With this project it was my aim to simulate a real-world hybrid environment where on-premises Active Directory users and groups are synchronised with Microsoft Entra ID using Entra Connect. This lab demonstrates understanding of directory services, identity management, and cloud integration — key concepts for modern IT support and infrastructure roles.
Fig. 01 - Virtual Machine resources setup in Microsoft Azure
Fig. 02 - Microsoft Entra Connect installation screen
Virtual Machines:
SOU-LAB-DC1 – Windows Server (Domain Controller) with roles AD DS, DNS and DHCP. Domain set to fs-lab.local
SOU-MKT-01 – Windows 10 client joined to the domain for testing user accounts
Azure tenant: stevesitcareer.onmicrosoft.com / stevesitcareer.co.uk
Azure AD Connect installed on the domain controller
Network Setup:
Local VLAN configured for internal connectivity (192.168.x.x range)
Gateway and DNS pointing to SOU-DC-01 (fs-lab.local)
Environment preparation
With my Azure tenant already up and running and the DC/client machines configured, I looked into the steps required for the sync to happen. On attempting to install Entra Connect I came across a warning that my domain was a .local domain, which is non-routable. I looked into the solution and discovered I had to add a routable UPN suffix (stevesitcareer.co.uk) within Active Directory Domains and Trusts.
Once this was done I needed to make sure that my test users were updated to use the new UPN suffix so they could sync with Entra ID. As I had multiple users set up, I researched and used the correct PowerShell script to batch-update the users.
This small configuration step ended up being a great reminder of how hybrid setups depend on naming consistency — if your local domain doesn’t match your public one, Azure won’t know what to do with your users until you fix that.
Fig. 03 - Adding UPN via ADDT
Fig. 04 - PowerShell script updating UPN on user accounts
Once this was complete I then ran IDFix to find any potential sync problems before going forward. When I created the test users I had never added a display name in AD Users & Groups, which was flagged when running the query. This simple test showed how easily such errors could cause havoc with a sync if not checked beforehand, especially with a large directory.
Once this was corrected it was time to run the sync and it worked flawlessly.
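As an added example (not the author's script from Fig. 04), the following PowerShell pass covers the two preparation steps above: it checks that the routable suffix is actually registered on the forest, warns about blank display names (the IDFix finding) before touching anything, and then rewrites each user's UPN from fs-lab.local to stevesitcareer.co.uk. It assumes the RSAT ActiveDirectory module on the DC; the OU path is a hypothetical placeholder, and the change runs with -WhatIf until you remove it.

```powershell
# Added example, not the author's script: batch-update UPN suffixes before
# running Entra Connect, with the pre-checks that the write-up shows matter.
Import-Module ActiveDirectory

$OldSuffix  = 'fs-lab.local'                        # non-routable lab domain
$NewSuffix  = 'stevesitcareer.co.uk'                # routable suffix added in AD Domains and Trusts
$SearchBase = 'OU=LabUsers,DC=fs-lab,DC=local'      # hypothetical OU, adjust to your lab

# Guard: Set-ADUser will fail for a suffix that is not registered on the forest,
# so confirm the Domains and Trusts step was done before changing any account.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered on forest '$($forest.Name)'. Add it in AD Domains and Trusts first."
}

# Only users still carrying the old suffix; DisplayName is pulled for the IDFix-style check.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties DisplayName

foreach ($u in $users) {
    # Flag the attribute gap IDFix reported in the lab so it is fixed before the first sync.
    if ([string]::IsNullOrWhiteSpace($u.DisplayName)) {
        Write-Warning "$($u.SamAccountName): DisplayName is empty and will be flagged by IDFix."
    }

    $newUpn = "$($u.SamAccountName)@$NewSuffix"
    Write-Host "$($u.UserPrincipalName) -> $newUpn"

    # Dry run first; remove -WhatIf once the printed mappings look right.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Re-run IDFix after applying the change so the UPN and display-name fixes are confirmed together before the initial sync.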
Fig. 05 - IDFix error corrections
Fig. 06 - Entra ID users screen confirming that AD users have synced correctly
Fig. 07 - Sync Service Manager on DC showing successful syncs
This project enhanced my understanding of the link between on-prem Active Directory and Entra ID and also reinforced the idea that preparation is super important.
Without taking the time to plan and carry out checks you run into the possibility of quite complex issues, especially on a large-scale enterprise setup. By taking it a step at a time you ensure smooth synchronisation.
It also showed that although a concept can initially seem complex or confusing, actually carrying out the steps quickly gives a good understanding of the practicalities, and coming across unpredicted real-world issues helped build a deeper understanding.