
Installing Azure AD Connect: Streamlining Identity Management & Security

Businesses of all sizes need to manage user identities, and the access those identities have to resources, both efficiently and securely. This discipline, identity management, exists to address the challenges of controlling user access to sensitive information. According to Statista, many Chief Information Security Officers (CISOs) name human error as the greatest cyber vulnerability in their organization. Security awareness training helps mitigate identity compromise; however, additional controls should be in place to limit the consequences when a compromise does happen.

As internet usage continues to rise, so does the volume of personal data that organizations hold. In response, businesses are automating internal processes, adopting cloud services, and modernizing their tooling. Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) is Microsoft's cloud-based identity management service. To bring an existing on-premises directory into it, Microsoft provides Azure AD Connect (now Microsoft Entra Connect), which synchronizes on-premises directories with Azure AD.

Below is a step-by-step guide to help you install Azure AD Connect. Learn how to choose the right server, installation type, and featured tools to enhance your cybersecurity ecosystem by managing and controlling the digital identities within your systems and network.

But first, what is Azure AD Connect?

Azure AD Connect is a tool that simplifies integrating on-premises Active Directory (AD) with Azure AD. It enables you to sync user accounts, passwords, and other on-premises attributes to allow seamless access to resources in the cloud.

Installation prerequisites

Before installing Azure AD Connect, ensure that the following items are met:

  • An Azure AD tenant. If you do not have one, an Azure free trial includes one. Azure AD Connect is managed from the Azure portal or the Microsoft 365 admin center
  • Add and verify in Azure AD the domain(s) whose UPN suffixes you plan to use
  • For on-premises Active Directory, the schema version and forest functional level must be Windows Server 2003 or later; the domain controllers themselves may run any version that meets those requirements. The domain controller that Azure AD Connect talks to must be writable (a read-only domain controller is not supported)

Choosing a Server for Azure AD Connect

Choose a server that meets the minimum requirements and suits your organization’s needs. 

Hardware requirements:

  • A server running Windows Server 2016 or later
  • Sufficient memory, disk space, and processing power to handle synchronization operations
  • Microsoft .NET Framework 4.6.2 or later

Network connectivity:

  • The server should have access to on-premises AD and the internet to communicate with Azure AD

Firewall considerations:

  • Ensure that the necessary ports and IP ranges for communication are open on the server and the network firewall
  • Refer to Microsoft’s documentation for specific port requirements

Prepare your on-premises schema:

  • Use IdFix to identify errors, such as duplicates and formatting problems in your directory, before you synchronize
  • Review optional sync features you can enable in Azure AD
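The checks above can be scripted before you run the installer. The following PowerShell script is an added example written for this article, not code from Microsoft or from the original post. It assumes it runs on the candidate server, that the server is domain-joined, and that the RSAT ActiveDirectory module is installed; the thresholds (Windows Server 2016 build 14393, .NET Framework 4.6.2 registry Release 394802, forest functional level 2003, schema objectVersion 30) are the requirements listed above expressed as numbers. The last check is a lightweight, IdFix-style scan for duplicate mail and UPN values, which does not replace running IdFix itself.

```powershell
# Added example for this article, not Microsoft's or the author's code.
# Pre-flight checks for a candidate Azure AD Connect server. Assumes:
#   - it runs on the candidate server, which is domain-joined
#   - the RSAT ActiveDirectory PowerShell module is installed
#   - the caller can read the directory (any domain user can)
# Thresholds come from the article: Windows Server 2016 (build 14393),
# .NET Framework 4.6.2 (registry Release 394802), forest level Windows Server 2003.
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Operating system: a server SKU (ProductType 2 or 3) at or above the 2016 build.
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2016 or later' (([int]$os.BuildNumber -ge 14393) -and ($os.ProductType -ne 1)) "$($os.Caption) build $($os.BuildNumber)"

# 2. .NET Framework: the installer needs 4.6.2 or later.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 4.6.2 or later' ([int]$ndp.Release -ge 394802) "Release=$($ndp.Release)"

# 3. Domain membership and a writable domain controller (an RODC is not supported).
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Server is domain-joined' ([bool]$cs.PartOfDomain) "$($cs.Domain)"
$dc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
Add-Check 'Writable domain controller reachable' ($null -ne $dc) (@($dc.HostName) -join ',')

# 4. Forest functional level and schema version (objectVersion 30 is the 2003 schema).
$forest = Get-ADForest
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Add-Check 'Forest functional level 2003 or later' ("$($forest.ForestMode)" -notin 'Windows2000Forest', 'Windows2003InterimForest') "$($forest.ForestMode)"
Add-Check 'Schema version 2003 or later' ([int]$schema.objectVersion -ge 30) "objectVersion=$($schema.objectVersion)"

# 5. Outbound HTTPS to Azure AD. Microsoft's documentation lists every endpoint;
#    the sign-in endpoint on TCP 443 is the minimum that must pass the firewall.
$tnc = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
Add-Check 'TCP 443 to login.microsoftonline.com' ([bool]$tnc.TcpTestSucceeded) "$($tnc.RemoteAddress)"

# 6. Quick IdFix-style hygiene scan: a duplicate mail or userPrincipalName value
#    makes the object fail provisioning, so surface duplicates before the first sync.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail
foreach ($attr in 'UserPrincipalName', 'mail') {
    $dupes = @($users | Where-Object { $_.$attr } | Group-Object -Property $attr | Where-Object { $_.Count -gt 1 })
    Add-Check "No duplicate $attr values" ($dupes.Count -eq 0) (($dupes.Name | Select-Object -First 5) -join ', ')
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Resolve the failed checks before running the Azure AD Connect installer.'
}
```

Run it in an elevated PowerShell session on the server you intend to use; a table with every row showing Passed = True means the server meets the requirements above, and the Detail column tells you what to fix otherwise. The duplicate scan only covers the domain the server belongs to, so run IdFix against each domain you plan to synchronize.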

Installation Type for Azure AD Connect

Azure AD Connect has two installation types: Express and customized.

Express

Express is the most common option, used by 90% of all new installations. It assumes that you have the following:

  • A single Active Directory forest on-premises
  • An enterprise admin account you can use
  • Less than 100,000 objects in your on-premises Active Directory

Features you get:

  • Password hash sync from on-premises to Azure AD for single sign-on
  • A configuration that syncs users, groups, contacts, and Windows 10 computers
  • Synchronization of all eligible objects in all domains and all OUs. If you do not want every OU synced, you can still use Express: on the last page of the wizard, clear “Start the synchronization process when configuration completes”, then run the wizard again, change the OUs under the filtering options, and enable the scheduled sync
  • Automatic upgrades are enabled to make sure you are up-to-date with the latest version

Custom

Are you looking for more features and options than Express offers? Use the custom path when your organization does not meet the assumptions described under Express above.

Use the custom path when:

  • You do not have access to an enterprise admin account in Active Directory
  • You have more than one forest, or you plan to synchronize more than one forest in the future
  • You have domains in your forest that are not reachable from the Connect server
  • You plan to use federation or pass-through authentication for user sign-in
  • You have more than 100,000 objects and need to use a full SQL Server
  • You plan to use group-based filtering and not only domain or OU-based filtering
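Whether Express fits is a question you can answer from the directory itself rather than by guessing. The script below is an added example for this article, not Microsoft's or the author's code. It tests the Express assumptions above (one forest, an Enterprise Admin account, fewer than 100,000 objects, every domain reachable from the Connect server) and reports which ones push you onto the custom path. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the Enterprise Admins check only inspects the account running the script, so run it as the account you intend to hand to the wizard.

```powershell
# Added example for this article, not Microsoft's or the author's code.
# Tests the Express assumptions (one forest, Enterprise Admin, fewer than
# 100,000 objects, every domain reachable) from the candidate server.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine;
# the group check only tells you about the account running the script.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$reasons = [System.Collections.Generic.List[string]]::new()

# Express handles a single forest. Forest trusts are the usual sign that a
# second forest exists and may need syncing later, which means Custom.
$forestTrusts = @(Get-ADTrust -Filter 'ForestTransitive -eq $true' -ErrorAction SilentlyContinue)
if ($forestTrusts.Count -gt 0) {
    $reasons.Add("forest trusts present: $($forestTrusts.Name -join ', ')")
}

# Count the object classes Express syncs in every domain of the forest.
# objectClass=user also matches computer objects, so they are included.
$total = 0
foreach ($domain in $forest.Domains) {
    try {
        $dc     = Get-ADDomainController -DomainName $domain -Discover -ErrorAction Stop
        $server = @($dc.HostName)[0]
        $count  = (Get-ADObject -Server $server -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' | Measure-Object).Count
        $total += $count
        '{0,-40} {1,9:N0} objects (via {2})' -f $domain, $count, $server
    } catch {
        $reasons.Add("domain $domain is not reachable from this server ($($_.Exception.Message))")
    }
}
if ($total -ge 100000) {
    $reasons.Add("$total objects; Express expects fewer than 100,000 (a full SQL Server is needed)")
}

# Enterprise Admins is the group with RID 519 in the forest root domain.
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$eaSid   = "$rootSid-519"
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Groups.Value -notcontains $eaSid) {
    $reasons.Add("$($me.Name) is not a member of Enterprise Admins")
}

if ($reasons.Count -eq 0) {
    'Express settings fit this environment.'
} else {
    'Use the Custom installation path:'
    $reasons | ForEach-Object { "  - $_" }
}
```

The object count is the one that most often surprises people: stale computer accounts and disabled users count toward the 100,000 limit, so a directory that feels small can still exceed it. Group-based filtering and the choice of pass-through authentication or federation are decisions, not facts of the directory, so the script leaves those to you.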

Choose the Right Authentication For Your Azure AD

The authentication method is a critical component of an organization's presence in the cloud. Once Azure AD becomes your control plane, authentication is the foundation of all cloud access. Weigh the time, existing infrastructure, complexity, and cost of each method. Here are the forms to choose from:

Password hash synchronization (cloud authentication): requires the least effort in deployment, maintenance, and infrastructure. A hash of each user's on-premises password hash is synchronized to Azure AD, and Azure AD validates sign-ins itself, so users can still sign in to cloud resources when the on-premises environment is unavailable. It suits organizations that only need users to sign in to Microsoft 365, SaaS apps, and other Azure AD-based resources.

Pass-through authentication (cloud authentication): requires one or more (three recommended, for high availability) lightweight agents installed on existing servers. The agents validate passwords directly against your domain controllers, so they need unconstrained network access to them; they make only outbound connections to Azure AD, so no inbound firewall ports are needed. Microsoft's pass-through authentication security deep dive documents the protocol in detail.

Federated authentication: relies on an external trusted system, such as AD FS, to authenticate users. Organizations that already run a federation service may want to keep using that investment alongside Azure AD; the trade-off is that Azure AD has no control over the maintenance, management, or security of the federated system, and an outage of that system blocks cloud sign-in.

Installing Azure AD Connect Express:

Download Azure AD Connect:

  • Download the latest installer from the Microsoft Download Center (linked from the Azure AD Connect page in the Azure portal) and copy it to the server you chose above

Run the Azure AD Connect Installer:

  • Double-click the downloaded installer to start the installation process.
  • Review and accept the license terms.
  • Choose the installation type: Express or Custom. Express installation is recommended for most scenarios.

Configure Azure AD Connect:

  • Select the configuration option that matches your environment:

    • “Express Settings”: automatically configures the most common settings (single forest, password hash synchronization)
    • “Customize”: lets you choose the sign-in method, filtering, and optional features


Connect to On-Premises Active Directory:

  • Enter the credentials of an on-premises account with sufficient permissions. Express expects an Enterprise Admin account; it is used only during installation, and the wizard creates a dedicated, least-privileged AD DS Connector account for ongoing synchronization
  • In a custom installation, select the domains and organizational units (OUs) to synchronize


Connect to Azure AD:

  • Sign in with an Azure AD account holding the Global Administrator role (on current versions, the Hybrid Identity Administrator role is the least-privileged role that can run the wizard)
  • Select the Azure AD tenant you want to synchronize with

  • If the wizard finds no existing synchronization configuration (custom setting), click Next to continue

Configure Sync Options:

  • Choose the user sign-in method: “Password Hash Synchronization,” “Pass-through Authentication,” or “Federation”
  • Customize any additional sync settings, such as filtering or configuring write-back options


Verify and Start Synchronization:

  • Review the configuration summary
  • If everything looks correct, click “Install” to start the synchronization process. If you still need to adjust OU filtering, clear “Start the synchronization process when configuration completes” first, as described under Express above
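Once the wizard finishes, confirm that the configuration it wrote is the one you intended before you rely on it. The script below is an added example for this article, not Microsoft's or the author's code. It runs on the Azure AD Connect server and uses the ADSync PowerShell module that the installer provides; 'contoso.com' is a placeholder for the name of your on-premises AD connector, which by default is the forest name.

```powershell
# Added example for this article, not Microsoft's or the author's code.
# Post-install verification on the Azure AD Connect server itself, using the
# ADSync module that the installer provides. 'contoso.com' is a placeholder
# for the name of your on-premises AD connector (by default, the forest name).
Import-Module ADSync

# 1. Scheduler: SyncCycleEnabled should be True; the default interval is 30 minutes.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, AllowedSyncCycleInterval, CustomizedSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, StagingModeEnabled

# 2. Connectors: expect one on-premises AD connector and one Azure AD connector.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName, Identifier

# 3. Password hash synchronization, which Express turns on, should report Enabled = True.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'contoso.com'

# 4. Automatic upgrade, which Express also enables.
Get-ADSyncAutoUpgrade

# 5. Run a delta sync now and wait for the cycle to finish before reading statistics.
#    Start-ADSyncSyncCycle fails if a cycle is already in progress, so check first.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}
Get-ADSyncConnectorStatistics -ConnectorName 'contoso.com'

# 6. Least privilege: members of the local ADSyncAdmins group can reconfigure
#    synchronization on a server that holds credentials for both directories,
#    so the list should be short and every name on it should be expected.
Get-LocalGroupMember -Group 'ADSyncAdmins'
```

Treat the output of the last step as seriously as a list of Domain Admins: the Connect server can read every synchronized account and, with password hash synchronization, every password hash, so anyone who can administer it can compromise both directories.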

Azure AD Connect is a powerful tool that simplifies synchronizing on-premises Active Directory with Azure AD. Because the server holds credentials for both directories, protect it as you would a domain controller: restrict who can sign in to it and keep it patched. If you need further guidance, contact Trusted Tech Team and leverage our subject matter experts.


Trusted Tech Team is an accredited Microsoft CSP Direct Bill Partner, carrying multiple Solutions Partner designations and the now-legacy Microsoft Gold Partner competency. Based in Irvine, California, we report trends affecting IT pros everywhere.



NhuDiem Pham, Content Marketing Strategist