Setting Up Directory Sync Between On-Premises Active Directory with Microsoft 365 Azure AD

Microsoft 365 uses Azure Active Directory to store and manage user credentials for authentication and to control access to cloud-based resources. If you also have an on-premises Active Directory, you should sync the two so that accounts are managed centrally.

The process of setting it up isn’t hard, but it isn’t entirely straightforward either. Here is a quick guide on how to make it happen.

Local AD Preparation

If your local domain has the same name as the one verified in Microsoft 365, preparation is easy. All you need to do is make sure the UPN (UserPrincipalName) attribute matches the one you plan to use in Microsoft 365.

However, if your local AD domain uses a non-routable suffix such as .local, you will need to add a second UPN suffix and update your users to it. Synced accounts that keep a .local UPN will automatically be assigned the default onmicrosoft.com domain.

To Add a new UPN suffix

First, open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts and choose Properties.

Then add a new UPN suffix in the Properties window that pops up.

To update UPN suffix for existing users

You can update it on the Account tab of each user account’s properties window, but a much better way is to use PowerShell.

# Collect the users in the target OU (replace the OU name and domain components with yours)
$adusers = Get-ADUser -Filter * -SearchBase "OU=OU Name,DC=domain,DC=local" | Sort-Object Name
# Rebuild each user's UPN from the SamAccountName and the new routable suffix
$adusers | ForEach-Object { Set-ADUser -Identity $_ -UserPrincipalName ($_.SamAccountName + '@domain.com') }

The IdFix tool

There are other attributes in your AD that might need cleaning up, such as proxyAddresses and sAMAccountName. The best way is to use a tool like IdFix to identify and remediate the majority of directory synchronization errors.

You can download the tool from your Microsoft 365 Directory Sync Status page and run it directly on your domain-joined Windows 10 computer.

An Account for Azure AD Sync

The Azure AD Connect setup wizard can help create this account for you, but it’s easier to have it ready before you run the configuration wizard.

Create a regular domain account with a password that meets the AD password complexity policy. You will then have to grant the account the following two permissions, or password hash sync will fail.

  • Replicating Directory Changes
  • Replicating Directory Changes All

To do so,

  1. Open Active Directory Users and Computers
  2. Go to View and select Advanced Features.
  3. Right-click the main domain name and choose Properties.
  4. On the Security tab, add the account you want to use for directory sync and Allow the above two permissions.
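Because these two rights allow an account to replicate directory data, including password hashes, it is worth verifying the result from PowerShell rather than trusting the dialog. The script below is an added example, not part of the original post or of Azure AD Connect; it assumes the ActiveDirectory module is available and that the sync account is named svc-aadsync (an assumed name, change it to yours). It checks that the sync account holds both rights on the domain root and lists every other principal that holds Replicating Directory Changes All, so unexpected holders stand out.

```powershell
# Added example (not from the original post): audit the two replication rights on the domain root.
Import-Module ActiveDirectory

$SyncAccount = 'svc-aadsync'   # assumption: the name of your directory sync account
$domain      = Get-ADDomain

# Extended-right GUIDs for the two permissions the post asks you to grant.
$rights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# Read the ACL of the domain naming context (the object you right-click in ADUC).
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Keep only Allow ACEs that grant an extended right matching one of the two GUIDs.
$replAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($rights.Values -contains $_.ObjectType)
}

# 1. Does the sync account have both rights? Missing either one breaks password hash sync.
$expected = "$($domain.NetBIOSName)\$SyncAccount"
foreach ($name in $rights.Keys) {
    $has = $replAces | Where-Object { $_.IdentityReference.Value -eq $expected -and $_.ObjectType -eq $rights[$name] }
    if ($has) { "OK      $expected has '$name'" } else { "MISSING $expected lacks '$name'" }
}

# 2. Who else can replicate all changes? Assumed list of trustees that normally hold this right;
#    adjust it for your environment. Anything not on the list and not the sync account is flagged.
$knownHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers"
)
"`nPrincipals allowed 'Replicating Directory Changes All' on $($domain.DistinguishedName):"
$replAces |
    Where-Object { $_.ObjectType -eq $rights['Replicating Directory Changes All'] } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique |
    ForEach-Object {
        $flag = if ($knownHolders -contains $_ -or $_ -eq $expected) { '' } else { '   <-- review' }
        "  $_$flag"
    }
```

Run it on a domain-joined machine as a user that can read the domain root ACL; a MISSING line means the Security tab step above did not take effect for that right.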

Azure AD Connect

Now, download Azure AD Connect, install it on the Active Directory server, and run the configuration wizard. Follow the wizard and it should be up and running shortly.

A few notes that I hope will help.

You can sync the entire directory or the OUs of your choice.

There are two ways to stage your AD sync process: you can either enable staging mode in Azure AD Connect, or filter users via a specified group.

Note that if you use the group filter option together with selected OUs, make sure the group resides inside that OU, or no accounts will be synced.

To force a sync to start outside the scheduled window, run the following PowerShell cmdlet.

Start-ADSyncSyncCycle -PolicyType Delta

To initiate a complete sync,

Start-ADSyncSyncCycle -PolicyType Initial

If you see an error telling you that the cmdlet is not recognized, import the module first and then run the cmdlet again.

Import-Module ADSync
