When setting up an Enterprise Mobility Suite (EMS) environment and you want to use your own Active Directory domain you definitely need to setup synchronization services with Azure AD. Where we needed to setup DirSync in the past we now need to install and configure the successor Azure AD Sync or the Azure AD Connect synchronization service. You can do this by downloading this tool or by downloading Microsoft Azure Active Directory Connect which is still in preview but does a really great job in simplifying the setup process. Let’s have a look.
When stating the setup the Microsoft Azure Active Directory Connect tool assist you by installing the prerequisites that are needed to be able to synchronize users and groups from your on premise AD to Azure AD. It will automatically install the following products if they do not exist;
- Microsoft Online Services Sign-In Assistant for IT Professionals
- Windows Azure Active Directory Module for Windows PowerShell
- Microsoft Visual C++ 2013 Redistributable Package
After getting the prerequisites ready the Azure AD Connect synchronization service will be installed. Azure AD Connect synchronization service needs a SQL database, you can configure an existing one or a SQL Express version will be automatically installed. Next we need to provide the username of a Azure AD user that is a member of the Global Administrator role.
After the synchronization service installed and connected with Azure AD we are able to customize the configuration of Azure AD Connect synchronization service, and more J So if we do not choose to use the express settings as shown below we are able to configure Single Sign On via Password Synchronization, Federation with AD FS.
Since I do not have this small lab setup to be able to use AD FS (will show this in my next blog) I will choose Password Synchronization and connect my Active Directory. Microsoft Azure Active Directory Connect allows you to synchronize more than one directory, which is really cool if you ask me.
The next step is that you are able to filter users and groups by DN or Group Membership. So no hacking in FIM (which is not part of this solution anymore) anymore.
Next you need configure how the user in on premise directories is identified. Is a user represented only once across multiple directories or does user identities exist across multiple directories. Based on attributes you are able to configure how a user must be matched. If you only use one Active Directory as a source you can easily use the defaults as shown below.
As you see the Microsoft Azure Active Directory Connect tool assist you heavily in setting up the synchronization service. But is does more, optionally you are able to configure the following features:
Exchange hybrid deployment
The Exchange hybrid deployment features allows co-existance of Exchange mailboxes on both on premises as in Azure by synchronizing a specific set of attributes from Azure AD back to your own Active Directory.
If the password changes in Azure AD, it will be written back to your own Active Directory.
If a user is created in Azure AD, it will be written back to your own Active Directory.
- Azure AD app and attribute filtering
- Group writeback
- Device writebrack
- Device Sync
- Directory extension attribute sync
Selecting two options as shown below allows us to configure the writeback location in the on premise Active Directory.
The Final step in the really great wizard is to install and configure the synchronization process.
Next the synchronization service has been setup and we are ready to be able to synchronize the users to Azure Active Directory.
Next time we will have a look how to setup AD FS, the easy way.