Azure AD Connect: Next steps and how to manage Azure AD Connect - Microsoft Entra (2023)

FAQs

How do I manage Azure AD Connect? ›

Start a scheduled synchronization task

Double-click on the Azure AD Connect desktop shortcut to start the wizard. Click Configure. On the tasks screen, select the Customize synchronization options and click Next. Enter your Azure AD credentials.

Microsoft AAD Connect can connect to multiple on-premises forests and can exchange organizations and synchronized the customer defined attributes but cannot use Forefront Identity Management synchronization rules. It takes care of all management processes and describes the configuration model.

Azure AD Connect supports syncing from multiple forests. However, it supports only one instance of Azure AD Connect syncing to AAD. Therefore, in cases where Azure AD is already installed in one forest, the existing instance of AAD Connect must be updated to sync from the additional forest.

Azure Active Directory Connect is made up of three primary components: the synchronization services, the optional Active Directory Federation Services component, and the monitoring component named Azure AD Connect Health.

Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.

The data movement can be of the following types: Offline transfer using shippable devices - Use physical shippable devices when you want to do offline one-time bulk data transfer.

AD DS Enterprise Admin credentials

If you are upgrading from DirSync, the AD DS Enterprise Admins credentials are used to reset the password for the account used by DirSync. You also need Azure AD Global Administrator credentials.

Azure AD Connect has two installation types for new installation: Express and customized. This topic helps you to decide which option to use during installation.

Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects.

How many Azure AD Connect can you have? ›

There should only be one active Azure AD Connect sync server at any time.

By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members.

Advantages and Benefits of Active Directory

Centralized resources and security administration. Single logon for access to global resources. Simplified resource location.

- [Instructor] The exam may test your knowledge of the identity types available in Azure Active Directory. And for the exam, there are four different identity types that you'll want to be familiar with: the user, service principle, managed identity, and device.

Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.

The sync service consists of two components, the on-premises Azure AD Connect sync component and the service side in Azure AD called Azure AD Connect sync service.

If you have a paid subscription to Microsoft 365, you also have a free Azure AD subscription. You can use Azure AD to create and manage user and group accounts. To activate this subscription, you have to complete a one-time registration. Afterward, you can access Azure AD from your Microsoft 365 admin center.

To open Synchronization Service Manager, go to Start menu and type Synchronization Service. It should appear under the Azure AD Connect. In the Synchronization Service Manager console, under Operations tab, you can monitor the synchronization progress.

Add your custom domain name to Azure AD

After you create your directory, you can add your custom domain name. Sign in to the Azure portal using a Global administrator account for the directory. Search for and select Azure Active Directory from any page. Then select Custom domain names > Add custom domain.

How do I enable SSO in Azure AD Connect? ›

Sign in to the Azure Active Directory administrative center with the Hybrid Identity Administrator or hybrid identity administrator credentials for your tenant. Select Azure Active Directory in the left pane. Select Azure AD Connect. Verify that the Seamless single sign-on feature appears as Enabled.

In addition to the graphical user interface offered at the Azure Portal, we have the ability to manage and interact with Azure via Azure Powershell, Azure Command Line Interface (CLI), Azure Cloud Shell, and the Azure Mobile Application available on iOS and Android platforms.

The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

Azure supports three approaches to deploying cloud resources - public, private, and the hybrid cloud.

Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects.

Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.

Azure Active Directory Domain Services (Azure AD DS), part of Microsoft Entra, enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.

Looking for the latest versions? You can upgrade your Azure AD Connect server from all supported versions with the latest versions: You can download the latest version of Azure AD Connect 2.0 from the Microsoft Download Center.

Azure AD Connect automatic upgrade is a feature that regularly checks for newer versions of Azure AD Connect. If your server is enabled for automatic upgrade and a newer version is found for which your server is eligible, it will perform an automatic upgrade to that newer version.

Can Azure AD have multiple domains? ›

Yes, you can sync users from multiple domains, in multiple forests to single Azure AD tenant. When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server.

We can have many domain controllers in same domain. Do you have two domain controllers on same domaine xyz.com or two domain using the same name? If you have two domain controllers in same domain, you don't need to migrate objects , because all domain controllers in same domain share the same objects.

The synchronization process is one way / unidirectional by design. There's no reverse synchronization of changes from Azure AD DS back to Azure AD.

No licensing is needed to install AAD Connect and get all your AD users and groups syncing with AAD.

A directory can have many subscriptions associated with it, but only one tenant.

It can run under a Virtual Service Account (VSA), a Managed Service Account (gMSA/sMSA), or a regular User Account. The supported options were changed with the 2017 April release and 2021 March release of Azure AD Connect when you do a fresh installation.

We guarantee that Azure Firewall will be available at least 99.95% of the time, when deployed within a single Availability Zone. We guarantee that Azure Firewall will be available at least 99.99% of the time, when deployed within two or more Availability Zones in the same Azure region.

The object limit for Azure AD Free version is by default 50,000. If you add a custom domain to your Azure AD tenant, this limit is extended to 300,000 automatically.

Users, groups, and computer accounts (security principals) can be members of a maximum of approximately 1,015 groups.

What are the 3 main components of an Active Directory? ›

AD has three main tiers: domains, trees and forests. A domain is a group of related users, computers and other AD objects, such as all the AD objects for your company's head office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.

The Active Directory structure is comprised of three main components: domains, trees, and forests. Several objects, like users or devices that use the same AD database, can be grouped into a single domain. Domains have a domain name system (DNS) structure.

With cloud authentication, you can choose from two options: Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.

AD Authentication and LAPD

The simple authentication method involves three approaches: anonymous authentication, unauthenticated authentication, and name/password authentication.

Custom Connector: A Generic LDAP Connector enables you to integrate the Azure AD Connect synchronization service with an LDAP v3 server. It sits on Azure AD Connect. Active Directory: Active Directory is a directory service included in most Windows Server operating systems.

Azure AD Connect has two installation types for new installation: Express and customized. This topic helps you to decide which option to use during installation.

The Global Administrator role is not required after the initial setup and the only required account will be the Directory Synchronization Accounts role account.

To open Synchronization Service Manager, go to Start menu and type Synchronization Service. It should appear under the Azure AD Connect. In the Synchronization Service Manager console, under Operations tab, you can monitor the synchronization progress.

The user name shows the Azure AD Connector account. Another way to check the Azure AD Connector account is to sign in to Microsoft 365 admin center. Navigate to Health > Directory sync status. The Directory sync service account shows the Azure AD Connector account.

If you want to install a newer version of Azure AD Connect: close the Azure AD Connect wizard, uninstall the existing Azure AD Connect, and perform a clean install of the newer Azure AD Connect.

What is the difference between Azure AD Connect and Azure AD Sync? ›

Azure AD Connect Cloud Sync has many of the same features and capabilities as Azure AD Connect with the following differences: Lightweight agent installation model. Adds high availability using multiple agents. Synchronizes directory changes more frequently than Azure AD Connect.

Verifying Azure AD Connect in the Azure AD Admin Center

First, log in to the portal. Then, go to Azure Active Directory —> Azure AD Connect. Under the Azure AD Connect sync section, you should see the current status of the directory sync.

A full sync checks all objects across AD. A delta sync only checks and syncs changes since the last run. To start a full sync, you can use the Start-AdSyncSyncCycle cmdlet. Use the PolicyType parameter to choose either Full or Delta depending on the sync you'd like to initiate.

There should only be one active Azure AD Connect sync server at any time.

Export Azure AD Connect settings

By default, the settings are exported to %ProgramData%\AADConnect. You also can choose to save the settings to a protected location to ensure availability if a disaster occurs.

Start the Azure AD Connect wizard. Navigate to the Additional Tasks page, select Troubleshoot, and click Next. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot Object Synchronization.