Complete tutorial for Azure AD Connect and Microsoft Entra Connect

Last update: 31/03/2026
Author Isaac
  • Azure AD Connect synchronizes identities between on-premises Active Directory and Microsoft Entra ID, allowing a single username and password for on-premises and cloud services.
  • Proper preparation of the local Active Directory (UPN, suffixes, mail attributes, and OU structure) is key to a clean and conflict-free synchronization with Microsoft 365.
  • Authentication methods (PHS, PTA, federation) and options such as SSO, filtering, and writeback allow the solution to be adapted to different business scenarios.
  • Microsoft Entra Connect Health provides advanced monitoring, alerts, and metrics on AD DS, AD FS, and Azure AD Connect, improving operation and support.

Azure AD Connect Guide

Azure AD Connect (now Microsoft Entra Connect) is the key to connecting your on-premises Active Directory with the Microsoft cloud: Microsoft Entra ID (formerly Azure AD) and Microsoft 365. With it, your users sign in with the same username and password both on-premises and in cloud services, which avoids duplicate accounts and reduces the IT department's workload.

Throughout this tutorial you will see the entire cycle in detail: preparing the on-premises environment, creating the domain and the Active Directory forest, configuring Microsoft Entra ID, installing and configuring Azure AD Connect, authentication methods, object filtering, and advanced features such as password hash synchronization, writeback, and using Microsoft Entra Connect Health to monitor the infrastructure.

What is Azure AD Connect and what is it used for?

Azure AD Connect is the official Microsoft utility that acts as a "bridge" between your on-premises Active Directory and Microsoft Entra ID, also integrating Microsoft 365. It synchronizes the identities you already have in your on-premises domain to the cloud, so that each user has the same credentials in both worlds and, if desired, single sign-on (SSO).

The Azure AD Connect client is installed on a domain member server. It can technically be installed on a domain controller, but Microsoft recommends against it for security and service-isolation reasons. Whichever host you choose, treat it as a Tier 0 asset on a par with a domain controller: it stores the credentials of both connector accounts and is trusted to read and write directory data. This server synchronizes users, groups, and other objects from your Active Directory to Entra ID at regular intervals.

Once configured, Azure AD Connect can use different authentication models: Password Hash Synchronization (PHS), Pass-through Authentication (PTA), federation with AD FS, or federation with providers such as PingFederate. It also offers options such as seamless SSO, filtering by domain, OU or group, protection against accidental mass deletions, and automatic upgrades.

In scenarios where you already work with Microsoft 365 and have "cloud-only" users, Azure AD Connect lets you unify identities: if the UPN (or primary SMTP address) of a local user matches that of the user in the cloud, the first synchronization soft-matches the two objects, the account stops being "cloud only" and becomes a user synchronized from AD, and governance of its attributes moves to your local directory.

Preparing the local Active Directory environment

Before you think about syncing anything with Entra ID, you need a functional Active Directory environment. If you already have a corporate domain in production, you can use it; if not, you can set up a lab from scratch to test all hybrid identity scenarios without affecting your live environment.

The idea behind this lab is to build one server that acts as a domain controller (DC) and hosts AD DS, DNS, and the management tools. All of this can run on a Hyper-V virtual machine with Windows Server, using PowerShell scripts that automate most of the work.

Creating the virtual machine for the domain controller

The first step is to create the virtual machine that will function as the on-premises Active Directory server. To do this, open PowerShell ISE as administrator on the Hyper-V host and run a script that defines the VM name, network switch, VHDX path, disk size, and installation media (Windows Server ISO).

This script creates a generation 2 VM with fixed memory, creates a new virtual disk, and attaches a virtual DVD drive pointing to the operating system ISO. The VM firmware is then set to boot from the DVD first, so that you can install the system interactively.

Once the virtual machine has been created, start it from Hyper-V Manager, connect to its console, and perform a standard Windows Server installation: select your language, enter the product key, accept the license terms, choose a custom installation, and use the newly created disk. After the installation completes, restart, log in, and apply all available updates.
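As an added example (this is not the article's script), the VM-creation step above in PowerShell. The VM name, virtual switch, VHDX and ISO paths, and sizes are assumptions for a lab; adjust them and run the script as administrator on the Hyper-V host.

```powershell
# Added example: create the Hyper-V VM that will become the lab domain controller.
# All names, paths and sizes below are assumptions for the lab, not values from the article.
#Requires -RunAsAdministrator
$VMName      = 'DC1'                          # assumption
$SwitchName  = 'LabSwitch'                    # assumption: an existing virtual switch
$VhdPath     = 'D:\Hyper-V\DC1\DC1.vhdx'      # assumption
$IsoPath     = 'D:\ISO\WindowsServer.iso'     # assumption
$MemoryBytes = 4GB
$DiskBytes   = 80GB

# Fail early on the two things that silently produce an unusable VM
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    throw "Virtual switch '$SwitchName' does not exist; create it first (New-VMSwitch)."
}
if (-not (Test-Path -Path $IsoPath)) {
    throw "Installation media not found at '$IsoPath'."
}
if (Get-VM -Name $VMName -ErrorAction SilentlyContinue) {
    throw "A VM named '$VMName' already exists."
}

# Generation 2 VM with a new VHDX attached to the lab switch
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes $MemoryBytes `
       -SwitchName $SwitchName -NewVHDPath $VhdPath -NewVHDSizeBytes $DiskBytes | Out-Null

# Fixed memory: a DC should not have its RAM ballooned away by dynamic memory
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false

# Attach the ISO and make the DVD the first boot device for the interactive install
Add-VMDvdDrive -VMName $VMName -Path $IsoPath
$dvd = Get-VMDvdDrive -VMName $VMName
Set-VMFirmware -VMName $VMName -FirstBootDevice $dvd

# Keep Secure Boot on (the Gen 2 default template is fine for Windows Server)
Set-VMFirmware -VMName $VMName -EnableSecureBoot On

Start-VM -Name $VMName
Get-VM -Name $VMName | Select-Object Name, State, Generation, MemoryStartup
```

After the OS is installed, remove the ISO (Set-VMDvdDrive -VMName DC1 -Path $null) so the VM no longer offers a boot-from-media path.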

Initial configuration of the Windows Server

With the operating system installed, the server must be prepared to receive the Active Directory Domain Services role. This involves giving it a consistent name (for example, DC1), configuring a static IP address, defining DNS settings, and adding the necessary administrative tools through Windows features.

Another PowerShell script can automate these tasks: setting the IP address, mask, gateway and DNS servers, renaming the computer, and installing the Active Directory RSAT tools, while logging everything to a file for auditing. For the DNS client, point the server only at AD-integrated DNS (itself, or another DC). Do not list a public resolver such as 8.8.8.8 as a secondary on a domain controller or domain member: if the client fails over to it, the _ldap and _kerberos SRV lookups the domain depends on fail. External name resolution belongs in a forwarder configured on the DNS server role after promotion.

After applying these changes, the server restarts and is ready to be promoted to a domain controller in a new forest, giving you an operational on-premises AD environment for testing or for real integration with the cloud.


Creating the Active Directory forest and domain

The next step is to install AD DS, DNS and the Group Policy Management Console (GPMC), and then create a new Active Directory forest. Again, PowerShell speeds up the process: install the required features and run the Install-ADDSForest cmdlet with the necessary parameters.

In the forest definition you specify the domain name (for example, contoso.com), the NetBIOS name, the paths to the Active Directory database (NTDS), logs, and SYSVOL, and the domain and forest functional levels. The Directory Services Restore Mode (DSRM) password, essential for recovery tasks, is also set here; store it in your password vault, because it is the credential that lets you log on to the DC when AD DS itself is offline.

When the server restarts after the promotion, you have a Windows Server AD environment with an operational domain, integrated DNS, and all the tools needed to manage users, groups, OUs, and group policies.
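The following is an added example, not the article's script, covering both the initial server configuration and the forest creation described above. It is written to be run three times on the future DC: the first run sets the network and hostname and reboots, the second installs the roles and promotes the server, the third (after the promotion reboot) adds a DNS forwarder and verifies the domain. The interface alias, addresses, hostname, domain name and paths are assumptions for the lab.

```powershell
# Added example (not the article's script): prepare the server and promote it to the first
# DC of a new forest. Re-run after each reboot; the script detects which stage it is in.
# Interface alias, IPs, hostname, domain name and paths are assumptions for the lab.
#Requires -RunAsAdministrator
Start-Transcript -Path 'C:\Setup\dc1-setup.log' -Append   # audit trail of every step

$Alias   = 'Ethernet'       # assumption: check with Get-NetAdapter
$IP      = '10.0.0.10'      # assumption
$Prefix  = 24
$Gateway = '10.0.0.1'       # assumption
$NewName = 'DC1'
$Domain  = 'contoso.com'    # assumption
$Netbios = 'CONTOSO'

$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller

if ($env:COMPUTERNAME -ne $NewName) {
    # ---- Stage 1: static IP, DNS client, RSAT, hostname (reboots) ----
    Set-NetIPInterface -InterfaceAlias $Alias -Dhcp Disabled
    Remove-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IP -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

    # DNS client points ONLY at AD-integrated DNS (this server). No public resolver as a
    # fallback: a client that fails over to 8.8.8.8 cannot resolve the domain's SRV records.
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $IP

    Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature | Out-Null
    Stop-Transcript
    Rename-Computer -NewName $NewName -Force -Restart
}
elseif ($role -lt 4) {
    # ---- Stage 2: AD DS, DNS, GPMC and forest creation (reboots) ----
    Install-WindowsFeature -Name AD-Domain-Services, DNS, GPMC -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # The DSRM password is the offline recovery credential for this DC: prompt, never hard-code
    $Dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

    # WinThreshold = Windows Server 2016 functional level
    Install-ADDSForest `
        -DomainName $Domain -DomainNetbiosName $Netbios `
        -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -InstallDns:$true -CreateDnsDelegation:$false `
        -SafeModeAdministratorPassword $Dsrm `
        -NoRebootOnCompletion:$true -Force
    Stop-Transcript
    Restart-Computer -Force
}
else {
    # ---- Stage 3: external resolution via a forwarder on the DNS role, then verify ----
    if (-not (Get-DnsServerForwarder).IPAddress) {
        Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru | Out-Null   # assumption: your upstream resolver
    }
    Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
    # The SRV record clients use to find a DC must resolve through this server
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $IP
    Stop-Transcript
}
```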

Creating test users in Active Directory

With the forest up and running, it is useful to have test accounts. To verify synchronization with Entra ID, you can use a PowerShell script to create, for example, the user "Allie McCray" with a logon name (sAMAccountName), an initial password, a display name, and the option to keep the password from expiring.

The script can also enable the account, clear the "change password at next logon" flag, and place the object in the desired container (for example, CN=Users,DC=contoso,DC=com). These users will then be synchronized to Microsoft Entra ID by Azure AD Connect.

Preparing the local domain for synchronization

Before deploying Azure AD Connect, review your AD to ensure it meets Microsoft's requirements: properly configured domains, correct UPN suffixes, consistent mail attributes, and no conflicting data (duplicate proxyAddresses or mail values are hard synchronization errors). For this task Microsoft offers the IdFix tool, which detects and helps fix problematic objects.

In many environments there is a local domain such as mydomain.local and, separately, a public email domain, for example mydomain.com, used in Microsoft 365. A non-routable suffix such as .local cannot be verified in Entra ID, so users synchronized with it would end up with a UPN under the default onmicrosoft.com domain. For a clean synchronization, add the UPN suffix of the public email domain to the local AD.

From "Active Directory Domains and Trusts", open the properties of the root node and add the new UPN suffix (for example, mydomain.com). Then, in the user's account properties, on the "Account" tab, change the UPN from user@mydomain.local to user@mydomain.com so that it matches the email address in Microsoft 365.

Changing the UPN is highly recommended to simplify later sign-ins and eventual SSO. The change does not modify the classic DOMAIN\user logon name (pre-Windows 2000), so applications and scripts that still use that format are unaffected.

It is also important to populate the mail attribute of the user accounts with their primary email address. If you already have users created directly in the cloud, a matching UPN and email between on-premises and Microsoft 365 lets the first synchronization join the two accounts, turning the cloud user into an identity synchronized from AD.
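As an added example that is not part of the article, the script below ties together the test-user creation and the UPN preparation described above: it registers the public UPN suffix at forest level, creates the test user with a routable UPN and a matching mail attribute, and then runs a pre-synchronization audit in the spirit of IdFix (wrong suffix, empty or mismatched mail, and duplicate addresses across the domain). The domain names, search base and password prompt are assumptions for the lab.

```powershell
# Added example (not the article's script): create the test user and audit the domain
# before the first synchronization. Domain names and the search base are assumptions.
Import-Module ActiveDirectory

$PublicDomain = 'contoso.com'             # assumption: domain verified in Microsoft 365
$SearchBase   = 'DC=contoso,DC=local'     # assumption: the lab's non-routable AD domain
$Path         = "CN=Users,$SearchBase"

# 1. Register the routable suffix once at forest level (idempotent)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $PublicDomain}
}

# 2. Test user with UPN == mail on the public domain, enabled, no forced password change
$pw = Read-Host -Prompt 'Initial password for Allie McCray' -AsSecureString
New-ADUser -Name 'Allie McCray' -GivenName 'Allie' -Surname 'McCray' -DisplayName 'Allie McCray' `
    -SamAccountName 'amccray' `
    -UserPrincipalName "amccray@$PublicDomain" `
    -EmailAddress     "amccray@$PublicDomain" `
    -Path $Path -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# 3. Per-user audit: objects that will sync with a wrong UPN or fail to soft-match
function Test-UpnReadyForSync {
    param([string]$SearchBase, [string]$RoutableDomain)
    $users = Get-ADUser -SearchBase $SearchBase -Filter 'enabled -eq $true' `
                        -Properties mail, userPrincipalName
    foreach ($u in $users) {
        $issues = @()
        if (-not $u.UserPrincipalName) {
            $issues += 'missing UPN'
        } else {
            if ($u.UserPrincipalName -notlike "*@$RoutableDomain") { $issues += "UPN suffix is not $RoutableDomain" }
            if ($u.UserPrincipalName -match '\s')                  { $issues += 'UPN contains whitespace' }
        }
        if (-not $u.mail)                           { $issues += 'mail attribute empty' }
        elseif ($u.mail -ne $u.UserPrincipalName)   { $issues += 'mail does not match UPN' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Sam = $u.SamAccountName; UPN = $u.UserPrincipalName; Issues = ($issues -join '; ') }
        }
    }
}

# 4. Domain-wide audit: the same SMTP address on two objects is a hard sync error
function Find-DuplicateMail {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties mail, proxyAddresses |
        ForEach-Object {
            $addrs = @()
            if ($_.mail) { $addrs += $_.mail.ToLower() }
            foreach ($p in $_.proxyAddresses) { $addrs += ($p -replace '^smtp:', '').ToLower() }   # -replace is case-insensitive
            foreach ($a in ($addrs | Select-Object -Unique)) {
                [pscustomobject]@{ Address = $a; Sam = $_.SamAccountName }
            }
        } |
        Group-Object -Property Address | Where-Object Count -gt 1 |
        Select-Object @{n = 'Address'; e = { $_.Name }}, @{n = 'Owners'; e = { $_.Group.Sam -join ', ' }}
}

Test-UpnReadyForSync -SearchBase $SearchBase -RoutableDomain $PublicDomain | Format-Table -AutoSize
Find-DuplicateMail   -SearchBase $SearchBase | Format-Table -AutoSize
```

Run the two audit functions against the OUs you intend to synchronize until both return nothing; IdFix performs a broader version of the same checks, but having them in a script makes the pre-flight repeatable.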

Microsoft Entra ID setup and configuration (Azure AD)

For the local directory to be synchronized you need a Microsoft Entra ID tenant: the cloud directory in which the replicas of your on-premises users, groups, and devices will be created.

If you don't already have a tenant, you can create one from the Microsoft admin center. Sign in with an account that owns the subscription. From the Overview section, choose the option to manage tenants, then create a new one, providing the organization name and an initial domain (for example, something.onmicrosoft.com).

Once the wizard finishes, the directory is created and you can manage it from the portal. Later you can add custom domains (such as contoso.com) and verify them so that they can be used as the UPN domains of your users synchronized from Active Directory.

Creating a hybrid identity administrator account

In the Microsoft Entra tenant, create a dedicated account to manage the hybrid component. It will be used, for example, for the initial configuration of Azure AD Connect and for identity-related tasks. Keep this account cloud-only (never synchronized from AD) and protect it with MFA, so that a compromise of the on-premises directory cannot be used to take it over.

From the Users section, create a new user, assign a name and username (UPN), and assign the "Hybrid Identity Administrator" role. During creation you can view and copy the temporary password.

After creating the account, sign in at myapps.microsoft.com with that username and the temporary password; you will be forced to set a permanent one. This is the administrative identity you will use in several of the hybrid setup steps.

Azure AD Connect (Microsoft Entra Connect) Installation

With the local environment ready and the cloud tenant prepared, you can install Azure AD Connect on a domain member server. Microsoft recommends against using a domain controller, to limit security and availability risks. The server nevertheless deserves domain-controller-grade protection: when password hash synchronization is enabled, the AD DS Connector account is granted the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions, which are exactly the rights needed for a DCSync-style dump of every password hash in the forest. Anyone who becomes local administrator on the Connect server can therefore recover those credentials, so restrict logon to it, keep it off the general management network, and monitor it as you would a DC.

Azure AD Connect can be downloaded from the Microsoft Entra admin center (Azure AD Connect section) or directly from the Microsoft Download Center. Obtain it only from Microsoft and check the installer's digital signature before running it on what will be a Tier 0 server.


In the installation wizard you accept the license terms and then choose between express settings and custom settings. Express configures full synchronization of a single forest using password hash synchronization; custom gives you much greater control over attributes, domains, OUs, authentication methods, and additional features.

In most deployments the custom path is the better choice, especially if you need to limit which organizational units are synchronized, want to evaluate different sign-in methods, or have a multi-forest topology.

Configuring the login method

One of the key points in the wizard is the choice of sign-in method your users will use to access cloud resources. Azure AD Connect offers several built-in options, each with its own advantages and requirements.

  1. Password Hash Synchronization (PHS): synchronizes to Entra ID a hash derived from the password hash stored in the on-premises Active Directory. The NT hash is salted and re-hashed (PBKDF2-HMAC-SHA256, 1,000 iterations) before it leaves the domain, so the cloud never holds the clear-text password or the original NT hash. The user signs in directly with Entra ID using the same password as on-premises, which is still managed only in AD. It is the simplest model and the most widely used, and cloud sign-in keeps working even if the on-premises environment is down.

  2. Pass-through authentication (PTA): passwords are not stored in Entra ID. When a user signs in, the credential is forwarded to on-premises authentication agents that validate it against the local AD. This lets you enforce local logon restrictions (logon hours, account state, etc.) and keeps authentication inside your infrastructure, at the cost of depending on it: if every agent is unreachable, cloud sign-in fails, so deploy several agents (Microsoft recommends three).

  3. Federation with AD FS: Entra ID delegates authentication to a federation service based on Active Directory Federation Services. It requires AD FS servers and, typically, a Web Application Proxy. It is more complex to maintain, but offers maximum control and compatibility with advanced scenarios (smart cards, third-party MFA, on-premises authentication policies).

  4. Federation with PingFederate: like the previous option, but using PingFederate instead of AD FS, for organizations that already run that identity infrastructure.

  5. Do not configure: for when you already have a third-party federation solution and don't want Azure AD Connect to automate anything in this area.

Additionally, you can enable seamless single sign-on (SSO) in combination with PHS or PTA. With it enabled, a group policy (GPO) adds the SSO endpoint to the browser's intranet zone so that domain-joined computers authenticate with Kerberos using the user's UPN, typically the same as their email address, without repeatedly prompting for credentials when accessing services such as the Microsoft 365 portal. Seamless SSO creates a computer account named AZUREADSSOACC in AD; its Kerberos decryption key signs the tickets Entra ID accepts, so Microsoft recommends rolling it over at least every 30 days.
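The following is an added example, not the article's or Microsoft's own GPO, showing the group-policy side of seamless SSO and the operational check that goes with it: it creates and links a GPO that puts the SSO endpoint in the Local intranet zone via the "Site to Zone Assignment List" registry policy, and then reports the age of the AZUREADSSOACC Kerberos key. The GPO name and the OU it is linked to are assumptions; run it from a machine with the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not the article's GPO): push the Seamless SSO intranet-zone prerequisite
# and check the age of the AZUREADSSOACC key. GPO name and link target are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Entra Seamless SSO'                   # assumption
$Target  = 'OU=Workstations,DC=contoso,DC=com'    # assumption: OU holding domain-joined PCs
$SsoUrl  = 'https://autologon.microsoftazuread-sso.com'

# 1. Create (or reuse) the GPO. The registry key below is what the "Site to Zone Assignment
#    List" administrative template writes; data '1' = Local intranet zone. Browsers send the
#    Kerberos ticket for AZUREADSSOACC only to sites in that zone.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' `
    -ValueName $SsoUrl -Type String -Value '1' | Out-Null

# 2. Link it to the workstation OU if it is not already linked
$alreadyLinked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null
}

# 3. Operational check: the AZUREADSSOACC computer account's password is the Kerberos key
#    that signs SSO tickets. Microsoft recommends rolling it at least every 30 days
#    (Update-AzureADSSOForest from the AzureADSSO module on the Connect server).
function Test-SsoKeyAge {
    param([int]$MaxDays = 30)
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -ErrorAction Stop
    $age = (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days
    [pscustomobject]@{
        Account       = $acc.Name
        KeySetOn      = $acc.PasswordLastSet
        AgeDays       = $age
        NeedsRollover = ($age -gt $MaxDays)
    }
}

Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
Test-SsoKeyAge
```

Microsoft's seamless SSO documentation also asks for "Allow updates to status bar via script" to be enabled for the Intranet zone; set that through the same GPO in the Group Policy editor. The AZUREADSSOACC account only exists once SSO has been enabled from the Connect wizard, so run the check afterwards.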

Connecting to Microsoft 365 and the local Active Directory

In the Azure AD Connect wizard you first provide the credentials of a Microsoft Entra administrator (for example, the hybrid identity administrator account created earlier). This lets the tool configure the cloud side and register the server as a synchronization source.

Then the wizard asks for the credentials of an account with permissions in the local AD in order to create the synchronization link with the on-premises forest. With custom settings you can let the wizard create a dedicated AD DS Connector account (the recommended option) or supply an existing one; in both cases the service account should hold only the rights the selected features need, never Domain Admin or Enterprise Admin membership. Once validated, the local directory is added to the list of synchronization sources.

In the next step you choose which attribute becomes the user principal name in the cloud. The usual choice is userPrincipalName, but in some scenarios you can use the mail attribute as an alternate login ID if it is consistent and fully populated. You can also choose to continue without all UPN domains being verified in Entra ID yet (useful when the AD domain is non-routable).

OU selection and object filtering

Azure AD Connect lets you define which subset of your Active Directory forest is synchronized to the cloud. You can select entire domains, specific organizational units, or even filter by attributes to narrow the scope.

In practice, start by synchronizing only the OUs where the pilot users reside, or use a specific security group whose members are replicated to Entra ID. This reduces the risk of synchronizing service accounts, privileged accounts, obsolete objects, or information that should not leave the on-premises environment. Exclude the OUs that hold domain administrators, service accounts, and Tier 0 servers unless you have a concrete need for them in the cloud.

Note that later changes to the OU structure (renaming or moving containers) affect filtering: an object moved out of a synchronized OU is deleted from Entra ID on the next cycle. Group-based filtering avoids that dependency on the organizational structure, but Microsoft supports it only for pilot deployments; for production, use OU-based filtering, or attribute-based filtering implemented with custom synchronization rules.

Additional configuration options

The wizard's final screens offer additional features: password writeback, device writeback, hybrid Exchange integration, and protection against accidental deletions.

Password writeback lets users change or reset their password from the cloud (for example, through self-service password reset) and have the change applied in the on-premises Active Directory, respecting the organization's password policy. For many companies this is a significant support advantage. It requires a Microsoft Entra ID P1 or P2 license and grants the AD DS Connector account reset-password rights on user objects, so scope those permissions to the OUs that actually need them.

Device writeback copies devices registered in Microsoft Entra ID back into the local Active Directory, which enables conditional access scenarios (such as device-based access control in AD FS) where devices need to be known on both sides.


The feature to prevent accidental deletions is enabled by default and limits the number of objects that can be deleted in a single export (500 by default). If the threshold is exceeded, the export stops with the status stopped-deletion-threshold-exceeded until an administrator reviews the pending deletions and either fixes the cause (a mistakenly moved OU, a changed filter) or temporarily disables the threshold. This is crucial in large environments.

Finally, automatic upgrade is enabled by default for express installations and keeps Azure AD Connect on a current version, fixing bugs and adding compatibility without manual updates on each server. Not every configuration is eligible, so check the state with Get-ADSyncAutoUpgrade and plan manual upgrades if it reports disabled or suspended; Microsoft retires old builds, and an outdated Connect server eventually stops synchronizing.

Verification of synchronization and daily operation

After completing the installation wizard, Azure AD Connect can start a full synchronization immediately if you left that option selected. The wizard offers to run an initial cycle as soon as it finishes, which is recommended to validate that everything works.

On the server where you installed Azure AD Connect, open the "Synchronization Service" console from the Start menu. There you see the run history, including the initial synchronization, any errors, and the details of each connector's import, synchronization, and export steps.

In the Microsoft 365 admin center or the Microsoft Entra admin center you can check the user list to verify that the users appear as "Synced with Active Directory" instead of "Cloud only". From that point on, the main attributes (first name, last name, email address, etc.) are managed from the local Active Directory.

By default Azure AD Connect runs a delta synchronization cycle every 30 minutes, although you can force one from PowerShell when a change needs to be reflected immediately. Document this behavior so the support team knows what to expect.
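As an added example that is not part of the article, the script below is an operator runbook for the day-to-day checks discussed in this section and for the deletion-threshold protection described earlier: it confirms the export deletion threshold is still enabled, inspects the scheduler (including staging mode), forces a delta cycle and waits for it to finish, and then confirms through Microsoft Graph PowerShell that a given user is no longer "cloud only". The test UPN and the interactive Graph sign-in are assumptions; the ADSync module exists only on the Connect server, while the Graph part can run from any admin workstation.

```powershell
# Added example (not from the article): Entra Connect operator runbook. The UPN checked
# at the end and the interactive Graph sign-in are assumptions.
Import-Module ADSync

function Assert-DeletionThreshold {
    param([int]$Expected = 500)
    # The accidental-deletion guard is the last line of defence against a mass delete in the
    # cloud; a threshold left disabled after an incident is a common finding.
    $t = Get-ADSyncExportDeletionThreshold
    if (-not $t.DeletionThresholdEnabled) {
        throw 'Export deletion threshold is DISABLED. Re-enable it: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500'
    }
    if ($t.DeletionThreshold -ne $Expected) {
        Write-Warning "Deletion threshold is $($t.DeletionThreshold); expected $Expected."
    }
    return $t
}

function Invoke-DeltaSyncAndWait {
    param([int]$TimeoutSeconds = 900)
    $s = Get-ADSyncScheduler
    if ($s.StagingModeEnabled) {
        Write-Warning 'This server is in staging mode: it imports and synchronizes but does not export to Entra ID.'
    }
    if (-not $s.SyncCycleEnabled) { throw 'Scheduler is disabled (maintenance?); not forcing a cycle.' }
    if ($s.SyncCycleInProgress)   { throw 'A synchronization cycle is already running; try again later.' }

    # Delta is the normal choice; use -PolicyType Initial only after changing rules or filters
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)
    if ($inProgress) {
        throw "Cycle still running after $TimeoutSeconds s; inspect it in the Synchronization Service console."
    }
    Get-ADSyncScheduler | Select-Object AllowedSyncCycleInterval, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

function Test-UserIsHybrid {
    param([Parameter(Mandatory)][string]$Upn)
    # Requires the Microsoft.Graph.Users module; User.Read.All is enough to read the sync attributes
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    $u = Get-MgUser -UserId $Upn `
        -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime,onPremisesImmutableId'
    [pscustomobject]@{
        UPN            = $u.UserPrincipalName
        SyncedFromAD   = [bool]$u.OnPremisesSyncEnabled                                 # $true = no longer cloud-only
        LastSyncUtc    = $u.OnPremisesLastSyncDateTime
        HasImmutableId = -not [string]::IsNullOrEmpty($u.OnPremisesImmutableId)        # sourceAnchor linking to the AD object
    }
}

Assert-DeletionThreshold | Out-Null
Invoke-DeltaSyncAndWait
Test-UserIsHybrid -Upn 'amccray@contoso.com'   # assumption: the test user created earlier
```

If the export stopped with stopped-deletion-threshold-exceeded, do not simply disable the threshold and rerun; first list the pending deletions in the Synchronization Service console and confirm they are intended.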

Advanced scenarios: multiple forests and additional servers

In more complex organizations you may encounter multiple Active Directory forests, each with its own domain and users. There may also be resource forests hosting linked mailboxes or other services.

Azure AD Connect is ready for these topologies: it lets you add multiple forests as synchronization sources and applies a declarative provisioning model. This means that the rules for joining, transforming, and flowing attributes are defined declaratively and can be adjusted to fit your identity design.

For more advanced labs, a second forest (for example, fabrikam.com) can be created with its own domain controller (CP1) by repeating the steps of VM creation, system installation, IP and DNS configuration, promotion to DC, and creation of test users. This allows testing of multi-forest scenarios and cloud synchronization with different domains.

In production environments, it is recommended to have a second Azure AD Connect server in staging mode. The staging server keeps a copy of the configuration and performs import and synchronization internally, but does not export changes to Entra ID. If the primary server fails, you switch the staging server to active mode with minimal impact. Never have two servers exporting to the same tenant at the same time.

Microsoft Entra Connect Health: monitoring and alerts

To keep the hybrid identity infrastructure under control, Microsoft offers Microsoft Entra Connect Health, a premium service that monitors key components such as Azure AD Connect (synchronization), AD FS, and AD DS, providing alerts, performance metrics, and usage analysis.

The service is agent-based. The agents are installed on the identity servers (AD FS servers, domain controllers, and Azure AD Connect servers) and send health and performance information to the cloud service, where you view it in the dedicated Connect Health portal.

To begin, you need Microsoft Entra ID P1 or P2 licenses (or a trial). Then download the Connect Health agents from the portal and install them on each relevant server. Once registered, the service automatically detects which roles are being monitored.

In the Connect Health portal you find separate panels: one for synchronization services (Azure AD Connect), another for federation services (AD FS), and another for AD DS forests. In each you can view active alerts, replication status, potential certificate issues, authentication errors, and usage trends.

Beyond the technical views, Connect Health includes options to configure role-based access (IAM) and, optionally, to authorize Microsoft to access diagnostic data for support purposes only. This option is disabled by default, but it can be useful if you need Microsoft support to resolve complex issues.

With this entire ecosystem set up (local AD, Microsoft Entra ID, Azure AD Connect, and Connect Health), you have a complete hybrid identity platform capable of delivering single sign-on, centralized account and password governance, high availability, and visibility into the state of the infrastructure: a combination that simplifies life for the end user and gives you the control you need to operate securely and flexibly.
