In today’s rapidly evolving IT landscape, organizations are increasingly looking to enhance their operations by switching to cloud-based environments. One crucial aspect of this transition is managing user identities and groups effectively in the cloud. Azure Active Directory (Azure AD) offers robust capabilities for cloud identity management, but for organizations with legacy on-premises Active Directory environments, a smooth migration process is essential.
In this blog, we'll walk through the process of configuring Azure AD Connect to support cloud-only users and groups, enabling organizations to move from a hybrid environment to a cloud-only model. It covers everything from initial review and configuration to testing and rollback procedures, providing a step-by-step roadmap for administrators.
Steps for reviewing the current Azure AD Connect configuration and setting the stage for the migration:
- Log in to the Azure Portal.
- Click the Azure AD icon on the home screen.
- From the Azure AD blade menu, select "Azure AD Connect."
- Within the Azure AD Connect blade, check the sync status.
- Ensure that it is set to 'Enabled' and check whether a sync cycle has run recently.
- Log in to the Azure AD Connect server.
- Open the Azure AD Connect console.
- If a sync cycle is in progress, wait for it to complete, or use the Synchronization Service console to stop it.
- Once the console is open, click 'Configure.'
- In the configuration wizard, select 'View current configuration' and click 'Next.'
- Capture screenshots of the settings displayed for later reference.
- Include settings related to synchronization options, such as selected OUs and extension attributes.
- Identify a test user managed within the on-premises Active Directory and synchronized by Azure AD Connect.
- Note that the source for this user is listed as 'Windows Server AD,' indicating it's a synchronized account.
Steps for disabling on-premises sync and beginning the Azure AD Connect removal process:
- Identify the test group for the scenario.
- Note that the source for this group is 'Windows Server AD,' indicating it's synchronized.
- Launch a PowerShell console as an administrator on the Azure AD Connect server.
- Run the following command to determine the PowerShell version installed:
  Get-Host | Select-Object version
- If the PowerShell version is acceptable, disable the sync cycle schedule:
  Set-ADSyncScheduler -SyncCycleEnabled $false
- Confirm that the scheduler has been disabled.
- Note that the services still report as 'Healthy,' indicating that the sync process is paused rather than removed.
List users and verify sync configuration:
- From a PowerShell console, run:
  Connect-MsolService
- Sign in with an account that holds the Global Administrator role.
- Run the following command to list users:
  Get-MsolUser
- Verify and record the synchronization configuration by running:
  Get-MsolDirSyncFeatures
- Test user login.
Steps for preparing to remove Azure AD Connect services:
- Check the current synchronization status from a PowerShell console:
  (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
- If synchronization is enabled, disable it:
  Set-MsolDirSyncEnabled -EnableDirSync $false
Backup configuration and rules:
- Create a backup of the Azure AD Connect server virtual machine.
- Copy the Azure AD Connect installer package and configuration files to a backup location.
- Create a folder to store exported data.
- Export the Azure AD Connect configuration by running the following in PowerShell:
  Get-ADSyncServerConfiguration -Path "C:\PathToNewFolder\"
- Export the custom enabled sync rules from the Synchronization Rules Editor.
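The preparation and backup steps above, consolidated into one script that refuses to pause the scheduler mid-cycle and records the tenant-side state before directory sync is turned off. This is an added example, not code from the original post; it assumes the ADSync and MSOnline modules are installed, the console is elevated, and the export folder is the placeholder path used above.

```powershell
# Added example: pre-removal checks and backup on the Azure AD Connect server.
# Assumptions: ADSync and MSOnline modules present, elevated console,
# $ExportPath is a placeholder you replace with your backup folder.
param(
    [string]$ExportPath = "C:\PathToNewFolder\"   # placeholder from the post
)

$ErrorActionPreference = 'Stop'

# 1. Record the engine version ($PSVersionTable is more precise than Get-Host,
#    which reports the host application's version).
Write-Host "PowerShell engine: $($PSVersionTable.PSVersion)"

# 2. Never pause the scheduler in the middle of a run: poll until idle.
$scheduler = Get-ADSyncScheduler
while ($scheduler.SyncCycleInProgress) {
    Write-Host "Sync cycle in progress, waiting 30 seconds..."
    Start-Sleep -Seconds 30
    $scheduler = Get-ADSyncScheduler
}

# 3. Pause the scheduler and confirm the change actually took effect.
Set-ADSyncScheduler -SyncCycleEnabled $false
if ((Get-ADSyncScheduler).SyncCycleEnabled) {
    throw "Scheduler is still enabled; aborting before removal."
}

# 4. Export the server configuration to the backup folder.
if (-not (Test-Path $ExportPath)) {
    New-Item -ItemType Directory -Path $ExportPath | Out-Null
}
Get-ADSyncServerConfiguration -Path $ExportPath

# 5. Record the tenant-side sync settings before turning them off.
Connect-MsolService
Get-MsolDirSyncFeatures |
    Export-Csv -Path (Join-Path $ExportPath 'DirSyncFeatures.csv') -NoTypeInformation
$company = Get-MsolCompanyInformation
Write-Host "DirectorySynchronizationEnabled: $($company.DirectorySynchronizationEnabled)"
Write-Host "LastDirSyncTime: $($company.LastDirSyncTime)"

# 6. Only now disable directory sync in the tenant.
if ($company.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}
```

Disabling directory sync is not instantaneous: the tenant can take up to 72 hours to convert synchronized objects to cloud-managed, and sync cannot be re-enabled until that conversion has finished.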
Uninstall Microsoft Azure AD Connect:
- Navigate to Programs and Features on the Azure AD Connect server and uninstall "Microsoft Azure AD Connect."
- Deselect the option to uninstall supporting components.
- Complete the uninstallation wizard.
Verify removal and wait for changes:
- Refresh the program list.
- Monitor the Azure AD Connect blade in the Azure portal for changes.
- Add new attributes to previously synchronized test users using the Azure AD portal.
- Create a new cloud user in the custom domain.
- Modify group memberships and test user logins to verify functionality.
- Check the tenant sync status to ensure synchronization is disabled.
Roll back if necessary:
- Re-enable synchronization using:
  Set-MsolDirSyncEnabled -EnableDirSync $true
- Verify that synchronization is re-enabled.
- Re-establish sync with Azure AD Connect by running the installer for the same version.
- Select the required settings and continue through the installation process.
- Ensure objects are joining correctly in the Synchronization Service Manager.
- Change the Azure AD Connect server from staging mode to syncing mode.
- Start the sync process.
- Verify user and group objects in the Azure AD portal and their source.
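The verification step above, as an added example that is not part of the original post: it checks whether the tenant has finished converting synchronized objects to cloud-managed and reports the walkthrough's test user and group. It assumes the MSOnline module and a Global Administrator sign-in; the UPN and group name are placeholders.

```powershell
# Added example: post-removal verification from any workstation with MSOnline.
# Assumptions: Global Administrator sign-in; $TestUserUpn and $TestGroupName
# are placeholders for the test objects chosen earlier in the walkthrough.
param(
    [string]$TestUserUpn   = 'testuser@contoso.example',   # placeholder
    [string]$TestGroupName = 'Test Group'                  # placeholder
)

Connect-MsolService

# Tenant-level state. DirectorySynchronizationStatus reads 'PendingDisabled'
# while the conversion is still running; wait for 'Disabled' before re-enabling.
$company = Get-MsolCompanyInformation
Write-Host "DirectorySynchronizationEnabled: $($company.DirectorySynchronizationEnabled)"
Write-Host "DirectorySynchronizationStatus:  $($company.DirectorySynchronizationStatus)"
if ($company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory sync is still enabled; the counts below are not final."
}

# Objects that still carry a LastDirSyncTime have not been converted yet.
$pendingUsers  = @(Get-MsolUser  -All | Where-Object { $_.LastDirSyncTime })
$pendingGroups = @(Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime })
Write-Host "Users still marked as synchronized:  $($pendingUsers.Count)"
Write-Host "Groups still marked as synchronized: $($pendingGroups.Count)"

# Check the walkthrough's test objects explicitly.
$user = Get-MsolUser -UserPrincipalName $TestUserUpn
[PSCustomObject]@{
    Object          = $user.UserPrincipalName
    LastDirSyncTime = $user.LastDirSyncTime   # empty once cloud-managed
    ImmutableId     = $user.ImmutableId       # retained; used for soft-match on rollback
}
$group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $TestGroupName }
[PSCustomObject]@{
    Object          = $group.DisplayName
    LastDirSyncTime = $group.LastDirSyncTime  # empty once cloud-managed
}
```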
Configuring Azure AD Connect to support cloud-only users and groups is a critical step in transitioning to a cloud-based identity management model. By following the outlined steps, organizations can smoothly migrate from hybrid environments to a cloud-only model while ensuring minimal disruption to user access and group memberships.
As organizations continue to embrace cloud technologies, mastering the configuration of Azure AD Connect for cloud-only scenarios becomes increasingly vital. With proper planning and execution, administrators can streamline identity management processes, enhance security, and improve overall operational efficiency in the cloud.