Step-By-Step: Syncing An On Premise AD with Azure Active Directory

SyncADtoAzureAD0

Enterprise Mobility has become top of mind for organizations big and small as of late. Extending beyond the need of just mobile device management, the focus has evolved to securely enabling people within an organization with information pertinent to their success. With this in mind, Microsoft’s Enterprise Mobility Suite addresses Mobile Device Management (MDM), Mobile Application Management (MAM), information protection and identity/access management.

To start, let’s take into consideration how users can be enabled to authenticate seamlessly between on premise and in cloud. The Azure Active Directory tool, previously known as DirSync, provides this capability enabling the end user to authenticate seamlessly and securely via online or on premise. Said offering creates an easier way for people at an organization to utilize a single sign on authenticator to take advantage of online productivity suites such as Office 365.

This Step-By-Step is the first step in terms of deploying said Microsoft Enterprise Mobility solution and invoking the single sign on capability.

Prerequisites

The following are required to complete this Step-By-Step:

  1. A domain joined server running Windows Server 2008 SP2 or higher
     
    or
     
    A domain joined server running Windows Server 2008 R2 SP1 or higher
     

  2. An active Microsoft Azure subscription. View Step-By-Step: Creating a Windows 2012 R2 Lab on Windows Azure should you require to setup your lab
     

  3. An Internet Domain Name will allow your users to authenticate to
     
    Note: It is not mandatory for the Internet Domain Name to match with your Active Directory Domain Name
     

Step 1: Configuring the Internet Domain Name for use with Azure Active Directory

  1. Navigate to https://manage.windowsazure.com on your browser
     

  2. Select ACTIVE DIRECTORY found near the bottom of the right hand side menu
     
    SyncADtoAzureAD1

  3. In the Active Directory window, click your provided Directory Name
     

  4. In the Directory window, click DOMAINS found in the top menu
     
    SyncADtoAzureAD2

  5. Click the ADD button located in the menu at the bottom of the page
     

  6. On the ADD DOMAIN page, enter the Internet Domain Name to be utilized for the sync
     
    SyncADtoAzureAD3

  7. Click the checkmark box enabling the ability for single sign-on with your local Active Directory
     

  8. Click ADD to complete the task of adding the domain

 

Step 2: Configuring the Internet Domain Name for use with Azure Active Directory

  1. Return back to the ACTIVE DIRECTORY window
     

  2. Select DIRECTORY INTEGRATION found in the top menu
     
    SyncADtoAzureAD4

  3. Select ACTIVATED
     

  4. Click SAVE located in the menu at the bottom of the page
     

Step 3: Configuring the sync of the on premise AD users and passwords to Azure Directory

  1. Download the Azure Active Directory Sync Tool
     

  2. Install the Azure Active Directory Sync Tool on a domain controller with Administrative rights
     
    Note: The Azure Active Directory Sync Tool can be installed on a domain joined computer. The sync will fail however if the computer is disabled.
     

  3. On the first Azure Active Directory Sync Setup window, click Next
     

  4. On the next window, Accept the Terms and click Next
     

  5. On the next window, specify the installation path or leave the default and click Next
     

  6. Click Next once the installation is complete
     

  7. On the first Azure Active Directory Sync Configuration Wizard window, click Next
     

  8. On the next window, provide your Microsoft Azure credentials and click Next
     
    SyncADtoAzureAD5
     

  9. On the next window, provide your administrative Windows Active Directory credentials and click Next
     
    SyncADtoAzureAD6
     
    Note: It is recommended to use a service administrative account instead of an administrators account should said administrator leave the organization
     

  10. Enable Hybrid Deployment by clicking the provided box click Next
     
    Note: Various Microsoft Online Services such as Office 365 provide features that work best when certain directory information can be controlled by the online service. Directory objects, such as users, are synchronized from your on-premises directory are modified in the Azure Active Directory. These changes are then written back to your on-premises directory for on-premises applications to consume. The Directory Sync tool will not be given the permission to modify all attributes in your directory. Only those attributes that can be written back from Azure Active Directory will have permission to be modified. This step is not crucial for this lab however will be required in future labs.
     

  11. Enable Password Sync by clicking the provided box and click Next

    SyncADtoAzureAD7

  12. Click Next to complete the installation
     

  13. Ensure Synchronize your directories is selected and click Finish

 

Now completed, your on premise Active Directory is now synced with your Azure Active Directory. Future posts will build on this lab to enable additional functionality provided in Microsoft Enterprise Mobility Solutions and other similar offerings. To further your learning regarding Microsoft Azure, visit Microsoft Virtual Academy and complete the Azure for IT Pros Jump Start.