You can integrate your Office 365 subscription with your existing local (on-premises) directory service based on Active Directory Domain Services (AD DS). You can configure automatic synchronization of AD user accounts, groups, and contacts with Azure. As a result, you can manage your user accounts for both environments.
Office 365 uses Azure Active Directory (Azure AD) tenant for authenticating to access cloud resources. When you configure Active Directory with Office 365 synchronization, your users are actually synchronized with Azure AD. In this article, we will look at how to configure directory synchronization of the on-premises Active Directory with Azure AD (Office 365).
How to Install and Configure Azure AD Connect?
To synchronize an Azure AD tenant with on-premises AD, a tool called Azure AD Connect is used. You can download the tool from Microsoft's download page or from your Azure Portal.
This is an MSI installer package you should install on one of your on-premises servers. This server must meet the following system requirements:
- Windows Server 2012 R2 and later;
- PowerShell 3.0 and later;
- .Net Framework 4.5 installed.
Azure AD Connect allows you to synchronize not only user accounts but also user password hashes from AD to Office 365.
Before setting up Azure AD Connect, it’s important to prepare your on-premises Active Directory users. You must fill in the following AD attributes, which must match the Office 365 users attributes:
- ProxyAddresses (this is a required attribute). For example, the value SMTP:user@theitbros.com becomes the Office 365 primary SMTP address;
- UserPrincipalName (UPN) (this is a required attribute), corresponds to the login name on Office 365;
- DisplayName;
- GivenName;
- Mail;
- MailNickName;
- SamAccountName.
Hint. You can connect to Office 365 using the MSOnline PowerShell module and change the login address as follows:
Set-MsolUserPrincipalName -UserPrincipalName user@olddomain.com -NewUserPrincipalName user@newdomain.com
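Before the first sync it is worth checking the attributes listed above in bulk rather than user by user. The following script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is available, and the OU path and the list of verified tenant domains are placeholders you must replace.

```powershell
# Added example (not from the original article): pre-flight check of the AD attributes
# that Azure AD Connect expects, run before the first synchronization.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Office365Users,DC=theitbros,DC=com'   # assumed OU that will be synced (OU filtering)
$VerifiedDomains = @('theitbros.com')                         # assumed domains verified in the Office 365 tenant

$Props = 'UserPrincipalName','DisplayName','GivenName','mail','mailNickname','proxyAddresses','sAMAccountName'
$Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $Props

$Report = foreach ($u in $Users) {
    $problems = New-Object System.Collections.Generic.List[string]

    # Required: UPN present and its suffix is a domain the tenant accepts as a login name
    $suffix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[-1] } else { $null }
    if (-not $suffix) {
        $problems.Add('UPN missing')
    } elseif ($VerifiedDomains -notcontains $suffix) {
        $problems.Add("UPN suffix '$suffix' is not a verified domain")
    }

    # Required: exactly one primary SMTP address (upper-case 'SMTP:' prefix) in proxyAddresses
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems.Add("expected 1 primary SMTP: address, found $($primary.Count)")
    } elseif ($u.mail -and ($primary[0].Substring(5) -ne $u.mail)) {
        $problems.Add("primary SMTP '$($primary[0].Substring(5))' differs from mail '$($u.mail)'")
    }

    # Remaining attributes from the list above should not be empty
    foreach ($attr in 'DisplayName','GivenName','mail','mailNickname') {
        if (-not $u.$attr) { $problems.Add("$attr empty") }
    }

    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.sAMAccountName
            UPN            = $u.UserPrincipalName
            Problems       = ($problems -join '; ')
        }
    }
}

# Only users with at least one problem are listed; an empty table means the OU is ready to sync
$Report | Format-Table -AutoSize
```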
When installing Azure AD Connect, you will need to specify:
- Your Office 365 tenant global admin credentials;
- The on-premises domain administrator credentials;
- Authentication method: PHS, PTA or federated.
It is advisable to configure the OU Filtering. In this case, only users from the specified Organizational Units will synchronize with Office 365.
Also, you can select the password synchronization options and some other items.
How to Manually Force Sync Active Directory to Office 365?
By default, Active Directory synchronization runs every 30 minutes from the server on which Azure AD Connect is installed.
Together with Azure AD Connect, a dedicated PowerShell module (ADSync) is installed.
You can use this module to force a manual synchronization from the on-premises Active Directory environment to Azure Active Directory with the following commands:
Import-Module adsync
Start-ADSyncSyncCycle -PolicyType Delta
This command launches AD delta synchronization (all changes are synchronized since the last successful sync).
You can check your sync scheduler settings with the command:
Get-ADSyncScheduler
You can change the sync cycle interval with the command:
Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:10:00
To run the full synchronization, use the command:
Start-ADSyncSyncCycle -PolicyType Initial
Note. Keep in mind that the manual sync doesn’t sync user passwords.
If Azure AD Connect is not syncing users, groups or passwords, try restarting the synchronization service on your local server and check that the specified credentials are correct.
You can check your AD synchronization status in the Office 365 portal (DirSync Status).