How To Synchronize on-premises Active Directory to Azure AD

This guide will show you how to connect and synchronize your on-premises Active Directory to Microsoft Azure Active Directory.

 

Prerequisites

• This guide assume that your on-premises Active Directory is configured on one of these operating systems: (Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019).
• Make sure you have properly configured UPN Suffix for your on-premises domain if your domain name is (something.local). Azure AD doesn't support (.local) domain name.

 

Configure UPN Suffix

When you synchronize your on-premises active directory with Microsoft Azure AD, you have to have a verified domain in Azure Active Directory. If you currently use a ".local" domain for your user accounts in on-premises AD DS, it's recommended that you change them to use a verified domain, such as username@techsupportpk.com, in order to properly synchronize with your Microsoft Azure AD.

In other words, the domain has to be a valid Internet domain (such as, .com, .org, .net, .us). You can fix this issue by either changing your primary domain in your on-premises AD DS, or by adding one or more UPN suffixes.

Changing your on-premises domain name is a very involved process, however, and an easier solution is to create UPN Suffix as described below.

On the AD DS domain controller, in the Server Manager choose Tools > Active Directory Domains and Trusts. 

 

 

In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then choose Properties.

 

On the UPN Suffixes tab, in the Alternative UPN Suffixes box, type your new UPN suffix or suffixes, and then choose Add > Apply.

Choose OK when you're done adding suffixes.

To change the UPN suffix for all existing users, open Server Manager choose Tools > Active Directory Users and Computers.

Select a user, or you can select all users at once, right-click, and then choose Properties.

On the Account tab, in the click UPN suffix, choose the new UPN suffix, and then Apply> OK.

If you have a lot of user accounts to update, it's easier to use PowerShell. The following example uses the cmdlets Get-ADUser and Set-ADUser to change all techsupportpk.local suffixes to techsupportpk.com in AD DS.

$LocalUsers = Get-ADUser -Filter "UserPrincipalName -like '*techsupportpk.local'" -Properties userPrincipalName -ResultSetSize $null
$LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("@techsupportpk.local","@techsupportpk.com"); $_ | Set-ADUser -UserPrincipalName $newUpn}

 

Prepare Azure Active Directory

Open up a web browser, enter https://portal.azure.com/ in the browser address bar, login with your registered account.

 

Navigate to Azure Active Directory.

Click Custom domain names

 

 

Click Add custom domain

 

Enter your on-premises Active Directory domain name, click Add domain

 

At this point, you should create a DNS record using the on screen provided information with your domain name registrar DNS to verify your domain ownership.

 

 

Once DNS record is created with your domain name registrar, click Verify to initiate verification.

 

Upon successful verification, your domain name will be marked as verified. To make your domain name primary, click on your domain name.

.

Click Make primary

 

Navigate to Users, click New user

 

Create your new user like an example below:

Note down auto generated password for your new user, and make sure your new user has Global Administrator role as you can see in above screenshot.

Once you are finished creating new user, navigate to https://aad.portal.azure.com/, login with your new user as shown in example below:

 

Click Next. 

Enter your new user's auto generated password, and click Sign in.

 

This will prompt you to update your auto generated password as shown in screenshot below:

 

At this stage your Azure AD preparation is completed.

Install Azure AD Connect

You will need to download Azure AD connect tool from Microsoft official website, and install it directly on your Domain Controller or on any of the domain joined machine.

 

Click Continue

 

Click Customize

 

 

Click Install

 

This will take a moment

It is recommended to use Password Hash Synchronization method, click Next

 

Enter your username and password your created earlier on Azure AD, and click Next.

Click Add Directory

 

 

Keep Create new AD account option, enter your on-premises Active Directory enterprise administrator credentials:

Click OK

 

Click Next

 

 

Azure AD domain and on-premises domain is matched and verified, as we have already created the same domain name on Azure AD using the custom domain name in earlier step.

Click Next.

Keep the default and click Next

 

Keep the default and click Next

 

Keep the default selection Synchronize all users and devices, click Next

 

If you want, your Azure AD to write back password to your on-premises AD, you can select Password writeback option.

 

Click Next

 

Select Start the synchronization process when configuration completes.

 

Click Next

 

This will take a moment to configure synchronization.

Click Exit.

At this stage, navigate to https://aad.portal.azure.com/, then click Users, you will notice that your on-premises AD users showing in Azure AD which means your Synchronization was successful. You can also verify your on-premises AD groups synchronization by navigating to Azure AD Groups section.

 

You can also verify Synchronization status from Azure AD Connect Synchronization Service Manager

You can also manually rerun these operations any time to synchronize on-premises Active Directory to reflect changes to your Azure AD.

 

Conclusion

We hope that this guide was helpful to connect and synchronize your on-premises active directory to your azure active directory.