Synchronizing users’ identities between local and cloud directories is a great way to let users access different resources on both on-premises and cloud environments with just a single set of credentials. To achieve that, you need to use Microsoft Entra Connect (Azure AD Connect) to integrate your on-premises Active Directory with Entra ID (Azure AD).
In this article, you will find some guidance on how to use Azure AD Connect to sync on-premises Active Directory with Microsoft Entra ID.
Azure AD Connect
Azure AD Connect is a tool that connects functionalities of its two predecessors – Windows Azure Active Directory Sync, commonly referred to as DirSync, and Azure AD Sync (AAD Sync). Azure AD Connect will be now the only directory synchronization tool supported by Microsoft as DirSync and AAD Sync are deprecated and supported only until April 13, 2017.
Before installation
Before starting the installation process, make sure that you:
- are on the server that will handle the synchronization
- checked all the prerequisites. You can find out more details here.
- downloaded Azure AD Connect. You can download it from this Microsoft’s website.
- have a verified domain in Azure Active Directory – non-routable domains (such as .local) may not sync properly.
NOTE: Instead of a non-routable domain, Microsoft recommends using a verified domain that seamlessly matches a verified domain in Office 365. If you have a non-routable domain see this article on how to fix it.
Installation
There are a few ways to install Azure AD Connect depending on your preferences. As the installation via Express Settings is perhaps the most commonly used scenario, I will use it as an example in this article. Express Settings is an option to go if you have a single-forest and use password synchronization.
NOTE: all actions below are performed on a test Office 365 environment.
- Once you downloaded Azure AD Connect, navigate to Windows Installer Package (.msi) and double-click on the file.
- In the Microsoft Azure Active Directory Connect wizard, agree to the license terms by checking the box. Click Continue.
- If you have a verified domain, the Use Express Settings option will be highlighted to go with. Click on it to start the configuration. If you are using a non-routable domain, like .local, the wizard will recommend going with the Customize option.
- In the resulting window, provide your Azure AD global administrator credentials. Click Next.
- Now, connect to AD DS using your enterprise administration credentials. Click Next.
- If you didn’t add or verify your domain in Entra ID (Azure AD), you will see the Azure AD sign-in configuration section in the wizard. Make sure that you followed this instruction to add or verify the domain.
- In the Ready to configure window, you can put some final touches to the configuration by checking or unchecking available options. In this instruction, I do not want the synchronization to start automatically, so I unchecked the “Start the synchronization process when configuration completes” option.
- Install Azure AD Connect.
Use PowerShell to manage synchronization
If you unchecked the “Start the synchronization process when configuration completes” box in the Configure section in Azure AD Connect, you need to start the synchronization manually. You can do it via PowerShell.
Check current synchronization settings
To check the current state of the synchronization settings, use this cmdlet:
Get-ADSyncScheduler
Manually start the synchronization
To start the initial synchronization run this cmdlet:
Start-ADSyncSyncCycle –PolicyType Initial
To start the delta synchronization use this cmdlet:
Start-ADSyncSyncCycle –PolicyType Delta
Customize the synchronization time intervals
To change the default 30-minute (00:30:00) sync cycle interval, execute the following cmdlet:
Set-ADSyncScheduler –CustomizedSyncCycleInterval 00:40:00
To customize the sync interval, use the HH:MM:SS format, e.g. 00:40:00 will set 40-minute sync cycle interval.
NOTE: Setting interval time under 30 minutes is not supported. This is what I get when trying to set up the customized interval to e.g. 10 minutes:
Run the Get-ADSyncScheduler
cmdlet to check your settings. The time interval you set should appear next to the CustomizedSyncCycleInterval parameter.
Monitor the synchronization via Synchronization Service Manager
To monitor and manage directory synchronization, you can use the Synchronization Service Manager console:
- To open Synchronization Service Manager, go to Start menu and type Synchronization Service. It should appear under the Azure AD Connect.
- In the Synchronization Service Manager console, under Operations tab, you can monitor the synchronization progress. The upper part of the window shows ongoing sync cycles and the lower part presents what number of modifications is already synchronized.
- Sign in to Office 365 portal.
- In Office 365 portal, go to Users >Active Users to see, which users are already synchronized with Entra ID (Azure AD).
Filter Organizational Units before synchronizing them to Entra ID (Azure AD)
If you need to limit the synchronization to only selected Organizational Units (OUs), you can use the filtering option in Azure AD Connect.
Important! Before adjusting any filter options, disable Azure AD Sync Scheduler. Thanks to that, you will not push any unwanted or not verified changes to Office 365. You can use the following cmdlet to disable the scheduler:
Set-ADSyncScheduler –SyncCycleEnabled $False
To enable the scheduler again, run the following cmdlet:
Set-ADSyncScheduler –SyncCycleEnabled $True
To filter Organizational Units:
- Open Azure AD Connect.
- In the Domain and OU filtering section, unselect the OUs you don’t want to synchronize (by default all OUs are selected).
If for some reason you are not able to run Azure AD Connect wizard, you may filter Organizational units via Synchronization Service (although it is not a preferred method):
- Open Synchronization Service from the start menu.
- Go to the Connectors tab.
- Right click on the domain of Active Directory Domain Services type and select Properties.
- In the resulting window, click on Configure Directory Partitions, select the domain in the Select directory partition section, and click Containers.
- Provide your admin credentials:
- Now you can unselect OUs you don’t want to synchronize to Entra ID. Click OK.
- As a final step of this configuration, Microsoft suggests to verify the changes before exporting them to Entra ID.
- After you verify your configuration and accept the changes, go to Connectors. Right click on Azure AD Connector, then click Run.
- In the Run Connectors dialog box, select Export.
- Now you can enable the Azure AD Sync Scheduler again. To start it, use the following cmdlet
Set-ADSyncScheduler –SyncCycleEnabled $True
or Task Scheduler.
That’s it! Now you have local Active Directory synchronized with Azure Active Directory and all changes made to on-premises AD will be reflected in the Cloud, as per your settings.
Check also:
good article ..thanks….how i can filter devices from not joining to hybrid AD ? is there any way?
Thanks! As for your question – you can filter them by groups. See this article for more info: Scoped synchronization for Microsoft Entra Domain Services – Microsoft Entra ID
Does the tool only create a hybrid environment.
Or can i sync with the tool to azure ad en shut down the local active directory after.
AAD Connect doesn’t create a hybrid – it only syncs users to the cloud.
If you want to shut down the local Active Directory and have a cloud-only environment, neither AAD Connect nor Hybrid Configuration Wizard is the way to go – you will end up with remote mailboxes and a lot of configuration pain. Once you create a hybrid environment, it’s recommended to leave the latest on-prem server for administration purposes.
Apart from that, AAD Connect doesn’t migrate any mailbox content, so you’ll end up with empty Microsoft 365 organization.
To sum it up, if you really want to migrate to a cloud-only organization, CodeTwo Office 365 Migration is the best way.
Hi and thanks for your great post, I have already seen this article too “ How to merge an Office 365 account with an on-premises AD account after hybrid configuration?” and I still have a doubt.
Imagine this is a lab, I’m not an experto on exchanges and just set up a AD with Azure Ad connect to import users, but now I want to allow my local users to get an Office 365 account with my on prem users how can I achieve this ?
Or if there is a way to enable local user yo have an Office 365 mail box.
Regards,
Local users with Office 365 mailboxes is a pretty standard hybrid environment. You can read more about setting it up in this article.
Our Azure AD was originally synced in 2016, to create our users.
After a one time sync we turned the sync off. All new users have since been manually added to O365. We would now like to sync our on premise AD user passwords with the ADD. But don’t want to sync everyone’s passwords. How can we do this without deleting any ADD users.
You could run SMTP matching, explained in this article. If you don’t want to sync everyone’s passwords, you might need to look at AAD Connect filtering.
Article uses the term “non-reputable” in several places where I think you mean “non-routable”. Articles about mail servers, spam, and domain registrars use the term “non-reputable”, but the context indicates “non-routable” would be the correct term.
Thank you, you are right! I’ve just corrected it. I’m not sure how I missed it before.
Hi Sir
I’m new on Exchange 2016 hybrid mode. My question is do I need to sync all on-premises mail enabled users to the AAD then online mailbox can check each on-premises users from address list?
Thanks
Hi Johnny,
After you sync a mail-enabled user to AAD, this user should be able to see both on-premises and cloud contacts. I’m not sure if this answers your question.
Under “Filter Organizational Units before synchronizing them to Azure AD” it’s necessary to provide admin-credentials.
But if you used the fast-way whilst setup, the account is automatically generated by the wizard and sets a password without showing it for user “MSOL_…”.
What’s the right way to set a new user with an “admin-known” password?
Thanks in advance,
Jan
If the account is generated automatically, you can use either ADUC, or the Set-ADAccountPassword cmdlet to reset the account’s password.
This is the modern replacement from Microsoft for Dirsync. Dirsync had a recommendation that it should be installed on a server in the domain but not installed on a domain controller. Any restrictions of that nature or any experience recommendations in that regard with ad connect?
When it comes to installation guidelines – it has not changed. It is still recommended not to install the sync tool on a domain controller. More info at Prerequisites for Azure AD Connect.
hopefull someone still monitors this thread. haha.
i have an on premise ad with all my users.
i also have an o365 environment where everyone’s email addresses are hosted.
is there a way to link/sync the two together without having to recreate everyone’s accounts in O365? i’d realistically just like to sync the accounts so changes made in one place are reflected on the other and one set of credentials can be used.
thanks,
Your situation and a way to solve the issue you are having have been explained thoroughly in the article: How to merge an Office 365 account with an on-premises AD account after hybrid configuration?.
Hi,
I wonder if someone can help me out? I was told that office 365 users and groups were enter manually and now users on Premise AD and office 365 are completely different when logon.
If I am going to use AD Connect to syn on Promise to office 365, is there going to be any issues?
If there is, what is the best method to clean this up?
Thank you,
Hi Felix,
Ideally, you would use the procedure from this article, alternatively, you can perform SMTP matching, explained here.
Hi, Thank for the article.. i want to ask,
i create new server with AD, i want all people login to their computer using their office 365 password.
can i use this method ?
Hi Fixle,
Yes, Azure AD Connect allows you to sync Office 365 passwords to local AD thanks to the password writeback feature.
Hi there
I’ve got a 365 tenant with all my users but I want to setup a new On-Premise DC. Do I have to setup all the users locally first then sync or can I create the sync and it’ll pull down my users from 365 into a new domain
Hi Sam,
I am afraid that you will not be able to simply sync users to the on-premises server, automatically. Unless something has changed recently, directory synchronization handled by AAD Connect is one-way only (that is, on-prem to the cloud). Your best bet would be to export users (including their properties) from Office 365, import those users to the on-premises server and configure the sync then. Here is an article which describes what to do in this kind of scenario.
I wonder if anyone can help me? I’ve come to a new place of work where they have a local AD, and also Office 365, but the two currently are not sync’d – completely separate. The local AD domain is *.local, and the 365 domain is *.org.uk. User names in AD and 365 are the same, however, with the exception of the differing domain suffix. What we want to happen is for local equivalent accounts to be merged with their 365 counterparts, so that effectively, mailboxes will be preserved, and single sign on is achieved. Is there a way to do this? Thanks.
AAD Connect syncs UPNs and passwords. To perform the directory synchronization, you need to change your primary domain in the on-prem Active Directory. As a matter of fact, in the article, I have included the link to a guide which should help you solve your problem: Prepare a non-routable domain for directory synchronization.
hello !!
can any one please suggest me below queries
1 i need to sync from AD to office 365
2 is there any free tool
3 what is the configuration for AD synch
Hi Sarf,
Yes, there is a free tool to synchronize on-premises AD to Office 365. It is called Azure AD Connect and, quite ironically, you have posted questions about this tool under the article which answers them all. I recommend reading through the article above and asking more detailed questions if you still have any doubts.
After sync our On-premises AD users to the Azure AD,password sync done ,but now some of the members had ” rsp.onmicrosoft.com” not the custom domain they previously had. please provide solution asap.
Have you configured the Office 365 tenant to use your custom domain? Here is an MS guide on how to do this: Change your email address to use your custom domain.
Your command is correct in the image but incorrect in the area to copy and paste from. You have :
Start-ADSyncCycle –PolicyType Delta
It should be:
Start-ADSyncSyncCycle –PolicyType Delta
Hi Dustin,
Thanks for pointing out! I’ve just corrected it.
Hello Adam,
as I understand it this would be a two-way-sync, right? Could you confirm that the following scenario is possible using AD Connect?
So imagine the following scenario:
– A user adds a new contact to his adress book in the 365 environment (or it is added automatically by a 3rd party like Zapier)
– Its synced to appear in the on premise Exchange server
– He can use the contact object within his usual outlook client
Is this scenario possible?
very good artical