Azure AD is a service that provides identity and access management capabilities in the cloud. Azure AD can be integrated with an existing on-premise AD to provide single sign-on for users accessing cloud applications. It is therefore essential for organizations to keep the credentials in on-premise AD and Azure AD in sync. To solve the sync problem, we have the Azure Active Directory Connect tool, which provides one-way synchronization from on-premise AD to Azure AD.
Prerequisites
- Windows Server 2008R2 SP1 or Higher
- Only 64 bit version supported
- .Net framework 3.5 SP1 and .net framework 4.0
- Install Active Directory Domain Services role on your local machine and promote it to a Domain Controller
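The prerequisites above can be checked before running the installer. The following PowerShell pre-flight script is an added example and not part of the original post; it assumes an elevated session on the Windows Server that will host Azure AD Connect (so the ServerManager module and Get-WindowsFeature are available) and reads the .NET Framework state from the registry keys the framework installers write.

```powershell
# Added pre-flight check for the listed prerequisites (not from the original post).
# Run in an elevated PowerShell session on the server that will host Azure AD Connect.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Windows Server 2008 R2 SP1 reports version 6.1.7601; anything newer satisfies "2008 R2 SP1 or higher".
$osOk = [version]$os.Version -ge [version]'6.1.7601'
$is64 = [Environment]::Is64BitOperatingSystem

# .NET 3.5 SP1 records Install=1 and SP=1 under NDP\v3.5; .NET 4.x records Install=1 under NDP\v4\Full.
$net35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$net4  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$net35Ok = ($null -ne $net35) -and ($net35.Install -eq 1) -and ($net35.SP -ge 1)
$net4Ok  = ($null -ne $net4)  -and ($net4.Install -eq 1)

# AD DS role present, and the machine promoted to a domain controller
Import-Module ServerManager
$adds = Get-WindowsFeature -Name AD-Domain-Services
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

[pscustomobject]@{
    'OS is 2008 R2 SP1 or higher' = $osOk
    '64-bit OS'                   = $is64
    '.NET Framework 3.5 SP1'      = $net35Ok
    '.NET Framework 4.x'          = $net4Ok
    'AD DS role installed'        = [bool]$adds.Installed
    'Promoted to DC'              = $isDc
} | Format-List
```

Every row should read `True` before you start the installer; a `False` in the .NET rows is the usual reason the setup wizard refuses to continue.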
Test Lab Environment:
- Active subscription for Azure Active Directory
- On-premise AD server (Windows Server 2012)
- Azure AD connect tool
Synchronizing on-premise AD to Azure AD involves the following steps:
1. Create Azure AD and Activate Azure AD Connect
- Log in to the Azure management console.
- From the left hand bottom portion of the menu click “New”.
- A new page opens; in it navigate to NEW > APP SERVICES > ACTIVE DIRECTORY > DIRECTORY and click CUSTOM CREATE as shown below.
- Provide the name for your directory, choose your domain name and the country of your choice.
- Now the Azure Active Directory has been created successfully.
- To activate the Directory Sync for the created AD, from the left pane select Active Directory, then in the Active Directory page, click the Azure AD and select the DIRECTORY INTEGRATION tab. Then click ACTIVATED and finally click SAVE to confirm the changes.
- Now Azure AD Sync has been activated successfully.
2. Download and Install Azure AD Connect tool in on-premise AD
- Log in to the Windows Azure management console from your base machine.
- In the DIRECTORY INTEGRATION menu of your Azure AD, scroll to the bottom section and download the Azure AD Connect tool as shown below.
After downloading the Azure AD Sync tool, proceed with the installation steps shown below.
- Agree to the license agreement and privacy rules, then click Continue.
- Choose whether you would go with an express installation or a customized installation. In this blog, I will be using the customized installation.
- Now provide the credentials of a user account with administrator permissions in the on-premise AD to grant the permission to install the Azure AD Connect synchronization service, and click Install.
- Select the single sign-on method for user sign-in as below and click Next.
- Connect to Azure Active Directory by providing the credentials of a global admin user pre-existing in the directory and click Next.
- Enter the connection information for your on-premise directory or forests and click Add Directory.
- Since we do not have a verified custom domain, tick the check box saying "continue without verified domains" (users will not be able to use on-premise credentials for Azure AD sign-in) and click Next.
- In the next dialog box, you will be provided with the option to sync all the domains or the selected domain.
- Select the domain of your choice and click next.
- Select how the users should be identified in your on-premise directory and click Next.
- In the selected domain, you can further choose whether to include all users and groups or only a selected group and its users.
- I have typed in my group name azure and clicked Resolve to have the parameters below auto-populated.
- Click Next.
- Select other enhanced functionality if required by your organization and click Next.
- The Azure AD Connect tool is now ready to synchronise the on-premise AD with Azure AD. Click Install to complete the process.
- The configuration is now complete and you can verify in your Azure AD that the user accounts have been created.
Below are the two users that were created and added to the azure group for demo purposes.
To confirm the sync between on-premise AD and Azure AD, log in to the Windows Azure management console and navigate to Active Directory > Azure AD > Users. In the Users list, I can now confirm that the user account created in on-premise AD is synchronized with Windows Azure AD as shown below.
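The portal check above confirms the two demo accounts by eye. The following PowerShell script is an added example (not part of the original post) that does the same check from the command line and in both directions: it lists the on-premise users inside the filtering group, forces a delta sync, and compares the result with the directory-synced users in the tenant. It assumes it runs on the Azure AD Connect server (which in this lab is also the domain controller, so the ActiveDirectory and ADSync modules are present), that the MSOnline module is installed for the tenant side, and that the sync scope is the group named azure from the walkthrough. Because the lab continued without a verified domain, cloud UPNs carry the tenant's default suffix and would not match on-premise UPNs, so the comparison is keyed on the ImmutableId (the base64 form of the on-premise objectGUID) instead.

```powershell
# Added verification script (not from the original post). Assumes the ActiveDirectory,
# ADSync and MSOnline modules, and that the group "azure" is the sync filtering scope.
$ScopeGroup = 'azure'

Import-Module ActiveDirectory
Import-Module ADSync

# 1. What the on-premise side intends to sync: user members of the filtering group.
#    Azure AD stores the on-premise objectGUID, base64-encoded, as ImmutableId; key on that,
#    because UPN suffixes are rewritten when no custom domain is verified.
$onPrem = @{}
Get-ADGroupMember -Identity $ScopeGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    ForEach-Object {
        $id = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        $onPrem[$id] = $_.SamAccountName
    }

# 2. Force a delta sync cycle and wait until the scheduler reports it finished.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. What the tenant actually holds: users that carry a LastDirSyncTime are directory-synced.
Connect-MsolService   # prompts for the global admin used during setup
$info = Get-MsolCompanyInformation
"DirSync enabled: $($info.DirectorySynchronizationEnabled); last sync: $($info.LastDirSyncTime)"

$cloud = @{}
Get-MsolUser -All |
    Where-Object { $null -ne $_.LastDirSyncTime -and $_.ImmutableId } |
    ForEach-Object { $cloud[$_.ImmutableId] = $_.UserPrincipalName }

# 4. Diff in both directions. "Missing" = in scope but not in the cloud yet;
#    "unexpected" = synced although outside the group, i.e. a wider scope than intended.
$missing    = $onPrem.Keys | Where-Object { -not $cloud.ContainsKey($_) }
$unexpected = $cloud.Keys  | Where-Object { -not $onPrem.ContainsKey($_) }

"In-scope users on-premise : $($onPrem.Count)"
"Synced users in Azure AD  : $($cloud.Count)"
foreach ($id in $missing)    { "Not yet synchronized      : $($onPrem[$id])" }
foreach ($id in $unexpected) { "Synced outside '$ScopeGroup' : $($cloud[$id])" }
```

With the two demo users in the azure group, both counts should be 2 and neither list should print anything. An entry in the "synced outside" list means the filtering configured in the wizard is wider than the group you intended, which is worth catching before more accounts than necessary are exposed to the cloud.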
With this, we have synchronized the on-premise AD with Windows Azure AD using the Azure AD Connect tool.