How to sync on-premises Active Directory to Azure Active Directory with Azure AD Connect?

Synchronizing users’ identities between local and cloud directories is a great way to let users access different resources on both on-premises and cloud environments with just a single set of credentials. To achieve that, you need to use Microsoft Entra Connect (Azure AD Connect) to integrate your on-premises Active Directory with Entra ID (Azure AD).

In this article, you will find some guidance on how to use Azure AD Connect to sync on-premises Active Directory with Microsoft Entra ID.

Azure AD Connect

Azure AD Connect is a tool that combines the functionality of its two predecessors, Windows Azure Active Directory Sync (commonly referred to as DirSync) and Azure AD Sync (AAD Sync). Azure AD Connect is now the only directory synchronization tool supported by Microsoft, as DirSync and AAD Sync are deprecated and were supported only until April 13, 2017.

Before installation

Before starting the installation process, make sure that you:

  • are on the server that will handle the synchronization
  • checked all the prerequisites. You can find more details here.
  • downloaded Azure AD Connect. You can download it from Microsoft’s website.
  • have a verified domain in Azure Active Directory. Users whose UPN suffix is a non-routable domain (such as .local) cannot be matched to a verified domain, so they are synchronized with the tenant’s default onmicrosoft.com suffix instead.

NOTE: Microsoft recommends that the UPN suffix of synchronized users matches a domain verified in Office 365. If your on-premises domain is non-routable, see this article on how to fix it.

Installation

There are a few ways to install Azure AD Connect, depending on your needs. Since installation with Express Settings is probably the most common scenario, I will use it as the example in this article. Express Settings is the option to go with if you have a single forest and use password hash synchronization. Bear in mind that the AD DS connector account Express Settings creates (an MSOL_ account in your domain) is granted the Replicating Directory Changes and Replicating Directory Changes All permissions so that it can read password hashes, and the server also stores the credentials of the synchronization account in your Entra ID tenant. Harden, patch and monitor the Azure AD Connect server as strictly as a domain controller and do not use it for anything else.

NOTE: all actions below are performed on a test Office 365 environment.

  1. Once you have downloaded Azure AD Connect, navigate to the Windows Installer Package (.msi) and double-click the file.

    Double-click Azure AD Connect file to start it.
  2. In the Microsoft Azure Active Directory Connect wizard, agree to the license terms by checking the box. Click Continue.

    Azure AD Connect - welcome page.
  3. If you have a verified domain, the wizard will suggest Use Express Settings. Click it to start the configuration. If you are using a non-routable domain, like .local, the wizard will recommend the Customize option instead.

    Azure AD Connect - Customize settings.
  4. In the resulting window, provide your Azure AD global administrator credentials. Click Next.

    Azure AD Connect - connect to Azure.
  5. Now connect to AD DS using Enterprise Admin credentials (the wizard uses them only during installation, e.g. to create the AD DS connector account; they are not stored). Click Next.

    Azure AD Connect - connect to AD DS.
  6. If you have not added or verified your domain in Entra ID (Azure AD), the wizard shows the Azure AD sign-in configuration page, flagging the UPN suffixes that are not verified. Make sure that you follow these instructions to add or verify the domain.

    Azure AD Connect - sign-in configuration.
  7. In the Ready to configure window, you can put the final touches to the configuration by checking or unchecking the available options. In this walkthrough I do not want the synchronization to start automatically, so I unchecked the “Start the synchronization process when configuration completes” option.

    Azure AD Connect - ready to configure page.
  8. Install Azure AD Connect.

Use PowerShell to manage synchronization

If you unchecked the “Start the synchronization process when configuration completes” box in the Ready to configure step of Azure AD Connect, you need to start the synchronization manually. You can do it via PowerShell, using the ADSync module that the installer registers on the server.

Check current synchronization settings

To check the current state of the synchronization settings, use this cmdlet:

Get-ADSyncScheduler

Cmdlet Get-ADSyncScheduler.

Manually start the synchronization

To start the initial synchronization run this cmdlet:

Start-ADSyncSyncCycle -PolicyType Initial

Cmdlet Start-ADSyncSyncCycle -PolicyType Initial.

To start the delta synchronization use this cmdlet:

Start-ADSyncSyncCycle -PolicyType Delta

Cmdlet Start-ADSyncSyncCycle -PolicyType Delta.

Customize the synchronization time intervals

To change the default 30-minute (00:30:00) sync cycle interval, execute the following cmdlet:

Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:40:00

To customize the sync interval, use the hh:mm:ss format, e.g. 00:40:00 sets a 40-minute sync cycle interval.

Change time interval for AD SyncScheduler.

NOTE: Setting an interval shorter than 30 minutes is not supported; the minimum the scheduler permits is reported by Get-ADSyncScheduler as AllowedSyncCycleInterval. This is what I get when trying to set the customized interval to e.g. 10 minutes:

Customize interval time.

Run the Get-ADSyncScheduler cmdlet to check your settings. The time interval you set should appear next to the CustomizedSyncCycleInterval parameter.

Check time interval settings.
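As an added example (this is my own script, not code from the original article), the following PowerShell wraps the cmdlets above into three small functions: one that waits for a running cycle to finish, one that validates a custom interval against the minimum the scheduler reports before applying it, and one that triggers a sync cycle and blocks until it completes. It assumes the ADSync module installed with Azure AD Connect and an elevated PowerShell session on the synchronization server; the function names Wait-ADSyncCycle, Set-SyncInterval and Start-SyncAndWait are my own.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the Azure AD Connect server; the ADSync module ships with the product.
Import-Module ADSync

function Wait-ADSyncCycle {
    # Poll the scheduler until no sync cycle is in progress, or give up after the timeout.
    param([int]$TimeoutSeconds = 1800, [int]$PollSeconds = 10)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "Timed out after $TimeoutSeconds s waiting for the running sync cycle to finish."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

function Set-SyncInterval {
    # Apply a custom cycle interval, but refuse values below the minimum the
    # scheduler permits (AllowedSyncCycleInterval, normally 00:30:00) up front.
    param([Parameter(Mandatory)][timespan]$Interval)
    $sched = Get-ADSyncScheduler
    if ($Interval -lt $sched.AllowedSyncCycleInterval) {
        throw ("Interval {0} is below the allowed minimum of {1}." -f $Interval, $sched.AllowedSyncCycleInterval)
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    # Return what is actually in effect, which is what the scheduler will use.
    (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval
}

function Start-SyncAndWait {
    # Trigger a Delta or Initial cycle and block until the scheduler reports it finished.
    param([ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta')
    $sched = Get-ADSyncScheduler
    if ($sched.StagingModeEnabled) {
        Write-Warning 'Staging mode is enabled: the cycle imports and synchronizes but does NOT export to Entra ID.'
    }
    # Start-ADSyncSyncCycle errors out if a cycle is already running, so wait first.
    Wait-ADSyncCycle
    $result = Start-ADSyncSyncCycle -PolicyType $PolicyType
    Write-Host ("Sync cycle ({0}) requested: {1}" -f $PolicyType, $result.Result)
    Start-Sleep -Seconds 5   # give the scheduler a moment to flag the cycle as in progress
    Wait-ADSyncCycle
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
        CurrentlyEffectiveSyncCycleInterval, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

# Usage:
# Set-SyncInterval -Interval ([timespan]'00:40:00')
# Start-SyncAndWait -PolicyType Delta
```

The StagingModeEnabled check is there because a server in staging mode runs its cycles normally but never exports, so a "successful" run on such a server changes nothing in Entra ID; checking it before you trigger a cycle saves a confusing half hour.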

Monitor the synchronization via Synchronization Service Manager

To monitor and manage directory synchronization, you can use the Synchronization Service Manager console:

  1. To open Synchronization Service Manager, go to the Start menu and type Synchronization Service. It should appear under Azure AD Connect.
  2. In the Synchronization Service Manager console, on the Operations tab, you can monitor the synchronization progress. The upper part of the window lists the connector runs (import, synchronization and export steps) with their status, and the lower part shows how many objects the selected run added, updated or deleted.

    Results of cmdlet start-adsynccycle.
  3. Sign in to Office 365 portal.
  4. In the Office 365 portal, go to Users > Active Users to see which users are already synchronized with Entra ID (Azure AD).

    Users in Azure AD after synchronization.

Filter Organizational Units before synchronizing them to Entra ID (Azure AD)

If you need to limit the synchronization to only selected Organizational Units (OUs), you can use the filtering option in Azure AD Connect. Bear in mind that already synchronized objects which fall out of scope after a filter change are removed from Entra ID (Azure AD) on the next full synchronization, so review the pending changes before you export them.

Important! Before adjusting any filter options, disable the Azure AD Sync Scheduler so that you do not push any unwanted or unverified changes to Office 365. Note that disabling the scheduler only prevents new cycles from starting; a cycle that is already running will finish. You can use the following cmdlet to disable the scheduler:

Set-ADSyncScheduler -SyncCycleEnabled $False

To enable the scheduler again, run the following cmdlet:

Set-ADSyncScheduler -SyncCycleEnabled $True

To filter Organizational Units:

  1. Open Azure AD Connect.
  2. In the Domain and OU filtering section, unselect the OUs you don’t want to synchronize (by default all OUs are selected).

    Domain and OU filtering in Azure AD Connect.

If for some reason you are not able to run the Azure AD Connect wizard, you can filter Organizational Units via Synchronization Service Manager instead (although it is not the preferred method):

  1. Open Synchronization Service from the start menu.
  2. Go to the Connectors tab.
  3. Right-click the connector of type Active Directory Domain Services (your on-premises domain) and select Properties.

    Active Directory Domain Services - Properties.
  4. In the resulting window, click Configure Directory Partitions, select the domain under Select directory partitions, and click Containers.

    Configure directory partitions.
  5. Provide credentials with read access to your on-premises Active Directory (it does not have to be the AD DS connector account that is pre-populated in the dialog box):

    Provide admin credentials to access a list of containers with OUs.
  6. Now you can unselect OUs you don’t want to synchronize to Entra ID. Click OK.

    Select containers you want to unselect in directory synchronization.
  7. As a final step of this configuration, Microsoft suggests verifying the changes before exporting them to Entra ID: run a Full Import and then a Full Synchronization on the Active Directory Domain Services connector, and review the pending exports on the Azure AD connector (Search Connector Space with the Pending Export scope) to confirm that only the objects you expect are about to be added, updated or deleted.
  8. After you have verified the configuration and accepted the changes, go to Connectors, right-click the Azure AD connector and click Run.
  9. In the Run Connectors dialog box, select Export.
  10. Now you can enable the Azure AD Sync Scheduler again with the following cmdlet (Azure AD Connect 1.1 and later use this built-in scheduler; only older builds relied on a Windows Task Scheduler task):
    Set-ADSyncScheduler -SyncCycleEnabled $True
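Here is an added example (my own script, not part of the original article) that turns the safety rail described above into a reusable maintenance window: disable the scheduler, let any in-flight cycle drain, run the manual change (the wizard or Synchronization Service Manager steps, represented here by a Read-Host pause), queue a full (Initial) cycle if you have not already run the full import and synchronization by hand, and re-enable the scheduler in a finally block so a failed change cannot leave synchronization switched off. The function name Invoke-ADSyncMaintenance and its parameters are my own; it assumes the ADSync module on the Azure AD Connect server and an elevated PowerShell session.

```powershell
# Added example, not from the original article. Requires the ADSync module on the
# Azure AD Connect server and an elevated PowerShell session.
Import-Module ADSync

function Invoke-ADSyncMaintenance {
    param(
        # The manual work to do while the scheduler is off (wizard or Synchronization
        # Service Manager changes); a Read-Host pause is the simplest placeholder.
        [Parameter(Mandatory)][scriptblock]$Change,
        # Queue a full (Initial) cycle afterwards. Skip this if you already ran a Full
        # Import, Full Synchronization and Export by hand in Synchronization Service Manager.
        [switch]$FullSyncAfter
    )
    $before = Get-ADSyncScheduler
    if (-not $before.SyncCycleEnabled) {
        Write-Warning 'The scheduler was already disabled; it will be left disabled afterwards.'
    }
    Set-ADSyncScheduler -SyncCycleEnabled $false
    # Disabling only stops new cycles from starting; let an in-flight one finish so the
    # change is not applied halfway through an import/export.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
    try {
        & $Change
        if ($FullSyncAfter) {
            # Scope changes need a full import and synchronization to drop objects that
            # are now out of scope; make the next scheduled cycle an Initial one.
            Set-ADSyncScheduler -NextSyncCyclePolicyType Initial
        }
    }
    finally {
        # Restore the previous state even if the change script threw, so a failed
        # maintenance step cannot silently leave directory sync switched off.
        Set-ADSyncScheduler -SyncCycleEnabled $before.SyncCycleEnabled
    }
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress,
        NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

# Usage: pause while you adjust OU filtering, then let the scheduler run a full cycle.
# Invoke-ADSyncMaintenance -FullSyncAfter -Change {
#     Read-Host 'Adjust OU filtering now, verify the pending exports, then press Enter'
# }
```

The try/finally is the point of the wrapper: an exception in the middle of the change (or an admin closing the window) otherwise leaves SyncCycleEnabled at $false, and nobody notices until password changes stop reaching the cloud.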

That’s it! Now you have local Active Directory synchronized with Azure Active Directory and all changes made to on-premises AD will be reflected in the Cloud, as per your settings.


34 thoughts on “How to sync on-premises Active Directory to Azure Active Directory with Azure AD Connect?”


  1. Does the tool only create a hybrid environment?
    Or can I sync with the tool to Azure AD and shut down the local Active Directory afterwards?

    • AAD Connect doesn’t create a hybrid – it only syncs users to the cloud.
      If you want to shut down the local Active Directory and have a cloud-only environment, neither AAD Connect nor Hybrid Configuration Wizard is the way to go – you will end up with remote mailboxes and a lot of configuration pain. Once you create a hybrid environment, it’s recommended to leave the latest on-prem server for administration purposes.
      Apart from that, AAD Connect doesn’t migrate any mailbox content, so you’ll end up with empty Microsoft 365 organization.
      To sum it up, if you really want to migrate to a cloud-only organization, CodeTwo Office 365 Migration is the best way.

  2. Hi and thanks for your great post, I have already seen this article too “ How to merge an Office 365 account with an on-premises AD account after hybrid configuration?” and I still have a doubt.

    Imagine this is a lab. I’m not an expert on Exchange and just set up an AD with Azure AD Connect to import users, but now I want to allow my local users to get an Office 365 account with my on-prem users. How can I achieve this?

    Or if there is a way to enable a local user to have an Office 365 mailbox.

    Regards,

    • Local users with Office 365 mailboxes is a pretty standard hybrid environment. You can read more about setting it up in this article.

  3. Our Azure AD was originally synced in 2016, to create our users.
    After a one-time sync we turned the sync off. All new users have since been manually added to O365. We would now like to sync our on-premises AD user passwords with AAD, but don’t want to sync everyone’s passwords. How can we do this without deleting any AAD users?

  4. Article uses the term “non-reputable” in several places where I think you mean “non-routable”. Articles about mail servers, spam, and domain registrars use the term “non-reputable”, but the context indicates “non-routable” would be the correct term.

  5. Hi Sir

    I’m new on Exchange 2016 hybrid mode. My question is do I need to sync all on-premises mail enabled users to the AAD then online mailbox can check each on-premises users from address list?

    Thanks

    • Hi Johnny,
      After you sync a mail-enabled user to AAD, this user should be able to see both on-premises and cloud contacts. I’m not sure if this answers your question.

  6. Under “Filter Organizational Units before synchronizing them to Azure AD” it’s necessary to provide admin-credentials.
    But if you used the fast-way whilst setup, the account is automatically generated by the wizard and sets a password without showing it for user “MSOL_…”.
    What’s the right way to set a new user with an “admin-known” password?
    Thanks in advance,
    Jan

    • If the account is generated automatically, you can use either ADUC, or the Set-ADAccountPassword cmdlet to reset the account’s password.

  7. This is the modern replacement from Microsoft for Dirsync. Dirsync had a recommendation that it should be installed on a server in the domain but not installed on a domain controller. Any restrictions of that nature or any experience recommendations in that regard with ad connect?

  8. Hopefully someone still monitors this thread. haha.

    I have an on-premises AD with all my users.

    I also have an O365 environment where everyone’s email addresses are hosted.

    Is there a way to link/sync the two together without having to recreate everyone’s accounts in O365? I’d realistically just like to sync the accounts so changes made in one place are reflected in the other and one set of credentials can be used.

    thanks,

  9. Hi,

    I wonder if someone can help me out? I was told that Office 365 users and groups were entered manually and now users in on-premises AD and Office 365 are completely different when logging on.

    If I am going to use AD Connect to sync on-premises to Office 365, are there going to be any issues?

    If there is, what is the best method to clean this up?

    Thank you,

    • Hi Felix,
      Ideally, you would use the procedure from this article, alternatively, you can perform SMTP matching, explained here.

  10. Hi, thanks for the article. I want to ask:
    I created a new server with AD. I want all people to log in to their computers using their Office 365 password.
    Can I use this method?

  11. Hi there
    I’ve got a 365 tenant with all my users but I want to setup a new On-Premise DC. Do I have to setup all the users locally first then sync or can I create the sync and it’ll pull down my users from 365 into a new domain

    • Hi Sam,
      I am afraid that you will not be able to simply sync users to the on-premises server, automatically. Unless something has changed recently, directory synchronization handled by AAD Connect is one-way only (that is, on-prem to the cloud). Your best bet would be to export users (including their properties) from Office 365, import those users to the on-premises server and configure the sync then. Here is an article which describes what to do in this kind of scenario.

  12. I wonder if anyone can help me? I’ve come to a new place of work where they have a local AD, and also Office 365, but the two currently are not sync’d – completely separate. The local AD domain is *.local, and the 365 domain is *.org.uk. User names in AD and 365 are the same, however, with the exception of the differing domain suffix. What we want to happen is for local equivalent accounts to be merged with their 365 counterparts, so that effectively, mailboxes will be preserved, and single sign on is achieved. Is there a way to do this? Thanks.

  13. hello !!
    can any one please suggest me below queries
    1 i need to sync from AD to office 365
    2 is there any free tool
    3 what is the configuration for AD synch

    • Hi Sarf,
      Yes, there is a free tool to synchronize on-premises AD to Office 365. It is called Azure AD Connect and, quite ironically, you have posted questions about this tool under the article which answers them all. I recommend reading through the article above and asking more detailed questions if you still have any doubts.

  14. After syncing our on-premises AD users to Azure AD, password sync is done, but now some of the members have “rsp.onmicrosoft.com” and not the custom domain they previously had. Please provide a solution asap.

  15. Your command is correct in the image but incorrect in the area to copy and paste from. You have :
    Start-ADSyncCycle –PolicyType Delta
    It should be:
    Start-ADSyncSyncCycle –PolicyType Delta

  16. Hello Adam,
    As I understand it, this would be a two-way sync, right? Could you confirm that the following scenario is possible using AD Connect?

    So imagine the following scenario:
    – A user adds a new contact to his address book in the 365 environment (or it is added automatically by a 3rd party like Zapier)
    – Its synced to appear in the on premise Exchange server
    – He can use the contact object within his usual outlook client

    Is this scenario possible?
