How to Sync On-premises Active Directory with Azure Active Directory

Synchronizing users and groups from On-premises Active Directory to Azure Active Directory

Azure Active Directory is a multi-tenant, cloud-based directory and identity management service provided by Microsoft. It offers identity and access capabilities for applications running both in Microsoft Azure and in an on-premises environment. It is the foundation for Office 365 and other SaaS applications, letting users sign in to and access the resources in those applications. Because it is entirely cloud-based, it offers more flexibility: it can act as an organization’s only directory, or it can be synchronized with an on-premises directory.

Synchronizing on-premises Active Directory to Azure Active Directory

Azure Active Directory is not simply the cloud version of Active Directory. It is designed to provide various services and capabilities in a different manner, compared to its on-premises counterpart. While the on-premises directory can be synchronized with Azure Active Directory, the organizational units (OUs), group policies and computer accounts cannot be migrated to Azure AD. However, synchronizing Active Directory with Azure AD provides many advantages. This integration allows the on-premises network computers to access cloud environments while allowing cloud-based applications to access the on-premises devices.
One of the major benefits of this synchronization is that users need only one set of credentials to access both cloud and on-premises resources. This offers Single Sign-On (SSO) to users, where a single username and password can be used to sign in to all the available applications. However, this can be achieved only if AD Federation Services (AD FS) servers are deployed. Once Single Sign-On is in place, authentication is handled directly by the AD FS servers. In addition, the organization can adopt Azure Active Directory easily, without having to create new tools and practices.

Synchronizing an on-premises directory to Azure AD is a fairly simple process. However, the synchronization is one way and can be done only from on-premises to Azure AD. Synchronizing Azure AD accounts down to an on-premises directory is not supported.
This can be done using:
  1. Azure AD Connect Tool
  2. PowerShell commands for synchronizing on-premises Active Directory to Azure AD
 

1. Using Azure AD Connect for Synchronizing on-premises Active Directory to Azure Active Directory

Azure AD Connect is a tool used to connect on-premises infrastructure to the cloud-based Azure Active Directory. It builds upon the functionality of its predecessors, DirSync and Azure AD Sync. Since those tools are deprecated, Azure AD Connect is the only tool used for synchronization.

Downloading and Installing Azure AD Connect
Azure AD Connect can be downloaded by following the instructions given below.

  1. Log in to your Azure AD tenant and click on Azure Active Directory.
  2. Under the Manage menu, select Azure AD Connect.
  3. Click on Download Azure AD Connect.
  4. After the download is complete, the tool can be installed by following the instructions given below.
  5. Verify the prerequisite information to make sure that your server meets the requirements.
  6. Navigate to the downloaded Windows Installer Package (a .msi file) and double-click on it.
  7. In the Microsoft Azure Active Directory Connect wizard welcome screen, click on Continue.
  8. Click on the Use Express Settings option if you have a verified domain.
  9. Enter your Azure AD global administrator credentials and click on Next.
  10. If your domain is not verified or added in Azure AD, review and verify the domains in the Azure AD Sign-in Configuration window.
  11. Check or uncheck the available options in the Ready to configure window.
  12. Click on Install to complete the installation.
  13. If the “Start the synchronization process when the configuration is complete” option was checked in the Ready to configure window, the synchronization does not need to be started manually.
  14. However, if this option was left unchecked, the synchronization has to be started manually. This can be done with the help of PowerShell commands.
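Before running the installer (steps 5 and 6 above), it is worth confirming that the .msi is intact and Microsoft-signed and that the server is domain-joined and 64-bit, since the wizard will run with Global Administrator credentials. This is an added example, not part of the original article or of Azure AD Connect itself; the download path is an assumption.

```powershell
# Added example (not from the original article): pre-installation checks for
# the downloaded Azure AD Connect installer. The path below is an assumption;
# adjust it to wherever the .msi was saved.
$MsiPath = "$env:USERPROFILE\Downloads\AzureADConnect.msi"

function Test-AadConnectInstaller {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found at $Path"
    }

    # The wizard runs with the Global Administrator credentials you enter, so
    # confirm the package carries a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    # Express Settings requires a domain-joined, 64-bit Windows Server.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        Path              = $Path
        SignatureStatus   = $sig.Status
        SignedByMicrosoft = $signedByMicrosoft
        DomainJoined      = $cs.PartOfDomain
        Domain            = $cs.Domain
        Is64BitOS         = $os.OSArchitecture -like '64*'
    }
}

$check = Test-AadConnectInstaller -Path $MsiPath
$check | Format-List

if (-not $check.SignedByMicrosoft) {
    Write-Warning 'Signature check failed; do not run this installer.'
}
```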

2. Using PowerShell commands for synchronizing on-premises Active Directory to Azure Active Directory

The PowerShell commands for synchronizing on-premises Active Directory to Azure Active Directory are discussed as follows. They are provided by the ADSync module that is installed with Azure AD Connect.
 
i) Get-ADSyncScheduler
This command is used to check the current state of the synchronization scheduler settings.
ii) Start-ADSyncSyncCycle -PolicyType Initial
This command is used to start a full (initial) synchronization.
iii) Start-ADSyncSyncCycle -PolicyType Delta
This command is used to start a delta synchronization, which processes only the changes since the last cycle.
iv) Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:50:00
The default synchronization interval is 30 minutes. However, this can be customized by using this command. The interval is specified in HH:MM:SS format. In the above example, the interval has been set to 50 minutes.
v) Get-ADSyncScheduler
This command can be run again to verify that the new settings have taken effect.
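The commands above, combined into one script as an added example (not from the original article): it reads the scheduler state, applies the 50-minute interval only when it is not already set and is not shorter than the allowed minimum, waits for any running cycle to finish, and then starts a delta sync and reports the result.

```powershell
# Added example (not from the original article): an idempotent wrapper around
# the Get-/Set-ADSyncScheduler and Start-ADSyncSyncCycle commands from the text.
Import-Module ADSync

function Invoke-SafeDeltaSync {
    param([timespan]$DesiredInterval = [timespan]'00:50:00')

    $scheduler = Get-ADSyncScheduler

    # A staging-mode server imports and syncs but never exports, so a delta
    # cycle here would not push anything to Azure AD.
    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'This server is in staging mode; nothing will be exported.'
    }
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning 'Scheduler is disabled; automatic sync cycles will not run.'
    }

    # The effective interval is never shorter than AllowedSyncCycleInterval
    # (30 minutes by default), so reject shorter values instead of applying them.
    if ($DesiredInterval -lt $scheduler.AllowedSyncCycleInterval) {
        Write-Warning "Interval $DesiredInterval is below the allowed minimum of $($scheduler.AllowedSyncCycleInterval)."
    }
    elseif ($scheduler.CustomizedSyncCycleInterval -ne $DesiredInterval) {
        Set-ADSyncScheduler -CustomizedSyncCycleInterval $DesiredInterval
    }

    # Starting a cycle while one is in progress fails, so wait for it to end.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Start-Sleep -Seconds 15
    }

    $result = Start-ADSyncSyncCycle -PolicyType Delta
    $after  = Get-ADSyncScheduler

    [pscustomobject]@{
        StartResult       = $result.Result
        EffectiveInterval = $after.CurrentlyEffectiveSyncCycleInterval
        NextPolicyType    = $after.NextSyncCyclePolicyType
        NextRunUtc        = $after.NextSyncCycleStartTimeInUTC
    }
}

Invoke-SafeDeltaSync | Format-List
```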

After the process is complete, the synchronization can be monitored and managed using the Synchronization Service Manager console. 