Forest & domain functional level ≥ Windows Server 2012.
DNS resolution between domains and to Azure.
All domains reachable from Azure AD Connect server.
Global Catalog reachable for each domain.
Azure AD tenant with verified domain names matching on-prem UPNs.
At least one Global Administrator account.
Windows Server 2019 or later.
Joined to one of the on-prem domains.
Static IP, outbound HTTPS (TCP 443).
Minimum 4 cores / 8 GB RAM recommended.
TLS 1.2 enabled.
Download from Microsoft:
https://aka.ms/aadconnect
Run the installer.
Choose Customize (do not use Express).
Select Pass-through Authentication.
Enable Password Hash Synchronization (recommended as fallback).
Check Enable Seamless Single Sign-On.
This combination gives real-time auth but allows cloud fallback if PTA agents are unavailable.
Sign in with your Azure AD Global Admin credentials.
→ This creates the connection to your Microsoft Entra tenant.
Click Add Directory.
Choose Create new AD DS Connector account (recommended).
Provide a Domain Admin account for each domain (root + child domains).
Azure AD Connect will read the forest schema and identify the UPN suffixes.
Repeat this step for each domain in the forest.
Select only organizational units (OUs) that contain users, groups, and computers to sync.
Avoid syncing service accounts or system OUs.
Example:
corp.local/
├─ Users
├─ Groups
└─ Computers
Choose UserPrincipalName (UPN) as the login attribute.
Ensure the UPN suffix matches your verified Azure AD domain (e.g., user@vuuka.com rather than user@corp.local).
If not, add the custom UPN suffix in Active Directory Domains and Trusts → Properties.
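As an added example (not part of the original guide), the following PowerShell pre-sync check lists users in the OUs you intend to synchronize whose UPN suffix is not one of the tenant's verified domains; the OU distinguished names and the verified-domain list are placeholders to replace with your own, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added pre-sync check, not from the original guide. Assumes the RSAT
# ActiveDirectory module; OU DNs and verified domains are placeholders.
Import-Module ActiveDirectory

# Domain names verified in the Azure AD / Entra tenant (placeholder values)
$VerifiedDomains = @('vuuka.com')

# OUs selected for synchronization (placeholder DNs)
$SyncOUs = @(
    'OU=Users,DC=corp,DC=local',
    'OU=Groups,DC=corp,DC=local'
)

function Get-UpnMismatch {
    param([string[]]$OUs, [string[]]$Domains)
    foreach ($ou in $OUs) {
        Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName |
            ForEach-Object {
                $upn = $_.UserPrincipalName
                # A missing UPN, or a suffix the tenant has not verified, means
                # the account will be provisioned under the tenant's default
                # onmicrosoft.com suffix instead of the intended domain.
                $suffix = if ($upn) { $upn.Split('@')[-1] } else { $null }
                if (-not $suffix -or ($Domains -notcontains $suffix)) {
                    [pscustomobject]@{
                        SamAccountName = $_.SamAccountName
                        UPN            = $upn
                        OU             = $ou
                    }
                }
            }
    }
}

$mismatches = Get-UpnMismatch -OUs $SyncOUs -Domains $VerifiedDomains
if ($mismatches) {
    Write-Warning "Users whose UPN suffix is not a verified tenant domain:"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "All UPN suffixes in the selected OUs match verified domains."
}
```

Run it on the Azure AD Connect server (or any domain-joined host with RSAT) before the first full sync, and fix the listed accounts in Active Directory Domains and Trusts or directly on the user objects.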
✅ Password Writeback (requires Azure AD Premium P1 or higher)
✅ Group Writeback if you need M365 Groups back in AD
✅ Device Writeback for Hybrid Join
✅ Exchange Hybrid if using Exchange on-prem
✅ Azure AD app and attribute filtering for advanced mapping
In Azure AD Connect → choose Configure device options.
Select Configure Hybrid Azure AD Join.
Choose your forest and select Windows 10 or later domain-joined devices.
Verify device registration service (AD FS not required for PTA/PHS setups).
Azure AD Connect creates a service connection point (SCP) in AD for device registration.
Also enable for domain-joined servers if needed (for management or compliance).
Check the box Start synchronization process when configuration completes.
Finish the wizard.
Open Synchronization Service Manager to verify sync runs:
Full Import / Full Sync for first cycle.
Delta Sync runs every 30 min thereafter.
You can manually trigger:
Start-ADSyncSyncCycle -PolicyType Delta
Go to
Microsoft Entra Admin Center → Users → All users
→ Confirm users appear with “Synced with Active Directory” source.
On a domain-joined computer, run:
dsregcmd /status
Check:
AzureAdJoined : YES
DomainJoined : YES
Install additional Pass-Through Authentication Agents on 2–3 domain-joined servers for high availability:
Download agent from https://aka.ms/aadconnectagent.
Sign in with Azure AD Global Admin.
Agent registers automatically and shows as Active in Azure AD Connect Health.
Use https://myapps.microsoft.com
→ Log in with on-prem credentials.
If Seamless SSO works, users on corporate network should not need to re-enter passwords.