Here’s a detailed guide for setting up a hybrid deployment of Microsoft Entra ID (formerly Azure AD) with your on-premises Active Directory (AD) using Microsoft Entra Connect (formerly Azure AD Connect). Connect synchronizes users, groups and devices one way, from AD into Entra ID, so that one set of credentials works in both environments.
Step 1: Review Prerequisites
- Ensure Licensing Requirements: Directory synchronization itself, Password Hash Synchronization, Pass-through Authentication and Seamless Single Sign-On work on the free tier of Entra ID. Conditional Access, Entra Connect Health and Privileged Identity Management require Entra ID Premium P1 (P2 adds Identity Protection risk policies), so verify those licenses before you plan Steps 4, 5 and 7.
- Directory Health: Confirm your on-premises Active Directory is healthy: replication succeeds between all domain controllers (dcdiag, repadmin /replsummary), DNS resolves correctly, and the forest functional level is Windows Server 2003 or higher. Also check that user UPN suffixes match a domain you can verify in Entra ID; a non-routable suffix such as .local cannot be verified, and users with it would be created with the tenant’s onmicrosoft.com suffix instead.
Step 2: Set Up Entra ID Tenant
- Create or Access Your Entra ID Tenant: If not already done, create an Entra ID tenant via the Azure portal.
- Add a Custom Domain: To ensure your on-premises users map correctly to Entra ID, add your custom domain (e.g., yourdomain.com) in Entra ID. Verify ownership via DNS settings (a TXT record at the domain apex).
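The following script is an added example, not code from the original guide or from Microsoft tooling, that runs the pre-flight checks Steps 1 and 2 ask for. It assumes an elevated PowerShell session on the domain-joined member server that will host Microsoft Entra Connect, with the RSAT ActiveDirectory module installed; the value of $VerifiedDomain is a placeholder for the custom domain you verified in Step 2.

```powershell
# Added example (not part of the original guide): pre-flight checks for Steps 1 and 2.
# Run elevated on the future Entra Connect server with RSAT ActiveDirectory installed.
Import-Module ActiveDirectory

$VerifiedDomain = 'yourdomain.com'   # placeholder: the custom domain verified in Step 2

$forest = Get-ADForest
$cs     = Get-CimInstance Win32_ComputerSystem
$os     = Get-CimInstance Win32_OperatingSystem

# Enabled users whose UPN suffix is not a verified domain would land in Entra ID with
# the tenant's fallback onmicrosoft.com suffix and would not sign in as expected.
$badUpn = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
            Where-Object { $_.UserPrincipalName -notlike "*@$VerifiedDomain" })

# dcdiag /q prints only failures, so empty output means the replication test passed.
$replErrors = (& dcdiag.exe /test:Replications /q 2>&1) -join ''

# .NET strong crypto must be on so the Connect server negotiates TLS 1.2 with Entra ID.
$dotnet = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'Windows Server 2016 or later'              = [version]$os.Version -ge [version]'10.0'
    'Not running on a domain controller'        = $cs.DomainRole -lt 4   # 4 = backup DC, 5 = primary DC
    'Forest functional level 2003 or higher'    = "$($forest.ForestMode)" -notin 'Windows2000Forest','Windows2003InterimForest'
    'AD replication healthy (dcdiag)'           = [string]::IsNullOrWhiteSpace($replErrors)
    '.NET SchUseStrongCrypto enabled (TLS 1.2)' = ($dotnet.SchUseStrongCrypto -eq 1)
    "All enabled users use @$VerifiedDomain"    = ($badUpn.Count -eq 0)
}

foreach ($name in $checks.Keys) {
    '{0,-45} {1}' -f $name, $(if ($checks[$name]) { 'PASS' } else { 'FAIL' })
}
if ($badUpn.Count -gt 0) {
    "`nUsers to fix before the first sync (wrong UPN suffix):"
    $badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
}
```

Any FAIL line should be resolved before you run the Connect installer; the UPN check in particular is cheap to fix now and painful to fix after objects have been matched in the tenant.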
Step 3: Install and Configure Microsoft Entra Connect
- Download Microsoft Entra Connect: Obtain the latest version of Microsoft Entra Connect (formerly Azure AD Connect) from Microsoft’s official download page.
https://www.microsoft.com/en-us/download/details.aspx?id=47594
- Install Microsoft Entra Connect:
- Run the installer on a domain-joined Windows Server 2016 or later member server with line of sight to your domain controllers and outbound HTTPS to Entra ID. Do not install it on a domain controller, and treat the server as a Tier 0 asset: the AD DS connector account that the wizard creates is granted Replicating Directory Changes rights when Password Hash Synchronization is enabled, so whoever controls this server can pull every password hash in the forest.
- Choose the “Express Settings” option for a single-forest setup with defaults (syncs every OU, uses Password Hash Synchronization and creates the service accounts for you), or select “Custom Settings” to pick the sign-in method, filter by OU and use your own service accounts (recommended for anything beyond a small lab).
- Sync Setup:
- During setup, choose the domain(s) and organizational unit(s) you want to sync to Entra ID. Exclude OUs that hold service accounts, privileged accounts and other objects that have no business in the cloud.
- Choose the user sign-in method: Password Hash Synchronization (recommended; it also enables leaked-credential detection in Entra ID Protection) or Pass-through Authentication if password hashes must not leave your premises (keep PHS enabled alongside it as a fallback). Seamless Single Sign-On is a separate checkbox on the same page; enable it if domain-joined Windows devices on the corporate network should sign in to cloud apps without a prompt.
- The “Device options” page configures Microsoft Entra hybrid join for Windows 10 or later devices so that they are managed by both Entra ID and on-prem AD; that is covered in Step 6.
Step 4: Configure Conditional Access and Security Policies
- Set Up Conditional Access Policies: To secure Entra ID resources, configure Conditional Access policies (Entra ID P1). At a minimum, require multi-factor authentication (MFA) for all users and block legacy authentication protocols, which cannot perform MFA. Always exclude your emergency-access (break-glass) accounts, and create each policy in report-only mode first so that sign-in logs show its effect before you enforce it.
- Enable MFA: Prefer phishing-resistant methods (FIDO2 security keys, Windows Hello for Business) or the Microsoft Authenticator app; SMS and voice are the weakest options and should be phased out. Methods are enabled in the Authentication methods policy and then required through Conditional Access, which can target specific roles or groups.
- Enforce Password Policies: Enable Entra Password Protection, which blocks common and tenant-specific banned passwords. To apply the same banned-password list to password changes in on-prem AD, deploy the Password Protection proxy service and the DC agent on your domain controllers.
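The two baseline policies above, created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide or of Microsoft’s documentation. It assumes the Microsoft.Graph module is installed, an account that can consent to the Policy.ReadWrite.ConditionalAccess scope, an Entra ID P1 license, and a group holding the break-glass accounts whose object ID ($BreakGlassGroupId) is a placeholder here.

```powershell
# Added example (not part of the original guide): baseline Conditional Access policies
# created in report-only mode with the Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Placeholder: object ID of the group that holds the emergency-access accounts. Always
# exclude it, otherwise a misconfigured policy can lock every administrator out.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication (Basic auth for SMTP/IMAP/POP, older Office
# clients, Exchange ActiveSync). These clients cannot complete an MFA challenge at all.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Idempotent: skip a policy whose display name already exists instead of creating a duplicate.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $requireMfa, $blockLegacy) {
    $match = $existing | Where-Object DisplayName -eq $policy.displayName
    if ($match) {
        "Skipping '$($policy.displayName)': already exists (state: $($match.State))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
}
```

Leave both policies in report-only mode for a few days, review the “Report-only” tab of the sign-in logs for users who would have been blocked (typically service mailboxes on IMAP or an old scan-to-mail device), fix or exclude those, and only then flip the state to enabled.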
Step 5: Verify Synchronization and Hybrid Identity Functionality
- Test Synchronization: Check the status of your sync process in the Entra admin center under Microsoft Entra Connect Health (requires P1; the health agent is installed together with Entra Connect) or locally on the Connect server with the Synchronization Service Manager, which shows each import, sync and export run and any per-object errors.
- Validate Access: Log in with a synchronized user account to both on-prem AD resources and Entra ID services. Ensure that users can access resources seamlessly across both environments.
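The sync checks from Steps 3 and 5 carried out from PowerShell, as an added example that is not code from the original guide or from Microsoft. It assumes it is run on the Entra Connect server by a member of the local ADSyncAdmins group (the ADSync module ships with Connect), that the Microsoft.Graph module is installed, and that the Graph session has User.Read.All; the connector name ($AdConnector) and test account ($TestUpn) are placeholders.

```powershell
# Added example (not part of the original guide): verify sync configuration and a synced user.
Import-Module ADSync

$AdConnector = 'corp.yourdomain.local'   # placeholder: name of the on-prem AD connector
$TestUpn     = 'jdoe@yourdomain.com'     # placeholder: a synced test account

# 1. Scheduler state: sync enabled, not suspended, and not in staging mode
#    (a staging-mode server imports but never exports to Entra ID or AD).
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    StagingModeEnabled = $sched.StagingModeEnabled
    SchedulerSuspended = $sched.SchedulerSuspended
    NextSyncCycleUtc   = $sched.NextSyncCycleStartTimeInUTC
} | Format-List

# 2. Confirm Password Hash Synchronization is enabled for the AD connector.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector
if (-not $phs.Enabled) { Write-Warning "PHS is disabled on connector '$AdConnector'" }

# 3. Trigger a delta sync and wait for it to finish rather than guessing at timing.
if ($sched.SyncCycleInProgress) { throw 'A sync cycle is already running; try again later.' }
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$waited = 0
do {
    Start-Sleep -Seconds 15; $waited += 15
    $running = Get-ADSyncConnectorRunStatus   # returns nothing when no run is in progress
} while ($running -and $waited -lt 900)
if ($running) { Write-Warning 'Delta sync still running after 15 minutes; check Synchronization Service Manager.' }

# 4. Confirm the test user exists in Entra ID as an object synced from on-prem.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$u = Get-MgUser -UserId $TestUpn -Property UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime,OnPremisesImmutableId
[pscustomobject]@{
    User             = $u.UserPrincipalName
    SyncedFromOnPrem = $u.OnPremisesSyncEnabled        # must be True for a hybrid account
    LastExportUtc    = $u.OnPremisesLastSyncDateTime   # updated when the object was last exported
    ImmutableId      = $u.OnPremisesImmutableId        # base64 of the AD objectGUID (the anchor)
}
```

If SyncedFromOnPrem is empty or False the account is cloud-only, which usually means a UPN or proxyAddress mismatch caused a new object to be created instead of a soft match against the existing one; fix the attribute in AD and resync rather than deleting the cloud object.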
Step 6: Enable Device Sync and Hybrid Join
- Configure Microsoft Entra hybrid join (optional but recommended for device management):
- In Entra Connect, open “Configure device options” and enable hybrid join; the wizard registers a service connection point (SCP) in AD that tells domain-joined Windows 10 or newer devices which tenant to register with. The devices’ computer objects must be in a synced OU, and the devices need line of sight to a domain controller plus outbound HTTPS to the Entra device registration endpoints.
- This allows single sign-on (via a Primary Refresh Token) and device-based Conditional Access for these devices.
- Verify Device Join Status: On a device, run dsregcmd /status and confirm AzureAdJoined: YES together with DomainJoined: YES; in Entra ID the device should appear with join type “Microsoft Entra hybrid joined”.
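A scripted version of the verification above, as an added example that is not part of the original guide: it parses the output of dsregcmd /status on the local device and then cross-checks the device object in the tenant. It assumes a non-elevated session in the signed-in user’s context (so the PRT line reflects that user), the Microsoft.Graph module, and a Graph session with Device.Read.All.

```powershell
# Added example (not part of the original guide): confirm hybrid join locally and in the tenant.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable.
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

$s = Get-DsregStatus
$domainJoined = $s['DomainJoined']  -eq 'YES'
$aadJoined    = $s['AzureAdJoined'] -eq 'YES'

$local = [pscustomobject]@{
    DeviceName   = $env:COMPUTERNAME
    DomainJoined = $domainJoined
    AzureAdJoined = $aadJoined
    HybridJoined = ($domainJoined -and $aadJoined)
    HasPrt       = $s['AzureAdPrt'] -eq 'YES'   # PRT present means SSO works for this user
    DeviceId     = $s['DeviceId']
    TenantName   = $s['TenantName']
}
$local | Format-List

if (-not $local.HybridJoined) {
    Write-Warning 'Device is not hybrid joined; check the SCP, the synced OU and connectivity, then run "dsregcmd /join" or reboot.'
    return
}

# Cross-check in the tenant. trustType 'ServerAd' is hybrid joined; 'AzureAd' is a
# cloud-only join and 'Workplace' is merely registered.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome
$cloud = Get-MgDevice -Filter "deviceId eq '$($local.DeviceId)'" -Property DisplayName,TrustType,ApproximateLastSignInDateTime,AccountEnabled
[pscustomobject]@{
    CloudObjectFound = [bool]$cloud
    TrustType        = $cloud.TrustType
    HybridInTenant   = ($cloud.TrustType -eq 'ServerAd')
    LastSignIn       = $cloud.ApproximateLastSignInDateTime
    AccountEnabled   = $cloud.AccountEnabled
}
```

A device that shows AzureAdJoined: YES locally but has no object in the tenant, or one with a stale LastSignIn, usually means the computer object sits outside the synced OUs; move it or widen the OU filter and wait for the next sync cycle.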
Step 7: Finalize and Monitor
- Regularly Monitor Entra Connect Health: Use Microsoft Entra Connect Health (P1) for sync errors, export failures and agent alerts, and keep the Connect server patched; Microsoft retires old Connect builds, and an unsupported version stops syncing.
- Implement Role-Based Access Control (RBAC): Use the built-in Entra roles and assign only what each administrator needs. Day-to-day operation of Entra Connect needs the Hybrid Identity Administrator role, not Global Administrator; keep the number of Global Administrators small (Microsoft recommends fewer than five), make privileged roles eligible through Privileged Identity Management rather than permanently active, and remember that the Connect server and its AD service account are Tier 0 and must be protected like a domain controller.
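A quick audit of who actively holds the roles that matter most in a hybrid tenant, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module and a session with RoleManagement.Read.Directory; the list of role names is a choice made here, not a Microsoft-defined set, and the report covers active assignments only (PIM-eligible assignments are a separate query).

```powershell
# Added example (not part of the original guide): list active holders of the most
# privileged Entra roles so assignments can be trimmed to least privilege.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

# Roles that can take over the tenant or the hybrid identity path (chosen for this example).
$roleNames = 'Global Administrator',
             'Privileged Role Administrator',
             'Hybrid Identity Administrator',
             'Application Administrator'

$report = foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { continue }
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty principal -All
    foreach ($a in $assignments) {
        $p = $a.Principal.AdditionalProperties   # type-specific fields of the expanded principal
        [pscustomobject]@{
            Role      = $name
            Principal = $(if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] })
            Type      = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')   # user, group, servicePrincipal
            Scope     = $a.DirectoryScopeId   # '/' means tenant-wide
        }
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -gt 4) {
    Write-Warning "$gaCount active Global Administrators; Microsoft recommends fewer than five."
}
# Service principals with tenant-wide Application or Global Administrator are a common
# persistence path after a compromise, so call them out explicitly.
$report | Where-Object { $_.Type -eq 'servicePrincipal' -and $_.Scope -eq '/' } |
    ForEach-Object { Write-Warning "Service principal '$($_.Principal)' holds $($_.Role) tenant-wide" }
```

Run this after the initial setup and then on a schedule; the Global Administrator you used to install Entra Connect should be moved to Hybrid Identity Administrator (or made PIM-eligible) once the deployment is stable.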
Additional Resources
Hybrid identity with Active Directory and Microsoft Entra ID in Azure landing zones
What is hybrid identity with Microsoft Entra ID?
Configure Microsoft Entra hybrid join