Azure AD Connect Synchronization

This document provides a comprehensive guide to understanding and configuring synchronization between your on-premises Active Directory and Azure Active Directory (Azure AD) using Azure AD Connect.

Introduction to Synchronization

Azure AD Connect synchronizes user, group, and contact information from your on-premises Active Directory to Azure AD. This allows users to have a single identity across both environments, enabling single sign-on (SSO) and consistent access to cloud resources.

Tip: Ensure your on-premises Active Directory schema meets the requirements for Azure AD Connect before installation. Refer to the Prerequisites article for details.

Key Synchronization Concepts

  • Connectors: Represent the data sources (e.g., on-premises AD, Azure AD).
  • Connector Space: A staging area, one per connector, holding the objects imported from that connector.
  • Metaverse: A central repository where objects from different connectors are joined and reconciled.
  • Synchronization Rules: Define how data flows between connector spaces and the metaverse, and how objects are provisioned.
  • Export: The process of writing changes from the metaverse back to the connected directories.

Synchronization Modes

Azure AD Connect supports several synchronization scenarios:

  • Password Hash Synchronization (PHS): Synchronizes a hash of the user's password from on-premises AD to Azure AD.
  • Pass-through Authentication (PTA): Authenticates users directly against on-premises AD.
  • Federation (AD FS): Uses Active Directory Federation Services for authentication, often for more complex scenarios.

Configuring Synchronization

The Azure AD Connect wizard guides you through the installation and configuration process. Key steps include:

  1. Install Azure AD Connect: Download the latest version from the Microsoft Download Center.
  2. Connect to Directories: Provide credentials for your on-premises AD and Azure AD.
  3. Configure Sign-In Method: Choose between PHS, PTA, or Federation.
  4. Select Domains and OUs: Specify which parts of your on-premises AD to synchronize.
  5. Unique Identifying Attributes: Configure how users are uniquely identified.
  6. Filtering: Set up rules to include or exclude specific users, groups, or attributes.

Note: Customizing synchronization rules requires advanced knowledge and should be done with caution. Always back up your configuration before making significant changes.
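One way to follow the back-up advice above is to snapshot the configuration before a change and diff a later snapshot against it, so an unexpected rule change (whether a slip during customization or a modification nobody authorised) stands out. The script below is an added example, not code from the original page or from Microsoft; it assumes the ADSync module is available on the Azure AD Connect server, that the Get-ADSyncRule objects expose Identifier, Name, Precedence, Direction and Disabled as properties, and that C:\ADSyncBaseline is a writable folder (placeholder path).

```powershell
# Added example (not from the original page): snapshot the Azure AD Connect
# configuration before a change and compare a later snapshot against it.
# Requires the ADSync module on the Azure AD Connect server.
Import-Module ADSync

$BaselineRoot = 'C:\ADSyncBaseline'   # assumed location for the snapshots

function Export-ADSyncSnapshot {
    param([string]$Root = $BaselineRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Sync rules are the part most worth guarding; the scheduler and global
    # settings are kept as well so every knob that shapes the flow is captured.
    Get-ADSyncRule           | Export-Clixml (Join-Path $dir 'rules.xml')
    Get-ADSyncScheduler      | Export-Clixml (Join-Path $dir 'scheduler.xml')
    Get-ADSyncGlobalSettings | Export-Clixml (Join-Path $dir 'globalsettings.xml')
    return $dir
}

function Compare-ADSyncRules {
    param(
        [Parameter(Mandatory)][string]$BaselineDir,
        [Parameter(Mandatory)][string]$CurrentDir
    )
    $base = Import-Clixml (Join-Path $BaselineDir 'rules.xml')
    $cur  = Import-Clixml (Join-Path $CurrentDir  'rules.xml')

    # Compare on the properties that define a rule's identity and effect
    # (assumed property names); any difference means a rule was added,
    # removed or reshaped between the two snapshots.
    $props = 'Identifier', 'Name', 'Precedence', 'Direction', 'Disabled'
    Compare-Object -ReferenceObject $base -DifferenceObject $cur -Property $props |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '=>') { 'Present in current only' } else { 'Present in baseline only' }
            [pscustomobject]@{
                Change     = $side
                Name       = $_.Name
                Precedence = $_.Precedence
                Direction  = $_.Direction
                Disabled   = $_.Disabled
            }
        }
}

# Usage: take a baseline before the change, another afterwards, then diff them.
# $before = Export-ADSyncSnapshot
# ... apply the configuration change ...
# $after  = Export-ADSyncSnapshot
# Compare-ADSyncRules -BaselineDir $before -CurrentDir $after
```

A rule that changed shows up twice (once per side) because its Precedence, Direction or Disabled value no longer matches; a rule that only appears on one side was added or removed. Running the comparison on a schedule against a known-good baseline turns the snapshot into a simple drift check for the sync rule set.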

Synchronization Cycle

By default, Azure AD Connect runs a full synchronization cycle approximately every 30 minutes. You can also trigger a synchronization cycle manually using PowerShell cmdlets.

    # Import the ADSync module
    Import-Module ADSync

    # Start a full synchronization cycle (PolicyType Initial)
    Start-ADSyncSyncCycle -PolicyType Initial

    # Start an incremental synchronization cycle (PolicyType Delta)
    Start-ADSyncSyncCycle -PolicyType Delta
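Start-ADSyncSyncCycle fails when a cycle is already in progress, so a manual trigger is best wrapped in a check of the scheduler state followed by polling until the connectors go idle. The function below is an added example, not code from the original page or from Microsoft; it assumes the ADSync module on the Azure AD Connect server, the SyncCycleInProgress property of Get-ADSyncScheduler, and that Get-ADSyncConnectorRunStatus returns nothing while the engine is idle.

```powershell
# Added example (not from the original page): run a delta sync only when no
# cycle is already in progress, then wait until every connector run has ended.
# Requires the ADSync module on the Azure AD Connect server.
Import-Module ADSync

function Invoke-ADSyncDeltaCycle {
    param(
        [int]$TimeoutMinutes = 30,   # how long to wait for the cycle to finish
        [int]$PollSeconds    = 15    # polling interval for the run status
    )

    # Starting a cycle while one is running raises an error, so wait for the
    # scheduler to report that no cycle is in progress.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'A sync cycle is still running; timed out waiting for it.' }
        Start-Sleep -Seconds $PollSeconds
    }

    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Get-ADSyncConnectorRunStatus lists connectors with a run in progress
    # (RunState such as Busy); an empty result means the engine is idle.
    do {
        Start-Sleep -Seconds $PollSeconds
        $running = Get-ADSyncConnectorRunStatus
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the delta cycle to finish.' }
    } while ($running)

    # Return the scheduler state so the caller can confirm the cycle completed
    # and see when the next scheduled cycle is due.
    Get-ADSyncScheduler |
        Select-Object SyncCycleInProgress, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

Invoke-ADSyncDeltaCycle
```

Use -PolicyType Initial in the same wrapper when a full cycle is needed after a rule change; the wait-and-poll logic is identical, only the run takes longer.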

Troubleshooting Synchronization Issues

Common issues can arise from:

  • Incorrectly configured synchronization rules.
  • Permissions issues for the service account.
  • Network connectivity problems.
  • Schema mismatches or duplicate attribute values.
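Duplicate attribute values are the easiest of these to catch before they become export errors, because the data is in on-premises AD where it can be queried directly. The script below is an added example, not code from the original page or from Microsoft (the IdFix tool does a fuller version of this check); it assumes the ActiveDirectory RSAT module and uses OU=Corp,DC=contoso,DC=com as a placeholder search base.

```powershell
# Added example (not from the original page): find on-premises users whose
# userPrincipalName, mail or proxyAddresses values collide, the usual source of
# "duplicate attribute" export errors in Azure AD Connect.
# Requires the ActiveDirectory RSAT module; the search base is an assumption.
Import-Module ActiveDirectory

function Find-ADSyncDuplicateAttributes {
    param([string]$SearchBase = 'OU=Corp,DC=contoso,DC=com')   # placeholder OU

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties userPrincipalName, mail, proxyAddresses

    # Flatten every (user, attribute, value) triple so the multi-valued
    # proxyAddresses and the single-valued UPN/mail are checked the same way.
    $values = foreach ($u in $users) {
        foreach ($attr in 'userPrincipalName', 'mail') {
            if ($u.$attr) {
                [pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Value = $u.$attr.ToLowerInvariant() }
            }
        }
        foreach ($addr in @($u.proxyAddresses)) {
            if ($addr) {
                # Compare the address part only, so SMTP:/smtp: prefixes do not hide a clash.
                $plain = ($addr -replace '^[^:]+:', '').ToLowerInvariant()
                [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'proxyAddresses'; Value = $plain }
            }
        }
    }

    # Report any value held by more than one user. Values are compared across
    # attributes so an address that is one user's UPN and another user's proxy
    # address is surfaced for review as well.
    $values | Group-Object Value |
        Where-Object { @($_.Group.User | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Value      = $_.Name
                Users      = (@($_.Group.User | Select-Object -Unique)) -join ', '
                Attributes = (@($_.Group.Attribute | Select-Object -Unique)) -join ', '
            }
        }
}

Find-ADSyncDuplicateAttributes | Format-Table -AutoSize
```

Run it against each OU selected for synchronization in the wizard; an empty result means no two users in scope share a sign-in or mail address.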

The Synchronization Service Manager tool provides detailed logs and error information. The Azure AD Connect Health agent also offers proactive monitoring and alerts for synchronization problems.

Warning: Do not modify the default synchronization rules directly. Instead, create custom rules with a higher precedence to override default behavior.
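The concepts listed under Key Synchronization Concepts (connectors, connector spaces, sync rules) and the warning above both come down to knowing which rules exist, which connector each one touches, and whether custom rules sit in the precedence range that lets them override the defaults. The script below is an added example serving both passages; it is not code from the original page or from Microsoft. It assumes the ADSync module, that Get-ADSyncRule objects expose Name, Precedence, Direction, Connector, Disabled and IsStandardRule (the last is an assumed property name), and that Get-ADSyncConnector objects expose Identifier and Name.

```powershell
# Added example (not from the original page): inventory the synchronization
# rules by connector and direction, and flag custom rules whose precedence is
# outside the 0-99 range reserved for them. Requires the ADSync module.
Import-Module ADSync

function Get-ADSyncRuleAudit {
    # Map connector identifiers to names so each rule shows which connector
    # space it reads from (inbound) or writes to (outbound).
    $connectorNames = @{}
    foreach ($c in Get-ADSyncConnector) { $connectorNames[$c.Identifier.ToString()] = $c.Name }

    foreach ($rule in (Get-ADSyncRule | Sort-Object Precedence)) {
        $isStandard = [bool]$rule.IsStandardRule   # assumed property; false for custom rules
        $issue = $null
        # A lower number means higher precedence. Custom rules belong in 0-99
        # so they win over the standard rules (100 and above) instead of the
        # standard rules being edited in place.
        if (-not $isStandard -and $rule.Precedence -ge 100) { $issue = 'custom rule outside 0-99' }
        if ($isStandard -and $rule.Precedence -lt 100)      { $issue = 'standard rule in the custom range' }

        $connector = $null
        if ($rule.Connector) { $connector = $connectorNames[$rule.Connector.ToString()] }

        [pscustomobject]@{
            Precedence = $rule.Precedence
            Direction  = $rule.Direction
            Connector  = $connector
            Name       = $rule.Name
            Disabled   = $rule.Disabled
            Standard   = $isStandard
            Issue      = $issue
        }
    }
}

$audit = Get-ADSyncRuleAudit
$audit | Format-Table -AutoSize

# Two rules sharing a precedence number are also worth a look, since the
# engine relies on the number to decide which rule's value wins.
$audit | Group-Object Precedence | Where-Object Count -gt 1 |
    ForEach-Object { "Precedence $($_.Name) is used by: $($_.Group.Name -join '; ')" }
```

Rows with a non-empty Issue column are the ones to review first; a custom rule at precedence 100 or higher will not reliably override the default behaviour the warning refers to.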

Further Reading