Today’s digital landscape requires businesses of all sizes to efficiently and securely manage user identities and their access to various resources. This framework, known as Identity Access Management (or IAM), addresses the challenges and complexities of user access to sensitive information.
According to Statista, many Chief Information Security Officers (CISOs) state that human error is their organization's greatest cyber vulnerability. Security training for employees is beneficial in mitigating identity compromise; however, additional protocols should be implemented to avoid major consequences.
As internet usage continues to rise, so does the volume of personal data and information. Hence, businesses are taking advantage of digital opportunities such as automating internal processes, adopting cloud services, and enhancing existing workflows with new digital technologies.
Entra ID (formerly Azure AD) is a cloud-based identity and hybrid identity management service provided by Microsoft. To help streamline the process, Microsoft offers Entra ID Connect to help you synchronize on-premises directories with Entra ID.
Below is a step-by-step guide to help you install Entra ID Connect. Learn how to choose the right server, installation type, and featured tools to enhance your cybersecurity ecosystem by managing and controlling the digital identities within your systems and network.
But first, what is Entra ID Connect?
Entra ID Connect is a tool for simplifying the integration of on-premises Active Directory (AD) with Entra ID. It enables you to sync user accounts, passwords, and other on-premises attributes to allow seamless access to cloud resources.
Installation prerequisites
Before installing Entra ID Connect, ensure the following:
- Do you have an Entra ID tenant? If not, get a free Azure trial. To manage Entra ID Connect, use the Azure portal or Office portal
- Add and verify the domain name you plan to use in Entra ID
- For on-premises Active Directory domains, the AD schema version and forest functional level must be Windows Server 2003 or later. The domain controller used by Entra ID Connect must be writable (a read-only domain controller is not supported).
Choosing an Option for Entra ID Connect Server
Choose a server that meets the minimum requirements and suits your organization’s needs.
Hardware requirements:
- A server running Windows Server 2016 or later
- Sufficient memory, disk space, and processing power to handle synchronization operations
- Microsoft .NET Framework 4.6.2 or higher is required
Network connectivity:
- The server should have access to on-premises Active Directory and the internet to communicate with Entra ID
Firewall considerations:
- Ensure that the necessary ports and IP ranges for communication are open on the server and the network firewall
- Refer to Microsoft's documentation for specific port requirements
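The server, DC and network requirements above can be checked before the installer is even downloaded. The script below is an added example, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module is present and uses login.microsoftonline.com on TCP 443 as a representative Entra ID endpoint (the full host and port list is in Microsoft's documentation, as the article notes).

```powershell
# Added example: pre-install readiness check for the intended Entra ID Connect server.
# Run in an elevated PowerShell session on that server. Read-only; changes nothing.
Import-Module ActiveDirectory -ErrorAction Stop

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Passed, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" })
}

# Windows Server 2016 or later reports kernel version 10.0 or higher
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2016+' ([version]$os.Version -ge [version]'10.0') "$($os.Caption) $($os.Version)"

# .NET Framework 4.6.2 or higher: the NDP 'Release' DWORD is 394802 or higher for 4.6.2
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 4.6.2+' ($ndp.Release -ge 394802) "Release=$($ndp.Release)"

# Forest functional level must be Windows Server 2003 or later
$forest = Get-ADForest
Add-Check 'Forest level 2003+' ($forest.ForestMode -notin @('Windows2000Forest', 'Windows2003InterimForest')) $forest.ForestMode

# Connect needs a writable DC; -Writable excludes read-only domain controllers (RODCs)
$dc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
Add-Check 'Writable DC discovered' ($null -ne $dc) ($dc.HostName -join ',')
if ($dc) {
    $ldap = Test-NetConnection -ComputerName $dc.HostName[0] -Port 389 -WarningAction SilentlyContinue
    Add-Check 'LDAP 389 to writable DC' $ldap.TcpTestSucceeded $dc.HostName[0]
}

# Outbound HTTPS to Entra ID (representative endpoint; assumption, see lead-in)
$entra = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
Add-Check 'Outbound 443 to login.microsoftonline.com' $entra.TcpTestSucceeded $entra.RemoteAddress

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more prerequisites failed; resolve them before running the installer.'
}
```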
Prepare your on-premises schema:
- Use IdFix to identify errors and troubleshoot, such as duplicates and formatting problems in your directory, before you synchronize
- Review optional sync features you can enable in Entra ID
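IdFix is the supported tool for this clean-up, but the classes of problems it reports (duplicate addresses, UPNs with characters Entra ID rejects, UPNs without a suffix) can be surfaced from PowerShell to gauge the work ahead. This is an added, read-only example, not IdFix and not the article's code; it assumes the RSAT ActiveDirectory module and the UPN character set Microsoft documents for cloud sync (letters, digits, and ' . - _ ! # ^ ~ before the @).

```powershell
# Added example: pre-sync directory hygiene report (what IdFix would flag). Changes nothing.
Import-Module ActiveDirectory -ErrorAction Stop

# Express syncs users, groups and contacts; pull the attributes that must be unique or well-formed
$objects = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' `
    -Properties mail, proxyAddresses, userPrincipalName -ResultSetSize $null

# Characters Entra ID accepts before the @ in a userPrincipalName (assumption from Microsoft docs)
$validLocalPart = '^[A-Za-z0-9''._\-!#^~]+$'

$findings = @(foreach ($o in $objects) {
    $upn = $o.userPrincipalName
    if (-not $upn) { continue }
    $parts = $upn -split '@', 2
    if ($parts.Count -ne 2 -or -not $parts[1]) {
        [pscustomobject]@{ Object = $o.DistinguishedName; Issue = 'UPN has no @suffix'; Value = $upn }
    } elseif ($parts[0] -notmatch $validLocalPart) {
        [pscustomobject]@{ Object = $o.DistinguishedName; Issue = 'UPN has invalid characters'; Value = $upn }
    }
})

# Gather every address from mail and proxyAddresses (lower-cased) and flag any used twice
$addresses = foreach ($o in $objects) {
    if ($o.mail) { [pscustomobject]@{ Address = $o.mail.ToLower(); Object = $o.DistinguishedName } }
    foreach ($pa in $o.proxyAddresses) {
        # proxyAddresses entries look like "SMTP:alice@contoso.com"; drop the type prefix
        [pscustomobject]@{ Address = ($pa -replace '^[^:]+:', '').ToLower(); Object = $o.DistinguishedName }
    }
}
$findings += $addresses | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
    foreach ($dup in $_.Group) {
        [pscustomobject]@{ Object = $dup.Object; Issue = 'Duplicate address'; Value = $_.Name }
    }
}

if ($findings) { $findings | Sort-Object Issue, Value | Format-Table -AutoSize }
else { 'No duplicate addresses or malformed UPNs found.' }
```

Fix what this reports (or run IdFix against it) before the first sync; duplicates that reach Entra ID become sync errors that are harder to untangle afterwards.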
Installation Type for Entra ID Connect
Entra ID Connect has two installation types: Express and customized.
Express
Express is the most common option - used by 90% of all new installations. It assumes that you have the following:
- A single Active Directory forest on-premises
- An enterprise admin account you can use
- Fewer than 100,000 objects in your on-premises Active Directory
Features you get:
- Password hash synchronization from on-premises to Entra ID for single sign-on
- A configuration that syncs users, groups, contacts, and Windows 10 computers
- Synchronization of all eligible objects in all domains and all OUs (if you do not want to sync all OUs, run Express and, on the last page, unselect Start the sync process; then rerun the installation wizard, change the OU filtering in the configuration options, and enable scheduled sync)
- Automatic upgrades are enabled to make sure you are up-to-date with the latest version
Custom Installation
Are you looking for more features and options than Express offers? Use the custom path when your organization does not meet the assumptions described in the Express configuration above.
Use the custom path when:
- You do not have access to an enterprise admin account in Active Directory
- You have more than one forest, or you plan to synchronize more than one forest in the future
- You have domains in your forest that are not reachable from the Connect server
- You plan to use federation or pass-through authentication for user sign-in configuration
- You have more than 100,000 objects and need to use a full SQL Server
- You plan to use group-based filtering and not only domain or OU-based filtering
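Several of the Express assumptions and custom-path triggers above (object count, multiple domains, domains unreachable from the Connect server, Enterprise Admin rights) can be measured rather than guessed. The script below is an added example, not the article's or Microsoft's code; it assumes the RSAT ActiveDirectory module and that it is run from the server that will host Entra ID Connect, and it can only inspect the forest that server is joined to.

```powershell
# Added example: evaluate the Express-vs-Custom criteria against the current forest. Read-only.
Import-Module ActiveDirectory -ErrorAction Stop
$forest = Get-ADForest

# Domains in this forest that do not answer LDAP (389) from here force the custom path
$unreachable = foreach ($d in $forest.Domains) {
    $dc = Get-ADDomainController -Discover -DomainName $d -ErrorAction SilentlyContinue
    if (-not $dc) { $d; continue }
    $t = Test-NetConnection -ComputerName $dc.HostName[0] -Port 389 -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { $d }
}

# Express uses LocalDB and assumes fewer than 100,000 objects; count the classes the default
# configuration syncs (objectClass=user also matches computers, which derive from user)
$count = 0
foreach ($d in $forest.Domains) {
    if ($d -in $unreachable) { continue }
    $count += (Get-ADObject -Server $d -ResultSetSize $null `
        -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' | Measure-Object).Count
}

# Express needs an Enterprise Admin account: check the current user's token for the
# Enterprise Admins group (forest root domain SID + well-known RID 519)
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$eaSid = "$((Get-ADDomain -Identity $forest.RootDomain).DomainSID)-519"
$isEA = $me.Groups.Value -contains $eaSid

$recommendation = if ($forest.Domains.Count -eq 1 -and -not $unreachable -and $count -lt 100000 -and $isEA) {
    'Express'   # single-domain forest, everything reachable, under the size limit, EA rights
} else {
    'Custom'    # one or more Express assumptions not met; see the custom-path list above
}

[pscustomobject]@{
    Domains            = $forest.Domains.Count
    UnreachableDomains = ($unreachable -join ', ')
    SyncableObjects    = $count
    IsEnterpriseAdmin  = $isEA
    Recommendation     = $recommendation
}
```

The "more than one forest" and "federation or pass-through authentication" criteria are design decisions the script cannot see; a single forest here still means Custom if you plan to add another forest later.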
Choose the Right Authentication For Your Entra ID
The authentication method is a critical component of an organization’s presence in the cloud. Once Entra ID becomes your new control panel, authentication will be the foundation of your cloud access. Consider factors such as the time, current infrastructure, complexity, and budget needed to choose an authentication method. Here are a few authentication forms to choose from:
Password hash synchronization (cloud authentication): requires the least effort regarding deployment, maintenance, and infrastructure. This synchronization service is typically for organizations that only need users to sign in to their Microsoft Office 365, SaaS apps, and other Entra ID-based resources.
Pass-through authentication (cloud authentication): requires one or more (three recommended) lightweight agents installed on existing servers. This authentication needs unconstrained network access to domain controllers, including on-premises. Learn more about pass-through authentication security in this deep dive.
Federated authentication: relies on an external trusted system to authenticate users. Certain organizations aim to utilize their pre-existing federated system investment alongside their Entra ID solution; however, Entra ID does not have direct control of the maintenance and management of the federated system.
Installing Entra ID Connect with Express Settings:
Download Entra ID Connect:
- Visit the Microsoft Entra ID Connect download page.
- Select the appropriate version and download the installer.
Run the Entra ID Connect Installer:
- Double-click the downloaded installer to start the installation process.
- Review and accept the license terms.
- Choose the installation type: Express or Custom. Express installation is ideal for most scenarios.
Configure Entra ID Connect:
- Sign in with your Entra ID global administrator account
- Select the appropriate configuration option based on your environment:
- "Express Settings": This option automatically configures the most common settings
- "Customize": Allows you to customize the synchronization settings and configure optional features
Connect to On-Premises Active Directory:
- Enter the credentials of an account with sufficient permissions to access the on-premises Active Directory
- Specify the domain and organizational unit (OU) to synchronize
Connect to Entra ID:
- Sign in with your Entra ID global administrator account
- Select the Entra ID tenant you want to synchronize with
Configure Sync Options:
- Choose the synchronization method: “Password Hash Synchronization,” “Pass-through Authentication,” or “Federation.”
- Customize any additional sync settings, such as filtering or configuring write-back options
Verify and Start Synchronization:
- Review the configuration summary
- If everything looks correct, click "Install" to start the synchronization process
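Once the wizard finishes, the ADSync PowerShell module it installs lets you confirm that the scheduler is running and, if you unselected Start the sync process to adjust OU filtering first, enable it and trigger the initial cycle. This is an added example, not the article's or Microsoft's code; it assumes you run it on the Connect server in an elevated session after the wizard has completed.

```powershell
# Added example: post-install verification of the Entra ID Connect sync scheduler.
Import-Module ADSync -ErrorAction Stop

$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled = $sched.SyncCycleEnabled          # false if "Start the sync process" was unselected
    StagingMode      = $sched.StagingModeEnabled        # true means exports to Entra ID are suppressed
    Interval         = $sched.AllowedSyncCycleInterval  # minimum cadence the service permits
    NextRunUtc       = $sched.NextSyncCycleStartTimeInUTC
} | Format-List

# One connector for on-premises AD and one for the Entra ID tenant should be present
Get-ADSyncConnector | Select-Object Name | Format-Table -AutoSize

if (-not $sched.SyncCycleEnabled) {
    # OU filtering has been set (per the Express note above), so turn the scheduler on and
    # run a full initial import/sync/export rather than waiting for the next interval
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Initial
} elseif (-not (Get-ADSyncConnectorRunStatus)) {
    # Scheduler is on but nothing is running right now: request a delta cycle to confirm it works
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    'A sync cycle is already in progress; check again after it completes.'
}
```

Keep StagingMode in mind: a server that shows SyncCycleEnabled = True but StagingModeEnabled = True imports and evaluates changes without exporting them, which is expected for a standby server and a misconfiguration for the active one.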
Entra ID Connect is a powerful tool that simplifies the synchronization of Entra ID with on-premises Active Directory. If you need further guidance, contact Trusted Tech Team and leverage our subject matter experts.
Trusted Tech Team is an accredited Microsoft CSP Direct Bill Partner, carrying multiple Solutions Partner designations and the now-legacy Microsoft Gold Partner competency. Based in Irvine, California, we report trends affecting IT pros everywhere.
If your organization uses Microsoft Office 365 or Azure, you may be eligible to receive a complimentary savings report from a Trusted Tech Team Licensing Engineer. Click here to schedule a consultation with our team now to learn how much you can save today.