Azure Active Directory – 3 simple steps to integrate with on-premises AD
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service.
It is an easy-to-use solution that gives employees and business partners single sign-on (SSO) access to SaaS applications such as O365, SFDC, DropBox, etc. It also provides the capability to integrate with an existing on-premises Active Directory to enable a hybrid identity management solution. How easy is it to integrate Azure AD with on-premises AD? In this article I would like to introduce to you an end-to-end guideline for enabling Azure AD and on-premises integration.
Tool and Integration model
Let’s start with the tool first – Azure AD Connect. Azure AD Connect consists of three primary parts.
- Synchronization services: responsible for making sure the information on users and groups in your on-premises environment matches the cloud.
- Active Directory Federation Services: this part can be used to address complex deployments that include such things as domain-join SSO, enforcement of AD sign-in policy, and smart card or third-party MFA.
- Health Monitoring: provides robust monitoring and a central location in the Azure portal to view this activity.
Azure AD Connect supports two models: synchronized or federated identities.
- Synchronized identities: synchronize user accounts and optionally passwords from on-premises AD to Azure AD. If you also synchronize passwords, your users will use the same password to access on-premises and Azure resources.
- Federated identities: this model requires a synchronized identity, but the user password is verified by the on-premises identity provider. This means the password hash does not need to be synchronized to Azure AD. This model can be applied to integrate with Active Directory Federation Services (AD FS) or a third-party identity provider.
3 Steps to enable integration
Step 1 – Add a custom domain
A custom domain is a prerequisite for on-premises and Azure AD integration. In the dashboard of your selected Active Directory, click Add domain and make sure your public domain matches your AD domain (in my case it’s sonnn2.com).
Go to your DNS portal and add a new TXT record following Azure’s guideline (I used MatBao.net and all configuration is quite easy even for a DNS novice like me).
Next, you need to verify and activate your custom domain as the primary domain. In this guideline I apply the synchronized identity model, so my domain is not planned for Single Sign-On.
Step 2 – Add a Global Admin account
In your domain, add a new account that will be used for the AD synchronization process, and make sure this account is a Global Admin account.
You also need to change the password of the new account before continuing to the next step.
Step 3 – Install AD Connect and Configure Synchronization
Download Azure Active Directory Connect from the Download Center and install it on a proxy server (one that can reach both the AD servers and the internet).
Start the AD Connect configuration after finishing all installation steps. There are two options: Express settings (default settings) or Customized settings.
- Express settings: recommended if you have a single-forest AD. Users sign in with the same password using password synchronization.
- Customized settings: used when you have multiple forests. Supports many on-premises topologies. It also lets you customize your sign-in option, such as AD FS for federation.
But no matter which you choose, you must ensure you use the relevant accounts to access Azure AD (Global Admin account) and AD DS (Enterprise Administrator account).
A detailed configuration guide can be found in Integrating your on-premises identities with Azure Active Directory. After finishing all steps, your on-premises AD and your Azure AD are connected to each other.
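As an added example (my own script, not part of the original post or of Azure AD Connect), the PowerShell below pre-checks the three steps above from a domain-joined Windows machine with the RSAT ActiveDirectory module: that the custom domain is a UPN suffix in the forest (otherwise synced users end up with an onmicrosoft.com UPN), that the Azure verification TXT record is visible in public DNS, and, once the ADSync module from Step 3 is present, that the sync scheduler is enabled. The domain name sonnn2.com is taken from the post and the "MS=" record prefix is Azure's TXT verification format; both are assumptions to adapt.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory;
# the ADSync section only runs on the Azure AD Connect server after Step 3.
param(
    [string]$CustomDomain = 'sonnn2.com'   # the post's domain; change to yours
)
Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: the public domain must also be a UPN suffix in the forest, or
# synchronized users land in Azure AD with a *.onmicrosoft.com UPN.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
if ($suffixes -contains $CustomDomain) {
    Write-Host "OK: '$CustomDomain' is a UPN suffix in forest $($forest.Name)"
} else {
    Write-Warning "'$CustomDomain' is not a UPN suffix; add it in AD Domains and Trusts"
}

# Enabled users whose UPN suffix differs (or is empty) will not map to the
# custom domain when they are synchronized; list them for clean-up.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { -not $_.UserPrincipalName -or $_.UserPrincipalName.Split('@')[1] -ne $CustomDomain }
Write-Host "Enabled users with a non-matching or empty UPN: $(@($mismatched).Count)"
$mismatched | Select-Object -First 10 SamAccountName, UserPrincipalName | Format-Table

# Step 1: the verification TXT record must be visible in public DNS before
# Azure can mark the domain as verified.
$txt = Resolve-DnsName -Name $CustomDomain -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -match '^MS=' }
if ($txt) { Write-Host "OK: verification TXT record found: $($txt.Strings -join ', ')" }
else      { Write-Warning "No 'MS=' TXT record for $CustomDomain yet (DNS may still be propagating)" }

# Step 3: once Azure AD Connect is installed, confirm the scheduler is on
# and trigger a delta sync instead of waiting for the next cycle.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $sched = Get-ADSyncScheduler
    Write-Host "Sync cycle enabled: $($sched.SyncCycleEnabled); next run (UTC): $($sched.NextSyncCycleStartTimeInUTC)"
    if ($sched.SyncCycleEnabled) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }
} else {
    Write-Host "ADSync module not present: run this part on the Azure AD Connect server after Step 3"
}
```

Run it once before Step 1 to catch UPN mismatches early, and again after Step 3 to confirm the first delta sync has been started.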