This document provides a technical deep dive into configuring Azure Active Directory Connect (Azure AD Connect). It discusses architectural best practices, supported configurations, installation best practices, advanced configuration options, and using Azure AD Connect Health. Key points include choosing a custom service account, OU filtering, changing the default source anchor, self-service password reset, GDPR considerations, and installing Azure AD Connect Health agents.
4. Michael Noel @MichaelTNoel
Authored 20 books including the best
selling SharePoint, Exchange, and
Windows Unleashed series
Presented at over 220 events in over 80
countries around the world
Microsoft MVP, first awarded in 2007
Partner at Convergent Computing in the
San Francisco Bay Area (cco.com)
6. Why Azure AD Connect?
Quite simply, the most effective and
supported method of synching On-Premises
Active Directory with Azure Active Directory
(Office 365’s Directory.)
Simplifies Single Sign On (SSO) to SAAS
applications
Released by Microsoft in 2015, AADC
combines functionality previously provided
by multiple separate tools
◦ DirSync
◦ Active Directory Federation Services (though
services still required)
◦ AADSync
Runs on a Domain/Workgroup Member
Server, easy to configure
7. Design and Planning – AADC Consoles
For most organizations, a single console (server) will suffice; take a snapshot backup
of its configuration
For larger organizations or orgs with high SLAs, consider deploying a secondary
Azure AD Connect console, but run the second console in staging mode. In the
event of an outage, turn off staging mode on the secondary server
Recommended to run on domain-joined system inside the network, with
restrictions placed on traffic to MS-defined IP ranges.
Alternatively, if policy dictates, it can be installed on a Workgroup member in
the DMZ, though note that there are a large number of ports required to be
open to domain controllers inside the network.
10. Staging Server
Configuring a dedicated server
as a ‘Staging Server’ is the
preferred failover and DR
option for AADC
A server in ‘Staging Mode’
won’t actually export any
changes to Azure AD, but will
keep information up to date
Failover simply involves turning
off staging mode and running a
full sync
12. Install – Prerequisites and Software
Hardware
◦ 2GB RAM (4GB for 5000+ users)
◦ 1 CPU (2CPU for 5000+ users)
Typically a virtual server
Software
◦ Windows Server 2008, Windows Server 2008 R2, Windows Server
2012, Windows Server 2012 R2, or Windows Server 2016 (preferred)
◦ Download link: http://is.gd/azureadconnect
13. Install – SQL Options
Most organizations install simple SQL Server Express
instance for AADC (SQL 2008 R2+)
Full SQL Server can be used if needing to utilize an
existing farm
AlwaysOn Availability Groups are now supported for
AADC Database failover
14. Express Settings vs. Custom
Small organizations with a single
domain/forest may choose
Express Settings
This does not allow for much
advanced customization, such as
OU filtering, custom service
account, or many other things you
may need
Recommended to choose a
custom install in most cases
15. Install – Custom Service Account
If you don’t choose a custom service
account, MS will create one for you –
this account will start with MSOL_
followed by a long GUID.
In addition, MS will attempt to configure
security settings for this account within
the forest, adding root level permissions
Most organizations will likely prefer to
control the creation of this account and
assign it permissions to only those OUs
necessary. Consequently, a custom
service account that is pre-created is
advised
Rights Required: http://is.gd/aadcsvc
16. Install – Choose SSO Option
Password Hash Synchronization – copies
the internal AD password hashes to the
cloud, allowing for SSO using the same
username/password combo
Pass-through authentication – option
where hash is NOT stored in cloud.
Requires an on-prem agent
Federation with AD FS – Utilizes MS AD
FS for SSO, requires AD FS setup
Federation with PingFederate – New
option, direct integration with Ping
Do not configure – Used if you are using
another third-party identity provider such as Okta
17. Azure AD Username
Most organizations will use
the User Principal Name
(UPN) to create usernames
in AADC (highly
recommended)
Options exist to choose
other attributes for
usernames, but only use
for fringe scenarios
18. OU Filtering
Highly recommended to restrict AADC
to only sync users within specific OUs
This will keep Azure AD from being
overpopulated with service accounts
and other accounts which may never
need to log in to cloud services
This option also allows you to move
objects to non-synched OUs for testing,
migration, or other options.
19. Identifying Users
Source Anchor is a critical
concept in AADC
Consider changing the
defaults only in specific
fringe scenarios
ObjectGUID is no longer
the default; MS now defaults
to using mS-DS-ConsistencyGuid
as the source anchor
20. Group Filtering
Option exists to filter
out objects from sync
based on membership
in a group
Not a recommended
option except for
initial testing
21. Optional Features
MS provides for multiple additional options when
configuring AADC
These options can be added at a later time as needed
(such as when enabling Exchange hybrid)
Options include:
◦ Exchange hybrid deployment
◦ Exchange Mail Public Folders
◦ Azure AD app and attribute filtering
◦ Password writeback
◦ Group writeback
◦ Device writeback
◦ Directory extension attribute sync
22. Recommendation: Wait to Sync Until
All Changes Made and Validated
At the end of the wizard,
the default setting is to
immediately start the
synchronization process
Recommended to wait to sync
until all additional configuration
has been done and you have
tested in staging mode
24. Advanced – Restrict by Attribute
For attribute level synching
restrictions, create an inbound
sync rule from within the
Synchronization Rules Editor
Be sure that your syntax is
accurate.
In this example, the scoping filter
EXCLUDES all accounts whose
employeeID attribute is
NULL
NOTE: These settings are
overwritten during upgrades,
ensure that you re-apply settings
after you update AADC.
25. Synchronize Custom Extensions
You may want to add additional fields
from Active Directory to Azure AD. For
example, you may desire to have user
mobile phone numbers synched from
AD DS to Azure AD to allow them to be
used as part of SharePoint Online
profiles
Select which attributes to sync in the
‘Directory Extensions’ portion of the
Azure AD Connect wizard
26. Multi-Geo (Tenants with >5000
Users) – Preferred Data Location
Allows tenants with greater than 5000 users to store
mailboxes in a preferred MS Datacenter:
◦ Asia Pacific (APC)
◦ Australia (AUS)
◦ Canada (CAN)
◦ European Union (EUR)
◦ India (IND)
◦ Japan (JPN)
◦ Korea (KOR)
◦ United Kingdom (GBR)
◦ United States (NAM)
Must configure sync rules to join a custom internal attribute
(e.g. extensionAttribute5) to the preferredDataLocation
attribute in Azure AD
See https://is.gd/o365multigeo for details
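The UPN, OU filtering, restrict-by-attribute and Multi-Geo slides above each describe a condition that decides whether, and how, a user lands in Azure AD. The following script is an added example, not part of the deck, that checks those conditions against the users in the OUs you intend to keep in scope before the first sync: a UPN suffix that is not a verified tenant domain, a duplicate UPN, an empty employeeID (which the slide 24 scoping rule would exclude) and an extensionAttribute5 value outside the Multi-Geo code list. It assumes the ActiveDirectory PowerShell module; the OU DNs, verified domains and attribute choice are placeholders.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module;
# every value below is a constructed placeholder.
Import-Module ActiveDirectory

# OUs you will leave in scope in the AADC OU filter (constructed DNs).
$SyncedOUs = @(
    'OU=Users,OU=Corp,DC=contoso,DC=local',
    'OU=Contractors,OU=Corp,DC=contoso,DC=local'
)
# Domains verified in the tenant; any other UPN suffix is rewritten to
# <tenant>.onmicrosoft.com at export time (constructed list).
$VerifiedDomains = @('contoso.com', 'contoso.co.uk')
# Preferred Data Location codes from the Multi-Geo slide.
$GeoCodes = @('APC', 'AUS', 'CAN', 'EUR', 'IND', 'JPN', 'KOR', 'GBR', 'NAM')

function Test-AadcSyncScope {
    param(
        [string[]]$OUs     = $SyncedOUs,
        [string[]]$Domains = $VerifiedDomains,
        [string[]]$Geo     = $GeoCodes
    )
    $props = 'userPrincipalName', 'employeeID', 'extensionAttribute5'
    $users = foreach ($ou in $OUs) {
        Get-ADUser -SearchBase $ou -Filter * -Properties $props |
            Add-Member -NotePropertyName ScopeOU -NotePropertyValue $ou -PassThru
    }
    # A UPN present on two objects is rejected by Azure AD as a duplicate.
    $dupUpns = $users | Where-Object UserPrincipalName |
        Group-Object UserPrincipalName | Where-Object Count -gt 1 | ForEach-Object Name

    foreach ($u in $users) {
        $issues = @()
        $upn = $u.UserPrincipalName
        if (-not $upn) {
            $issues += 'NoUPN'
        } else {
            $suffix = ($upn -split '@')[-1]
            if ($Domains -notcontains $suffix) { $issues += "UnverifiedUpnSuffix:$suffix" }
            if ($dupUpns -contains $upn)       { $issues += 'DuplicateUPN' }
        }
        # Mirrors the slide 24 inbound scoping rule: NULL employeeID is excluded.
        if ([string]::IsNullOrEmpty($u.employeeID)) { $issues += 'EmployeeIdNull-ExcludedByScopingRule' }
        # extensionAttribute5 is the attribute the deck joins to preferredDataLocation.
        if ($u.extensionAttribute5 -and $Geo -notcontains $u.extensionAttribute5) {
            $issues += "UnknownPreferredDataLocation:$($u.extensionAttribute5)"
        }
        if ($issues) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                ScopeOU        = $u.ScopeOU
                Issues         = $issues -join '; '
            }
        }
    }
}

Test-AadcSyncScope | Format-Table -AutoSize
```

Run it from a workstation with RSAT before enabling the scheduler; every row it prints is an object that would either be silently excluded by the scoping rule or produce an export error or an unexpected onmicrosoft.com sign-in name once the first sync runs.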
27. Self-Service Password Reset and
Writeback
Allow your users to reset their
password directly in Office 365 and
have the password synched back to AD
DS
AADC Service Account must be granted
the following rights in AD DS:
◦ Reset password
◦ Change password
◦ Write permissions on lockoutTime
◦ Write permissions on pwdLastSet
◦ Extended rights on either:
◦ The root object of each domain in that forest
◦ The user organizational units (OUs) you want to
be in scope for SSPR
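The custom service account slide recommends granting the pre-created account rights only on the OUs that need them, and the SSPR slide lists exactly which rights password writeback needs. The script below is an added example, not from the deck, that delegates those rights (Reset Password, Change Password, write on lockoutTime and pwdLastSet) to the service account on a single user OU rather than the domain root, inheriting onto user objects only. It assumes the ActiveDirectory module and a domain admin session; the account name and OU DN are placeholders, and the GUIDs are read from the schema and configuration partitions instead of being hard-coded.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module and a
# session with rights to modify the OU's ACL; names below are constructed.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-aadconnect'                 # constructed account
$TargetOU       = 'OU=Users,OU=Corp,DC=contoso,DC=local'   # constructed DN

$rootDse = Get-ADRootDSE

# Resolve attribute/class GUIDs from the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]([byte[]]$o.schemaIDGUID)
}
# Resolve control-access (extended) right GUIDs from the configuration partition.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$userClass = Get-SchemaGuid 'user'   # inherit onto descendant user objects only
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    foreach ($right in 'Reset Password', 'Change Password') {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            $allow, (Get-ExtendedRightGuid $right), $inherit, $userClass)
    }
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            $allow, (Get-SchemaGuid $attr), $inherit, $userClass)
    }
)

# Apply the four ACEs to the OU; existing ACEs are preserved.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Verify with `(Get-Acl "AD:\$TargetOU").Access | Where-Object IdentityReference -eq $ServiceAccount`. Members of protected groups (Domain Admins and the like) have their ACLs reset from AdminSDHolder, so inherited OU permissions never reach them; if such accounts must be in scope for SSPR, that is a separate decision rather than something this delegation covers.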
28. Accidental Delete Prevention and
Overrides
By default, AADC will not allow you to delete more than 500 objects during any one sync cycle.
You may need to change this temporarily, though it is recommended to leave it on during normal
operations.
PowerShell commands:
Disable-ADSyncExportDeletionThreshold (Turns off Accidental Delete prevention)
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500 (Enables Accidental Delete
prevention)
29. GDPR Considerations: Azure AD Connect
Azure AD Connect Server stores the following user privacy data:
◦ Data about a person in the Azure AD Connect database – This is removed automatically when deleting
user from the database. Ensure you are synching at least every 48 hours.
◦ Data in the Windows Event log files that may contain information about a person – Flush event logs on
the AADC Server on a scheduled basis
◦ Data in the Azure AD Connect installation log files that may contain information about a person – Script a
process to remove the Azure AD Connect installation logs every 48 hours
NOTE: Do NOT delete the PersistedState.Xml file. It is used for upgrades and does not contain personal
data
Sample PowerShell script to delete installation log files:
# Collect every file under %ProgramData%\AADConnect (directories have no VersionInfo and drop out)
$Files = ((Get-ChildItem -Path "$env:programdata\aadconnect" -Recurse).VersionInfo).FileName
Foreach ($File in $Files) {
    # Do not delete PersistedState.xml; it is needed for upgrades
    If ($File.ToUpper() -ne "$env:programdata\aadconnect\PERSISTEDSTATE.XML".ToUpper()) {
        Remove-Item -Path $File -Force
    }
}
30. Useful PowerShell Commands
Start-ADSyncSyncCycle -PolicyType Delta – Start a manual sync immediately
Start-ADSyncSyncCycle -PolicyType Initial – Perform a full sync (only needed if you changed
filtering options, modified a sync rule, or added attributes to sync)
Stop-ADSyncSyncCycle – Stop a running AD Sync in order to make changes to config
Get-ADSyncScheduler – View current configuration
Set-ADSyncScheduler -SyncCycleEnabled $false – Turn off sync (set to true to turn back on)
Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00 – Change Sync Schedule to
synchronize every two hours
Add-ADSyncAADServiceAccount – Used to reset the AADC service account’s password
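The deletion threshold slide says to lift the 500-object limit only temporarily, and the commands slide shows the scheduler cmdlets used around a manual sync. The function below is an added example, not from the deck, that strings those cmdlets together the way an operator should: wait for the scheduler to be idle, disable the threshold, run one delta cycle, and re-enable the threshold in a `finally` block so it is restored even if the cycle throws. It assumes the ADSync module on the Azure AD Connect server, that the pending deletions have already been reviewed, and that 500 (the deck's default) is the value to restore.

```powershell
# Added example (not from the deck). Assumes the ADSync module that ships with
# Azure AD Connect; run on the active (non-staging) AADC server.
Import-Module ADSync

# Block until no sync cycle is in progress, or give up after the timeout.
function Wait-AdSyncIdle {
    param([int]$TimeoutSeconds = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync still running after $TimeoutSeconds seconds" }
        Start-Sleep -Seconds 15
    }
}

function Invoke-DeltaSyncWithoutDeletionThreshold {
    param([int]$Threshold = 500)   # value to restore afterwards (deck default)
    Wait-AdSyncIdle
    Write-Host 'Threshold before:' ($(Get-ADSyncExportDeletionThreshold) | Out-String)
    Disable-ADSyncExportDeletionThreshold
    try {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Start-Sleep -Seconds 30          # give the scheduler time to pick the cycle up
        Wait-AdSyncIdle
    }
    finally {
        # Runs whether or not the cycle succeeded, so the guard is never left off.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold
        Write-Host 'Threshold after:' ($(Get-ADSyncExportDeletionThreshold) | Out-String)
    }
}

Invoke-DeltaSyncWithoutDeletionThreshold
```

The Disable/Enable cmdlets prompt for tenant administrator credentials when run interactively, so this is a hands-on procedure rather than something to schedule; the before/after output gives you a record of the threshold state for the change ticket.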
31. mS-DS-ConsistencyGuid – A Warning
Azure AD Connect defaults to using mS-DS-
ConsistencyGuid as the Source Anchor attribute
This needs to be unique across ALL of Microsoft
Office 365 tenancies
This means that if you are performing
migrations or synching accounts from one forest
to another, be sure to EXCLUDE that attribute
from the sync, or your migrated users will NOT
be able to access their accounts!
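Because the slide above warns that a migrated mS-DS-ConsistencyGuid value breaks access, it helps to know which objects already carry the attribute before AADC is pointed at the forest. The script below is an added example, not from the deck: it lists every user with a populated mS-DS-ConsistencyGuid, flags values that differ from the object's own objectGUID (the sign that a migration tool copied the attribute rather than AADC writing it) and values shared by more than one object. It assumes the ActiveDirectory module; the search base is a placeholder.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module;
# the search base is a constructed placeholder.
Import-Module ActiveDirectory

function Get-ConsistencyGuidReport {
    param([string]$SearchBase = 'DC=contoso,DC=local')   # constructed DN
    # Presence filter: only objects that already have the attribute set.
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(mS-DS-ConsistencyGuid=*)' `
                        -Properties 'mS-DS-ConsistencyGuid'
    $rows = foreach ($u in $users) {
        # The attribute is stored as 16 raw bytes; AADC writes the objectGUID bytes into it.
        $cg = [guid]([byte[]]$u.'mS-DS-ConsistencyGuid')
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            ObjectGuid      = $u.ObjectGUID
            ConsistencyGuid = $cg
            MatchesOwnGuid  = ($cg -eq $u.ObjectGUID)
            Duplicate       = $false
        }
    }
    # The same value on two objects collides on export.
    $dupes = $rows | Group-Object ConsistencyGuid | Where-Object Count -gt 1 | ForEach-Object Name
    foreach ($r in $rows) {
        if ($dupes -contains "$($r.ConsistencyGuid)") { $r.Duplicate = $true }
    }
    $rows
}

# Only the rows that need a decision: copied-in values or duplicates.
Get-ConsistencyGuidReport |
    Where-Object { -not $_.MatchesOwnGuid -or $_.Duplicate } |
    Format-Table -AutoSize
```

A mismatch is not automatically wrong (it is how an object keeps its immutable ID through a migration within the same tenant), but every flagged row is a value that came from somewhere other than this forest's AADC, so it is exactly the set to review before deciding whether to exclude the attribute from sync as the slide advises.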
33. Azure AD Connect Health
Azure AD Premium Feature
(Requires additional licensing)
Monitor the following:
◦ Azure AD Connect
◦ AD DS Domain Controllers
◦ AD FS Servers
34. Install Azure AD Connect Health
Agents on AD DS Domain Controllers
Install AD DS Health
Agents on all domain
controllers to monitor
them from the Azure
AD Health Service
Pay special attention
to the prerequisites,
particularly which
websites need to be
allowed
Agents for AD FS
servers can also be
downloaded