


Step 3: Sync your active directory

Tip

Some of the URLs in this article will take you to another document set. If you would like to maintain your place in this document set's table of contents, please right click on URLs to open them in a new window.

This article is meant for customers who intend to integrate an on-premise active directory with Office 365. If you don't need to integrate an on-premise directory and intend to provision cloud-only identities, you can skip this step and proceed to Sync your SIS with School Data Sync.

There are three ways to move your identities to Microsoft 365 Education.

  1. Microsoft Entra Connect with Password Hash Sync: Recommended Path

    The most efficient path to move from an on-premise active directory is using Microsoft Entra Connect with Password Hash Sync for authentication. This path is easier and cheaper to deploy because you can use Microsoft Entra Connect Express Settings. Express Settings is the default option and is used for the most commonly deployed scenarios. You'll only have to manage one server and this path will give you seamless single sign-on and cloud multi-factor authentication.

  2. Microsoft Entra Connect with Passthrough Authentication

    If you need to manage password authentication requests from your own on-premise active directory, you'll still use Microsoft Entra Connect, but you'll need to use the Passthrough Authentication Option instead of Password Hash Sync. Microsoft Entra Pass-through Authentication enables users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory. This path is for organizations wanting to enforce their on-premises Active Directory security and password policies.

  3. Active Directory Federated Services (ADFS)

    If you need to have on-premise managed Multi-Factor Authentication (MFA), you'll need to use Active Directory Federated Services (ADFS). When you choose this authentication method, Microsoft Entra ID hands off the authentication process to the on-premises Active Directory Federation Services (AD FS) to validate the user's password. We don't recommend this option unless you need federated single sign-on and on-premise password management. This path is more difficult and expensive, requires the management of multiple servers, and is only relevant for districts with complex security set-up and requirements.

Microsoft Entra Connect and ADFS compared.

View this document for additional context as to how to set up directory synchronization for Office 365.

If you're still not sure which path to choose, use this guide for a comparison of the various Microsoft Entra sign-in methods and how to choose the right sign-in method for your organization.

Next step: After you have completed syncing your active directory, please proceed to Step 4 to Sync your SIS with School Data Sync.