Azure Active Directory Connect Guide
Office 365 provides a tool called Azure AD Connect that can integrate on premise AD users with Office 365. Azure AD Connect is most commonly used to achieve password sync from AD to Office 365. Azure AD Connect can also be used to achieve full ADFS but it is important to note that AppRiver can only provide assistance with the basic password sync feature.
The minimum system requirements to use Azure AD Connect are as follows:
1. The AD schema version and forest functional level must be Windows Server 2003 or later.
2. Azure AD Connect must be installed on Windows Server 2008 or later. NOTE: Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials.
3. The latest patches and updates should be applied to the server before attempting to install Azure AD Connect.
4. The server Azure AD Connect is to be installed on must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later.
5. You must have Enterprise Admin credentials for the server where Azure AD Connect is to be installed.
More details about the prerequisites for Azure AD Connect can be found in the following article.
DirSync VS ADSync
The original AD Sync tool was called DirSync and it has been replaced with Azure AD Connect. If you run across a client that is still using DirSync they should upgrade to Azure AD Connect. When upgrading to Azure AD Connect from DirSync the wizard automatically detects DirSync and transfers all of their settings to Azure AD Connect.
Azure AD Connect can be downloaded from the following link:
The following articles discusses the upgrade process from DirSync to Azure AD Connect.
Preparing to Sync
- We always recommend that clients setup their users and license them in the Office 365 portal before installing or syncing with Azure AD Connect. This is because mailbox provisioning issues can occur if users are synced with AD first and previously had an on premise mailbox. By creating the user and assigning the license in Office 365 first the mailbox can be provisioned properly then synced with AD a later time.
- We highly recommend configuring Organizational Unit filtering when using AD Sync. This is because many AD objects are created automatically by the system and they do not need to be synced to O365. When running the Azure AD Connect wizard you should choose the Custom setup option. The custom setup will provide more options that includes OU filtering as well.
- It is critical that administrators prepare their Active Directory users before setting up Azure AD Connect. Specifically, the following attributes should be populated with the correct information to match the Office 365 users.
- In order for users to sync properly the Administrator must ensure that the ProxyAddresses attribute in AD is populated with "SMTP:firstname.lastname@example.org" where email@example.com equals the O365 Primary Smtp Address.
- The UserPrincipalName (UPN) attribute in AD corresponds to the login address in Office 365. Many local Active Directories have a .local domain being used for the UPN addresses. A .local domain cannot be added to Office 365 so if users with a .local UPN are synced their login addresses will change to firstname.lastname@example.org because something.onmicrosoft.com is the initial domain. In this case you can change the Office 365 login addresses back to the correct domain through Powershell.
- The following article will walk you through installing our Pshell for O365 app that makes it easy to connect to O365 in Powershell.
- Once connected to Office 365 via Powershell the command to change the login address is shown below.
- We can also assist with updating the login addresses in bulk if you contact AppRiver support.
More info on the attributes that sync and the requirements for certain attributes can be found in the following article.
Starting the AD Sync Process
To start the Azure AD Connect installation process log into the Office 365 Admin portal then click on Settings > Services and Add-ins > click Directory Synchronization > click Go to the Dirsync readiness wizard > this will start the Azure AD Connect installation wizard.
NOTE: The Azure AD Connect sync will only run once every 30 min by default. An Admin may need to manually force a sync at some point or restart the sync if issues seem to be occurring. The following steps will walk them through forcing a manual sync.
In Powershell, run commands:
Start-ADSyncSyncCycle -PolicyType Initial
The following article also provides more information on the Azure AD Connect sync process.
Troubleshooting AD Sync
If Azure AD Connect is not syncing or seems to be having issues the following steps should be used for troubleshooting. The steps will restart the sync service, verify credentials, and force a manual sync.
1. Go through the Azure Ad Connect wizard again to ensure credentials are correct.
2. Restart the service – Microsoft Azure AD Sync
3. In Powershell, run commands:
Start-ADSyncSyncCycle -PolicyType Initial
Disabling AD Sync
In some case it may be necessary to disable AD Sync. The easiest way to disable the syncing process is by running a command in Powershell. Note: When AD Sync is disabled with the command below any synced users or groups are changed back to In Cloud objects.
The following article will walk you through installing our Pshell for O365 app that makes it easy to connect to O365 in Powershell.
Once connected to Office 365 via Powershell the command to disable AD Sync is shown below.
Set-MsolDirSyncEnabled -EnableDirSync $false
After the above command is ran you will also want to remove the Azure AD Connect program from the server where it was installed. You can do this by going to Control Panel > Programs and Features > select Azure AD Connect then click Uninstall.