Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD? SCCM admins have to go through the AAD connect setup when they want to build Intune and SCCM hybrid lab.
AAD Connect is the app used for syncing On-Prem AD with Azure AD. AAD connect app can be installed on any of the server-class machines. AAD Connect sync operation is very critical for organizations.
If you are planning to sync the hash of your passwords to the cloud, then the configuration of the AAD connect setup is fairly straightforward. If you have specific and advanced AAD Connect setup requirements, you need to spend loads of time in the initial setup.
Introduction
AAD connect setup and configuration will install SQL Express DB and configure it. For big corporate organizations, we need to select the advanced settings. They may have custom attributes used in their sync process. These kinds of settings can be configured in advanced settings.
Also, there could be the possibility that the password hash is not synced and ADFS configuration has been used for authentication.
Azure AD AAD Connect Setup
But for my lab, I have selected “Express Settings” so that installation is very straightforward. During the configuration, you have to provide two credentials, AZURE AD and On-prem AD. To use on-premises credentials for Azure AD sign-in, UPN suffixes should match one of the verified custom domains in Azure AD.
I have changed the UPN suffixes of 4 on Prem AD users so that those On-Prem AD users will get synced with Azure AD. The high-level steps are completed in the AAD Connect setup and configuration wizard. Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD?
- Install and Configure SQL Express DB
- Install the synchronization engine
- Configure Azure AD Connector
- Configure On-Prem AD Connector
- Enable Password Synchronization
- Enable Auto Upgrade
- Configure Azure AD Connect Health Agent for sync
- Configure Synchronization services on the computer
- End Results/Outcome of AAD Connect Sync
AAD Connect sync process will start after the AAD Connect setup and configuration. As you can see in the above screen capture, the configuration has been completed successfully on my On-prem AD server. To confirm whether the on-prem users/groups got synced with Azure AD, you can log in to portal.azure.com and confirm the user IDs.
All the users whose UPNs have been changed to SCCZ.Onmicrosoft.com have been replicated to Azure AD. They can use them ON Prem AD user ID and password to log in to AZURE AD, Office 365 services. You can check the user profile – Source attribute to confirm whether the user is synced via AAD Connect from the on-prem Active Directory.
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD?
You can sync on-prem user identities/attributes and passwords to Azure AD using Azure AD connect. Azure AD connect installation and configuration is very straightforward if we use (express settings 🙂 ).
I have a video tutorial here that helps you understand the AAD connect configuration, How to enable MFA for Azure AD to join Windows 10 devices and Twitter app integration with Azure AD.
In this post, I will cover two other topics related to Azure AD (AAD) Sync.
- Where is the Scheduled Task used to get created for Azure AD?
- How to Create a service connection point in on-premises Active Directory?
- Video Tutorial – How to Sync On-Prem AD User accounts With Azure AD
Windows 10 MDM devices can write back to on-prem AD. More details are available here. AAD Connect is mandatory for the write-back feature of Windows 10 devices.
Earlier versions of Azure AD connect used Windows task scheduler to schedule the Azure AD sync of on-prem objects and attributes. The latest version of Azure AD connect has a sync engine inbuilt. Hence we won’t find a scheduled task for AAD Connect.
The new default synchronization frequency is 30 minutes. We can change the AD Sync Schedule using the PowerShell command “Get-ADSyncScheduler” and other parameters documented here. Window
PS C:\Users\anoop\Desktop> Get-ADSyncSchedulerAllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval :
NextSyncCyclePolicyType : Delta
NextSyncCycleStartTimeInUTC : 26-05-2016 02:06:23
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : True
MaintenanceEnabled : True
StagingModeEnabled : False
I was getting trouble creating a service connection point in on-premises Active Directory. This service connection point is used to “Connect domain-joined devices to Azure AD for Windows 10 experiences”. I followed the documentation here to configure the service connection points in on-prem AD but was getting stuck with PowerShell Commands. I ran the PowerShell commands as per the above documentation, however, with no luck.
After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell. Then I tried to run the following PowerShell commands, which worked like a champ!
PS C:\Users\anoop\Desktop> Connect-MsolService PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1 Supply values for the following parameters: AdConnectorAccount: nair\Anoop AzureADCredentials Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD. Configuration Complete
How to Sync On-Prem AD User accounts With Azure AD
How to Sync On-Prem AD User accounts With Azure AD AADJ MFA Twitter Integration – YouTube
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a logger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…