Windows Server 2016 or later (domain controller or member server).
Forest and domain functional level: Windows Server 2003 or later.
A global admin account in Azure AD.
An enterprise or domain admin account in AD DS.
DNS properly configured (DC reachable by name).
Time synchronization between on-prem and Azure.
Outbound HTTPS (TCP 443) to:
login.microsoftonline.com
graph.windows.net
secure.aadcdn.microsoftonline-p.com
Allow connections to Azure AD endpoints.
Minimum specs:
4 GB RAM
70 GB free disk
1.6 GHz CPU (x64)
The sync server must be joined to your AD DS domain (a member server of that domain).
Go to:
https://www.microsoft.com/en-us/download/details.aspx?id=47594
Run the installer on your dedicated sync server (recommended, not your DC).
Accept license terms and click Continue.
Express Settings (recommended for single forest)
Installs with default sync options, synchronizing all users, groups, and passwords.
Custom Settings (recommended for multiple forests or filtered sync)
Lets you customize:
Domain/OU filtering
Sign-in method
Password writeback
Azure AD app and attribute mapping
Select Custom if you need to configure special sign-in (like PTA, federation, etc.).
Choose one of the following:
| Method | Description |
|---|---|
| Password Hash Synchronization (PHS) | Easiest, hashes stored in Azure AD |
| Pass-through Authentication (PTA) | Authenticates against on-prem AD in real time |
| Federation (ADFS) | Uses Active Directory Federation Services for SSO |
| Seamless SSO | Automatically signs users in when on the corporate network |
For most setups, use PHS + Seamless SSO.
Sign in with your Azure AD Global Admin credentials.
Add your on-premises AD forest and authenticate with a domain admin account.
Azure AD Connect will verify schema and connectivity.
OU Filtering → Choose specific OUs (e.g., only Users or ServiceAccounts).
UPN Matching → Ensure UPN suffix matches verified domain in Azure.
Password Sync → Enable “Password Hash Synchronization”.
Device Writeback → Optional (for Hybrid Join).
Exchange Hybrid Deployment → Enable if you plan to hybridize Exchange.
Finish the wizard and select Start synchronization process when configuration completes.
Once completed, open Synchronization Service Manager (Start → “Synchronization Service”).
Verify the sync cycles:
Initial Sync: Full import and synchronization.
Delta Sync: Occurs every 30 minutes by default.
You can manually trigger:
Start-ADSyncSyncCycle -PolicyType Delta
Log in to Microsoft Entra Admin Center → Users → All Users.
Confirm synced users appear with “Synced with Active Directory” in the source field.
Test sign-in using synced credentials.
| Feature | Description |
|---|---|
| Password Writeback | Allows password resets in Azure to sync back to AD. |
| Group Filtering | Sync only certain groups. |
| Staging Mode | Secondary sync server for failover. |
| Hybrid Azure AD Join | Devices join both on-prem and Azure AD. |
View current sync schedule:
Get-ADSyncScheduler
Force full sync:
Start-ADSyncSyncCycle -PolicyType Initial
Check service status:
Get-Service ADSync
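The post-install checks above (service status, scheduler, sync cycle) gathered into one function. This is an added example, not part of the original guide; it assumes it runs elevated on the sync server where the ADSync module installed by Azure AD Connect is available, and the function name Test-ADSyncHealth is an assumption of this example.

```powershell
# Added example: health check for an Azure AD Connect sync server.
# Assumes the ADSync module (installed with Azure AD Connect) is present
# and the script runs elevated on the sync server itself.
#Requires -RunAsAdministrator
Import-Module ADSync -ErrorAction Stop

function Test-ADSyncHealth {
    [CmdletBinding()]
    param(
        # Trigger a delta cycle after the checks (off by default).
        [switch]$StartDelta
    )
    $result = [ordered]@{}

    # 1. The guide recommends a dedicated member server, not a DC.
    #    Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    $result.IsDomainController = ($role -ge 4)

    # 2. No sync cycle can run unless the ADSync service is up.
    $svc = Get-Service ADSync -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 3. Scheduler: enabled flag, staging mode, effective interval
    #    (30 minutes by default) and next start time.
    $sched = Get-ADSyncScheduler
    $result.SyncCycleEnabled = $sched.SyncCycleEnabled
    $result.StagingMode      = $sched.StagingModeEnabled
    $result.IntervalMinutes  = $sched.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
    $result.NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
    $result.SyncInProgress   = $sched.SyncCycleInProgress

    # 4. Expect one connector for the on-prem forest and one for Azure AD.
    $result.Connectors = (Get-ADSyncConnector | Select-Object -ExpandProperty Name) -join '; '

    # 5. Optionally start a delta sync, but never on top of a running cycle.
    if ($StartDelta) {
        if ($sched.SyncCycleInProgress) {
            $result.DeltaStarted = $false
        } else {
            Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
            $result.DeltaStarted = $true
        }
    }
    [pscustomobject]$result
}

Test-ADSyncHealth | Format-List
```

Run it with `-StartDelta` to queue a delta cycle once the checks pass; a `True` under IsDomainController means the installer was run on a DC rather than the dedicated server the guide recommends.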