I had a project to migrate Exchange 2007 to Office 365 (Exchange Online) for a customer.
Azure AD Connect was deployed in preparation for the migration. This article covers the installation and customisation options chosen.
Download the latest version of Azure AD Connect (in this case it's v1.1.750.0, released 22.03.18).
Launch the installer (AzureADConnect.msi).
Check I agree to the license terms and privacy notice. Click Continue.
I'm performing an installation using Custom Settings, as I want to change the on-premises attribute used as the Azure AD username and enable password writeback. Neither option is available with Express Settings. Click Customize.
I'm happy for Azure AD Connect to set up everything automatically (i.e. install and configure a SQL Server 2012 Express LocalDB instance, create the required groups and assign permissions). Click Install.
I'm enabling Password Synchronization (password hash synchronization). This allows users to sign in to Office 365 (and other Microsoft cloud services) using their local AD account password. The cleartext password is never sent: a salted hash of the on-premises password hash is synchronised to Azure AD, and authentication takes place in the cloud.
I'm also enabling single sign-on (SSO). This option is available with the Password Synchronization and Pass-through Authentication user sign-on methods.
Check Password Synchronization and Enable single sign-on. Click Next.
Connect to Azure AD
Enter the credentials for an Azure AD Global Administrator. I always use a cloud-only account in the default onmicrosoft.com domain. The credentials are used one time only, to create a service account in Azure AD; they are not stored by Azure AD Connect. Click Next.
Example of service account created in Azure AD:
X500ADC01v is the name of the Azure AD Connect Server.
Sync: Connect your directories
From the Forest drop-down box, select the appropriate forest (in this case it's a single forest), then click Add Directory.
Check Create new AD account. The Azure AD Connect wizard will create the AD DS account required by Azure AD Connect for connecting to the AD forest during directory synchronisation. Because password hash synchronization is enabled, this account is granted directory replication permissions (Replicating Directory Changes and Replicating Directory Changes All), which is enough to extract every password hash in the domain, so treat the account and the Azure AD Connect server with the same care as a domain controller.
Enter credentials for an account with Enterprise Admin permissions. The credentials are used one time only, to create the required AD DS account.
Enter the credentials, click OK.
Example of AD DS account created in local AD:
The directory has been added successfully. Click Next.
Sync: Azure AD sign-in
I want users to sign in to Office 365 using their corporate email address.
My local AD domain is x500.local, and users have usernames in the format firstname + initial of lastname, e.g. SteveB, EricaB, LouisB.
Email addresses are firstname.lastname@example.org. I could add an additional UPN suffix of x500.co.uk to AD and change users' UPNs to use it; however, usernames still wouldn't match email addresses.
Therefore, I'm changing the on-premises attribute used as the Azure AD username from the default (userPrincipalName) to mail. Microsoft refers to this as signing in with an Alternate ID. Two things must hold for every synchronised user: the mail attribute must be populated and unique, and its domain part must be a verified domain in the Azure AD tenant, otherwise that user's Azure AD username falls back to the tenant's onmicrosoft.com domain.
Select mail. Click Next.
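Before committing to mail as the Azure AD username, it is worth checking the directory for the conditions above. The following is an added example (not from the original article) that reports enabled users whose mail attribute is empty, malformed, duplicated, or in a domain that is not verified in the tenant. It assumes the ActiveDirectory RSAT module is available and that `$VerifiedDomains` (a constructed value here) is filled in from the tenant's verified custom domain names.

```powershell
# Added example, not part of the original article.
# Pre-flight check for using 'mail' as the Azure AD username (Alternate ID).
Import-Module ActiveDirectory

# Constructed for the example: replace with the domains verified in your Azure AD tenant.
$VerifiedDomains = @('example.org')

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName

$report = foreach ($u in $users) {
    $mail    = $u.mail
    $problem = $null

    if ([string]::IsNullOrWhiteSpace($mail)) {
        $problem = 'mail attribute empty'
    } elseif ($mail -notmatch '^[^@\s]+@[^@\s]+$') {
        $problem = 'mail is not a single address'
    } else {
        $domain = ($mail -split '@')[1]
        if ($VerifiedDomains -notcontains $domain) {
            # Azure AD replaces an unverified suffix with <tenant>.onmicrosoft.com
            $problem = "domain '$domain' not verified in tenant"
        }
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.userPrincipalName
        Mail           = $mail
        Problem        = $problem
    }
}

# Two users with the same mail value would collide on the Azure AD UserPrincipalName
$dupes = $report | Where-Object Mail | Group-Object Mail | Where-Object Count -gt 1
foreach ($d in $dupes) {
    $report | Where-Object Mail -eq $d.Name |
        ForEach-Object { $_.Problem = "duplicate mail '$($d.Name)'" }
}

$report | Where-Object Problem | Format-Table -AutoSize
'{0} of {1} enabled users would not get a usable Azure AD username' -f @($report | Where-Object Problem).Count, $users.Count
```

Run it on a domain-joined admin workstation before the first sync; any user it lists will either fail to sign in with their email address or be created with an onmicrosoft.com username. Domain comparisons use PowerShell's default case-insensitive operators, which matches how Azure AD treats domain names.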
Sync: Domain and OU filtering
The default option is Sync all domains and OUs. I'm happy to go with this option as there aren't any OUs that I don't want to synchronise to Azure AD. If the directory contains OUs of service or privileged accounts that have no need for a cloud identity, excluding them here is simpler than cleaning them up after they have been synchronised. Click Next.
Sync: Identifying users
This is a single forest, so I don’t need to worry about identities existing across multiple directories. Click Next.
This isn’t a pilot so there is no need to configure filtering. Click Next.
Sync: Optional Features
I’ve checked Password writeback, as mentioned earlier this is one of the reasons why I chose a Custom Installation. Click Next.
Earlier I specified SSO. Click Enter credentials.
Enter the credentials of an account with Domain Admin permissions. The credentials are used one time only, to create a computer account (AZUREADSSOACC) in the forest. Seamless SSO relies on this account's Kerberos decryption key, so Microsoft recommends rolling the key over at least every 30 days. Click OK.
Computer Account created in local AD:
SSO is now enabled. Click Next.
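The wizard creates the AZUREADSSOACC account but nothing rotates its key afterwards. The following is an added example (not from the original article) that checks the key's age and, when it exceeds Microsoft's 30-day guidance, rolls it over using the AzureADSSO module that Azure AD Connect installs. It assumes it is run on the Azure AD Connect server, that the module is at its default path, and that the operator can supply Global Administrator and Domain Admin credentials when prompted.

```powershell
# Added example, not part of the original article.
# Check the age of the Seamless SSO Kerberos decryption key and roll it over if stale.
Import-Module ActiveDirectory

$ssoAcc  = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$ageDays = (New-TimeSpan -Start $ssoAcc.PasswordLastSet -End (Get-Date)).Days
'AZUREADSSOACC key last set {0} ({1} days ago)' -f $ssoAcc.PasswordLastSet, $ageDays

if ($ageDays -ge 30) {
    # Module shipped with Azure AD Connect; default install path assumed
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

    # Prompts for an Azure AD Global Administrator
    New-AzureADSSOAuthenticationContext

    # Domain Admin credentials are needed to reset the computer account's key on-premises
    $onPremCreds = Get-Credential -Message 'Domain Admin credentials (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $onPremCreds

    # Status is returned as JSON
    Get-AzureADSSOStatus | ConvertFrom-Json
}
```

Update-AzureADSSOForest resets the key on the AZUREADSSOACC account and pushes the new value to Azure AD in one step, so users are not affected. Scheduling this check is a better fit than remembering to run it by hand.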
Check Start the synchronization process when configuration completes. Click Install.
Configuration is complete. Click Exit.
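Once the wizard exits, the sync scheduler and the password hash sync setting can be confirmed from PowerShell rather than waiting for the first scheduled cycle. This is an added example (not from the original article) using the ADSync module that Azure AD Connect installs; it assumes it is run on the Azure AD Connect server and that the AD DS connector is named after the forest, x500.local, as the wizard does by default.

```powershell
# Added example, not part of the original article.
# Post-install verification of the sync scheduler, password hash sync, and a first delta sync.
Import-Module ADSync

# Scheduler state: cycle enabled, effective interval, and when the next cycle runs
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Password hash synchronization must be enabled on the AD DS connector (name assumed: x500.local)
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'x500.local'
'Password hash sync enabled: {0}' -f $phs.Enabled

# Only start a cycle if the engine is idle; a running cycle returns one entry per busy connector
if (Get-ADSyncConnectorRunStatus) {
    'A sync cycle is already running; not starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

A Delta cycle processes only changes since the last run; use `-PolicyType Initial` only if the full import needs to be repeated, as it re-reads the entire directory.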