You can integrate your Office 365 subscription with your existing on-premises Active Directory Domain Services (AD DS). Automatic synchronisation of AD user accounts, groups, and contacts to Azure can be configured, so that user credentials for both environments are managed from a single place.
Office 365 uses an Azure Active Directory (Azure AD) tenant to control access to cloud resources. When you configure Active Directory synchronisation with Office 365, your users are synchronised into Azure AD. In this article we look at how to set up directory synchronisation between on-premises Active Directory and Azure AD (Office 365).
How to Install and Configure Azure AD Connect?
A utility named Azure AD Connect is used to synchronise an Azure AD tenant with on-premises AD. The tool can be downloaded from this URL or from your Azure Portal.
It is an MSI installer package that you install on one of your on-premises servers. This server must meet the following system requirements:
- Windows Server 2012 R2 or later;
- PowerShell 3.0 or later;
- .NET Framework 4.5 installed.
You can synchronise not only users but also user passwords (hashes) from AD to Office 365 using Azure AD Connect.
It is important to prepare your on-premises Active Directory users before setting up Azure AD Connect. The following AD attributes must be populated, because they have to match the corresponding Office 365 user attributes:
- ProxyAddresses (required). For example, the value SMTP:firstname.lastname@example.org corresponds to the user's Office 365 primary SMTP address;
- UserPrincipalName (UPN) (required), which corresponds to the user's login name in Office 365.
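Before enabling synchronisation it is worth auditing the OU you intend to sync for accounts whose attributes would not line up with an Office 365 identity. The following script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, and $SearchBase and $VerifiedDomains are placeholders for your own OU and the domains verified in your tenant.

```powershell
Import-Module ActiveDirectory

$SearchBase      = 'OU=Office365Users,DC=example,DC=org'  # placeholder OU
$VerifiedDomains = @('example.org')                      # placeholder verified domains

function Test-SyncReadiness {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string[]]$VerifiedDomains
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties UserPrincipalName, proxyAddresses |
    ForEach-Object {
        $user   = $_
        $issues = New-Object System.Collections.Generic.List[string]
        # The UPN becomes the Office 365 login name. Its suffix must be a domain
        # verified in the tenant, otherwise Azure AD rewrites it to onmicrosoft.com.
        if (-not $user.UserPrincipalName) {
            $issues.Add('UPN missing')
        } elseif ($VerifiedDomains -notcontains $user.UserPrincipalName.Split('@')[-1]) {
            $issues.Add("UPN suffix not verified: $($user.UserPrincipalName)")
        }
        # The prefix is case sensitive: upper-case 'SMTP:' marks the primary
        # address, lower-case 'smtp:' an alias. Exactly one primary is allowed.
        $primary = @($user.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
        switch ($primary.Count) {
            0 { $issues.Add('No primary SMTP: address in proxyAddresses') }
            1 {
                if ($VerifiedDomains -notcontains $primary[0].Split('@')[-1]) {
                    $issues.Add("Primary SMTP domain not verified: $($primary[0])")
                }
                # Alignment of UPN and primary address is recommended, not mandatory.
                if ($user.UserPrincipalName -and $primary[0].Substring(5) -ne $user.UserPrincipalName) {
                    $issues.Add('Primary SMTP address differs from UPN (recommended to match)')
                }
            }
            default { $issues.Add("$($primary.Count) primary SMTP: addresses (only one allowed)") }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Issues         = ($issues -join '; ')
            }
        }
    }
}

Test-SyncReadiness -SearchBase $SearchBase -VerifiedDomains $VerifiedDomains | Format-Table -AutoSize
```

Only accounts with at least one finding are listed; an empty result means the OU is ready to be included in OU filtering.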
You can connect to Office 365 using the MSOnline PowerShell module and change the login address as follows:
Set-MsolUserPrincipalName -UserPrincipalName email@example.com -NewUserPrincipalName firstname.lastname@example.org
When installing Azure AD Connect, you will need to specify:
- Your Office 365 tenant global admin credentials;
- The on-premises domain administrator credentials;
- Authentication method: PHS, PTA or federated.
It is advisable to configure OU filtering, so that only users from the specified Organizational Units are synchronised to Office 365.
You can also select the password synchronisation options and a few other settings.
How to Manually Force Sync Active Directory to Office 365?
By default, Active Directory synchronisation is performed every 30 minutes from the server on which Azure AD Connect is installed.
Together with Azure AD Connect, a dedicated Azure Active Directory PowerShell module (ADSync) is installed.
You can use this module to force a manual synchronisation from the on-premises Active Directory environment to Azure Active Directory with the following commands:
Import-Module adsync
Start-ADSyncSyncCycle -PolicyType Delta
This command starts a delta synchronisation of AD (all changes since the last successful sync are synchronised).
You can check your sync scheduler settings with the Get-ADSyncScheduler command.
You can change the sync cycle interval with the command:
Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:10:00
To run the full synchronization, use the command:
Start-ADSyncSyncCycle -PolicyType Initial
The manual sync does not sync user passwords.
If Azure AD Connect is not syncing users, groups, or passwords, try restarting the synchronisation service on your local server and double-checking the credentials.
In the Office 365 portal, you can check the progress of your AD synchronisation (DirSync Status).