Step 3: Configure hybrid identity

Synchronize identities

This is required for hybrid environments and applies to both the E3 and E5 versions of Microsoft 365 Enterprise

In this section, you'll synchronize your on-premises Active Directory Domain Services (AD DS) with the Azure Active Directory (Azure AD) tenant used by your Office 365 and Enterprise Mobility + Security (EMS) subscriptions.

Azure AD Connect is the supported Microsoft tool that guides you through synchronizing only the identities you really need from single or multi-forest AD DS environments to your Azure AD tenant. The following figure shows the basic process for Azure AD Connect synchronization.

How Azure AD Connect synchronizes your on-premises directory with Azure AD

  1. Azure AD Connect running on a server polls AD DS for changes in accounts, groups, and contacts.
  2. Azure AD Connect sends those changes to the Azure AD tenant of your Microsoft 365 subscription.

The first decision in your hybrid identity solution is your authentication requirement. The options are:

  • With managed authentication, Azure AD handles the authentication process for user sign-in. There are two methods for managed authentication:
    • Password Hash Sync (PHS) [Recommended and required for some premium features]. This is the simplest way to enable authentication for on-premises directory objects in Azure AD. Azure AD Connect reads each user's password hash from AD DS, applies additional hashing (a per-user salt and PBKDF2 iterations) so that the stored value cannot be replayed against on-premises AD DS, and saves the result in Azure AD; the cleartext password never leaves your network. Premium features that depend on PHS include leaked-credential detection in Azure AD Identity Protection, and PHS also lets users keep signing in to cloud services during an on-premises outage. For more information, see Implement password hash synchronization with Azure AD Connect sync.
    • Pass-through Authentication (PTA) provides a simple password validation solution for Azure AD-based services. PTA uses an agent running on one or more on-premises servers to validate the user authentications directly with your on-premises AD DS. For more information, see User sign-in with Azure Active Directory Pass-through Authentication.
  • With federated authentication, the authentication process is redirected to another identity provider through an identity federation server, such as Active Directory Federation Services (AD FS), for a user’s sign-in. The identity provider can provide additional authentication methods, such as smartcard-based authentication. For more information, see Choosing the right authentication method for your Azure Active Directory hybrid identity solution.

After you've determined your hybrid identity solution, download and run the IdFix Directory Synchronization Error Remediation Tool to analyze your AD DS for attributes that will fail or collide during synchronization, such as invalid characters, duplicate UPNs or proxy addresses, and UPN suffixes (for example, .local) that are not verified domains in your Azure AD tenant.
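The following script is an added example, not part of the original page and not the IdFix tool itself. It is a read-only pre-flight over AD DS for the classes of error IdFix reports most often (unverified UPN suffixes, invalid UPN characters, oversized attributes, duplicate UPN, mail and SMTP proxy addresses), so you can gauge the cleanup effort before running IdFix. It requires the ActiveDirectory RSAT module; the verified-domain list is a constructed placeholder that you replace with the domains verified in your tenant, and the length limits are the values Azure AD enforces for userPrincipalName and mail.

```powershell
# Added example: IdFix-style pre-flight over AD DS user objects (read-only).
# Groups and contacts are synchronized too and need the same duplicate checks;
# they are left out here to keep the example short.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'mail.contoso.com')   # assumption: your verified Azure AD domains

# Characters Azure AD permits in a UPN prefix, and the attribute length limits it enforces.
$UpnPrefixPattern = '^[A-Za-z0-9._!#^~''-]+$'
$MaxUpnLength     = 113
$MaxMailLength    = 256

$props = 'userPrincipalName', 'mail', 'proxyAddresses', 'sAMAccountName', 'displayName'
$users = Get-ADUser -Filter * -Properties $props
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($obj, $rule, $value) {
    $findings.Add([PSCustomObject]@{ Object = $obj.DistinguishedName; Rule = $rule; Value = $value })
}

# Per-object checks
foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if (-not $upn) { Add-Finding $u 'UPN missing' $null; continue }

    $parts  = $upn -split '@', 2
    $prefix = $parts[0]
    $suffix = if ($parts.Count -gt 1) { $parts[1] } else { $null }

    if (-not $suffix) { Add-Finding $u 'UPN has no suffix' $upn }
    elseif ($VerifiedDomains -notcontains $suffix) { Add-Finding $u 'UPN suffix is not a verified Azure AD domain' $upn }

    if ($prefix -notmatch $UpnPrefixPattern -or $prefix.StartsWith('.') -or $prefix.EndsWith('.')) {
        Add-Finding $u 'UPN prefix contains invalid characters' $upn
    }
    if ($upn.Length -gt $MaxUpnLength) { Add-Finding $u "UPN longer than $MaxUpnLength characters" $upn }

    if ($u.mail -and ($u.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' -or $u.mail.Length -gt $MaxMailLength)) {
        Add-Finding $u 'mail attribute malformed or too long' $u.mail
    }
    foreach ($pa in $u.proxyAddresses) {
        if ($pa -notmatch '^(?i)(smtp|sip|x500|eum|x400):') { Add-Finding $u 'proxyAddress without a known prefix' $pa }
    }
}

# Cross-object checks: UPN, mail and SMTP proxy addresses must be unique across the whole tenant.
$addresses = foreach ($u in $users) {
    if ($u.userPrincipalName) { [PSCustomObject]@{ Key = $u.userPrincipalName.ToLowerInvariant(); Obj = $u; Src = 'UPN' } }
    if ($u.mail)              { [PSCustomObject]@{ Key = $u.mail.ToLowerInvariant();              Obj = $u; Src = 'mail' } }
    foreach ($pa in ($u.proxyAddresses | Where-Object { $_ -match '^(?i)smtp:' })) {
        [PSCustomObject]@{ Key = $pa.Substring(5).ToLowerInvariant(); Obj = $u; Src = 'proxyAddresses' }
    }
}
$addresses | Group-Object Key | Where-Object Count -gt 1 | ForEach-Object {
    foreach ($hit in $_.Group) { Add-Finding $hit.Obj "Duplicate address ($($hit.Src))" $_.Name }
}

$findings | Sort-Object Rule | Format-Table -AutoSize
"$($findings.Count) finding(s) across $($users.Count) user objects"
```

Run it from a domain-joined admin workstation before IdFix; it changes nothing, so the numbers it reports are safe to share with the team that owns the cleanup. IdFix remains the tool to use for the actual remediation.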

After resolving all of the issues identified by the IdFix tool, see Implement password hash synchronization for guidance on installing the Azure AD Connect tool and configuring directory synchronization between your on-premises AD DS and the Azure AD tenant for your Office 365 and EMS subscriptions. Treat the Azure AD Connect server as a Tier 0 asset: its AD DS connector account holds directory replication permissions (needed to read password hashes for PHS) and its Azure AD connector account holds a privileged directory synchronization role, so harden and restrict access to it as you would a domain controller. After synchronization starts, you'll maintain your user accounts and groups with your on-premises identity provider, such as AD DS; synchronized objects are mastered on-premises and cannot be edited in Azure AD.
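Once Azure AD Connect is installed, the following added example (not part of the original page or of the Azure AD Connect product) verifies that the first synchronization actually landed: part 1 runs on the Azure AD Connect server with the ADSync module it installs, part 2 runs from any machine with the Microsoft Graph PowerShell SDK and a signed-in reader. The user principal name is a constructed placeholder; the `Get-MgDirectoryOnPremiseSynchronization` cmdlet name is assumed from the Graph SDK's onPremisesDirectorySynchronization resource, so check it against your installed module version.

```powershell
# Added example: trigger a delta sync, then confirm the results from the Azure AD side.
$TestUpn = 'alice@contoso.com'   # constructed: any user that should be synchronized

# ---- Part 1: on the Azure AD Connect server ------------------------------------
Import-Module ADSync

$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { throw 'The sync scheduler is disabled; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true' }
if ($sched.StagingModeEnabled) { Write-Warning 'This server is in staging mode: it imports and syncs but never exports to Azure AD' }

# Start a delta cycle unless one is already running, then wait until no connector is busy.
if (-not $sched.SyncCycleInProgress) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus   # returns nothing when all connectors are idle
} while ($running)

# ---- Part 2: from the Azure AD side via Microsoft Graph ------------------------
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome

# Tenant-level view: is sync enabled, and how old is the last completed cycle?
$org = Get-MgOrganization | Select-Object -First 1
[PSCustomObject]@{
    OnPremisesSyncEnabled = $org.OnPremisesSyncEnabled
    LastSyncUtc           = $org.OnPremisesLastSyncDateTime
    MinutesSinceLastSync  = [int]((Get-Date).ToUniversalTime() - $org.OnPremisesLastSyncDateTime).TotalMinutes
} | Format-List

# Domain view: 'Managed' means PHS or PTA handles sign-in, 'Federated' means AD FS does.
Get-MgDomain | Select-Object Id, AuthenticationType, IsVerified, IsDefault | Format-Table -AutoSize

# Feature view (cmdlet name assumed, see lead-in): confirm PHS is on and report the
# soft-match / hard-match takeover protections, which govern whether a newly synced
# object may be joined to an existing cloud-only account.
$syncCfg = Get-MgDirectoryOnPremiseSynchronization | Select-Object -First 1
$syncCfg.Features | Select-Object PasswordSyncEnabled, BlockSoftMatchEnabled, BlockCloudObjectTakeoverThroughHardMatchEnabled | Format-List

# Object view: the test user must be cloud-readonly (OnPremisesSyncEnabled) and carry the
# source anchor (OnPremisesImmutableId). LastPasswordChangeDateTime moves forward once an
# on-premises password change has been synchronized by PHS.
Get-MgUser -UserId $TestUpn -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId, OnPremisesLastSyncDateTime, LastPasswordChangeDateTime |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId, OnPremisesLastSyncDateTime, LastPasswordChangeDateTime |
    Format-List
```

A user that shows OnPremisesSyncEnabled as false or an empty OnPremisesImmutableId was not matched to its on-premises object, which is the usual symptom of a UPN or proxyAddress problem that IdFix should have caught; fix the attribute on-premises and wait for the next delta cycle rather than editing the object in Azure AD.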

Microsoft provides a set of recommendations for identity and device access to ensure a secure and productive workforce.

  • For recommended requirements for hybrid environments, see the Active Directory with password hash sync column in prerequisites.

  • For recommended requirements for cloud only environments, see the Cloud only column in prerequisites.

Once your on-premises users and groups are present in Azure AD, you can start assigning licenses and using Exchange Online. To roll out Exchange Online to your users and migrate on-premises mailboxes, see Deploy Exchange Online for Microsoft 365 Enterprise.

Test Lab Guides for the Microsoft cloud

  • Test Lab Guide: Password hash synchronization
  • Test Lab Guide: Pass-through authentication

As an interim checkpoint, you can see the exit criteria corresponding to this section.

Monitor synchronization health

This is optional and applies to both the E3 and E5 versions of Microsoft 365 Enterprise

In this section, you'll install an Azure AD Connect Health agent on each of your on-premises identity servers to monitor your identity infrastructure and the synchronization services provided by Azure AD Connect. The monitoring information is made available in an Azure AD Connect Health portal, where you can view alerts, performance monitoring, usage analytics, and other information.

Components of Azure AD Connect Health

The key design decision of how to use Azure AD Connect Health is based on how you are using Azure AD Connect:

  • If you’re using the managed authentication option, start with Using Azure AD Connect Health with sync to understand and configure Azure AD Connect Health.
  • If you're using federated authentication with Active Directory Federation Services (AD FS), so that Azure AD Connect synchronizes the account and group objects but AD FS validates sign-ins, start with Using Azure AD Connect Health with AD FS to understand and configure Azure AD Connect Health.

When you complete this section, you’ll have:

  • The Azure AD Connect Health agent installed on your on-premises identity provider servers.
  • The Azure AD Connect Health portal displaying the current state of your on-premises infrastructure and synchronization activities with the Azure AD tenant for your Office 365 and EMS subscriptions.
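The portal alerts only once the Connect Health agent can report, so an independent local check is worth having. The following script is an added example (not part of the original page or of Azure AD Connect Health) meant to run as a scheduled task on the Azure AD Connect server: it confirms the health agent services are running, that the sync scheduler is enabled and not stuck, that cycles are not overdue, and that the Directory Synchronization event source has logged no errors. The missed-cycle threshold is an assumption; it matches the service name pattern with a wildcard because the exact Connect Health service names differ between the sync and AD FS agents.

```powershell
# Added example: local sync-health check that complements the Connect Health portal.
# Exit code 1 signals a problem, so the scheduled task (or your monitoring) can act on it.
Import-Module ADSync

$MaxMissedCycles = 3   # assumption: alert after three missed cycles (90 minutes at the 30-minute default)

$sched    = Get-ADSyncScheduler
$interval = $sched.CurrentlyEffectiveSyncCycleInterval   # a TimeSpan; 30 minutes by default
$window   = [TimeSpan]::FromTicks($interval.Ticks * $MaxMissedCycles)
$nowUtc   = (Get-Date).ToUniversalTime()
$findings = New-Object System.Collections.Generic.List[string]

# 1. The Connect Health agent services (AzureADConnectHealth*) must exist and be running.
$healthSvcs = Get-Service -Name 'AzureADConnectHealth*' -ErrorAction SilentlyContinue
if (-not $healthSvcs) { $findings.Add('No Azure AD Connect Health services found: is the agent installed?') }
foreach ($svc in $healthSvcs) {
    if ($svc.Status -ne 'Running') { $findings.Add("Service $($svc.Name) is $($svc.Status)") }
}

# 2. The scheduler must be enabled and not suspended (it is suspended during upgrades).
if (-not $sched.SyncCycleEnabled) { $findings.Add('Sync scheduler is disabled') }
if ($sched.SchedulerSuspended)    { $findings.Add('Sync scheduler is suspended') }
if ($sched.StagingModeEnabled)    { $findings.Add('Server is in staging mode and is not exporting to Azure AD') }

# 3. A next-cycle time that lies in the past by more than the window means cycles stopped running.
$overdueBy = $nowUtc - $sched.NextSyncCycleStartTimeInUTC
if ($overdueBy -gt $window) {
    $findings.Add("Sync cycle overdue by $([int]$overdueBy.TotalMinutes) minutes (next cycle was due $($sched.NextSyncCycleStartTimeInUTC) UTC)")
}

# 4. Errors from the Directory Synchronization event source inside the window.
$since  = (Get-Date) - $window
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue
if ($errors) {
    $firstLine = ($errors[-1].Message -split "`n")[0]
    $findings.Add("$($errors.Count) Directory Synchronization error(s) since $since; oldest: $firstLine")
}

# 5. Report.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Azure AD Connect sync healthy; next cycle at $($sched.NextSyncCycleStartTimeInUTC) UTC"
exit 0
```

Keep the task's run interval shorter than the alert window, and feed its exit code and warnings into the same monitoring that watches your domain controllers: a silent Azure AD Connect server means password changes, disabled accounts and group changes stop reaching the cloud, which is both an availability and a security problem.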

As an interim checkpoint, you can see the exit criteria for this section.

Next step

Configure secure user authentication