Azure AD Connect

From SambaWiki
Revision as of 04:35, 6 April 2023 by Abartlet (talk | contribs) (Split from Azure AD Sync per authors request with my permissions)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Azure AD Connect

Azure AD Connect - Prerequisites for the installation

  • Azure AD Connect must be installed on a domain-joined machine running Windows Server 2016 or later - note that Windows Server 2022 is not yet supported. You can deploy Azure AD Connect on Windows Server 2016, but because Windows Server 2016 has extended support, a paid support program may be required if you need assistance with this configuration. It is recommended that you use a domain-joined computer running Windows Server 2019.
  • The minimum required version for .NET Framework is 4.6.2, and newer versions of .NET are also supported.
  • Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials prior to 2019 (Windows Server Essentials 2019 is supported). The server must be running Windows Server Standard or later.
  • A full GUI must be installed on the Azure AD Connect server. Installation of Azure AD Connect on Windows Server Core is not supported.

Component requirements

  • Azure AD Connect depends on Microsoft PowerShell 5.0 and .NET Framework 4.5.1, and the server must have this version or a later version installed.
  • Enabling TLS 1.2 for Azure AD Connect

Azure AD Connect express Installation/Configuration

  • Log in as a local administrator on the server where you want to install Azure AD Connect. This should be the server that will be used as the synchronization server.
  • Navigate to AzureADConnect.msi and double-click it.
  • On the Welcome page, select the check box to agree to the license terms and click Next.
  • On the Express Settings screen, click Use Express Settings.


  • In the Connect to Azure AD screen, enter the username and password of a hybrid identity administrator for Azure AD. Click Next.

AADConnect2.PNG If an error occurs and you have connectivity issues, you can troubleshoot connectivity issues.

  • On the Connect to AD DS screen, enter the user name and password for an Enterprise Administrator account. You can enter the domain part in either NetBIOS or FQDN format, that is, "DAMAIN\administrator" or "\administrator". Click Next.


  • The Azure AD Logon Configuration page appears only if you have not completed the process to verify your domains under Prerequisites.

AADConnect4.PNG When this page is displayed, you should check each domain that is marked as Not Added and Not Verified. Ensure that the domains you are using have been verified in Azure AD. Click the refresh icon when you have verified your domains.

  • On the Ready to Configure screen, click Install.
    • Optionally, on the Ready to Configure page, clear the Start synchronization process when configuration is complete check box. Clear this check box if you want to make additional configuration settings, such as filtering. If you uncheck this option, the wizard will configure the synchronization, but the scheduler will remain disabled. It will not run until you enable it manually by running the installation wizard again.
    • If the Start synchronization as soon as configuration is complete check box remains selected, a complete synchronization of all users, groups and contacts will be performed immediately. Synchronization of all users, groups and contacts with Azure AD is triggered.
    • If you use Exchange in your on-premises Active Directory instance, you can also enable hybrid deployments in Exchange. Enable this option if you want to deploy Exchange mailboxes to the cloud and on-premises simultaneously.


  • When the installation is complete, click Finish.
  • THE MOST IMPORTANT THING FOR THE PASSWORD SYNC TO WORK UNDER SAMBA: Domain admin rights must be added to the MSOL user created by the software.


  • After the installation is complete, log out and log back in before using the Synchronization Service Manager or Synchronization Rule Editor.

Blocking issues

It appears that the primary blocking issue in this tools is that the user account is not an administrator, and current released Samba versions require that both GET_ALL_CHANGES rights and domain administrator privileges.