Complete Guide to Installing Azure AD Connect

Installing Azure AD Connect is a crucial step in synchronizing on-premises identities with Azure Active Directory. You'll need to download the Azure AD Connect installation package from the Microsoft Download Center.

The installation package is available in different versions, including the Express, Custom, and Password Hash Synchronization (PHS) versions. Each version has its own set of features and requirements.

To ensure a smooth installation process, it's essential to have a domain administrator account with the necessary permissions. This will allow you to configure the Azure AD Connect server and synchronize user identities.

The Azure AD Connect installation process involves several steps, including preparing the environment, installing the software, and configuring the synchronization settings.

Your on-prem Active Directory domain and Azure environment must meet specific requirements before installing Azure AD Connect.

First, ensure your local domain is routable, or set up an alternate UPN suffix that matches your verified domain in 365. You can find more information on how to do this on Microsoft's documentation.

The Azure AD Connect server must be joined to your on-prem AD domain, and the server must meet a specific PowerShell Execution Policy prerequisite. The policy must be configured to allow signed PowerShell scripts to run, which can be checked using the Get-ExecutionPolicy command.

To configure the Execution Policy, navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell in your group policy. Set the "Turn on Script Execution" policy to "Enabled" and choose "All local scripts and remote signed scripts" from the dropdown list.

Network connectivity is also crucial. Ensure that the Azure AD domain for your AD Connect installation and synching has a green tick with the word "Healthy" in the Status column. If you're using a proxy, check that it's configured correctly, with the proxy address, port, and bypass on local settings all properly set.

Here are the key prerequisites you need to meet:

By meeting these prerequisites, you'll be well on your way to a successful Azure AD Connect installation.

To join your server to the on-prem domain, you'll need to ensure it's running a compatible operating system. Windows Server 2019 is supported, but if you're using Windows Server 2022, check if Microsoft has started supporting it yet.

Make sure your server is running the correct operating system, as installing Azure AD Connect on an unsupported version will cause issues. If you're using Windows Server 2022, change the server you plan to install AD Connect on if necessary.

To download and set up Azure AD Connect, you'll need to meet the prerequisites outlined in the Azure AD Connect Installation and Setup Prerequisites section. This includes requirements for your on-premise AD and Azure environments.

First, ensure your local domain is routable or set up an alternate UPN suffix that matches your verified domain in 365, as Chris mentioned in the comments section of the "How to Install and Setup Azure AD Connect" article.

To download the Azure AD Connect MSI installation file, click the Microsoft Azure Active Directory Connect download link from a domain-joined Windows server. Then, click the Download link to download the MSI package file.

To ensure a smooth setup, it's crucial to verify that the Domain Controller for Azure AD is writable. Azure AD does not support read-only domain controllers.

Make sure to check the Domain Controller's status before proceeding with the installation. You can do this by verifying that it's writable.

In case you're using Windows Server 2019 or 2022, be aware that Azure AD Connect installation on Windows Server 2022 was not initially supported. If you're using Windows Server 2022, check if Microsoft has started supporting it.

To download the MSI file, you need to click the Microsoft Azure Active Directory Connect download link from the domain-joined Windows server where you plan to install AD Connect.

The next step is to click the Download link to download the MSI package file, which will start the download process.

The file you need to download is the Azure AD Connection MSI installation file, which will be used for the installation process.

You can find the download link on the domain-joined Windows server, and it's essential to have this server ready before proceeding with the download.

Before you start the setup and download process for Azure AD Connect, you need to ensure you meet the prerequisites.

Your on-prem AD and Azure environments must meet a host of requirements. To determine if you're satisfactory, check the subsequent subsections for guidance.

You need an Azure AD tenant to proceed. This is a non-negotiable requirement.

To add and verify a custom domain, you'll need to follow Microsoft's guidelines. This will ensure your domain is recognized in Azure AD.

On-premises Active Directory schema version and forest level must be Windows Server 2003 or later. This is a crucial requirement to ensure compatibility.

To check the current ExecutionPolicy on the server, run the Get-ExecutionPolicy command on a PowerShell console. If the command returns “RemoteSigned,” then you’re good to go.

Here's a quick rundown of the key prerequisites:

Your Azure AD domain for your AD Connect installation and synching must have a green tick with the word “Healthy” in the Status column. This ensures connectivity between your on-prem Active Directory domain joined server and Azure AD.

You'll also need to ensure your local domain is routable or set up an alternate UPN suffix that matches your verified domain in 365. This might require some configuration tweaks, but it's essential for a successful installation.

To configure Azure AD Connect, you'll need to enter the credentials of an enterprise administrator account for your on-premises Active Directory. These credentials are used to create the local Active Directory account that is used for synchronization.

You'll have two options to configure Azure AD Connect: express settings and custom settings. Express settings will install Azure AD Connect with default settings, while custom settings will allow you to configure every option.

On the next page, enter the Global Admin account to connect with Azure AD and tap on next. Then, enter the Enterprise admin account to connect with On-prem AD and tap on next. This will fetch the available UPN Suffix, but you can select the option to continue without matching all UPN suffixes to the verified domain.

Here's a quick rundown of the configuration process:

To sign in to Azure AD, you can select options on the "User sign-in" page. This page allows you to choose how your on-premises AD users will sign in to Azure AD.

The default option for on-premises AD users is to use their on-premises AD username and password. This is achieved through Password Hash Synchronization, which is the first option on the page.

You can also configure Azure AD sign-in options for on-prem users on the "Azure AD sign-in configuration" screen. The default option on this screen is to use userPrincipalname, which is selected by the Azure AD installation and configuration wizard.

To use the UPN option, your on-prem AD domain name must be added and configured on the Office 365 domain page. You can do this by adding your on-prem AD domain name to the Office 365 registered domain list and clicking the "Refresh" icon.

Domain and OU filtering is a crucial step in configuring Azure AD Connect. By default, Azure AD Connect selects "Sync all domains and OUs" but you can choose to sync only specific containers.

To sync specific containers, you can select "Sync selected domains and OUs". I did this in my setup, syncing only one OU – "Writers" OU.

You can customize the synchronization options by reopening the Azure AD Connect tool and selecting "Customize synchronization options". This will allow you to filter the OUs you want to sync.

To filter the OUs, you'll need to enter the password of the Azure AD Global Administrator account and select the OUs you want to sync. You can expand your domain tree to select the OUs you want to include.

Here are the steps to follow:

To configure Azure AD Connect, you'll need to enter the credentials of an enterprise administrator account for your on-premises Active Directory. These credentials are used to create the local Active Directory account that is used for synchronization.

You'll also need to select the option to use express settings or customize your configuration. Using express settings will install Azure AD Connect with default settings, while customizing will give you more control over each option. For this example, we'll be using express settings.

Enter the Global Admin account to connect with Azure AD and tap on next. Then, enter the Enterprise admin account to connect with On-prem AD and tap on next. This will fetch the available UPN Suffix.

If you have a custom domain that's been verified, you can select "Continue without matching all UPN suffixes to the verified domain" and tap on next. This will take you to the ready to configure page.

On this page, you can select "Start the synchronization process when the configuration is completed" or manually initiate the sync once the installation is completed. Click on "Install" to complete the configuration.

Here are the default sync settings:

After the configuration is completed, you can check the sync status. The sync status should be enabled, and the last sync should be less than 1 hour ago. Password hash sync should also be enabled.