32
White Paper Azure AD Integration with Microsoft AD Using Azure AD Connect By: Bhoodev Sharma
White Paper
Azure AD Integration with Microsoft AD Using Azure AD Connect
By: Bhoodev Sharma
2
What is Azure Active Directory?
Azure Active Directory (Azure AD) is a Microsoft cloud-based identity and access management service, in layman terms, the
Azure AD is not an extension of an on-premises directory. Rather, it’s a copy that contains the same objects and identities.
Azure AD Connect is a Microsoft provided tool that helps in the integration of Azure AD with Microsoft Active Directory.
Azure AD Components
1. Identity: Anything that can be authenticated. It can be a user with a username & password, applications, or other services
that require authentication.
2. Account: Identity with data associated.
3. Azure AD Account: Identity created using Azure AD or other Microsoft cloud services.
4. Azure Tenant: An Instance of Azure AD is created when an organization signs up for a Microsoft Cloud service
subscription.
5. Azure AD Directory: Each Azure Tenant has a dedicated and trusted Azure AD Directory.
6. User Subscription: To pay for Azure cloud services used.
Why integrate Azure Active Directory with Microsoft Active Directory?
Integration of Azure AD with Microsoft AD helps employees sign-in and access resources from internal and external identities
providers.
1. External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
2. Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your
own organization.
3
Benefits of Using Azure AD
Integration with the Microsoft identity platform comes with
benefits that do not require you to write additional code.
1. Azure AD is highly available and spread across 32 data
centers in different geographies.
2. Using Azure AD access to applications on cloud or
on-premise can be simplified.
3. Single Sign-On to access thousands of SaaS applications
and on-premise applications.
4. Multi-Factor Authentication, Conditional Access, Privileged
Identity Management, and Dynamic Group.
Features of Azure AD Connect
Azure AD Connect is a Microsoft tool designed to meet and
accomplish your hybrid identity goals. AD Connect lets you
connect your on-premises Active Directory to Azure Active
Directory using Azure AD Connect following features can be
accomplished.
1. Password hash synchronization - A sign-in method that
synchronizes a hash of a user’s on-premises AD password
with Azure AD.
2. Pass-through authentication - A sign-in method that allows
users to use the same password on-premises and in the
cloud, but doesn’t require the additional infrastructure of
a federated environment.
3. Federation integration - Federation is an optional part of
Azure AD Connect and can be used to configure a hybrid
environment using an on-premises AD FS infrastructure.
It also provides AD FS management capabilities such
as certificate renewal and additional AD FS server
deployments.
4. Synchronization - Responsible for creating users, groups,
and other objects. As well as, making sure identity
information for your on-premises users and groups is
matching the cloud. This synchronization also includes
password hashes.
5. Health Monitoring - Azure AD Connect Health can provide
robust monitoring and provide a central location in the
Azure portal to view this activity.
What are the Azure AD Challenges?
When it comes to hybrid AD setup, we need to work with
whole different types of issues than on-premises AD
environments or Azure AD environment. Few common
challenges are listed below:
• Connection to Azure AD
• Connection to on-premises domain controllers
• DNS issues
• Synchronization errors
• Duplicate attribute
• Data mismatch
• Data validation failure
• Admin Role Conflict
4
Choose Authentication Methods
Azure AD Connect helps in choosing the authentication method from several available authentication methods between
On-Premise Active Directory and Azure AD.
Select the appropriate method of authentication to meet common hybrid identity and access management option with
recommendations as best to which hybrid identity option is appropriate for the organization:
• Column 1: Password Hash Synchronization with Single Sign-On
• Column 2: Pass-through Authentication and Single Sign-On
• Column 3: Single Sign-On with Active Directory Federated Services
5
Azure AD Connect Architecture:
6
Instructions: Azure AD Connect Installation, Configuration, Administration
The Azure AD Connect tool needs to be installed on the Domain Controller machine. AD Connect tool can be downloaded
directly from internet or from the link provided below from Azure Active Directory > Azure AD Connect > Download Azure AD
Connect
Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center
7
1. Post software is available on Active Directory Server by directly downloading from the internet or by copying to the directory
server. Start the installation like any other windows installation program.
2. Start the installation of Azure AD Connect using the file AzureADConnect.msi downloaded in previous step.
8
3. On the Welcome to Azure AD Connect screen check the box for I agree to the license terms and privacy notice and click
on Continue to move to the next screen for installation.
9
4. From the Install Required Components screen, check the Use an existing service account and set the required
information. You will need to type your domain administrator credentials. Click Install.
10
5. Click on the Install button to install all the required components for Azure AD Connect Synchronization Service.
11
6. Select the password hash synchronization and click on Next.
12
7. From the User Sign-In tab you will need to set your desired selection of the Single Sign-On method. Each selection might
add more steps and requirements. We recommend using Password Synchronization or Do not configure options.
13
8. Enter credentials for Azure Active Directory user with Global Administrator role. The Global Administrator role is a must for
identity used for configuring Azure AD Connect and click on the Next button.
14
9. Based on the requirement create a new AD account or use an existing AD account, Identity must be a member of Domain
Administrator Group for directory authentication and click OK.
15
10. On Azure AD Connect your directories screen add directory and click on Next to continue.
16
11. Select the Azure AD sign-in configuration and select Continue without matching all UPN suffixes to verify domains and
click on Next to continue.
17
12. On Domain and OU filtering screen select the sync option based on business requirement and click on Next to continue.
18
13. Select the option to Uniquely identifying your users from on-premises directories and click on Next to continue.
19
14. Select the filtering options for users and devices and click on Next to continue.
20
15. Select the optional features from the list below and click on Next to continue.
21
16. Select the Azure AD apps based on requirement and click on Next to continue.
22
17. Select the Azure AD attributes and click on Next to continue.
23
18. On the Ready to configure screen select the option for Start the synchronization process when configuration
completes if you want to start automatically and click on Install to install the options select in previous screens.
24
19. Monitor the configuration screen for the progress of configuration of all the selected components.
25
20. Once Configuration Complete screen appears, click on Exit.
26
21. Verify from the Azure Active Directory > Azure AD Connect > you should see Password Hash Synchronization is enabled
and sync status is enabled.
27
22. Verify by logging into Azure portal > Azure Active Directory > Users > you should see the users synced from the
on-premises active directory.
Monitor Azure AD Synchronization via Synchronization Service Manager
To monitor and manage directory synchronization, you can use the Synchronization Service Manager console:
1. To open Synchronization Service Manager, go to the Start menu and type Synchronization Service. It should appear
under the Azure AD Connect.
2. In the Synchronization Service Manager console, under the Operations tab, you can monitor the synchronization progress.
The upper part of the window shows ongoing sync cycles and the lower part presents what number of modifications is
already synchronized.
28
Use PowerShell to Manage Azure AD Synchronization
If you unchecked the “Start the synchronization process when configuration completes” box in the Configure section in Azure
AD Connect, you need to start the synchronization manually. You can do it via PowerShell.
1. Check current synchronization settings
To check the current state of the synchronization settings, use this cmdlet:
Get-ADSyncScheduler
29
2. Manually start the synchronization
To start the initial synchronization run this cmdlet:
Start-ADSyncSyncCycle – PolicyType Initial
3. To start the delta Synchronization, use this cmdlet:
Start-ADSyncSyncCycle –PolicyType Delta
4. Customize the synchronization time intervals.
To change the default 30-minute (00:30:00) sync cycle interval, execute the following cmdlet:
Set-ADSyncScheduler –CustomizedSyncCycleInterval 00:40:00
To customize the sync interval, use the HH:MM:SS format, e.g. 00:45:00 will set a 45-minute sync cycle interval.
30
NOTE: Setting interval time under 30 minutes is not supported. This is what I get when trying to set up the customized
interval to e.g. 10 minutes:
5. Validation of synchronization time intervals.
Run the Get-ADSyncScheduler cmdlet to check your settings. The time interval you set should appear next to the
CustomizedSyncCycleInterval parameter.
31
6. Identity Synchronization validation from the Azure Active Directory.
Get the best out of your hybrid and multi-cloud investment
visit us at www.unisys.com/cloud
For more information visit www.unisys.com
© 2020 Unisys Corporation. All rights reserved.
Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners.
12/20 20-0701
