Integrating your on-premises directories with Azure Active Directory makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides features such as password hash synchronization, pass-through authentication, federation integration, and health monitoring.
In this series of blog posts, I go through some of the installation and configuration options that are available for Azure AD Connect. I begin with the express installation option, as it is the easiest and the most common. In the next parts of the series, I'll discuss some of the other options we have, such as the custom installation option and more.
Express Installation
When you launch the Azure AD Connect installation wizard, you are prompted to either use express settings or customize the installation experience.
For the purpose of this first part of the series, we select use express settings, which will:
- Configure synchronization of identities in the current Active Directory forest
- Configure password hash synchronization from on-premises Active Directory to the Azure AD tenant
- Start the initial synchronization
- Synchronize all attributes, and
- Enable the option to automatically upgrade
This option applies to most environments, and we will go through the custom installation in the next part of this series.
Connect to Azure AD
The express installation option presents the initial screen requesting Azure AD global administrator credentials.
Enter the username in the format of username@verifieddomain.co.za or username@tenant.onmicrosoft.com, followed by the associated password. If you hover over the blue question mark, you'll see that these credentials are used only to configure Azure features and to create a separate, more limited account that is used for periodic synchronization.
Connect to on-premises AD
The next screen requests an on-premises Active Directory account that is a member of the Enterprise Admins group.
These credentials are used to create the local Active Directory account that is used only for synchronization, and to assign the correct permissions to that account. The format can be either username@domain.co.za or DOMAIN\username.
Azure AD sign-in configuration
To use on-premises credentials for Azure AD sign-in, UPN suffixes should match one of the verified custom domains in Azure AD.
In my case, I have one of the domains verified. This can also be confirmed in Azure under custom domains of the Azure AD tenant.
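The verified-domain requirement is the one step in the express path that is easy to get wrong silently: a user whose UPN suffix is not a verified domain is still synchronized, but with a tenant.onmicrosoft.com UPN, so the on-premises credentials do not sign in as expected. The following PowerShell is an added example, not part of the original post or of the Azure AD Connect wizard. It assumes the ActiveDirectory RSAT module on a domain-joined machine and the AzureAD module with an existing Connect-AzureAD session, and it reports every enabled on-premises user whose UPN suffix is not verified in the tenant.

```powershell
# Added example: check on-premises UPN suffixes against verified Azure AD domains
# before running the express installation. Assumes RSAT ActiveDirectory and the
# AzureAD module, and that Connect-AzureAD has already been run.
Import-Module ActiveDirectory
Import-Module AzureAD

# Domains the tenant has verified (custom domains plus the default onmicrosoft.com)
$verifiedDomains = (Get-AzureADDomain | Where-Object { $_.IsVerified }).Name

# UPN suffixes registered at forest level (root domain plus any added suffixes)
$forest = Get-ADForest
$forestSuffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)

# Every enabled user account and the suffix it actually carries
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$report = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        # No UPN at all: the sync will fall back to a non-routable name
        $suffix = '<none>'
    } else {
        $suffix = ($u.UserPrincipalName -split '@')[-1]
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        Suffix         = $suffix
        Verified       = $verifiedDomains -contains $suffix
    }
}

# Forest suffixes that exist on-premises but are not verified in the tenant
$forestSuffixes | Where-Object { $verifiedDomains -notcontains $_ } |
    ForEach-Object { Write-Warning "UPN suffix '$_' is not verified in Azure AD" }

# Users who would end up with a tenant.onmicrosoft.com UPN after synchronization
$report | Where-Object { -not $_.Verified } | Sort-Object Suffix, SamAccountName |
    Format-Table SamAccountName, UPN, Suffix -AutoSize

# Count per suffix, useful for deciding whether to verify a domain or re-suffix users
$report | Group-Object Suffix | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it before clicking Install, fix whatever it lists (verify the domain under custom domains in the tenant, or change the affected users' UPN suffix), and re-run until the non-verified list is empty.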
Ready to configure
Just as the wizard promised, below is a summary of what will happen when you go ahead and click Install.
To avoid synchronization conflicts, do not deploy more than one active server. I’ll go through supported scenarios and options in a future post in this series.
In an environment that’s not already configured, clicking install here configures the service and starts synchronization with Azure AD.
Summary
Taking a quick look at the Azure Active Directory blade, we see that Azure AD Connect sync is enabled.
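The portal blade shows only that sync is enabled. On the Azure AD Connect server itself, the ADSync module that the installer ships can confirm the scheduler state, the effective sync interval, staging mode and the outcome of the last connector runs. The script below is an added example, not part of the original post or of Microsoft's documentation; it assumes it is run in an elevated PowerShell session on the server where Azure AD Connect was just installed.

```powershell
# Added example: post-install health check on the Azure AD Connect server.
# Assumes an elevated session on the server itself; the ADSync module is
# installed by Azure AD Connect.
Import-Module ADSync

# Scheduler state: the express install enables the sync cycle and leaves
# staging mode off, which is what a single active server should show.
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled,
                       StagingModeEnabled,
                       SchedulerSuspended,
                       SyncCycleInProgress,
                       CurrentlyEffectiveSyncCycleInterval,
                       NextSyncCycleStartTimeInUTC |
    Format-List

if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Sync cycle is disabled; no changes will flow to the tenant.'
}
if ($sched.StagingModeEnabled) {
    Write-Warning 'Server is in staging mode; it imports but does not export.'
}

# Tenant-side features as seen by this server; express settings enable
# password hash synchronization.
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync, UserWriteback, DeviceWriteback

# Connector run status: anything other than an empty result means a run is
# still in progress on that connector.
$running = Get-ADSyncConnectorRunStatus
if ($running) {
    $running | Format-Table -AutoSize
} else {
    'No connector run in progress.'
}

# Connectors configured by the wizard: one for the on-premises forest and one
# for the Azure AD tenant.
Get-ADSyncConnector | Select-Object Name, Type
```

If the scheduler reports that a cycle is still in progress shortly after installation, that is the initial synchronization the express option starts for you; wait for it to finish before comparing object counts with the tenant.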
The express settings option is quick, easy and applicable in most deployments. In the next parts of the series, I’ll cover the customized installation path and take a closer look at some of the objects that are created on-premises in Active Directory and in the Azure AD tenant.
References
- Microsoft Azure Active Directory Connect Download
- What is hybrid identity?
- What is Azure AD Connect?
- Add your custom domain name using the Azure Active Directory portal
Till next time…