Azure AD Connect deployment with Password Synchronization & SSO


I had a project to migrate Exchange 2007 to Office 365 (Exchange Online) for a customer.

Azure AD Connect was deployed in preparation for the migration.  This article covers the installation and customisation options chosen.

Download the latest version of Azure AD Connect (in this case it's v1.1.750.0, released 22.03.18).

Launch the installer (AzureADConnect.msi).


Check I agree to the license terms and privacy notice.  Click Continue.


I’m performing an installation using Custom Settings, as I want to change the on-premises attribute to use as the Azure AD username, and enable password writeback.  These aren’t available with the Express Settings installation.  Click Customize.


Required Components

I’m happy for Azure AD Connect to set up everything automatically (i.e. install & configure a SQL Server 2012 Express LocalDB instance, create the appropriate groups, assign permissions).  Click Install.


User sign-in

I’m enabling Password Synchronization, this allows users to sign into Office 365 (and other Microsoft cloud services), using their local AD account password.  Passwords are synchronised to Azure AD as a password hash and authentication occurs in the cloud.

I’m also enabling single sign-on (SSO).  This option is available with the Password Synchronization and Pass-through Authentication user sign-in methods.

Check Password Synchronization and Enable single sign-on.  Click Next.


Connect to Azure AD

Enter the credentials for an Azure AD Global Administrator.  I always use an account in the default domain.  The credentials are used one time only, to create a service account in Azure AD.  Click Next.

Example of service account created in Azure AD:
X500ADC01v is the name of the Azure AD Connect Server.


Sync: Connect your directories

From the Forest drop-down box, select the appropriate forest (in this case it's a single forest), click Add Directory.


Check Create new AD account.  The Azure AD Connect wizard will create the AD DS account required by Azure AD Connect for connecting to the AD forest during directory synchronisation.

Enter credentials for an account with Enterprise Admin permissions.  The credentials are used one time only, to create the required AD DS account.

Enter the credentials, click OK.

Example of AD DS account created in local AD:


The directory has been added successfully.  Click Next.


Sync: Azure AD sign-in

I want users to sign-in to Office 365 using their corporate email address.

My local AD domain is x500.local, and users have usernames in the format firstname+initial of lastname, e.g. SteveB, EricaB, LouisB.

Email addresses are  I could add an additional UPN suffix of into AD and change users to have that as their UPN; however, usernames still wouldn’t match email addresses.

Therefore, I’m changing the on-premises attribute to use as the Azure AD username from the default: userPrincipalName to: mail.


Select mail.  Click Next.
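Before switching the username attribute to mail, it is worth confirming that every user in scope has a populated, unique mail value in a domain the tenant has verified; otherwise those users fail to synchronise or end up with an onmicrosoft.com sign-in name. The PowerShell below is an added example (not from the original post); it assumes the ActiveDirectory RSAT module is available and that $VerifiedDomains (a placeholder value) lists the tenant's verified domains.

```powershell
# Added example (not from the original post): pre-sync check of the mail attribute,
# which this deployment uses as the Azure AD username instead of userPrincipalName.
# Assumes the ActiveDirectory RSAT module; $VerifiedDomains is a placeholder and must
# be replaced with the domains verified in the Azure AD tenant.
Import-Module ActiveDirectory

$VerifiedDomains = @('example.com')   # placeholder: your tenant's verified domains

# Users in scope for synchronisation (the post syncs all domains and OUs).
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties mail, userPrincipalName

# 1. Users with no mail value would have no usable Azure AD sign-in name.
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# 2. mail must be unique across the directory: a duplicate value causes a
#    sync error for the second object that carries it.
$dupMail = @($users | Where-Object { $_.mail } |
    Group-Object { $_.mail.ToLower() } | Where-Object { $_.Count -gt 1 })

# 3. The domain part must be verified in Azure AD, otherwise the user is given a
#    <tenant>.onmicrosoft.com sign-in name and will not match their email address.
$badDomain = @($users | Where-Object {
    $_.mail -and ($VerifiedDomains -notcontains ($_.mail.Split('@')[-1].ToLower()))
})

"Users without mail:        $($noMail.Count)"
$noMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

"Duplicate mail values:     $($dupMail.Count)"
$dupMail | ForEach-Object { "  $($_.Name): $($_.Group.SamAccountName -join ', ')" }

"Mail in unverified domain: $($badDomain.Count)"
$badDomain | Select-Object SamAccountName, mail | Format-Table -AutoSize
```

Run it on the Azure AD Connect server (or any domain-joined host with RSAT) before the first sync, and fix any listed users in AD so the initial export does not produce errors.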


Sync: Domain and OU filtering

The default option is Sync all domains and OUs.  I’m happy to go with this option as there aren’t any OUs that I don’t want to synchronise to Azure AD.  Click Next.


Sync: Identifying users

This is a single forest, so I don’t need to worry about identities existing across multiple directories.  Click Next.


Sync: Filtering

This isn’t a pilot so there is no need to configure filtering.  Click Next.


Sync: Optional Features

I’ve checked Password writeback; as mentioned earlier, this is one of the reasons why I chose a Custom Installation.  Click Next.


Single sign-on

Earlier I specified SSO.  Click Enter credentials.


Enter credentials of an account with Domain Admin permissions.  The credentials are used one time only, to create a computer account in the forest.  Click OK.


Computer Account created in local AD:

SSO is now enabled, click Next.



Check Start the synchronization process when configuration completes.  Click Install.


Configuration is complete.  Click Exit.


