Hello, in our previous articles we covered the IdFix tool and changing the UPN of our users:
- What is Microsoft IdFix and How to Use It – Cengiz YILMAZ
- Changing User UPN with PowerShell – Cengiz YILMAZ
What is Azure AD Connect (Entra ID Connect)?
Azure AD Connect is the tool that synchronizes on-premises user infrastructures with Microsoft Azure AD. It replaces the previous tools DirSync and AAD Sync, and Microsoft no longer releases separate updates for those tools; all improvements are provided through Azure AD Connect. Azure AD Connect automatically deploys all the prerequisites and components required for synchronization operations and sign-in methods.
Azure AD Connect Setup Information
- It is recommended to install Azure AD Connect on a separate server. Installation on a Domain Controller is not recommended and Windows Server Core editions are not supported.
- The server where Azure AD Connect will be installed must have Windows Server 2012 or later operating system. The server must have .NET Framework 4.5 and PowerShell 3.0 or later installed.
- On the Azure AD Connect server, the Group Policy feature related to PowerShell Transcription should not be enabled.
- When using Federation Services (ADFS) with Azure AD Connect, ADFS and Web Application Proxy (WAP) servers must be running on Windows Server 2012 R2 or later. Additionally, Windows Remote Management (WinRM) must be enabled. A valid SSL certificate is required for the ADFS installation, and the name used for ADFS must be resolvable.
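The setup requirements above can be checked before the installer is run. The following script is an added example written for this article, not part of Azure AD Connect or of the original post; it is meant to be run in an elevated PowerShell session on the candidate server and maps each bullet point to one check (the registry locations and the DomainRole values it relies on are standard Windows locations, the pass/fail labels are my own).

```powershell
# Added example (not from the original article): pre-flight check of the Azure AD
# Connect setup requirements listed above. Run it elevated on the candidate server.
function Test-AadConnectPrerequisites {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # Windows Server 2012 is NT 6.2; anything older fails
    $os = [System.Environment]::OSVersion.Version
    $results['OS is Windows Server 2012 or later'] = ($os -ge [Version]'6.2')

    # Must not be a Domain Controller: DomainRole 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $results['Not a Domain Controller'] = ($role -lt 4)

    # Server Core is not supported; InstallationType reads "Server Core" there
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $results['Not a Server Core edition'] = ($installType -ne 'Server Core')

    # .NET Framework 4.5 or later: the Release DWORD for 4.5 is 378389
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    $results['.NET Framework 4.5 or later'] = ($null -ne $release -and $release -ge 378389)

    # PowerShell 3.0 or later
    $results['PowerShell 3.0 or later'] = ($PSVersionTable.PSVersion.Major -ge 3)

    # The PowerShell Transcription Group Policy must not be enabled on this server
    $transcriptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    $transcription = (Get-ItemProperty $transcriptKey -ErrorAction SilentlyContinue).EnableTranscripting
    $results['PowerShell Transcription policy not enabled'] = ($transcription -ne 1)

    foreach ($check in $results.GetEnumerator()) {
        $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $status, $check.Key)
    }

    # $true only when every requirement passed
    return -not ($results.Values -contains $false)
}

Test-AadConnectPrerequisites
```

The ADFS-related requirements (Windows Server 2012 R2 on the ADFS and WAP servers, WinRM, a valid SSL certificate and resolvable name) apply to other machines and are not checked here.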
Microsoft Azure AD Connect Installation and Configuration
Azure AD Connect is used to synchronize your on-premises Active Directory environment with Microsoft Azure AD. Before starting the synchronization process, you can download Azure AD Connect from the Azure Active Directory portal: in the left menu, the “Azure AD Connect (Entra ID Connect)” option lets you download it directly. Alternatively, use the link I provided:
- Microsoft Azure Active Directory Connect – Official Microsoft Download Center
- Run the downloaded application. The “Welcome to Azure AD Connect” screen will greet you; accept the license agreement here and continue with the 'Continue' button.
- On the “Express Settings” screen, choose the 'Express Settings' option for a quick setup or 'Customize' for a more detailed configuration. If you are planning to build a hybrid structure, continue with the 'Customize' option.
- The 'Install required components' screen offers the following options:
- Specify a custom installation location: Allows you to change the installation directory.
- Use an existing SQL Server: You can create a new instance on an existing SQL Server and use that server as the database.
- Use an existing service account: You can use a dedicated user account for the Azure AD Connect service.
- Specify custom sync groups: You can define custom synchronization groups. This allows you to use user-defined groups instead of the default four groups.
- Import Synchronization Setting: If you have an export file for your old configuration, you can import it with this option.
- You can start the installation with the 'Install' button.
- On the 'User Sign-in' screen, the following sign-in options are presented for users:
- Password Hash Synchronization: This method allows users' password hashes in the local Active Directory to be synchronized to Office 365 and Azure environments, allowing users to sign in to Office 365 and Azure services directly with their passwords in the local AD.
- Pass-through Authentication and Seamless Single Sign-On: This method allows users in local AD to sign in to Office 365 services with their local password information without synchronizing their passwords to Azure Active Directory. Users' passwords are verified by local AD controllers and when the Seamless Single Sign-On (SSO) option is enabled, it is possible to sign in directly without the need for ADFS architecture.
- Federation with AD FS or PingFederate: This method allows users to sign in to Office 365 using Active Directory Federation Services (AD FS) with the same passwords they use in their local Active Directory. Signing in is done through AD FS servers in your organization.
- Federation with PingFederate: This method allows users to sign in to Office 365 and Azure services with the same credentials they use in their local environment. Users are directed to locally installed PingFederate instances to sign in, and authentication is performed through that system.
- On the 'Connect to Azure AD' screen, enter a user with Global Administrator authority to connect to Azure AD.
- In the configuration screen named “Connect your directories”, a connection is established to the selected forest by entering the authorized user information required for Active Directory. You have two options for entering user information:
- Using the “Create new AD account” button, you can create a new account with Enterprise Admin credentials. This is the recommended method, especially during installation, because it provides security and ease of management.
- With the “Use existing AD Account” option, you can use a pre-existing user account. This option allows you to preserve existing users and permission structures.
Once the connection is established, if you have previously verified your own domain name in Azure AD, it will be marked as “Verified”. If you are going to use a new domain, this domain will also need to be verified in Azure AD.
The domain I added as UPN came up as “Verified” because it was added and verified on the O365 side. If I had continued as “cozumpark.com.tr”, we would have had to add this domain to the O365 side. If we need to list the things to be done for a hybrid structure, the order is as follows:
- UPN change
- Testing with the IdFix tool
- Testing of Outlook connectivity and Outlook Autodiscover services
- Domain adding and verification process on the O365 side
- Azure AD Connect installation and configuration
We completed the UPN change and the IdFix check before installing AD Connect.
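Before the UPN change and domain verification steps, it helps to know which on-premises users carry a UPN suffix that is not verified in the tenant, since those are the accounts that will end up under onmicrosoft.com after synchronization. The following script is an added example written for this article, not part of the original post or of any Microsoft tool; it assumes the ActiveDirectory module is available and takes the verified domain list as a parameter (the default domain, the search base and the output path are constructed sample values).

```powershell
# Added example (not from the original article): list enabled AD users whose UPN
# suffix is missing or is not among the domains verified in Azure AD.
function Get-UnroutableUpnUsers {
    [CmdletBinding()]
    param(
        # Domains that show as "Verified" in Azure AD (constructed sample default)
        [string[]]$VerifiedDomains = @('contoso.com'),
        # Optional OU to scope the query to the containers you plan to synchronize
        [string]$SearchBase
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'userPrincipalName', 'mail'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }

    Get-ADUser @params | ForEach-Object {
        $upn = $_.UserPrincipalName
        # A missing UPN or a suffix such as .local cannot be routed and will be
        # replaced by the onmicrosoft.com suffix on the Office 365 side
        $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1].ToLowerInvariant() } else { $null }
        if (-not $suffix -or $verified -notcontains $suffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Suffix            = $suffix
                Mail              = $_.mail
            }
        }
    }
}

# Usage (constructed values): export the affected users as input for the UPN change step
Get-UnroutableUpnUsers -VerifiedDomains 'contoso.com' -SearchBase 'OU=Users,DC=corp,DC=local' |
    Export-Csv -Path .\unroutable-upns.csv -NoTypeInformation
```

Run this against the same OUs you intend to select in the Domain and OU filtering step, so that the list matches what Azure AD Connect will actually synchronize.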
- In the Azure AD sign-in configuration section, Azure AD Connect lists all the User Principal Name (UPN) suffixes found in the local Active Directory. On this page, the userPrincipalName attribute represents the identities that users use when signing in to Azure AD and Office 365 services. An important note: UPNs that cannot be routed (such as .local) are registered under “onmicrosoft.com” on the Office 365 side.
- In the Domain and OU filtering section, the domains and Organizational Units (OUs) to be synchronized by Azure AD Connect are selected. With the “Synchronize selected domains and OUs” option you can select only specific OUs and domains. You can change this configuration at any time.
- In the Uniquely identifying your users section, we will specify how users in the AD DS forest will appear in Azure AD. Each user can be represented only once in the forest or can have a combination of active and inactive accounts. I'm going with the default settings.
- In the “Filter users and devices” window, you can restrict synchronization to specific objects. It provides group-based synchronization: you can create a group in on-premises Active Directory and add the users and groups that should be synchronized with Azure AD to this group. Nested groups are not supported.
- In the Optional Features section, Azure AD Connect offers various optional features to suit various scenarios:
- Exchange Hybrid Deployment: It is used in migration scenarios between simultaneously active on-premises Exchange servers and Office 365.
- Exchange Mail Public Folders: Provides synchronization of public folder objects from on-premises AD to Azure AD.
- Azure AD App and Attribute Filtering: Activates feature filtering.
- Password Hash Synchronization: Synchronizes users' password hashes to Azure AD; whether it is needed depends on the scenario.
- Password WriteBack: Ensures that password changes made in Azure AD are written back to local AD.
- Group Writeback: If Office 365 Groups are used, it also activates the relevant groups in local AD.
- Device Writeback: Allows devices registered in Azure AD to be written back to local AD.
- Directory Extension Attribute Sync: Provides synchronization of certain properties to Azure AD.
Our choice is “Exchange Hybrid Deployment”, and we move forward with it. When you click the 'Next' button, the tool starts preparing the necessary components. If you select the “Start the synchronization process when configuration completes” option, the synchronization process will start automatically when the installation is complete.
When “Enable staging mode” is selected, synchronization will not export any data to AD or Azure AD; you can review the following article for details.
After all the settings are done, click the 'Install' button to start the installation and configuration process. When the installation is complete, you will be presented with information that Azure AD Connect has been successfully installed and that the synchronization process will start.
Azure AD Connect Synchronization Control
After the installation and configuration process is complete, we can open the Synchronization Service Manager application. This application is located in your installation directory and can be accessed via a file named miisclient.
- After the installation, the necessary connectors between on-premises Active Directory (AD) and Azure AD have been created and the synchronization process has been completed successfully.
- Now, we can review the latest synchronization information by opening the Azure Active Directory console. In the Azure AD console, we can check if the synchronization process is active.
- We can examine the synchronized users by going to the users section in the Azure Active Directory console. In this section, we can observe how the users in on-premises AD appear in Azure AD.
With the Azure AD Connect application, object syncing occurs every 30 minutes.
If you want, you can trigger the sync process manually with PowerShell; likewise, if we had not selected the “Start the synchronization process when configuration completes” option before installation, we would have had to trigger the sync process manually.
Synchronization with Azure AD Connect PowerShell
To manage Azure Active Directory synchronization operations, we first need to include the ADSync module in our system:
Import-Module ADSync
- To check the current configuration and timing of our sync process, we can use the following PowerShell command. This command displays the sync duration and the start time of the next sync:
Get-ADSyncScheduler
- If we want to initiate a full synchronization, that is, to ensure that all objects are synchronized with Azure AD for the first time or re-synced, we can use the following command:
Start-ADSyncSyncCycle -PolicyType Initial
- Delta synchronization process synchronizes only the objects that are changed or newly added. This increases efficiency and prevents unnecessary data transfer. We can use the following command to start the delta synchronization process:
Start-ADSyncSyncCycle -PolicyType Delta
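The four commands above can be combined into a small wrapper that reads the scheduler state first, refuses to start a cycle while one is already running, warns when staging mode is on (the cycle will then export nothing) and waits for the connectors to go idle. The following script is an added example written for this article, not code from the original post or from the ADSync module; it assumes it is run on the Azure AD Connect server by a member of the ADSyncAdmins group, and that the ADSync cmdlets and scheduler property names behave as shown here.

```powershell
# Added example (not from the original article): run a Delta or Initial sync cycle
# with the state checks a practitioner would want before and after triggering it.
function Invoke-AadSyncCycle {
    [CmdletBinding()]
    param(
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',
        [int]$TimeoutMinutes = 30
    )

    Import-Module ADSync -ErrorAction Stop

    $scheduler = Get-ADSyncScheduler

    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning 'The scheduler is disabled (SyncCycleEnabled = False); the 30-minute automatic cycle will not run.'
    }
    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'Staging mode is enabled: this cycle will import and synchronize but export nothing to AD or Azure AD.'
    }
    if ($scheduler.SyncCycleInProgress) {
        throw 'A sync cycle is already in progress; wait for it to finish before starting another.'
    }

    Write-Host ("Next scheduled cycle: {0} UTC ({1})" -f $scheduler.NextSyncCycleStartTimeInUTC, $scheduler.NextSyncCyclePolicyType)

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    Write-Host "Started a $PolicyType sync cycle."

    # Get-ADSyncConnectorRunStatus lists the connectors currently running; empty means idle
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $running = Get-ADSyncConnectorRunStatus
        if ($running) {
            $names = $running | ForEach-Object { "$($_.ConnectorName) [$($_.RunState)]" }
            Write-Host ('Running: ' + ($names -join ', '))
        }
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        Write-Warning "Timed out after $TimeoutMinutes minutes; connectors are still running."
        return $false
    }

    Write-Host 'Sync cycle finished; review the run history in Synchronization Service Manager (miisclient) for errors.'
    return $true
}

# Usage: a delta cycle is the normal choice; use -PolicyType Initial only for a full re-sync
Invoke-AadSyncCycle -PolicyType Delta
```

Use Initial only when a full re-synchronization is intended, as it re-reads every object in the selected OUs rather than just the changes since the last cycle.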
In our next article, we will cover the Hybrid Wizard setup.