- Exploring Azure AD Connect - Part 2: Configuring SSO with AD FS
- Exploring Azure AD Connect - Part 3: Configuring User and Password Writeback with Azure AD Premium
Exploring Azure AD Connect - Part 1: Express Installation
Hello Unified Communications (and Office 365) enthusiasts! With the launch of General Availability for the new Azure AD Connect for Office 365 by Microsoft recently, I wanted to dig into this awesome new tool in a three-post series. For those that are not yet aware, AAD Connect is the latest version of what was DirSync, and the new features allow for a much more fluid and fully-connected hybrid environment. Check out this Office Mechanics segment to see what's new with Azure AD Connect:
This first post is going to focus on connecting an Office 365 environment with an On-Prem environment using the Express Installation. Before we dive straight in, let's take a second to talk about what our environment actually looks like.
Office 365 Environment
Rather than using a full-blown Office 365 suite, I am working with only Skype for Business Plan 2 licensing. To start with, I have a single admin user: email@example.com. I have also added a test domain in called "s4blab.org", and setup all necessary DNS records through the Domain Add wizard within the Office 365 portal. Awesome!
On-Prem Lab Environment
My "On-Prem" environment is actually a virtual environment in Rackspace's Public Cloud. So far, the environment consists of:
- 1 Active Directory Domain Controller
- 1 Exchange Server (setup for later Demo of Exchange On-Prem to Skype for Business Online Hybrid configuration; stay tuned!)
- 1 small server for installing Azure Active Directory Connect
We will be expanding that a bit for ADFS in the other posts later in this series. So, let's get started with how to set this up!
Configuring Azure AD Connect: Express Installation
- First, get familiar with accessing your Azure AD. From within the Office 365 portal, on the left-side menu, navigate to: ADMIN -> Azure AD
- Once you have set up your profile for accessing Azure AD, you will see the below screen. As you can see, with Active Directory highlighted on the left, we can see that we have one directory currently setup, named "The MS UC Guy". This is the directory that was created with our Skype for Business Plan 2 subscription.
- Click on the name of your existing Azure Active Directory, Once you do this, you will see where you can manage your Users, Groups, Applications, Domains, Licenses, Reports, and Directory Integration! Click on Directory Integration, and you will see that Directory Sync is currently Deactivated, but that there are a series of steps to complete. First, since we have already added our "s4blab.org" domain, we go to Step 2, where we see we need to toggle the setting to "Activated".
- Once this is done, We go to Step 3, where we are instructed to download the sync tool. DO NOT DO THIS from this area in the portal (at the time of this posting, anyway), as the sync tool available for download is not the new and improved Azure AD Connect. Instead, you can download the new tool from here: https://www.microsoft.com/en-us/download/details.aspx?id=47594
- Once you have downloaded Azure AD Connect onto the VM in your On-Prem lab, double-click it to get started. You will have to agree to the license terms, etc, on the first screen, and then you will see the below screen after clicking Continue:
- After clicking on "Use express settings", you will briefly see the wizard install other required components before bringing you to the Connect to Azure AD screen. At this screen, you need to input credentials with Global Admin access to your Office 365 subscription. I would advise using credentials that are setup as such: firstname.lastname@example.org, I tried using credentials from the domain that I was about to sync (@yourdomain.com), and I received an error about the account being in the same forest.
- The next screen is where you input your Domain Admin credentials for your On-Prem Active Directory environment. These creds will obviously be from the domain that you are attempting to sync to Office 365.
- Finally, you are presented with the Ready to configure screen. This screen reviews the actions that are about to be taken, allows you run the sync after installation is complete via a checkbox, and then lastly offers a checkbox for you to specify whether or not this is intended to be an Exchange Hybrid Deployment. This would be that I intended to have Exchange accounts both within Office 365, AND On-Prem. Since I do not intend to do that (remember, I only have Skype for Business Plan 2 licences at this point), I will leave it in the default un-checked state, and then click Install:
- At this stage, several components get configured, and the screen updates you as it installs and configures each component:
- Lastly, the wizard reports that configuration is complete, and it instructs you to log into Azure AD to check on the status of the synchronized accounts. You can now click Exit.
At this stage, the Azure AD Connect wizard is complete, all required components have been installed on-prem, and we should now be able to go into Office 365 to check on the status of our Synced accounts. Below, while in USERS -> Active Users within the Office 365 portal, you can see a few users that I created in my On-Prem environment (marked by the orange arrows). These users also have a Status of Synced with Active Directory. Respectively, we have Captain Awesome (email@example.com), Josh B (firstname.lastname@example.org), and Princess Toadstool (email@example.com). You will also notice a good handful of Exchange-related accounts that were synced, and finally the "On-Premises Directory Synchronization Service Account" that was created by this process.
Also, if we go to our Azure AD portal, we can now see that our last sync was less than an hour ago, that Synchronization is Activated, and that we are good to go.
It is important to note, at this point, that while we have synced our AD, we have NOT enabled Single Sign-On (SSO). We have simply made it so that our usernames and passwords that lived on-prem are now synced to Office 365. Those users can now be assigned Skype for Business licenses (or whatever other Office 365 licenses we might buy), and can log into a Skype for Business client using the same credentials that they log into their on-prem resources with, like an Exchange mailbox, or their desktop.
Stay tuned for further exploration of the Azure AD Connect tool, including SSO capabilities, and it's awesome new Writeback features!
Stay techy, my friends!