This series covers configuring a Microsoft 365 environment.

 

In this post we’ll integrate on-premises AD with Azure AD using Azure AD Connect. The sign-on method we’re going to use is Pass-through Authentication.

 

Existing setup done:

  1. Two local users created

 

Existing Devices:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (to be Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (to be Intune Managed)

 

 

Creating a new user ID which we will use in Azure AD Connect configuration:

Navigate to Active Directory Users and Computers -> Users.

Right click, select New -> User.

 

Enter the details. In my case I have used AAD_Connect. Click Next.

 

Enter Password and click Next.

 

Click Finish.

 

Assign the account created above the necessary rights

Start Group Policy Management and edit Default Domain Policy. You can also create a separate GPO; since only the server that runs Azure AD Connect (SkyCON) needs these rights, a GPO linked to that server's OU keeps the grant limited to the one machine that needs it.

 

Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Right click Log on as a batch job and click Properties.

 

Check Define these policy settings. Click Add User or Group… and select the user created above. Click OK. Defining a user right in a GPO replaces the whole list of holders of that right on every computer the GPO applies to rather than appending to it, so add any existing accounts that still need the right as well.

 

Right click on Log on as a service and click Properties.

 

Check Define these policy settings. Click Add User or Group… and select above created user. Click OK.
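The two steps above (create the service account, then grant it the two logon rights) as an added PowerShell example; this is not code from the original post. It assumes the RSAT ActiveDirectory module on SkyDC and the account name AAD_Connect used in the post. The rights check at the end is meant to be run in an elevated prompt on SkyCON, where the service will actually run, after the GPO has been linked.

```powershell
# Added example (not from the original post). Run the first part on SkyDC
# with the RSAT ActiveDirectory module; run the check on SkyCON as admin.
Import-Module ActiveDirectory

$name = 'AAD_Connect'   # account name used in the post

# Generate a long random password once. It is entered into the Azure AD
# Connect installer and never typed again, so it need not be memorable.
$plain  = -join (1..32 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $name -SamAccountName $name `
    -UserPrincipalName "$name@$((Get-ADDomain).DNSRoot)" `
    -Description 'Azure AD Connect service account' `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true
Write-Host "Created $name. Enter this password once in the installer: $plain"

# --- Check, on SkyCON, that the GPO actually granted the two rights ---
gpupdate /target:computer /force | Out-Null

# Resolve the account's SID without needing RSAT on SkyCON
$sid = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$name")).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
# secedit lists each right as e.g. "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105"
$lines = Get-Content $inf
foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') {
    $line    = $lines | Where-Object { $_ -match "^$right\s*=" }
    $granted = [bool]($line -and $line.Contains("*$sid"))
    '{0,-20} {1}' -f $right, $(if ($granted) { 'granted' } else { 'MISSING' })
}
Remove-Item $inf -Force
```

If either right reports MISSING on SkyCON, check the GPO link and scope before starting the installer; the installer's Use an existing service account option depends on these rights being in place on that server.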

 

 

In SkyCON machine:

Log on to Azure portal. Navigate to Azure Active Directory -> Azure AD Connect and click on Download Azure AD Connect.

 

A new page will open, click on Download button.

 

Start the installation.

 

Accept the license terms and click on Continue.

 

Click Customize.

 

Check Use an existing service account and enter the user account details that we created in the previous steps. Depending on your requirements, you can use the other installation options as well. Click Install.

 

Select the appropriate sign-on method. I have used the following:

Authentication method used: Pass-through authentication

Check Enable single sign-on and click Next; this option is required for Seamless Single Sign-On.

 

Enter your Azure AD global Administrator credentials and click Next.

 

Click on Add Directory.

 

Select Create new AD Account and enter your Enterprise Admin credentials. Click OK.

 

Click Next.

 

Select the appropriate on-premises attribute to use as the Azure AD Username. I have used userPrincipalName. Click Next.

 

Select appropriate option and click Next.

 

Select the appropriate options and click Next.

If you have a single forest on-premises, then the attribute you should use is objectGUID. This is also the attribute used when you use express settings in Azure AD Connect and also the attribute used by DirSync.

If you have multiple forests and do not move users between forests and domains, then objectGUID is a good attribute to use even in this case.

If you move users between forests and domains, then you must find an attribute that does not change or can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute.

Azure AD Connect (version 1.1.524.0 and after) now facilitates the use of ms-DS-ConsistencyGuid as sourceAnchor attribute. When using this feature, Azure AD Connect automatically configures the synchronization rules to:

    1. Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. ObjectGUID is used for other object types.
    2. For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn’t populated, Azure AD Connect writes its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts
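The sourceAnchor discussion above, turned into a check you can run against your own users. This is an added PowerShell example, not code from the post or from the linked Microsoft page; it assumes the RSAT ActiveDirectory module and that the ms-DS-ConsistencyGuid option was kept in the wizard. The helper name Test-SourceAnchor is chosen here.

```powershell
# Added example (not from the original post). Assumes the RSAT
# ActiveDirectory module; Test-SourceAnchor is a name chosen here.
Import-Module ActiveDirectory

function Test-SourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u  = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $cg = $u.'mS-DS-ConsistencyGuid'   # byte[] once written back, $null before that

    # Azure AD stores the anchor as ImmutableId = base64 of the 16 anchor bytes.
    # With the ms-DS-ConsistencyGuid feature that is the consistency GUID once it
    # exists; before write-back it is objectGUID (which is also what gets written).
    $anchorBytes = if ($cg) { [byte[]]$cg } else { $u.ObjectGUID.ToByteArray() }

    $state = if (-not $cg) { 'not populated (write-back pending)' }
             elseif ([guid][byte[]]$cg -eq $u.ObjectGUID) { 'equals objectGUID' }
             else { 'differs from objectGUID (user moved or restored?)' }

    [pscustomobject]@{
        User            = $u.SamAccountName
        ObjectGUID      = $u.ObjectGUID
        ConsistencyGuid = $state
        ImmutableId     = [Convert]::ToBase64String($anchorBytes)
    }
}

# Check every enabled user in the default Users container, where the post created its accounts
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase (Get-ADDomain).UsersContainer |
    ForEach-Object { Test-SourceAnchor -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

A row reporting "differs" is not by itself an error: carrying a stable anchor across a forest or domain move is exactly what the synthetic attribute is for. What you do want to confirm is that no two users share an ImmutableId and that a user's value does not change after the first export, because the anchor is immutable in Azure AD once the object exists there.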

 

Select appropriate option and click Next.

 

Select appropriate option and click Next.

 

Click on Enter credentials.

 

Enter your enterprise admin credentials and click OK.

 

Click Next.

 

Click Install.

 

It will take some time to complete the installation. Once it completes, click Exit.

 

In Azure AD:

Log on to Azure portal and check the Azure AD Connect section. You should see the status similar to above screenshot.

Check the Users section. You should see your on-premises users depending on your Azure AD Connect configuration.
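A scripted version of the two checks above (sync status on SkyCON, then the synced users in Azure AD), added here as an example rather than taken from the post. It assumes the ADSync module that the Azure AD Connect installer registers, the service name AzureADConnectAuthenticationAgent for the pass-through authentication agent, and the Microsoft.Graph.Users module for the last step; run it in an elevated prompt on SkyCON.

```powershell
# Added example (not from the original post). Run on SkyCON in an elevated
# prompt. Assumes the ADSync module installed by Azure AD Connect and, for
# the last step, the Microsoft.Graph.Users module.
Import-Module ADSync

# 1. Both services must be running: the sync engine and the pass-through
#    authentication agent (agent service name as assumed in the lead-in).
Get-Service -Name ADSync, AzureADConnectAuthenticationAgent |
    Select-Object Name, Status, StartType

# 2. The scheduler should be enabled, not suspended and not in staging mode
#    (staging mode imports and syncs but exports nothing to Azure AD).
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, SchedulerSuspended,
                  NextSyncCycleStartTimeInUTC

# 3. Connectors present (one on-premises AD, one Azure AD) and any run in progress
Get-ADSyncConnector | Format-Table Name
Get-ADSyncConnectorRunStatus

# 4. Trigger a delta sync instead of waiting for the next scheduled cycle
Start-ADSyncSyncCycle -PolicyType Delta

# 5. On the Azure AD side, list only the directory-synced users and their anchors
Connect-MgGraph -Scopes 'User.Read.All'
Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All `
    -Property DisplayName, UserPrincipalName, OnPremisesImmutableId, OnPremisesLastSyncDateTime |
    Select-Object DisplayName, UserPrincipalName, OnPremisesImmutableId, OnPremisesLastSyncDateTime
```

If a user you expect is missing from step 5, check OU filtering in the Azure AD Connect wizard first; if the user appears but OnPremisesLastSyncDateTime is stale, look at the run status in step 3 and at the Synchronization Service Manager on SkyCON for export errors.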

Next Action: Assign the appropriate licenses to users.
