Configure Active Directory Connect
We’re almost ready to synchronize our identities, but first we’ll create a new global admin (specifically for the new Azure AD Tenant) and use that account for AD Connect.
I will be creating a new Global Admin on my wilde.company Azure Active Directory Tenant and using that account in AD Connect to synchronize my on-premise users (userX@wilde.company).
- In Azure Portal > Azure Active Directory > Users and Groups > All Users > New User > Set Name, User name and Global Administrator as the Directory Role > Copy the password.
Noticed I have created a global administrator email@example.com
- Open up a private browsing/incognito session and log in as the global administrator you just created.
- In the Active Directory virtual machine (adVM), download Azure Ad Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594 and run the installer (you may need to change your internet zone settings to download the file). Agree > Continue > Customize > select Pass-through authentication (this means all authentications are completed using the on-premise Active Directory), select > Enable single sign-on (this means users that use devices that are Active Directory domain joined will be automatically logged into cloud applications seamlessly - a great feature!)
- Enter the Global Administrator details for the new Azure Active Directory Tenant > Next
I have used my firstname.lastname@example.org global admin
- Connect the Directories by allowing the AD Connect wizard to create an account for AD Connect to use. Add Directory > Create new AD Account > Enter new Username and Password > OK
I created a user of WILDECOMPANY.LOCAL\ADC for AD Connect to use when syncronising
- The on-premise and cloud directories are now connected! Next
- Notice the on-premise domain shows not added and the new Azure Active Directory public domain shows as verified. Next
- Choose what OU’s you want to sync.
All my users are in the Users organizational unit but you may seperate them out to remote/cloud/departmental groups.
- Choose how you want to uniquely identify your users > Next
I only have a single on-premise directory so the default options work but if you have multiple directory you need to choose what makes a user unique.
Again, for this lab we can synchronize all users but you could apply some filtering to only sync the users that would use the cloud.
- Password writeback > Next
I have selected password writeback (so any password changes in the cloud will replicate to on-premise) and have not selected password synchronization (so passwords are not actually stored in the cloud).
- Enable Single Sign on > authenticate with your local domain admin > Next
If you add Windows 10 devices to the on-premise domain they can be authenticated automatically with cloud applications.
- Confirm you want to start synchronization after the installation is complete > Install
- Notice the information displayed > Exit
- Let’s verify the connection, in the Azure portal > Azure Active Directory > AD Connect
Notice my sync status, seamless single sign-on and pass-through authentication are all enabled for wilde company.
- Users and Groups > All Users
Notice the new users and their usernames email@example.com, these have been synchronized from on-premise.
- Let’s test logging into the cloud as user1 by logging into the Microsoft Access Panel Applications - https://myapps.microsoft.com. This is where all the cloud and on-premise applications would be once they’ve been assigned, such as Office 365, Salesforce, Box, Docusign, Concur, etc
Example Access Panel Applications below
So to recap, we have created a new on-premise Windows Active Directory Domain (with a few users) > created a new Azure Active Directory Tenant > modified our on-premise users’ UPN Suffix (so they have a matching login to on-premises and the cloud) > configured AD Connect and extended our identites to the cloud.
Now we have connected our on-premise and cloud directories you can open up cloud functionality to those synchronized users!