
Integrate on-premises Active Directory domains with Microsoft Entra ID



Prerequisites

Before beginning the integration process, ensure the following:

  1. On-Premises Requirements:
    • Windows Server 2016 or later domain controllers.
    • Functional Active Directory domain and forest.
    • Properly configured DNS resolution for internal and external domains.
    • A global administrator account in Azure AD.
    • Enterprise or Global Admin account in Active Directory.
  2. Azure Requirements:
    • Azure AD tenant (included with Microsoft 365 or standalone).
    • Verified custom domain in Azure AD (e.g., contoso.com).
  3. Network Requirements:
    • Outbound HTTPS (TCP 443) access to Azure AD endpoints.
    • Time synchronization between on-prem and Azure systems.
  4. Server Requirements for Azure AD Connect:
    • Dedicated Windows Server (2016 or later recommended).
    • At least 4 GB RAM, 70 GB free disk space.
    • Installed with .NET Framework 4.6.2 or later.

Integration Methods

Azure AD Connect offers three main integration options:

  1. Password Hash Synchronization (PHS):
    • Hashes of user passwords are synchronized to Azure AD.
    • Easiest to set up and maintain.
    • Supports cloud authentication and SSO.
  2. Pass-Through Authentication (PTA):
    • Authentication requests are validated against on-prem AD in real time.
    • Passwords are not stored in Azure AD.
    • Supports SSO but requires additional agents.
  3. Federation with AD FS:
    • Full identity federation using Active Directory Federation Services.
    • Complex but provides maximum control.
    • Best for organizations with existing AD FS infrastructure.

Step-by-Step Integration

Step 1: Prepare Active Directory

  • Ensure all user UPNs (User Principal Names) match the verified Azure AD domain (e.g., user@contoso.com).
  • Clean up duplicate or invalid accounts.
  • Configure DNS suffixes for domain-joined devices if needed.
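The UPN check in Step 1 (and the "UPN mismatch" item under Troubleshooting) can be scripted before the first sync. The script below is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is available, that contoso.com is the verified Azure AD domain, and that the OU name is a placeholder.

```powershell
# Added example, not from the original article: audit UPN suffixes before the first sync.
# Assumes the ActiveDirectory RSAT module is installed and the script runs from a
# domain-joined admin workstation. Domain names and the OU below are placeholders.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com')                     # assumed: domains verified in Azure AD
$SyncScope       = 'OU=Corp Users,DC=contoso,DC=local'  # hypothetical OU selected for sync

function Get-UpnMismatch {
    param([string]$SearchBase, [string[]]$Verified)
    # Enabled users only; disabled accounts are normally outside the sync scope anyway.
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties UserPrincipalName, mail |
        Where-Object {
            $upn = $_.UserPrincipalName
            # Flag a missing UPN or a suffix Azure AD has not verified; such users
            # either fail to sync or end up with an *.onmicrosoft.com sign-in name.
            (-not $upn) -or ($Verified -notcontains ($upn -split '@')[-1].ToLower())
        }
}

function Repair-UpnSuffix {
    # Rewrites the UPN as sAMAccountName@<verified domain>. Supports -WhatIf so the
    # change can be reviewed first; UPNs must remain unique across the forest.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline)]$User, [string]$Domain)
    process {
        $newUpn = "$($User.SamAccountName)@$Domain"
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $User -UserPrincipalName $newUpn
        }
    }
}

# Report first: who would be skipped or renamed by Azure AD Connect.
$mismatched = Get-UpnMismatch -SearchBase $SyncScope -Verified $VerifiedDomains
$mismatched | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# Dry run of the fix: shows the intended change without touching AD. Remove -WhatIf to apply.
$mismatched | Repair-UpnSuffix -Domain $VerifiedDomains[0] -WhatIf
```

Run the report against every OU you plan to include in the sync scope, since Azure AD Connect only processes the OUs selected in Step 4.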

Step 2: Verify Domain in Azure AD

  1. Sign in to the Azure Portal.
  2. Navigate to Azure Active Directory > Custom domain names.
  3. Add your custom domain (e.g., contoso.com).
  4. Create the required TXT record in your public DNS.
  5. Verify the domain in the portal.

Step 3: Install Azure AD Connect

  1. Download the latest Azure AD Connect from Microsoft’s site.
  2. Install on the dedicated Windows Server.
  3. Run the installation wizard:
    • Select Express Settings for most scenarios (uses PHS).
    • Or choose Custom Settings to enable PTA or federation.

Step 4: Configure Synchronization

  • During setup, provide:
    • Azure AD Global Administrator credentials.
    • On-prem AD Enterprise Administrator credentials.
  • Choose the sign-on method (PHS, PTA, or Federation).
  • Select the OU(s) or groups to synchronize.

Step 5: Initial Sync

  • Azure AD Connect performs the first synchronization.
  • Verify synchronization by logging into the Azure Portal > Azure AD > Users.
  • Ensure on-prem users appear in the cloud directory.

Step 6: Enable Seamless SSO (Optional)

  • In the Azure AD Connect wizard, select Enable Seamless SSO.
  • This allows users on domain-joined devices to sign in without re-entering credentials.

Post-Integration Tasks

  • Test login for synchronized accounts in Microsoft 365.
  • Set up Conditional Access Policies to control which users, devices, and locations can sign in.
  • Enable Multi-Factor Authentication (MFA).
  • Monitor sync health using Azure AD Connect Health.

Troubleshooting

  • Users not syncing: Check OU filtering in Azure AD Connect.
  • UPN mismatch: Ensure UPN suffixes match verified Azure AD domains.
  • Password sync failures: Verify Azure AD Connect service account permissions.
  • Connectivity issues: Confirm firewall rules allow HTTPS outbound traffic.

Best Practices

  • Deploy Azure AD Connect in staging mode first for testing.
  • Regularly update Azure AD Connect to the latest version.
  • Limit synchronization scope to necessary OUs.
  • Back up Active Directory and the Azure AD Connect configuration before making major changes.
  • Document integration settings for disaster recovery.

📘 Summary:
By integrating on-premises Active Directory with Azure Active Directory, organizations gain a hybrid identity solution that simplifies authentication, improves security, and enables seamless access to cloud services. Azure AD Connect provides multiple integration methods to meet different security and infrastructure needs.