To manage identities and authentication On-Premises in a Microsoft world, we usually use Active Directory Domain Services. This feature enables to create a directory to handle accounts for users, services or computers. The servers and workstations are joined to the Active Directory and then users can use a single credentials to authenticate in all applications. Depending on the application implementation, Kerberos or NTLM is used to accomplish the authentication.

In Web modern App, Kerberos or NTLM is not used to authenticate a user. Instead, they use things like oAuth 2, SAML and so on. So, our On-Premises Active Directory is incompatible with web application. To solve that, we can leverage Azure Active Directory (AAD). AAD is able to deliver authentication token based on oAuth2, SAML and so on. However (by default), it is incompatible with Kerberos and NTLM. So, we have two directories: one for modern web applications and another for On-Premises usage. In this state, because we have two directories, a single user has two credentials. Maybe we can use something to synchronize identities across these both directories? The answer is Azure AD Connect.

Azure AD Connect synchronizes your On-Premises accounts located in Active Directory with Azure Active Directory. In this way, a single user will have a single credentials to authenticate to On-Premises applications and also in modern web applications. In this topic, we’ll see how to implement Azure AD Connect.

Requirements

Before following this topic, you need a working Active Directory Domain Services and a working Azure AD tenant with a custom domain registered and verified. I have the following domain:

  • SeromIT.local: it’s my On-Premises domain name based on Windows Server 2019 (forest level Windows Server 2016)
  • SeromIT.com: it’s my Azure AD domain

To implement Azure AD Connect your need two accounts with the following permissions:

  • Azure AD side: an account with Global Administrator permissions
  • Active Directory Side: an account with Enterprise admins permissions.

I recommend you to deploy a dedicated server to install Azure AD Connect in full GUI edition (Core edition is not supported). For security reasons, I don’t recommend you to deploy Azure AD Connect on domain controllers.

I have to add the SeromIT.com domain as an alternative UPN suffix in Active Directory (On-Premises). To do so, connect to a server or a workstation with Active Directory consoles and open Active Directory Domain and Trusts console.

A screenshot of a video game Description automatically generated

Then do a right click on Active Directory Domains and Trust and select Properties.

A screenshot of a social media post Description automatically generated

Next add your Azure AD domain as an alternative UPN suffix.

A screenshot of a social media post Description automatically generated

Now in Active Directory user accounts, you can change the user UPN to your Azure AD domain name.

A screenshot of a social media post Description automatically generated

I ran the following script to change the UPN of all users in my Active Directory.

Deploy Azure AD Connect

First of all, you need to download Azure AD Connect here. Connect to the Azure AD Connect machine and run the Azure AD Connect wizard. Then click on Configure.

A screenshot of a cell phone Description automatically generated

Click on Customize to continue the wizard.

A screenshot of a social media post Description automatically generated

Because no Azure AD Connect was installed previously, the service will be installed. I leave the default settings and I click on Install.

A screenshot of a social media post Description automatically generated

Next you have to choose the Sign On method. If you have an AD FS and you want to use it to handle authentication tokens, select Federation with AD FS. For this topic, I select Password Hash Synchronization to synchronize the On-Premises password hash to Azure AD. In this way, a user will have single password across both directories. I enable also single sign-on.

A screenshot of a cell phone Description automatically generated

Next specify an Azure AD account with Global Administrator permissions.

A screenshot of a cell phone Description automatically generated

Then select your Active Directory domain to synchronize and click on Add Directory.

A screenshot of a cell phone Description automatically generated

The wizard asks you to create a new AD account for periodic synchronization for you. For that, you need to specify an Active Directory account with Enterprise Admins permissions.

A screenshot of a cell phone Description automatically generated

Next the wizard shows you both domains. It’s saying that local domain is not added to Azure AD domain. It makes sense because the local domain is not routable. This is why we added previously the Azure AD domain name as a UPN suffix in Active Directory and we changed all user UPNs.

A screenshot of a social media post Description automatically generated

Then select the OU you want to synchronize. I choose to synchronize only user accounts and groups.

A screenshot of a cell phone Description automatically generated

Next I leave all default settings and I click on Next.

A screenshot of a cell phone Description automatically generated

You can filter users and groups to synchronize only those you want. It’s useful for a pilot. I choose the synchronize everything.

A screenshot of a cell phone Description automatically generated

I enable Password writeback optional feature. Thanks to this feature, if a user change his password in Azure AD, it will be changed also in On-Premises directory.

A screenshot of a cell phone Description automatically generated

Then specify a domain administrator account to enable single sign-on.

A screenshot of a cell phone Description automatically generated

Finally, click on Install to run the first synchronization.

A screenshot of a cell phone Description automatically generated

If you look in your Azure AD, you should see the Azure AD Connect status to enabled.

A screenshot of a cell phone screen with text Description automatically generated

VSAN from StarWind eliminates any need for physical shared storage just by mirroring internal flash and storage resources between hypervisor servers. Furthermore, the solution can be run on the off-the-shelf hardware. Such design allows VSAN from StarWind to not only achieve high performance and efficient hardware utilization but also reduce operational and capital expenses.

Learn more about ➡ VSAN from StarWind

Once the synchronization is finished, you should retrieve your On-Premises account in Azure AD. You should also be able to authenticate with your On-Premises credentials to Azure AD.

A screenshot of a cell phone screen with text Description automatically generated

Views All Time
2
Views Today
7
Appreciate how useful this article was to you?
No Ratings Yet
Loading...
Back to blog
The following two tabs change content below.
Romain Serre
Romain Serre
Senior consultant at Exakis
Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).