How to Install and Configure Microsoft Entra Connect for Directory Sync

Install and configure Microsoft Entra Connect to synchronize your on-premises Active Directory with Microsoft Entra ID (Azure AD), enabling hybrid identity management.

Emanuel DE ALMEIDA | 3/16/2026 | 15 min read | Difficulty: medium | Category: azure | 10 steps

Why Set Up Microsoft Entra Connect for Directory Synchronization?

Microsoft Entra Connect (formerly Azure AD Connect) serves as the bridge between your on-premises Active Directory and Microsoft Entra ID (formerly Azure AD), enabling hybrid identity management for organizations using Microsoft 365 and Azure services. This synchronization tool eliminates the need to maintain separate user accounts in the cloud while providing users with seamless access to both on-premises and cloud resources.

What Does Microsoft Entra Connect Actually Do?

Entra Connect synchronizes user accounts, groups, and other directory objects from your on-premises Active Directory to Microsoft Entra ID. It handles password hash synchronization, allowing users to use the same credentials for both environments. The tool also supports advanced scenarios like Exchange hybrid deployments, single sign-on (SSO), and device management through Azure AD join.

How Has Microsoft Entra Connect Evolved in 2026?

As of 2026, Microsoft has rebranded Azure AD Connect to Microsoft Entra Connect as part of their broader Entra identity platform. The tool continues to support Windows Server 2016 and later versions, with enhanced security requirements including mandatory TLS 1.2 support. The installation process has been streamlined through the Microsoft Entra admin center, ensuring users always download the latest version with current security updates and feature improvements.

This tutorial walks you through the complete process of installing and configuring Microsoft Entra Connect using the custom installation method, which provides greater control over synchronization settings compared to the express installation. You'll learn how to prepare your environment, configure synchronization rules, and verify that your hybrid identity setup is working correctly.

Implementation Guide

Full Procedure

01. Prepare Your Environment and Run IdFix

Before installing Entra Connect, you need to clean up your Active Directory to prevent synchronization errors. Download and run the IdFix tool to identify and fix common AD issues.

Download IdFix from the Microsoft Download Center and run it on a domain controller or management workstation:

# Run IdFix as Administrator
# Navigate to the downloaded IdFix folder
.\IdFix.exe

In IdFix, click Query to scan your directory. The tool will identify objects with errors like duplicate proxyAddresses, invalid characters in userPrincipalName, or missing mail attributes.

Review each error and click Edit to fix issues automatically, or manually correct them in Active Directory Users and Computers. Common fixes include:

  • Removing duplicate email addresses
  • Fixing invalid characters in UPN
  • Adding missing mail attributes for mail-enabled objects

Pro tip: Always backup your AD before applying IdFix changes. Use the Apply button only after reviewing all proposed changes.

Verification: Re-run the query in IdFix until no errors appear, or only acceptable errors remain that you've documented.
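As an added example (not from the original post), the read-only pre-check below reproduces three of the IdFix findings with the ActiveDirectory PowerShell module, so you can gauge the size of the cleanup before running IdFix. It assumes the RSAT ActiveDirectory module is installed; the UPN character set is an approximation of the IdFix rule, not its exact definition.

```powershell
# Added example, not the page's own code. Read-only: it reports, it does not modify AD.
Import-Module ActiveDirectory

# Approximation of the characters accepted in a UPN (assumption, not the exact IdFix rule).
$upnPattern = '^[A-Za-z0-9._!#^~''-]+@[A-Za-z0-9.-]+$'

function Get-DirSyncPreCheck {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                -Properties proxyAddresses, mail, userPrincipalName

    # 1. proxyAddresses that appear on more than one object, compared case-insensitively
    #    (which is how Exchange Online treats them).
    $dupes = $users | ForEach-Object {
        $u = $_
        foreach ($addr in $u.proxyAddresses) {
            [pscustomobject]@{ Address = $addr.ToLower(); User = $u.SamAccountName }
        }
    } | Group-Object Address | Where-Object Count -gt 1

    # 2. UPNs containing characters outside the allowed set.
    $badUpn = $users | Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName -notmatch $upnPattern }

    # 3. Objects that carry proxyAddresses (so they are mail-enabled) but have no mail attribute.
    $noMail = $users | Where-Object { $_.proxyAddresses -and -not $_.mail }

    foreach ($g in $dupes)  { "DUPLICATE PROXYADDRESS {0}: {1}" -f $g.Name, ($g.Group.User -join ', ') }
    foreach ($u in $badUpn) { "INVALID UPN {0} ({1})" -f $u.UserPrincipalName, $u.SamAccountName }
    foreach ($u in $noMail) { "MISSING MAIL {0}" -f $u.SamAccountName }

    # Summary object last, so it is easy to compare with the IdFix error count
    [pscustomobject]@{
        DuplicateProxyAddresses = @($dupes).Count
        InvalidUpn              = @($badUpn).Count
        MissingMail             = @($noMail).Count
    }
}

Get-DirSyncPreCheck
```

Re-run it after applying the IdFix changes; all three counters should reach zero or match the exceptions you documented.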

02. Verify TLS 1.2 and Network Prerequisites

Microsoft Entra Connect requires TLS 1.2 for secure communication with Azure services. Check and enable TLS 1.2 if needed.

Run this PowerShell script to verify TLS 1.2 configuration:

# Check TLS 1.2 registry settings.
# Note: when these keys are absent the OS default applies (TLS 1.2 is enabled by
# default on Windows Server 2016 and later). This check deliberately treats a missing
# key as "needs configuration" so that the values get set explicitly in the next step.
$tls12Client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -ErrorAction SilentlyContinue
$tls12Server = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -ErrorAction SilentlyContinue

if ($tls12Client.Enabled -eq 1 -and $tls12Server.Enabled -eq 1) {
    Write-Host "TLS 1.2 is properly configured" -ForegroundColor Green
} else {
    Write-Host "TLS 1.2 needs configuration" -ForegroundColor Red
}

If TLS 1.2 is not enabled, configure it with these registry changes:

# Enable TLS 1.2 (run from an elevated PowerShell session).
# New-Item -Force also creates the 'TLS 1.2' parent key if it does not exist yet.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force

# SCHANNEL settings are read at boot, so a reboot is required for the change to take effect
Restart-Computer

Ensure your server can reach these Microsoft endpoints:

  • https://login.microsoftonline.com
  • https://aadcdn.msauth.net
  • https://aadcdn.msftauth.net

Verification: Test connectivity with Test-NetConnection login.microsoftonline.com -Port 443
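As an added example (not from the original post), the read-only audit below combines the checks of this step into one report: the SCHANNEL TLS 1.2 keys (treating an absent key as the OS default rather than as disabled), and the TCP 443 reachability of the three endpoints listed above. It goes beyond the page by also reading the .NET Framework SchUseStrongCrypto and SystemDefaultTlsVersions values, which the .NET-based wizard and sync engine rely on to negotiate TLS 1.2.

```powershell
# Added example, not the page's own code. Read-only; run it on the intended Entra Connect server.
function Test-EntraConnectTlsReadiness {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    # .NET Framework keys (64-bit and 32-bit views) that make .NET follow the OS TLS defaults
    $dotnetKeys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $endpoints = 'login.microsoftonline.com', 'aadcdn.msauth.net', 'aadcdn.msftauth.net'
    $report = New-Object System.Collections.Generic.List[object]

    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$schannel\$side" -ErrorAction SilentlyContinue
        # A missing key means the OS default applies (TLS 1.2 is on by default on Server 2016+);
        # only an explicit Enabled=0 or DisabledByDefault=1 actually turns the protocol off.
        if (-not $p) { $status = 'OS default (not explicitly set)' }
        elseif ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { $status = 'DISABLED' }
        else { $status = 'Enabled' }
        $report.Add([pscustomobject]@{ Check = "SCHANNEL TLS 1.2 $side"; Status = $status })
    }

    foreach ($key in $dotnetKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $ok = ($p.SchUseStrongCrypto -eq 1) -and ($p.SystemDefaultTlsVersions -eq 1)
        $status = if ($ok) { 'Enabled' } else { 'Not set' }
        $report.Add([pscustomobject]@{ Check = ".NET strong crypto ($key)"; Status = $status })
    }

    foreach ($name in $endpoints) {
        # Port test only: a proxy that allows TCP 443 but inspects TLS can still break the wizard
        $tnc = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
        $status = if ($tnc.TcpTestSucceeded) { 'Reachable' } else { 'BLOCKED' }
        $report.Add([pscustomobject]@{ Check = "TCP 443 to $name"; Status = $status })
    }

    $report
}

Test-EntraConnectTlsReadiness | Format-Table -AutoSize
```

Anything reported as DISABLED, Not set or BLOCKED should be fixed before you start the installer, because the wizard's sign-in to Entra ID is the first thing that will fail.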

03. Download Microsoft Entra Connect from Admin Center

Download the latest version of Microsoft Entra Connect directly from the Microsoft Entra admin center to ensure you get the most current release.

Navigate to the Microsoft Entra admin center:

  1. Open a web browser and go to https://entra.microsoft.com
  2. Sign in with your Global Administrator account
  3. Navigate to Identity > Hybrid management > Microsoft Entra Connect
  4. Click Connect Sync
  5. Click Download the latest Entra Connect Sync Version

This downloads the AzureADConnect.msi file. Transfer this file to your designated Entra Connect server if you downloaded it from a different machine.

Warning: Always download Entra Connect from the official Microsoft admin center. Third-party downloads may be outdated or compromised.

Before proceeding, verify your server meets the minimum requirements:

  • 4 GB RAM minimum
  • 70 GB available disk space
  • Dual-core 1.6 GHz processor
  • Domain-joined Windows Server 2016 or later

Verification: Check the downloaded file properties to confirm it's signed by Microsoft Corporation and note the version number for your records.

04. Install Microsoft Entra Connect with Custom Settings

Run the Entra Connect installer and choose custom installation for maximum control over synchronization settings. This approach is recommended over Express installation for production environments.

Right-click the AzureADConnect.msi file and select Run as administrator. Follow these steps in the installation wizard:

  1. Welcome page: Accept the license terms and privacy notice
  2. Express Settings: Click Customize instead of Use express settings
  3. Install required components: Leave default selections unless you need specific features like SQL Server Express or custom service account
  4. Click Install to install prerequisites

The installation of required components typically takes 2-3 minutes. You'll see progress for:

  • .NET Framework components
  • PowerShell modules
  • SQL Server Express LocalDB
  • Microsoft Online Services Sign-In Assistant

Pro tip: If you're installing on a server with existing SQL Server, you can specify a custom SQL Server instance instead of using SQL Server Express LocalDB.

Verification: The installer will automatically verify prerequisites and display any missing components. All items should show green checkmarks before proceeding.

05. Configure User Sign-In Method and Connect to Entra ID

Configure how users will authenticate and establish the connection to your Microsoft Entra ID tenant.

On the User sign-in page, select your authentication method:

  • Password Hash Synchronization: Most common choice - syncs password hashes to Azure
  • Pass-through Authentication: Validates passwords against on-premises AD
  • Federation with AD FS: For organizations with existing ADFS infrastructure

For this tutorial, select Password Hash Synchronization and click Next.

On the Connect to Azure AD page, enter your Global Administrator credentials:

Username: admin@yourtenant.onmicrosoft.com
Password: [Your Global Admin Password]

If your account has MFA enabled, you'll be prompted to complete the additional authentication step. Make sure your browser allows pop-ups from Microsoft domains.

Warning: The Global Administrator account used here will be stored encrypted on the Entra Connect server. Use a dedicated admin account, not a personal account.

After successful authentication, you'll see your tenant information displayed, including the tenant name and verified domains.

Verification: The wizard will display your tenant details and verified domains. Confirm these match your expected Microsoft 365 tenant.

06. Connect Your On-Premises Active Directory

Establish the connection between Entra Connect and your on-premises Active Directory forest.

On the Connect your directories page:

  1. Your AD forest should be automatically detected and listed
  2. Click Add Directory next to your forest
  3. Select Create new AD account (recommended) or use existing credentials
  4. Enter Enterprise Admin credentials for your domain:
     Username: DOMAIN\EnterpriseAdmin
     Password: [Enterprise Admin Password]

Entra Connect will create a service account (typically named MSOL_[random]) with the necessary permissions for directory synchronization. This account will have:

  • Replicating Directory Changes permissions
  • Replicating Directory Changes All permissions
  • Read permissions on all AD objects

If you have multiple forests, repeat this process for each forest you want to synchronize.

Pro tip: The created service account password never expires and uses a complex, randomly generated password. Document the account name for future reference.

Click Next after successfully adding all directories.

Verification: Check that all your AD forests show a green checkmark and "Successfully added" status before proceeding.

07. Configure Domain and OU Filtering

Select which domains and organizational units (OUs) to synchronize. This step is crucial for controlling what gets synchronized to Microsoft Entra ID.

On the Domain and OU filtering page, you'll see your AD forest structure. You can choose to:

  • Sync all domains and OUs: Synchronizes everything (default)
  • Sync selected domains and OUs: Gives granular control

For production environments, it's recommended to select specific OUs. Expand your domain and check the boxes for OUs containing:

  • User accounts that need Microsoft 365 access
  • Security groups
  • Distribution groups
  • Mail-enabled contacts
  • Computer accounts (if needed for device management)

Common OUs to exclude:

  • Service accounts OU
  • Test/development user accounts
  • Disabled user accounts OU
  • Legacy computer accounts

Example selection:

✓ Users
✓ Groups
✓ Mail Contacts
✗ Service Accounts
✗ Disabled Users
✗ Test Accounts

Warning: Be careful with OU selection. Objects in unselected OUs won't sync to Azure, which could break mail flow or access for those users.

Verification: Review your selections carefully. You can change OU filtering later, but it requires running the configuration wizard again.
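As an added example (not from the original post), the read-only inventory below lists, per OU, how many enabled, disabled and mail-enabled users it holds, which is the information you need to decide which boxes to tick and to confirm that no mail-enabled users sit in an OU you intend to exclude. It assumes the RSAT ActiveDirectory module; the "password never expires" count is only a heuristic for spotting service-account OUs.

```powershell
# Added example, not the page's own code. Read-only inventory to support the OU filtering decision.
Import-Module ActiveDirectory

function Get-OuSyncInventory {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        # OneLevel: count only direct children so each object is attributed to exactly one OU
        $users  = @(Get-ADUser -Filter * -SearchBase $ou -SearchScope OneLevel `
                      -Properties mail, proxyAddresses, PasswordNeverExpires)
        $groups = @(Get-ADGroup -Filter * -SearchBase $ou -SearchScope OneLevel)
        [pscustomobject]@{
            OU               = $ou
            EnabledUsers     = @($users | Where-Object { $_.Enabled }).Count
            DisabledUsers    = @($users | Where-Object { -not $_.Enabled }).Count
            MailEnabledUsers = @($users | Where-Object { $_.mail -or $_.proxyAddresses }).Count
            # Heuristic only: many never-expiring passwords usually means a service-account OU
            PwdNeverExpires  = @($users | Where-Object { $_.PasswordNeverExpires }).Count
            Groups           = $groups.Count
        }
    } | Sort-Object EnabledUsers -Descending
}

$inventory = Get-OuSyncInventory
$inventory | Format-Table -AutoSize

# OUs that look like exclusion candidates (mostly disabled or service accounts) but still
# contain mail-enabled users: excluding them would break mail flow for those users.
$inventory |
    Where-Object { $_.MailEnabledUsers -gt 0 -and ($_.DisabledUsers -ge $_.EnabledUsers -or $_.PwdNeverExpires -gt 0) } |
    ForEach-Object { "REVIEW BEFORE EXCLUDING: {0} has {1} mail-enabled user(s)" -f $_.OU, $_.MailEnabledUsers }
```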

08. Configure User Identification and Attribute Mapping

Configure how Entra Connect will uniquely identify users and map attributes between on-premises AD and Microsoft Entra ID.

On the Uniquely identifying your users page:

  1. Users are represented only once across all directories: Select this if users exist in only one forest
  2. Source Anchor: Choose the attribute that uniquely identifies users

For the source anchor, you have these options:

  • Let Azure manage the source anchor: Recommended for most scenarios
  • ms-DS-ConsistencyGuid: Good for multi-forest scenarios
  • ObjectGUID: Traditional choice, but less flexible

Select Let Azure manage the source anchor for the best experience.

On the User Principal Name configuration:

  • userPrincipalName: Standard choice, uses the UPN from AD
  • Alternate ID: Use a different attribute like mail or employeeID

Choose userPrincipalName unless you have specific requirements for alternate ID.

Pro tip: If your on-premises UPN suffix doesn't match your verified domain in Microsoft 365, users will get a .onmicrosoft.com UPN in the cloud, but can still sign in with their original UPN.

Verification: The wizard will show a summary of your identity configuration. Confirm the source anchor and UPN settings match your requirements.

09. Configure Filtering and Optional Features

Set up user and device filtering, then enable optional features based on your organization's needs.

On the Filter users and devices page:

  • Synchronize all users and devices: Default option
  • Synchronize selected: Allows filtering by groups or attributes

For most organizations, select Synchronize all users and devices. If you need filtering, you can configure it based on:

  • Group membership
  • Attribute values (like department or location)

On the Optional features page, consider enabling:

  • Exchange hybrid deployment: If you have Exchange on-premises
  • Exchange mail public folders: For public folder access in Exchange Online
  • Azure AD app and attribute filtering: For advanced scenarios
  • Password writeback: Allows password changes in Azure to sync back to AD
  • Group writeback: Syncs Microsoft 365 groups back to on-premises AD
  • Device writeback: For hybrid Azure AD join scenarios

For a basic setup, you typically don't need to enable additional features initially.

Warning: Some optional features like writeback require additional permissions and configuration. Only enable features you specifically need and understand.

Verification: Review your filtering and optional feature selections. You can modify these later through the configuration wizard.

10. Complete Installation and Verify Synchronization

Finalize the installation and verify that directory synchronization is working correctly.

On the Ready to configure page:

  1. Review all your configuration settings
  2. Ensure Start the synchronization process when configuration completes is checked
  3. Click Install

The installation process will:

  • Apply your configuration settings
  • Create synchronization rules
  • Initialize the sync engine database
  • Start the first synchronization cycle

This process typically takes 5-10 minutes. After completion, verify synchronization in multiple ways:

Check Entra Connect Server:

# Open PowerShell as Administrator on the Entra Connect server
Import-Module ADSync

# Check scheduler state (SyncCycleEnabled, StagingModeEnabled, NextSyncCycleStartTimeInUTC)
Get-ADSyncScheduler

# View the most recent run results from the sync engine's run history
Get-ADSyncRunProfileResult | Select-Object -First 10

# Check whether a connector run is currently in progress
Get-ADSyncConnectorRunStatus

Check Microsoft 365 Admin Center:

  1. Go to https://admin.microsoft.com
  2. Navigate to Users > Active users
  3. Look for synced users (they'll have a green sync icon)
  4. Check Health > Directory sync status

Check Microsoft Entra Admin Center:

  1. Go to https://entra.microsoft.com
  2. Navigate to Identity > Hybrid management > Microsoft Entra Connect
  3. Review the sync status dashboard

Pro tip: Initial sync can take 30 minutes to several hours depending on the number of objects. Large directories (>100,000 objects) may take longer for the first sync.

Verification: Confirm that users from your selected OUs appear in Microsoft 365 with the sync icon, and the sync status shows as healthy in both admin centers.
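As an added example (not from the original post), the health check below wraps the server-side verification of this step into one function run on the Entra Connect server: it reads the scheduler state, flags staging mode (a staging server never exports, so a "healthy" scheduler there does not mean users are reaching the cloud), and summarises the most recent run results. The ADSync cmdlets are the ones used above; the property names read from their output are assumptions from the module's documented objects.

```powershell
# Added example, not the page's own code. Run in an elevated PowerShell on the Entra Connect server.
Import-Module ADSync

function Get-EntraConnectSyncHealth {
    $sched = Get-ADSyncScheduler
    # Most recent runs first; property names (StartDate, Result) assumed from the ADSync module
    $runs = @(Get-ADSyncRunProfileResult -ErrorAction SilentlyContinue |
              Sort-Object StartDate -Descending | Select-Object -First 10)

    # Any run whose result is not "success" (e.g. stopped-error-limit, completed-export-errors)
    $failed = @($runs | Where-Object { $_.Result -and $_.Result -ne 'success' })

    $issues = @()
    if (-not $sched.SyncCycleEnabled) { $issues += 'Sync cycle is disabled' }
    if ($sched.StagingModeEnabled)    { $issues += 'Server is in staging mode: it imports but never exports' }
    if ($sched.SchedulerSuspended)    { $issues += 'Scheduler is suspended (usually a wizard or upgrade in progress)' }
    if ($runs.Count -eq 0)            { $issues += 'No run history yet: the first cycle has not completed' }
    if ($failed.Count -gt 0)          { $issues += "$($failed.Count) of the last $($runs.Count) runs did not succeed" }

    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        CycleInProgress  = $sched.SyncCycleInProgress
        IntervalMinutes  = $sched.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
        NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
        LastRunResult    = if ($runs.Count -gt 0) { $runs[0].Result } else { $null }
        Healthy          = ($issues.Count -eq 0)
        Issues           = $issues
    }
}

Get-EntraConnectSyncHealth | Format-List
```

If Healthy is false, the Issues list tells you which of the admin-center checks above to look at first; a non-success LastRunResult means opening Synchronization Service Manager to read the per-object errors.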

Frequently Asked Questions

What's the difference between Microsoft Entra Connect and Azure AD Connect?

Microsoft Entra Connect is the rebranded version of Azure AD Connect as of 2023-2024. The functionality remains the same - it's still the tool for synchronizing on-premises Active Directory with Microsoft's cloud identity service. The rebranding reflects Microsoft's broader Entra identity platform strategy, but the installation process and features are essentially identical.

Can I install Microsoft Entra Connect on a domain controller?

Yes, you can install Entra Connect on a domain controller, but it's not recommended for production environments. Microsoft suggests installing it on a dedicated member server for better performance and security isolation. If you must install on a DC, ensure it has adequate resources and consider the security implications of running additional services on your domain controller.

How long does the initial synchronization take with Microsoft Entra Connect?

Initial synchronization time depends on the number of objects in your Active Directory. Small environments (under 10,000 objects) typically complete within 30 minutes, while larger directories with 100,000+ objects may take several hours. The sync engine processes objects in batches, and you can monitor progress through the Synchronization Service Manager or PowerShell cmdlets.

What happens if my Microsoft Entra Connect server fails?

If your Entra Connect server fails, directory synchronization stops, but existing cloud users can still access Microsoft 365 services. You'll need to restore the server or install Entra Connect on a new server. Microsoft recommends implementing staging mode on a secondary server for disaster recovery, which keeps a standby server ready with synchronized configuration but not actively syncing until promoted.

Can I change the organizational units being synchronized after installation?

Yes, you can modify OU filtering after installation by running the Entra Connect configuration wizard again. Go to the installation directory and run AzureADConnect.exe, then select 'Customize synchronization options'. You can add or remove OUs from synchronization, but be aware that removing OUs will cause those objects to be deleted from Microsoft Entra ID during the next sync cycle.
Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
