
Azure AD Connect: Setup and Configuration Guide

Learn how to set up and configure Azure AD Connect to sync your on-premises Active Directory with Microsoft Entra ID, enabling seamless hybrid identity for your organization.
Mar 20, 2026
8 min read

Azure AD Connect: The Complete Setup and Configuration Guide for IT Pros

If your organization runs Windows Server Active Directory on-premises and also uses Microsoft 365 or Azure services, then Azure AD Connect is the critical bridge that keeps both worlds in sync. Without it, your on-premises users and cloud users exist in separate silos — meaning separate passwords, separate management headaches, and a serious hit to productivity. In this guide, you and your team will get a thorough walkthrough of what Azure AD Connect is, how it works, step-by-step setup instructions, and best practices to keep your hybrid identity environment healthy and secure.

What Is Azure AD Connect?

Azure AD Connect (now increasingly referred to under the umbrella of Microsoft Entra Connect following Microsoft’s rebranding of Azure Active Directory to Microsoft Entra ID) is a free Microsoft tool that synchronizes your on-premises Active Directory with Azure Active Directory (Azure AD / Microsoft Entra ID). Think of it as the translator between your local domain controller and Microsoft’s cloud identity platform.

With Azure AD Connect in place, your users can sign in to Microsoft 365, Azure resources, SharePoint Online, Teams, and thousands of third-party SaaS applications using the same credentials they already use on their company network. This concept is called hybrid identity — and it’s the foundation of nearly every modern Microsoft environment.

Key Capabilities

  • Password Hash Synchronization (PHS): Hashes of user passwords are synced to Azure AD, enabling cloud sign-in without on-premises dependency.
  • Pass-through Authentication (PTA): Authentication requests are validated against your on-premises AD in real time.
  • Federation with AD FS: Full federation using Active Directory Federation Services for organizations needing advanced claims-based authentication.
  • Group and Device Writeback: Cloud-created groups and devices can be written back to your on-premises AD.
  • Azure AD Seamless Single Sign-On (SSO): Users on domain-joined machines are automatically signed in to cloud apps without any extra prompts.

How Azure AD Connect Works

At its core, Azure AD Connect runs a synchronization engine that reads objects (users, groups, contacts, devices) from your on-premises Active Directory, applies transformation rules, and writes a corresponding representation to Azure AD. This sync process runs on a schedule — by default every 30 minutes — though you can trigger a manual sync at any time.

The sync engine uses three key components:

  • Connector Space: A staging area that holds a copy of objects from each connected directory (your on-prem AD and Azure AD).
  • Metaverse: The central store where objects from all connected systems are joined and transformed into a unified view.
  • Rules Engine: A set of inbound and outbound synchronization rules that determine which attributes get synced and how transformations are applied.

When a change is detected in your on-premises AD (a new user, a password change, a group membership update), the sync engine picks it up during the next sync cycle, processes it through the metaverse, and pushes the change to Azure AD. The result: your cloud environment reflects your on-prem directory within minutes.

Authentication Methods Compared

Method                            | How It Works                                                | On-Prem Dependency                   | Best For
Password Hash Sync (PHS)          | Password hashes synced to Azure AD                          | No (sign-in survives on-prem outage) | Most organizations — simple, resilient
Pass-through Authentication (PTA) | Sign-in validated against on-prem AD in real time           | Yes (requires PTA agent)             | Organizations with strict password policy enforcement needs
AD FS Federation                  | Full token-based federation via AD FS farm                  | Yes (requires AD FS infrastructure)  | Large enterprises with complex claims requirements
Seamless SSO (add-on)             | Kerberos ticket used for silent auth on domain-joined PCs   | Yes (at time of sign-in)             | All methods — improves user experience on corporate devices

Step-by-Step: How to Set Up Azure AD Connect

Before you begin, make sure you have the following prerequisites in place. Taking a few extra minutes here will save you significant troubleshooting time later.

Prerequisites

  • A Windows Server 2016 or later machine dedicated to running Azure AD Connect (do not install on a domain controller).
  • An on-premises Active Directory domain with a forest functional level of Windows Server 2003 or higher.
  • A verified custom domain in your Azure AD / Microsoft 365 tenant (e.g., yourcompany.com).
  • An Enterprise Admin account for your on-prem AD and a Global Administrator account for Azure AD.
  • The Azure AD Connect server must have internet access to reach Microsoft’s endpoints.
  • TLS 1.2 enabled on the server (required for modern Azure AD Connect versions).

Step 1: Download Azure AD Connect

Navigate to the Microsoft Download Center and download the latest version of AzureADConnect.msi. Always use the latest release — Microsoft regularly updates Azure AD Connect with security patches and new features. As of 2026, Microsoft is transitioning users to Microsoft Entra Connect Sync, so check whether the newer version applies to your environment.

Step 2: Run the Installer and Choose Your Setup Mode

Launch the MSI on your dedicated server. You’ll be presented with two setup options:

  1. Express Settings — Recommended for single-forest environments. Automatically configures Password Hash Synchronization and Seamless SSO. If your environment is straightforward, this is the fastest path.
  2. Customize — Use this for multi-forest setups, if you need Pass-through Authentication or AD FS federation, or if you want granular control over attribute filtering and sync scope.

Step 3: Connect to Azure AD

Enter the credentials of your Azure AD Global Administrator account. Azure AD Connect will validate your tenant and check for existing directory configurations. If you’re using a federated domain, the wizard will detect this and adjust accordingly.

Step 4: Connect Your On-Premises Active Directory

Enter the credentials of an account with Enterprise Admin privileges in your on-premises forest. Azure AD Connect will use this account (or create a dedicated service account — recommended) to read directory data. For multi-forest environments, you’ll add each forest separately in this step.

Step 5: Configure Sign-In Method

Choose your preferred authentication method: Password Hash Synchronization, Pass-through Authentication, or Federation with AD FS. For most SMBs and mid-market organizations, Password Hash Synchronization with Seamless SSO offers the best balance of simplicity, resilience, and user experience. If your organization requires that passwords never leave your premises, choose Pass-through Authentication.

Step 6: Set the UPN (User Principal Name)

Azure AD Connect will compare the UPN suffixes in your on-premises AD with the verified domains in your Azure AD tenant. If users in your AD have UPNs like user@yourcompany.local (a non-routable suffix), you’ll need to either add an alternate UPN suffix in AD that matches your verified domain, or use the UPN mapping feature in Azure AD Connect to handle the translation. This is one of the most common setup issues — address it before proceeding.

Step 7: Configure Filtering (Optional but Recommended)

By default, Azure AD Connect syncs all users, groups, and contacts from all OUs in your forest. In most real-world environments, you’ll want to filter what gets synced:

  • OU-based filtering: Sync only specific organizational units (e.g., only your corporate employees, not service accounts or test OUs).
  • Attribute-based filtering: Use a custom attribute (like extensionAttribute1) to tag objects that should or shouldn’t be synced.
  • Domain-based filtering: If you have multiple domains in your forest, select only those that need cloud presence.

Step 8: Enable Optional Features

The wizard will present optional features including:

  • Exchange Hybrid: Enable if you’re running Exchange on-premises alongside Exchange Online. This syncs additional attributes needed for hybrid mail flow.
  • Password Writeback: Allows users who reset their password in Azure AD (via self-service password reset) to have that change written back to on-prem AD. Highly recommended.
  • Group Writeback: Writes Microsoft 365 Groups back to on-prem AD as distribution groups.
  • Device Writeback: Required for certain conditional access scenarios involving hybrid Azure AD joined devices.

Step 9: Configure Staging Mode (Highly Recommended)

Before going live, consider installing a second Azure AD Connect server in Staging Mode. A staging server runs all the sync logic and imports data but does not export changes to Azure AD or your on-prem AD. It acts as a warm standby — if your primary server fails, you can promote the staging server in minutes. This is a best practice that many organizations skip, only to regret it during an outage.

Step 10: Complete the Installation and Verify

Click Install to complete the setup. Azure AD Connect will perform an initial synchronization, which depending on your directory size may take anywhere from a few minutes to several hours. Verify success by:

  1. Opening the Synchronization Service Manager (included with Azure AD Connect) and checking that the latest sync cycle completed with no errors.
  2. Logging into the Azure AD / Microsoft Entra admin center and confirming that your on-prem users appear under Users → All Users.
  3. Running the IdFix tool if you haven’t already — it identifies objects in your on-prem AD with attributes that will cause sync errors (duplicate UPNs, invalid characters, etc.).
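A pre-sync readiness audit covering the Step 6 UPN suffix problem, the Step 7 sync scope and the duplicate/invalid attribute classes that IdFix reports. This is an added example, not code from the article or from Microsoft's IdFix tool; $VerifiedDomains and $SyncOU are placeholders for your tenant's verified domains and the OU you intend to sync, and the UPN character check is an approximation of the rules Azure AD applies.

```powershell
# Added example (not from the article or Microsoft's IdFix tool): a pre-sync
# readiness audit run with the RSAT ActiveDirectory module.
# $VerifiedDomains and $SyncOU are placeholders for your own values.
Import-Module ActiveDirectory

$VerifiedDomains = @('yourcompany.com')                      # placeholder
$SyncOU          = 'OU=Corporate,DC=yourcompany,DC=local'    # placeholder

function Test-SyncReadiness {
    param([string[]]$VerifiedDomains, [string]$SearchBase)

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties userPrincipalName, proxyAddresses
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($u in $users) {
        $upn = $u.userPrincipalName
        # Step 6: a missing UPN or a non-routable suffix (e.g. .local) cannot
        # become the cloud sign-in name; add an alternate suffix or map it.
        $suffix = if ($upn) { ($upn -split '@')[-1] } else { '' }
        if ((-not $upn) -or ($VerifiedDomains -notcontains $suffix)) {
            $findings.Add([pscustomobject]@{ Sam = $u.SamAccountName; Issue = 'UPNSuffixNotVerified'; Value = $upn })
        }
        # Approximate UPN syntax Azure AD accepts (one of the checks IdFix performs)
        if ($upn -and ($upn -notmatch "^[A-Za-z0-9._!#^~'-]+@[A-Za-z0-9.-]+$")) {
            $findings.Add([pscustomobject]@{ Sam = $u.SamAccountName; Issue = 'InvalidUPNCharacter'; Value = $upn })
        }
    }

    # The same UPN or SMTP proxy address on two objects produces the
    # "Duplicate Attribute" sync error covered later in the article.
    $addresses = foreach ($u in $users) {
        $smtp = @($u.proxyAddresses) | Where-Object { $_ -match '^smtp:' } |
                ForEach-Object { $_ -replace '^smtp:', '' }
        foreach ($a in (@($u.userPrincipalName) + @($smtp))) {
            if ($a) { [pscustomobject]@{ Sam = $u.SamAccountName; Addr = $a.ToLowerInvariant() } }
        }
    }
    $addresses | Group-Object Addr | Where-Object Count -gt 1 | ForEach-Object {
        $findings.Add([pscustomobject]@{ Sam = ($_.Group.Sam -join ','); Issue = 'DuplicateAddress'; Value = $_.Name })
    }
    return $findings
}

Test-SyncReadiness -VerifiedDomains $VerifiedDomains -SearchBase $SyncOU | Format-Table -AutoSize
```

Run it against the OU you plan to scope in Step 7 and clear every finding in on-prem AD before the initial sync; IdFix remains the authoritative check for the full rule set.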

Best Practices for Azure AD Connect

1. Keep Azure AD Connect Updated

Microsoft releases updates regularly, and older versions eventually reach end of support. Running an unsupported version exposes your environment to security vulnerabilities and sync reliability issues. Enable auto-upgrade where possible, and at minimum check for new releases quarterly.

2. Monitor Sync Health with Azure AD Connect Health

Azure AD Connect Health is a cloud-based monitoring service available in the Azure portal (requires Azure AD Premium P1 or P2). It provides dashboards for sync errors, latency alerts, and agent health. Set up email alerts for sync failures so your team knows immediately when something breaks — don’t wait for users to report that they can’t sign in.

3. Use a Dedicated Service Account with Least Privilege

During setup, let Azure AD Connect create its own service account rather than using your Enterprise Admin credentials for ongoing sync operations. The auto-created account is granted only the permissions needed for sync — nothing more. This follows the principle of least privilege and reduces your attack surface.

4. Enable Password Writeback for Self-Service Password Reset

Password Writeback paired with Azure AD Self-Service Password Reset (SSPR) is one of the highest-ROI features you can enable. Users can reset their own passwords from any device, any time — reducing helpdesk tickets dramatically. Once you have Azure AD Connect in place, enabling this feature takes only a few clicks.

5. Document Your Sync Rules Before Customizing

Azure AD Connect includes a built-in Synchronization Rules Editor. If you need to customize attribute mappings or filtering logic, always create new rules rather than modifying the default ones. Default rules can be overwritten during upgrades. Keep a written record of every custom rule you create, including the business reason — your future self (and your team) will thank you.

6. Run IdFix Before Initial Sync

The Microsoft IdFix tool scans your on-prem AD for objects with attributes that will cause Azure AD Connect sync errors — things like duplicate proxy addresses, UPN format issues, or characters that Azure AD doesn’t accept. Running IdFix before your first sync can save you hours of post-deployment troubleshooting. Download it from the Microsoft GitHub repository; it’s free.

7. Plan Your Disaster Recovery Story

If your Azure AD Connect server goes offline, new users and password changes in your on-prem AD won’t propagate to the cloud. Have a plan: maintain a staging server, document the steps to promote it, and test the failover process at least annually. Also make sure someone on your team knows how to trigger a manual sync via PowerShell (Start-ADSyncSyncCycle -PolicyType Delta) when needed.

Common Azure AD Connect Issues and How to Fix Them

Sync Errors: Duplicate Attribute

One of the most common sync errors is a duplicate attribute conflict — typically a duplicate UPN or proxy address. When two on-prem objects try to sync with the same email address or UPN, Azure AD Connect will quarantine one of them. The fix: use IdFix to identify duplicates before sync, and resolve them in your on-prem AD. Azure AD also has a Duplicate Attribute Resiliency feature that can automatically quarantine conflicting values rather than failing the entire object sync.

Password Hash Sync Not Working

If passwords aren’t syncing, check that: (1) the Password Hash Synchronization feature is enabled in Azure AD Connect settings, (2) the Azure AD Connect service account has the Replicating Directory Changes and Replicating Directory Changes All permissions in your on-prem AD, and (3) there are no firewall rules blocking outbound connections on port 443 from the Azure AD Connect server.
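Check (2) above can be verified from the domain rather than by reading the wizard's output. The following is an added example, not the article's own code: it reads the ACL on the domain naming context, confirms that the connector account holds both replication rights, and lists any other principal that holds them so the list can be reviewed against your change records. $SyncAccount is a placeholder; the two GUIDs are the well-known control-access-right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example (not from the article): verify the sync account's replication
# rights on the domain root and surface every other holder for review.
# $SyncAccount is a placeholder for the account Azure AD Connect uses in AD.
Import-Module ActiveDirectory

$SyncAccount = 'YOURDOMAIN\MSOL_placeholder'   # placeholder

function Test-ReplicationRights {
    param([string]$Account)

    # Well-known extended-right GUIDs for the two replication permissions
    $rights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    }
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDn"

    # Allow ACEs on the naming context that grant either extended right.
    # Note: rights inherited via group membership appear under the group's name.
    $holders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        $rights.ContainsKey($_.ObjectType.Guid)
    } | ForEach-Object {
        [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $rights[$_.ObjectType.Guid] }
    }

    $mine = $holders | Where-Object Principal -eq $Account
    [pscustomobject]@{
        Account          = $Account
        HasGetChanges    = [bool]($mine | Where-Object Right -eq 'Replicating Directory Changes')
        HasGetChangesAll = [bool]($mine | Where-Object Right -eq 'Replicating Directory Changes All')
        # Domain controller groups and built-in administrators are expected here;
        # anything else should match a documented change.
        OtherHolders     = @($holders | Where-Object Principal -ne $Account |
                             Select-Object -ExpandProperty Principal -Unique)
    }
}

Test-ReplicationRights -Account $SyncAccount
```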

Sync Cycle Stuck or Not Running

Use the Synchronization Service Manager to check the current sync state. If the scheduler is disabled, re-enable it via PowerShell: Set-ADSyncScheduler -SyncCycleEnabled $true. If you see a sync in progress that appears frozen, check the Event Viewer on the Azure AD Connect server for errors.
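A single health check that pulls together the scheduler state, the PHS feature flag from the previous section, the outbound 443 test and the TLS 1.2 prerequisite from the setup section, run on the Azure AD Connect server itself. This is an added example, not code from the article; it uses the ADSync module installed with the product, and the -TriggerDelta switch is this script's own rather than a Microsoft parameter.

```powershell
# Added example (not from the article): one-shot health report for the
# Azure AD Connect server, using cmdlets from the bundled ADSync module.
Import-Module ADSync

function Get-SyncHealth {
    param([switch]$TriggerDelta)   # this script's own switch, not a Microsoft parameter

    $s = Get-ADSyncScheduler
    $report = [ordered]@{
        SchedulerEnabled  = $s.SyncCycleEnabled        # false -> Set-ADSyncScheduler -SyncCycleEnabled $true
        StagingMode       = $s.StagingModeEnabled      # true  -> this server imports but never exports
        SyncInProgress    = $s.SyncCycleInProgress     # true for a long time -> check Event Viewer
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval   # 00:30:00 by default
        NextCycleUtc      = $s.NextSyncCycleStartTimeInUTC
        # Tenant-side feature flag behind "Password Hash Sync not working"
        PasswordHashSync  = (Get-ADSyncAADCompanyFeature).PasswordHashSync
        # Outbound 443 to the sign-in endpoint (firewall check in the PHS section)
        Port443Reachable  = (Test-NetConnection -ComputerName login.microsoftonline.com -Port 443 `
                                -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # TLS 1.2 prerequisite: .NET must be allowed to use strong crypto
    $net = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $report.StrongCrypto = (Get-ItemProperty -Path $net -Name SchUseStrongCrypto `
                                -ErrorAction SilentlyContinue).SchUseStrongCrypto -eq 1

    # Only kick off a delta cycle when the scheduler is healthy and idle
    $report.DeltaTriggered = $false
    if ($TriggerDelta -and $s.SyncCycleEnabled -and -not $s.SyncCycleInProgress) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        $report.DeltaTriggered = $true
    }
    [pscustomobject]$report
}

Get-SyncHealth
```

Any false in the report maps to one of the fixes in this section; run Get-SyncHealth -TriggerDelta after correcting the cause to confirm the next cycle starts.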

Frequently Asked Questions About Azure AD Connect

Is Azure AD Connect free?

Yes — the Azure AD Connect tool itself is free to download and use. However, some features like Azure AD Connect Health monitoring dashboards require Azure AD Premium P1 or P2 licensing. Password Hash Sync, Pass-through Authentication, and Seamless SSO are all available without Premium licensing.

What’s the difference between Azure AD Connect and Azure AD Connect Cloud Sync?

Azure AD Connect (server-based) is a traditional sync engine installed on a Windows Server. Azure AD Connect Cloud Sync (also called Microsoft Entra Cloud Sync) is a newer, lightweight agent-based solution that handles sync via the cloud. Cloud Sync is simpler to set up and maintain and supports multi-forest scenarios without complex infrastructure — but it doesn’t yet support all the features of the full Azure AD Connect (e.g., Exchange Hybrid writeback, some advanced filtering scenarios). For new deployments, evaluate Cloud Sync first; use traditional Azure AD Connect when you need its full feature set.

How often does Azure AD Connect sync?

By default, Azure AD Connect runs a delta sync every 30 minutes, which processes only objects that have changed since the last cycle. A full sync (which processes all objects) runs less frequently. You can trigger an immediate delta sync via PowerShell: Start-ADSyncSyncCycle -PolicyType Delta. This is useful after making bulk changes in your on-prem AD that you want reflected in the cloud quickly.

What happens to Azure AD if my Azure AD Connect server goes down?

If your Azure AD Connect server goes offline, existing users can still sign in to Azure AD — the cloud directory keeps working. What stops working is the propagation of new changes: new accounts, password changes, group membership updates, and attribute edits won’t reach the cloud until sync resumes. This is why maintaining a staging server and monitoring sync health is critical. With Password Hash Sync enabled, users can also continue to sign in even if their on-prem domain controllers are unreachable, since the password hashes are stored in Azure AD.

Should I use Azure AD Connect or migrate to cloud-only identity?

The right answer depends on your organization’s situation. If you run on-premises applications that require Active Directory authentication (line-of-business apps, file servers, printers, legacy systems), you need hybrid identity — and Azure AD Connect is how you bridge the two. If you’re a smaller organization with no on-prem infrastructure and everything is cloud-native, a cloud-only Azure AD setup is simpler and eliminates the maintenance overhead of the sync infrastructure. Many organizations start hybrid and gradually migrate workloads to the cloud over time, eventually decommissioning Azure AD Connect when they no longer have on-prem AD dependencies.

Ready to Build a Resilient Hybrid Identity Environment?

Azure AD Connect is foundational infrastructure — when it’s configured correctly, your users barely notice it exists. When it’s misconfigured or neglected, it becomes a source of sign-in failures, helpdesk calls, and security gaps. Getting it right from the start, with proper monitoring, staging servers, and documented custom rules, is what separates a solid hybrid identity environment from a fragile one.

At Always Beyond, our team specializes in designing, deploying, and managing hybrid Microsoft environments for IT professionals and SMBs. Whether you’re setting up Azure AD Connect for the first time, migrating from a legacy sync configuration, or troubleshooting persistent sync errors, we’re here to help you build something that works — and keeps working.

Contact the Always Beyond team today to talk through your hybrid identity needs and get a plan that fits your environment.
