I deployed a lab environment to learn more about federated access between an “on-prem” lab environment and the cloud. I basically wanted to learn how to federate a custom domain in my Azure AD tenant (from my Microsoft 365 subscription) with my on-prem directory.
In this post, I will show you how to set up Azure AD Connect on a domain controller to sync and federate an Azure AD custom domain with an on-prem directory. This is done to leverage on-prem Active Directory Federation Services (AD FS) and allow on-prem users to authenticate to cloud services with the same credentials.
What is Azure AD Connect?
Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.
Why Use Azure AD Connect?
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources.
Initialize Azure AD Connect Setup
Click on the Azure AD Connect icon after downloading and installing it on your domain controller. You can download and install it with the following PowerShell commands (note: this only installs the Azure AD Connect resources; the setup itself comes next).

```powershell
# Check that the download host resolves before pulling the installer
Resolve-DnsName download.microsoft.com
$AADConnectDLUrl = "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi"
$exe = "$env:SystemRoot\system32\msiexec.exe"
# Download the MSI to a temp file, then rename it so msiexec sees an .msi extension
$tempfile = [System.IO.Path]::GetTempFileName()
$folder = [System.IO.Path]::GetDirectoryName($tempfile)
$webclient = New-Object System.Net.WebClient
$webclient.DownloadFile($AADConnectDLUrl, $tempfile)
Rename-Item -Path $tempfile -NewName "AzureADConnect.msi"
$MSIPath = $folder + "\AzureADConnect.msi"
# Silent, unattended install with no reboot
Invoke-Expression "& `"$exe`" /i $MSIPath /qn /passive /norestart"
```
Double-click on the Azure AD Connect Icon on the desktop
Do not select any options. Just keep the default setup and click
Select Sign-In Methods
We are going to use our “on-prem” AD FS server as the identity provider to handle federation services. Therefore, we need to click on
Federation with AD FS
Enter Azure AD Global Admin Creds
Set Up Sync
Enter “On-Prem” Active Directory
Create Azure AD Sync Account
Set Up Azure Sign-In to use the same creds as our “On-prem” directory
Select OUs to Sync
Synchronize All Users
Skip Optional Features
Provide Creds for On-prem Domain
Choose Existing ADFS Server
Select Azure AD domain to federate with on-prem directory
Ready to configure
Verify Federation Connectivity
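Beyond the connectivity check in the wizard, it is worth confirming from PowerShell that sync and federation ended up in the state you expect, since the AD FS token-signing certificate and the relying party trust are what Azure AD now trusts for every sign-in from this domain. The script below is an added example, not code from the original post or from Microsoft; it assumes `contoso.com` is the custom domain you federated, `sts.contoso.com` is the AD FS farm service name, and the MSOnline module is installed on the machine where you run the Azure AD checks. Run the AD FS section on the AD FS server and the ADSync section on the Azure AD Connect server.

```powershell
# Added example (not part of the original post). Assumed values:
$Domain   = "contoso.com"       # assumption: the custom domain federated above
$AdfsFqdn = "sts.contoso.com"   # assumption: AD FS farm service name

# --- On the AD FS server -------------------------------------------------
# The wizard creates this relying party trust; it must exist and be enabled.
Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" |
    Select-Object Name, Enabled, Identifier

# The token-signing certificate is the trust anchor for the federation.
# Check its expiry so sign-ins do not break when it rolls over.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, @{n='NotAfter';e={$_.Certificate.NotAfter}}, Thumbprint

# --- From any host with HTTPS access to AD FS ----------------------------
# Azure AD reads the signing certificate from the federation metadata endpoint,
# so it must be reachable and return well-formed XML with the expected entityID.
$metadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$metadata.EntityDescriptor.entityID

# --- On the Azure AD Connect server --------------------------------------
# Sync scheduler should be enabled and the connectors should not be stuck running.
Import-Module ADSync
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
Get-ADSyncConnectorRunStatus

# --- In Azure AD ---------------------------------------------------------
# The domain must report Federated authentication, and its federation settings
# must point at the on-prem AD FS farm rather than a stale or unknown issuer.
Connect-MsolService
Get-MsolDomain -DomainName $Domain | Select-Object Name, Authentication, Status
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```

If `Authentication` does not read `Federated`, or the `PassiveLogOnUri` does not match your AD FS farm, the wizard's federation step did not take effect and should be re-run before any users are told to sign in.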