There are several requirements for using Azure AD Connect, and I have summarized them below.
You need a Microsoft Entra tenant.
Your on-premises AD domain needs to have a routable domain, or the user accounts need a registered UPN suffix that matches the verified domain in your tenant. For example, if your on-premises domain is .local then you have a problem. This is not a routable domain and will be different from your registered Entra tenant.
Entra Connect must be installed on a domain-joined server running Windows Server 2022, 2019 or 2016.
The Active Directory schema version and forest functional level must be Windows Server 2003 or higher.
The domain controller used by Entra Connect must be writable.
The server must run a full GUI installation of Windows Server.
You will need your Microsoft Entra Global Administrator account during the installation.
Step 4. On the Install required components screen, make your selection and click “Install”. In most cases you will not need to select anything on this screen.
Step 5. On the User sign-in screen, select your sign on method and click “Next”. In most cases Password Hash Synchronization is used.
Step 6. Enter your Entra ID account that has the Global Administrator role and click “Next”.
You will be prompted to sign in with your Microsoft account.
Step 7. On the Connect your directories screen, under FOREST, select your directory and click “Add Directory”.
Step 8. Select “Create new AD account” and fill in the box with an account that has enterprise admin permissions. Then click “OK”.
By default, the install creates an account in your on-premises Active Directory named:
MSOL_<random characters>
The account is placed in the Users container by default (not in an OU). Here is a screenshot of the account that was created in my AD.
Configured Directories should now be listed. Click “next”.
Step 9. The Microsoft Entra Sign-in Configuration screen.
This screen is very important! To sign-in to Office 365 with the same credentials as your on-premises AD, a matching Microsoft Entra ID domain is required. Your on-premises AD should have a UPN suffix that is also a verified domain in Entra. Typically, the on-premises userPrincipalName attribute is used as the Microsoft Entra ID username.
Select “Continue without matching all UPN suffixes to verified domains” and click “Next”.
You will have suffixes in your on-premises AD that do not need to be verified, such as a subdomain or a .local domain. You can see in my screenshot below I have a verified domain “activedirectorypro.com” and one that is not verified.
Step 10. On the Domain and OU filtering screen choose to sync all domains and OUs or choose to select specific domains and OUs. I have a lot of test accounts in my domain so I will choose to select specific OUs. You can always go back and change the filtering options.
Step 11. On the Uniquely identify your users screen, select how users should be identified in your on-premises directories and select how users should be identified with Microsoft Entra ID. Click Next.
I’m leaving the default options selected.
Step 12. On the Filter users and devices screen select your option and click Next. The default selection (Synchronize all users and devices) is recommended unless you are testing or creating a pilot deployment.
Step 13. On the Optional features screen select your options and click “Next”. I’m leaving the default; you can come back later and add options as needed.
Step 14. Select “Start the synchronization process when configuration completes”. Click “Install”.
The installation can take several minutes to complete.
If you get a message that says “The Active Directory Recycle Bin is not enabled for your forest” then I highly recommend you enable it. See my article enable ad recycle bin for step by step instructions.
How to Check Entra Connect Sync Status
You can view the sync status by logging into the Microsoft Entra admin center, clicking “Entra Connect” in the side bar menu and then clicking “Connect Sync”.
Check Entra Connect Sync Status with PowerShell
On the server that has the Entra Connect sync tool installed you can run the following command.
Note: this command will not work in PowerShell 7.
Get-ADSyncScheduler
Exclude Users from Azure AD Connect Sync
What if you have users or groups that you don’t want to sync to the Azure cloud?
The easiest option is to use the Azure AD connect domain and OU filtering. If you need more advanced options such as excluding users based on an attribute you can use the synchronization rules editor.
The following steps will walk through excluding an OU from syncing.
1. Open Azure AD Connect.
2. Click Configure.
3. Click Customize synchronization options and click next.
4. Enter your Azure AD global administrator credentials.
5. Select your forest, it should already be selected, and click next.
6. Select “Sync selected domains and OUs”.
Next, uncheck any domains or OUs you want to exclude from syncing to Azure.
In this example, I’m going to uncheck my west.ad.activedirectorypro.com domain. This domain was for testing only and does not need to be synced. Under my ad.activedirectorypro.com domain I’m going to uncheck my test OUs. These OUs are test accounts that do not need to be synced.
When you are done click the next button.
7. On the Optional features page leave the default options selected and click next.
On the ready to configure screen click configure.
What happens to accounts in Azure if they are already synced?
If accounts have been synced to Azure and you then exclude them they will be deleted from Azure. In this guide, I initially synced my entire domain (over 8,000 accounts) to Azure. I then excluded several OUs that had around 5,000 accounts. When I exclude these OUs and user accounts they will be deleted from Azure. By default, there is a threshold of 500 accidental deletes. See the steps below for more details.
After I excluded over 5,000 users from Azure AD Connect, I got the following email alert.
If you want to continue with removing the accounts follow these steps.
1. Disable the Azure AD Connect sync deletion threshold with the following command.
Disable-ADSyncExportDeletionThreshold
2. Force start Azure AD Connect Sync
Use the following command to start the sync process.
Start-ADSyncSyncCycle -PolicyType Initial
3. Check the synchronization service status
Open the Synchronization service tool.
Look for export in the profile name. Click on it and view the export statistics and status. Mine is showing in-progress with 1320 deletes.
The deletion process can take a while if you have a lot of accounts. You may also get an email notification that the deletion threshold alert has been resolved.
4. When done deleting the accounts set the threshold back to 500 objects.
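The four steps above (and the Get-ADSyncScheduler status check from earlier) as one PowerShell session, added here as an example and not taken from the original article. It assumes an elevated Windows PowerShell 5.1 session on the Entra Connect server, and that the ADSync cmdlets Get-ADSyncExportDeletionThreshold and Enable-ADSyncExportDeletionThreshold are available (older builds may prompt for Entra credentials on these).

```powershell
# Added example: lift the export deletion threshold for one initial sync, then restore it.
# Run in an elevated Windows PowerShell 5.1 session on the Entra Connect server
# (the ADSync cmdlets do not load in PowerShell 7, as noted above).
Import-Module ADSync

# Record the current threshold setting first so the restore step is verifiable.
# Assumption: Get-ADSyncExportDeletionThreshold is available without extra credentials.
Write-Host "Current deletion threshold setting:"
Get-ADSyncExportDeletionThreshold | Format-List | Out-String | Write-Host

# Refuse to start while a cycle is already running (SyncCycleInProgress comes from Get-ADSyncScheduler).
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw "A sync cycle is already running; wait for it to finish before continuing."
}

# Step 1: disable the accidental-delete protection so more than 500 deletes can export.
Disable-ADSyncExportDeletionThreshold

try {
    # Step 2: force a full (initial) sync cycle so objects in the excluded OUs are removed from Entra ID.
    Start-ADSyncSyncCycle -PolicyType Initial

    # Step 3: poll the scheduler until the cycle finishes instead of watching the Synchronization Service GUI.
    # The first sleep gives the engine time to flip SyncCycleInProgress to true.
    do {
        Start-Sleep -Seconds 30
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
        Write-Host ("{0:HH:mm:ss} sync cycle in progress: {1}" -f (Get-Date), $inProgress)
    } while ($inProgress)
}
finally {
    # Step 4: always put the threshold back to the default 500 objects, even if the sync threw,
    # so the window during which mass deletes can export is as short as possible.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
    Write-Host "Deletion threshold restored:"
    Get-ADSyncExportDeletionThreshold | Format-List | Out-String | Write-Host
}
```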
When it comes to syncing your on-premises users to Azure there can be all kinds of different issues. Below are some options to help you troubleshoot and get more details on issues you may have.
1. Azure Active Directory Connect Health
In Azure, you can check for sync errors using the Azure AD Connect Health tool.
2. Azure AD Connect Troubleshoot
The troubleshooting wizard can help with the following:
Detect a user principal name (UPN) mismatch if the object is synced to Azure AD.
Check whether the object is filtered due to domain filtering.
Check whether the object is filtered due to organizational unit (OU) filtering.
Check whether the object sync is blocked due to a linked mailbox.
Check whether the object is in a dynamic distribution group that isn’t intended to be synced.
Many sync issues can be related to a network connection issue. The following are the two most common connection issues.
Connection to On-Premises Active Directory (Domain Controllers): The server running Azure AD Connect needs full connectivity to your domain controllers. Make sure the following Active Directory firewall ports are open between the servers.
53 (TCP/UDP)
88 (TCP/UDP)
135 (TCP/UDP)
389 (TCP)
445 (TCP)
49152–65535 (TCP/UDP)
Connection to Azure AD: The server that is running Azure AD Connect needs internet access to various Azure and Microsoft URLs. Refer to the document Office 365 URLs and IP Address ranges for a complete list.
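A quick way to confirm the domain controller ports listed above from the Azure AD Connect server, added here as an example rather than taken from the article. The domain controller names are constructed samples; Test-NetConnection only exercises TCP, so the UDP side of 53/88/135 and the dynamic RPC range are not covered by this check.

```powershell
# Added example: test the TCP firewall ports from the article's list against each domain controller.
param(
    # Constructed sample names; replace with your own DCs or discover them with
    # [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    [string[]]$DomainControllers = @('dc01.ad.example.com', 'dc02.ad.example.com')
)

# Fixed TCP ports from the list above. The 49152-65535 dynamic RPC range is not probed here:
# a single connect to one port in that range proves nothing, because RPC endpoints vary per service.
$Ports = [ordered]@{
    'DNS'          = 53
    'Kerberos'     = 88
    'RPC endpoint' = 135
    'LDAP'         = 389
    'SMB'          = 445
}

$results = foreach ($dc in $DomainControllers) {
    foreach ($entry in $Ports.GetEnumerator()) {
        # -InformationLevel Quiet returns a plain boolean for the TCP connect attempt.
        $ok = Test-NetConnection -ComputerName $dc -Port $entry.Value `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Service          = $entry.Key
            Port             = $entry.Value
            Reachable        = $ok
        }
    }
}

$results | Format-Table -AutoSize

# Summarise the blocked ports so the firewall request is actionable.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.DomainController):$($_.Port)" }) -join ', '
    Write-Warning "Blocked TCP ports: $list"
} else {
    Write-Host "All listed TCP ports are reachable from this server."
}
```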