Deploy Microsoft 365 Directory Synchronization in Microsoft Azure

Microsoft Entra Connect (formerly known as the Directory Synchronization tool, Directory Sync tool, or the DirSync.exe tool) is an application that you install on a domain-joined server to synchronize your on-premises Active Directory Domain Services (AD DS) users to the Microsoft Entra tenant of your Microsoft 365 subscription. Microsoft 365 uses Microsoft Entra ID for its directory service. Your Microsoft 365 subscription includes a Microsoft Entra tenant. This tenant can also be used for management of your organization's identities with other cloud workloads, including other SaaS applications and apps in Azure.

You can install Microsoft Entra Connect on an on-premises server, but you can also install it on a virtual machine in Azure for these reasons:

  • You can provision and configure cloud-based servers faster, making the services available to your users sooner.
  • Azure offers better site availability with less effort.
  • You can reduce the number of on-premises servers in your organization.

This solution requires connectivity between your on-premises network and your Azure virtual network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

Note

This article describes synchronization of a single domain in a single forest. Microsoft Entra Connect synchronizes all AD DS domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

Overview of deploying Microsoft 365 directory synchronization in Azure

The following diagram shows Microsoft Entra Connect running on a virtual machine in Azure (the directory sync server) that synchronizes an on-premises AD DS forest to a Microsoft 365 subscription.

Microsoft Entra Connect tool on a virtual machine in Azure synchronizing on-premises accounts to the Microsoft Entra tenant of a Microsoft 365 subscription with traffic flow.

In the diagram, there are two networks connected by a site-to-site VPN or ExpressRoute connection. There's an on-premises network where AD DS domain controllers are located, and there's an Azure virtual network with a directory sync server, which is a virtual machine running Microsoft Entra Connect. There are two main traffic flows originating from the directory sync server:

  • Microsoft Entra Connect queries a domain controller on the on-premises network for changes to accounts and passwords.
  • Microsoft Entra Connect sends the changes to accounts and passwords to the Microsoft Entra instance of your Microsoft 365 subscription. Because the directory sync server is in an extended portion of your on-premises network, these changes are sent through the on-premises network's proxy server.

Note

This solution describes synchronization of a single Active Directory domain in a single Active Directory forest. Microsoft Entra Connect synchronizes all Active Directory domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

There are two major steps when you deploy this solution:

  1. Create an Azure virtual network and establish a site-to-site VPN connection to your on-premises network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

  2. Install Microsoft Entra Connect on a domain-joined virtual machine in Azure, and then synchronize the on-premises AD DS to Microsoft 365. This involves:

    • Creating an Azure Virtual Machine to run Microsoft Entra Connect.

    • Installing and configuring Microsoft Entra Connect.

    Configuring Microsoft Entra Connect requires the credentials (user name and password) of a Microsoft Entra administrator account and an AD DS enterprise administrator account. Microsoft Entra Connect runs immediately and on an ongoing basis to synchronize the on-premises AD DS forest to Microsoft 365.

Before you deploy this solution in production, you can use the instructions in The simulated enterprise base configuration to set up this configuration as a proof of concept, for demonstrations, or for experimentation.

Important

When Microsoft Entra Connect configuration completes, it does not save the AD DS enterprise administrator account credentials.

Note

This solution describes synchronizing a single AD DS forest to Microsoft 365. The topology discussed in this article represents only one way to implement this solution. Your organization's topology might differ based on your unique network requirements and security considerations.

Plan for hosting a directory sync server for Microsoft 365 in Azure

Prerequisites

Before you begin, review the following prerequisites for this solution:

  • Review the related planning content in Plan your Azure virtual network.

  • Ensure that you meet all Prerequisites for configuring the Azure virtual network.

  • Have a Microsoft 365 subscription that includes the Active Directory integration feature. For information about Microsoft 365 subscriptions, go to the Microsoft 365 subscription page.

  • Provision one Azure Virtual Machine that runs Microsoft Entra Connect to synchronize your on-premises AD DS forest with Microsoft 365.

    You must have the credentials (user names and passwords) for an AD DS enterprise administrator account and a Microsoft Entra Administrator account.

Solution architecture design assumptions

The following list describes the design choices made for this solution.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that has one server, the directory sync server that is running Microsoft Entra Connect.

  • On the on-premises network, a domain controller and DNS servers exist.

  • Microsoft Entra Connect performs password hash synchronization instead of single sign-on. You don't have to deploy an Active Directory Federation Services (AD FS) infrastructure. To learn more about password hash synchronization and single sign-on options, see Choosing the right authentication method for your Microsoft Entra hybrid identity solution.

There are other design choices that you might consider when you deploy this solution in your environment. These include the following:

  • If there are existing DNS servers in an existing Azure virtual network, determine whether you want your directory sync server to use them for name resolution instead of DNS servers on the on-premises network.

  • If there are domain controllers in an existing Azure virtual network, determine whether configuring Active Directory Sites and Services might be a better option for you. The directory sync server can query the domain controllers in the Azure virtual network for changes in accounts and passwords instead of domain controllers on the on-premises network.

Deployment roadmap

Deploying Microsoft Entra Connect on a virtual machine in Azure consists of three phases:

  • Phase 1: Create and configure the Azure virtual network

  • Phase 2: Create and configure the Azure virtual machine

  • Phase 3: Install and configure Microsoft Entra Connect

After deployment, you must also assign locations and licenses for the new user accounts in Microsoft 365.

Phase 1: Create and configure the Azure virtual network

To create and configure the Azure virtual network, complete Phase 1: Prepare your on-premises network and Phase 2: Create the cross-premises virtual network in Azure in the deployment roadmap of Connect an on-premises network to a Microsoft Azure virtual network.

This is your resulting configuration.

Phase 1 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows an on-premises network connected to an Azure virtual network through a site-to-site VPN or ExpressRoute connection.

Phase 2: Create and configure the Azure virtual machine

Create the virtual machine in Azure using the instructions Create your first Windows virtual machine in the Azure portal. Use the following settings:

  1. On the Basics pane, select the same subscription, location, and resource group as your virtual network. Record the user name and password in a secure location. You'll need these later to connect to the virtual machine.

  2. On the Choose a size pane, choose the A2 Standard size.

  3. On the Settings pane, in the Storage section, select the Standard storage type. In the Network section, select the name of your virtual network and the subnet for hosting the directory sync server (not the GatewaySubnet). Leave all other settings at their default values.

Verify that your directory sync server is using DNS correctly by checking your internal DNS to make sure that an Address (A) record was added for the virtual machine with its IP address.

Use the instructions in Connect to the virtual machine and sign on to connect to the directory sync server with a Remote Desktop Connection. After signing in, join the virtual machine to the on-premises AD DS domain.

For Microsoft Entra Connect to gain access to Internet resources, you must configure the directory sync server to use the on-premises network's proxy server. You should contact your network administrator for any additional configuration steps to perform.
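The post-provisioning steps above (DNS check, proxy configuration, domain join) as an added PowerShell example; this is not code from the original article or from Microsoft. It assumes placeholder values for the domain name and proxy address, and that Microsoft Entra Connect picks up its proxy from the 64-bit .NET machine.config, as Microsoft's Entra Connect prerequisites describe.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session
# on the directory sync VM. Placeholders (assumed, not from the article):
$Domain = 'corp.example.com'                      # on-premises AD DS domain to join
$Proxy  = 'http://proxy.corp.example.com:8080'    # on-premises proxy Entra Connect will use

# 1. Internal DNS must hold an A record for this VM that matches one of its addresses.
$localIPs = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress
$fqdn   = "$env:COMPUTERNAME.$Domain"
$record = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
$match  = $record.IPAddress | Where-Object { $localIPs -contains $_ }
if ($match) { "DNS OK: $fqdn -> $($match -join ', ')" }
else { Write-Warning "No A record for $fqdn matching a local IP ($($localIPs -join ', '))." }

# 2. Point .NET (which Microsoft Entra Connect uses for outbound HTTPS) at the proxy
#    through the 64-bit machine.config; a backup copy is taken first.
$cfgPath = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
Copy-Item $cfgPath "$cfgPath.bak" -Force
[xml]$cfg = Get-Content $cfgPath -Raw
$sysNet = $cfg.configuration.SelectSingleNode('system.net')
if (-not $sysNet) { $sysNet = $cfg.configuration.AppendChild($cfg.CreateElement('system.net')) }
$dp = $sysNet.SelectSingleNode('defaultProxy')
if (-not $dp) { $dp = $sysNet.AppendChild($cfg.CreateElement('defaultProxy')) }
$px = $dp.SelectSingleNode('proxy')
if (-not $px) { $px = $dp.AppendChild($cfg.CreateElement('proxy')) }
$px.SetAttribute('usesystemdefault', 'true')
$px.SetAttribute('proxyaddress', $Proxy)
$px.SetAttribute('bypassonlocal', 'true')    # keep traffic to on-premises DCs off the proxy
$cfg.Save($cfgPath)
"machine.config proxy set to $Proxy"

# 3. Join the on-premises domain last: -Restart reboots the VM to complete the join.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    $cred = Get-Credential -Message "Account allowed to join computers to $Domain"
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}
```

The proxy itself must still be allowed by your network administrator to reach the Microsoft 365 endpoints; this script only tells the server which proxy to use.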

This is your resulting configuration.

Phase 2 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows the directory sync server virtual machine in the cross-premises Azure virtual network.

Phase 3: Install and configure Microsoft Entra Connect

Complete the following procedure:

  1. Connect to the directory sync server using a Remote Desktop Connection with an AD DS domain account that has local administrator privileges. See Connect to the virtual machine and sign on.

  2. From the directory sync server, open the Set up directory synchronization for Microsoft 365 article and follow the directions for directory synchronization with password hash synchronization.

Caution

Setup creates the AAD_xxxxxxxxxxxx account in the Local Users organizational unit (OU). Do not move or remove this account or synchronization will fail.
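A health check for the finished installation as an added PowerShell example (not code from the original article or from Microsoft): it confirms the sync service and its AAD_ account are intact, that the scheduler is enabled, triggers a delta sync, and reads the password hash sync events. It assumes the ADSync module installed with Microsoft Entra Connect and the event IDs (650 to 653) that Microsoft's password hash sync troubleshooting guidance documents.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session
# on the directory sync server after Microsoft Entra Connect setup has completed.
Import-Module ADSync    # installed with Microsoft Entra Connect

# 1. The ADSync service must exist and be running, and on setups that create an
#    AAD_xxxxxxxxxxxx local account that account must still be present.
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
if (-not $svc) { throw 'ADSync service not found: Microsoft Entra Connect is not installed.' }
"ADSync service: $($svc.State), running as $($svc.StartName)"
$acct = $svc.StartName.Split('\')[-1]
if ($acct -like 'AAD_*' -and -not (Get-LocalUser -Name $acct -ErrorAction SilentlyContinue)) {
    Write-Warning "Service account $acct is missing from the local Users container; sync will fail."
}

# 2. The scheduler must be enabled so synchronization keeps running on its own.
$sched = Get-ADSyncScheduler
"Scheduler enabled: $($sched.SyncCycleEnabled); staging mode: $($sched.StagingModeEnabled); " +
"interval: $($sched.CurrentlyEffectiveSyncCycleInterval); next run (UTC): $($sched.NextSyncCycleStartTimeInUTC)"
if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Scheduler is disabled; enable it with: Set-ADSyncScheduler -SyncCycleEnabled $true'
}

# 3. Request a delta sync now unless a cycle is already in progress.
if ($sched.SyncCycleInProgress) { 'A sync cycle is already running; not starting another.' }
else { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null; 'Delta sync cycle requested.' }

# 4. Password hash sync logs to the Application log under source "Directory Synchronization"
#    (assumed event IDs from Microsoft's PHS troubleshooting guidance: 650/651 = batch
#    start/complete, 652/653 = batch failure). Show the most recent of those.
Start-Sleep -Seconds 60
Get-EventLog -LogName Application -Source 'Directory Synchronization' -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -in 650, 651, 652, 653 } |
    Select-Object -First 10 TimeGenerated, EventID, EntryType, @{n='Message'; e={ $_.Message.Split("`n")[0] }}
```

Any 652 or 653 entries mean password hashes are not reaching Microsoft Entra ID and the connection from the directory sync server to the on-premises domain controller should be checked first.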

This is your resulting configuration.

Phase 3 of the directory sync server for Microsoft 365 hosted in Azure.

This figure shows the directory sync server with Microsoft Entra Connect in the cross-premises Azure virtual network.

Assign locations and licenses to users in Microsoft 365

Microsoft Entra Connect adds accounts to your Microsoft 365 subscription from the on-premises AD DS, but in order for users to sign in to Microsoft 365 and use its services, the accounts must be configured with a location and licenses. Use these steps to add the location and activate licenses for the appropriate user accounts:

  1. Sign in to the Microsoft 365 admin center, and then click Admin.

  2. In the left navigation, click Users > Active users.

  3. In the list of user accounts, select the check box next to the user you want to activate.

  4. On the page for the user, click Edit for Product licenses.

  5. On the Product licenses page, select a location for the user for Location, and then enable the appropriate licenses for the user.

  6. When complete, click Save, and then click Close twice.

  7. Go back to step 3 for additional users.
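The same location-and-license assignment done with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article; it is useful when many synchronized accounts need the same license. It assumes the Microsoft.Graph module is installed and uses placeholder values for the SKU part number, usage location and user principal names.

```powershell
# Added example (not from the original article): assign a usage location and a license
# to synchronized users with the Microsoft Graph PowerShell SDK. Placeholders below are
# assumed values, not values from the article.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

$SkuPartNumber = 'ENTERPRISEPACK'   # placeholder; list your tenant's SKUs with Get-MgSubscribedSku
$UsageLocation = 'US'               # placeholder ISO 3166-1 alpha-2 country code
$Users = @('user1@contoso.example', 'user2@contoso.example')   # placeholder UPNs

$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
"$SkuPartNumber licenses available: $available"

foreach ($upn in $Users) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,UsageLocation,AssignedLicenses,OnPremisesSyncEnabled
    # Only touch accounts that Microsoft Entra Connect synchronized from on-premises AD DS.
    if (-not $u.OnPremisesSyncEnabled) { Write-Warning "$upn is cloud-only; skipping."; continue }
    # A usage location must be set before any license can be assigned.
    if (-not $u.UsageLocation) {
        Update-MgUser -UserId $u.Id -UsageLocation $UsageLocation
    }
    if ($u.AssignedLicenses.SkuId -contains $sku.SkuId) { "$upn already has $SkuPartNumber"; continue }
    if ($available -le 0) { Write-Warning "No $SkuPartNumber licenses left for $upn."; continue }
    Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    $available--
    "Assigned $SkuPartNumber to $upn"
}
Disconnect-MgGraph | Out-Null
```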

See also

Microsoft 365 solution and architecture center

Connect an on-premises network to a Microsoft Azure virtual network

Download Microsoft Entra Connect

Set up directory synchronization for Microsoft 365