How to Synchronize Active Directory User Accounts to EntraID with Microsoft Entra Connect

Last updated: Oct 26, 2024

We may regret it (at least I do), but Entra ID is increasingly used in enterprises as Microsoft's cloud solution for user account management. It serves as the user account database for all Microsoft cloud services such as Microsoft Azure and Microsoft 365 to authenticate users. Since many organizations still rely on local Active Directory (AD on-premise), it can be very advantageous to synchronize user accounts from on-premise AD to Entra ID. This synchronization offers several advantages, including streamlined account management—administrators only need to create the account once—and password synchronization.

To enable this synchronization, Microsoft provides a tool called Microsoft Entra Connect (previously known as Azure Connect; staying up to date with Microsoft's naming conventions can be as difficult as staying up to date with this site's CSS changes…).

Details of the test architecture:
- Local domain: std.priv
- Entra domain: std.rocks

Network Diagram

Diagram showing Microsoft Entra Connect Sync between on-premises Active Directory (std.priv) and Microsoft Entra ID (std.rocks). Users' accounts from Active Directory are synchronized to Entra ID using Entra Connect installed on a Windows Server. — Microsoft **Entra Connect** Architecture

Prerequisites

Prerequisites:
- .Net: 4.7.2
- Tls: 1.2

Make sure you have a version of .Net at least equal to 4.7.2 and Tls with version 1.2. For example, on a Windows 2016 server, I had to update my .Net version and activate Tls to 1.2.

Below is the error message: Incorrect version of Tls when lauching Entra Connect for the first time:

Microsoft Entra Connect Sync error screen indicating an incorrect version of TLS. The message states that TLS 1.2 is required but not configured on the server. Users are directed to a document for instructions on enabling TLS 1.2 before continuing the installation. The 'Exit' button is highlighted.

To solve this problem, first display the currently configured Tls version (Note: on Windows Server 2025, it only returns: SystemDefault, which isn't very useful…):

PS C:\> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls

Run this PowerShell script to permanently activate Tls 1.2:

If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Another prerequisite in our configuration is to have the E-mail field filled in for the Active Directory user accounts that will be synchronized in Entra. I'm in a case where the local domain is private (std.priv) and therefore different from that of Entra-ID (std.rocks). It is therefore the E-mail field that will contain the link between the on-premise account and the one in Entra-ID.

Active Directory user properties window for 'butters stotch.' The E-mail field shows 'b.st
otch@std.rocks,' indicating the user's assigned email address.

Installing Microsoft Entra Connect

Download the latest version of Microsoft Entra Connect from the official Microsot website: https://www.microsoft.com/en-us/download/details.aspx?id=47594.

Microsoft Entra Connect download page with language selection and download button highlighted.

Check the box I agree to the license… and click on Continue:

Microsoft Entra Connect Sync installation screen. The welcome page outlines the purpose of the tool, guiding users through setting up identity synchronization. A checkbox to agree to the license terms and privacy notice is highlighted, required before continuing the setup.

On the Express Settings page, click on Customize:

Microsoft Entra Connect Sync Express Settings screen. The page describes the default configuration steps for synchronizing a single Active Directory forest. A highlighted arrow points to the 'Customize' button, suggesting users can select advanced deployment options instead of using express settings.

On the Install required components page, click on Install:

Microsoft Entra Connect Sync installation screen showing required components. Options include specifying custom installation settings, using an existing SQL server, and importing synchronization settings. The 'Install' button is highlighted, indicating the next step to proceed with the installation.

On the User sign-in page, select Password Hash Synchronization, then click Next:

Microsoft Entra Connect Sync screen for User Sign-In options. The selected method is 'Password Hash Synchronization,' highlighted as a preferred option for enabling seamless sign-in. Other options include pass-through authentication, federation with AD FS, and PingFederate. The 'Next' button is highlighted to proceed.

On the Connect to Microsoft Entra ID page, enter a tenant administrator ID in the USERNAME box and click Next:

Microsoft Entra Connect Sync screen prompting to connect to Microsoft Entra ID. The field 'USERNAME' shows 'administrator@std.rocks' as the input. The user must enter administrator credentials to proceed. The 'Next' button is highlighted to continue to the next step.

Microsoft sign-in prompt asking for credentials. The username 'administrator@std.rocks' is pre-filled. Users are instructed to proceed by clicking 'Next' or access other sign-in options.

On the Connect your directories page, select your on-premise forest, then click on Add Directory:

Microsoft Entra Connect Sync screen for connecting directories. The directory type is set to 'Active Directory' with 'std.priv' entered as the forest name. An arrow points to the 'Add Directory' button, highlighting the next action to configure the directory connection.

In the AD forest account window, select the Create New AD Account option, and enter your domain administrator username and password to automatically create an account that will be used to synchronize user accounts and passwords:

$Microsoft Entra Connect Sync screen for AD forest account setup. The screen prompts for an Enterprise Admin username and password, with 'STD.PRIV\administrator' entered as the username. The 'OK' button is highlighted, indicating the next step to proceed with the configuration.$

The on-premise domain should appear:

Microsoft Entra Connect Sync screen showing configured directories. The directory 'std.priv (Active Directory)' is listed with a green checkmark, indicating successful configuration. The 'Next' button is highlighted to proceed to the next step.

As my on-premise domain is std.priv, we cannot use userPrincipalName as an attribute on the Entra ID sign-in configuration page, please ensure that the value mail is selected in the USER PRINCIPAL NAME drop-down list. Also check the Continue without matching all UPN suffixes to verified domains box and click Next:

Microsoft Entra Connect Sync sign-in configuration screen. It shows mapping of Active Directory UPN suffix 'std.priv' to Microsoft Entra ID domain. The 'User Principal Name' is set to use the 'mail' attribute. Checkbox to continue without matching all UPN suffixes is selected. On the right, an attribute editor window displays user details, including the 'mail' attribute.

On the Domain and OU filtering page, select Sync selected domains and OUs and expend your domain. Then check the Active Directory OU containing the user accounts you wish to synchronize:

Microsoft Entra Connect Sync screen for Domain and OU filtering. The option to 'Sync selected domains and OUs' is chosen, with 'STD_USERS' selected for synchronization. On the right, an Active Directory window displays user accounts under the 'STD_USERS' organizational unit. The 'Next' button is highlighted to proceed.

On the Uniquely identifying your users page, click on Next:

Microsoft Entra Connect Sync screen for uniquely identifying users. Options include selecting how users are identified across on-premises directories, with 'Users are represented only once across all directories' chosen. Azure is set to manage the source anchor. The 'Next' button is highlighted to proceed.

On the Filter users and devices page, click on Next:

Microsoft Entra Connect Sync screen for filtering users and devices. The option 'Synchronize all users and devices' is selected, with the alternative to synchronize specific groups by entering a group name or DN. The 'Next' button is highlighted to proceed.

On the Optional features page, Password hash synchronization should be selected. Click on Next:

Microsoft Entra Connect Sync screen for selecting optional features. 'Password hash synchronization' is checked, indicating it is enabled. Other options include Exchange hybrid deployment, password writeback, and device writeback. The 'Next' button is highlighted to proceed.

On the Ready to configure page, check Start the synchronization process when configuration completes, then click on Install:

Microsoft Entra Connect Sync screen indicating readiness to configure. The option 'Start the synchronization process when configuration completes' is checked. The list outlines configuration tasks, including enabling password hash synchronization and setting up connectors. The 'Install' button is highlighted to begin the process.

Once installation is complete, click on Exit:

Microsoft Entra Connect Sync screen showing configuration completion. It confirms that the synchronization process has been initiated. Messages provide additional recommendations, including enabling the Active Directory Recycle Bin and configuring the source anchor attribute. The 'Exit' button is highlighted to close the setup.

Microsoft Entra admin center showing the 'Users' page. The list displays user accounts, including 'butters stotch,' 'eric cartman,' and 'stan marsh,' with details such as user principal names and synchronization status. The interface indicates that Azure Active Directory is now Microsoft Entra ID.

Note that you can perform a manual synchronization with this PowerShell command (use the Policytype Initial parameter to perform a full synchronization):

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta