This guide gives step-by-step instructions on how to integrate your on-premises Active Directory with Azure Active Directory using Azure AD Connect. Doing so provides a common identity for your users across Office 365, Azure, and any applications integrated with Azure AD. It walks through the simplest way to achieve this, assuming you have already fulfilled the prerequisites for your Active Directory instance, your Azure instance, and the server on which Azure AD Connect will be installed.
Let's start!
First, log in to the Azure portal. Once logged in, go to the Active Directory tab and add a domain.
Enter your domain name and tick "Configure this domain for single sign-on with my local Active Directory".
Now configure your domain for single sign-on. Tick "Go to the Directory Integration page now".
At this point it goes to the Directory Integration tab and shows you the status of your domains.
Before continuing to install Azure AD Connect, I suggest you verify your domain first: go to the Domains tab.
Note: The domain you use here must be verified, and it should match the UPN suffix shown on your user accounts. If your UPN suffix is not the same as your domain name, you will need to add the UPN suffix at the top level of your forest.
To verify, go to the list of unverified domains and click Verify.
Choose a record type, TXT or MX, and enter the appropriate details.
Click Verify (from this point on it might take some time to verify, but you can continue with the next steps).
Now go back to the Directory Integration tab, go to item number 2 (Install and run Azure AD Connect) and download it.
Choose a server to install it on; the best place is one of your domain controllers. Click to install.
Choose Customize to customize the installation.
Set up your install location, point to a SQL Server and use an existing service account. If you don't have the service account, I suggest you create it first.
You might also need to create different groups in your Active Directory to separate the different types of users. If you install this on a domain controller the setup happens in Active Directory, but if you prepared a stand-alone server you will be setting this up in the local users and groups of the server (not ideal).
For this demo I placed them all in the same Organizational Unit.
Install will now commence.
Now you need to set up user sign-in; you have three options. In this instance I used Password Synchronization, which allows users to sign in to Microsoft cloud services like Office 365 and Azure-deployed servers using the same password they use on their on-premises network. The users' passwords are synchronized to Azure AD as a password hash and authentication occurs in the cloud.
Click Next and enter a username that has the appropriate access to Azure AD.
Now connect your directories by indicating your directory type, your forest, and credentials that have the appropriate access to your local directory.
Now you can filter by OU and choose only the OUs you want to sync. I suggest doing this first on a test or smaller OU (a few users).
Then you move on to the section for uniquely identifying your users. In this section I chose "Users are only represented once across all forests", which means that all users are created as individual objects in Azure AD; the objects are not joined in the metaverse.
For the source anchor I chose objectGUID. This attribute is immutable during the lifetime of a user object and is the primary key linking the on-premises user with the user in Azure AD. I know this won't change, hence I chose that option. Also, the User Principal Name attribute in AD is called userPrincipalName, so I used that.
Under Filter users and devices I did not choose a filter, since I had already filtered at the OU level. You are free to create your own filter if you wish to narrow it down further.
Click Next and you will see the optional features.
I left the optional features at their defaults. You can click the question mark beside each one for more detailed information, or have a look below at what they all mean; I copied these descriptions from Microsoft's documentation.
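Before running the wizard, a quick pre-flight check covers two things the steps above depend on: that the UPN suffix of the users in the chosen OU matches the domain you verified (see the note on UPNs), and that the objectGUID you pick as source anchor is present. This is an added PowerShell script, not part of the original post; it assumes the ActiveDirectory RSAT module is available, and `$VerifiedDomain` and `$SyncOU` are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and the script runs on a domain-joined machine.
param(
    [string]$VerifiedDomain = 'contoso.example',             # placeholder: the domain verified in Azure AD
    [string]$SyncOU = 'OU=CloudUsers,DC=contoso,DC=local'   # placeholder: the OU selected in the OU filter step
)

Import-Module ActiveDirectory

# 1. Is the verification TXT record visible in DNS yet? (Verification can lag.)
$txt = Resolve-DnsName -Name $VerifiedDomain -Type TXT -ErrorAction SilentlyContinue
if (-not $txt) {
    Write-Warning "No TXT records found for $VerifiedDomain; domain verification may still be pending."
} else {
    $txt | ForEach-Object { Write-Host "TXT: $($_.Strings -join ' ')" }
}

# 2. Is the verified domain a UPN suffix known to the forest? The note above
#    requires it when your UPN suffix differs from the AD domain name.
$forest = Get-ADForest
if ($VerifiedDomain -ne $forest.RootDomain -and $forest.UPNSuffixes -notcontains $VerifiedDomain) {
    Write-Warning "UPN suffix '$VerifiedDomain' is not defined in the forest; add it before syncing."
}

# 3. Which users in the sync OU have a UPN that will not match the verified domain?
#    Those accounts would land in Azure AD under the tenant's default domain instead.
$users = Get-ADUser -SearchBase $SyncOU -Filter * -Properties UserPrincipalName, ObjectGUID
$mismatched = $users | Where-Object {
    -not $_.UserPrincipalName -or
    $_.UserPrincipalName.Split('@')[-1] -ne $VerifiedDomain
}

"{0} users in scope, {1} with a UPN suffix other than {2}" -f @($users).Count, @($mismatched).Count, $VerifiedDomain
$mismatched | Select-Object SamAccountName, UserPrincipalName, ObjectGUID | Format-Table -AutoSize
```

Fix any listed accounts (or add the suffix to the forest) before clicking Install; correcting UPNs after the first sync is more work, as the linked post on changing UPNs in bulk shows.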
Feature | Description
--- | ---
Exchange Hybrid Deployment | The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory.
Azure AD app and attribute filtering | By enabling Azure AD app and attribute filtering, the set of synchronized attributes can be tailored. This option adds two more configuration pages to the wizard. For more information, see Azure AD app and attribute filtering.
Password synchronization | If you selected federation as the sign-in solution, then you can enable this option. Password synchronization can then be used as a backup option. For additional information, see Password synchronization.
Password writeback | By enabling password writeback, password changes that originate in Azure AD are written back to your on-premises directory. For more information, see Getting started with password management.
Group writeback | If you use the Office 365 Groups feature, then you can have these groups represented in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory. For more information, see Group writeback.
Device writeback | Allows you to write back device objects in Azure AD to your on-premises Active Directory for conditional access scenarios. For more information, see Enabling device writeback in Azure AD Connect.
Directory extension attribute sync | By enabling directory extension attribute sync, the attributes you specify are synced to Azure AD. For more information, see Directory extensions.
Now it's ready to configure. Click Install and tick the start synchronization option so it synchronizes after the installation.
All you need to do now is wait.
Grab a coffee and after a cup or two your configuration will be complete.
You can verify that on the Users tab of your Azure AD. Be patient: this might not show up instantaneously, so give it some time to synchronize properly.