How to Integrate Windows Server with Azure Active Directory on Windows Server 2025
Integrating your on-premises Windows Server 2025 environment with Azure Active Directory (now branded as Microsoft Entra ID) is a foundational step for enabling hybrid identity, single sign-on, and modern security controls across your organization. Whether you are synchronizing user accounts, enabling seamless SSO for domain-joined machines, or deploying passwordless authentication through Microsoft Entra Kerberos, the integration between your local Active Directory Domain Services (AD DS) and Entra ID unlocks capabilities that on-premises infrastructure alone cannot provide. This guide walks through the primary integration paths available in Windows Server 2025 — from Azure AD Connect to Hybrid Azure AD Join and Entra Kerberos — and shows you how to configure each one using PowerShell and best practices.
Prerequisites
- Windows Server 2025 domain controller with Active Directory Domain Services installed
- An active Microsoft Azure subscription with a Microsoft Entra ID (Azure AD) tenant
- A verified custom domain in Microsoft Entra ID matching your on-premises UPN suffix
- Global Administrator role in the Entra ID tenant
- Enterprise Administrator or Domain Administrator credentials for on-premises AD
- .NET Framework 4.7.2 or later on the sync server
- TLS 1.2 enabled on the server running Azure AD Connect
- Outbound connectivity on port 443 to Azure AD endpoints
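An added pre-flight script (not part of the original guide) that checks the server-side prerequisites above before you install anything: the .NET Framework release value, the TLS 1.2 registry settings, outbound 443 to the Entra ID sign-in endpoint, and whether enabled users carry a UPN suffix that is not in your verified-domain list. It assumes RSAT's ActiveDirectory module is present and that $verifiedDomains is filled in with your tenant's verified domains.

```powershell
# Added pre-flight check for the prerequisites listed above (not from the original guide).
# Assumes: run as Domain Admin on the planned sync server, RSAT ActiveDirectory module
# installed, and $verifiedDomains lists the domains verified in your Entra ID tenant.
$verifiedDomains = @("progressiverobot.com")   # adjust to your tenant's verified domains
$findings = [System.Collections.Generic.List[string]]::new()

# .NET Framework 4.7.2 or later reports Release >= 461808 in the NDP registry key
$ndp = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 461808) { $findings.Add(".NET Framework 4.7.2 or later is required") }

# TLS 1.2 for .NET clients: SchUseStrongCrypto on both the 64-bit and 32-bit framework keys
foreach ($key in "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
                 "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319") {
    $v = (Get-ItemProperty $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($v -ne 1) { $findings.Add("SchUseStrongCrypto is not set to 1 under $key") }
}

# Outbound TCP/443 to the Entra ID sign-in endpoint (no proxy handling in this check)
$tnc = Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { $findings.Add("No outbound TCP/443 to login.microsoftonline.com") }

# Users whose UPN suffix is not a verified domain sync with a fallback .onmicrosoft.com UPN
$badUpn = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   ($_.UserPrincipalName.Split('@')[1] -notin $verifiedDomains) }
if ($badUpn) { $findings.Add("$($badUpn.Count) enabled users have an unverified UPN suffix") }

if ($findings.Count -eq 0) { "Pre-flight checks passed" } else { $findings }
```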
Step 1: Choose Your Integration Method — Azure AD Connect vs Cloud Sync
Microsoft offers two primary agents for synchronizing on-premises AD to Entra ID. Azure AD Connect (the legacy full-featured sync engine) is appropriate for complex environments requiring custom attribute mappings, password writeback, device writeback, or hybrid Exchange deployments. Azure AD Connect Cloud Sync is the newer, lightweight agent-based approach that Microsoft now recommends for most greenfield deployments. It runs as a small agent on any domain-joined server, requires no dedicated sync server, and supports multiple disconnected forests.
To check which version of Azure AD Connect is currently installed (if upgrading an existing deployment), run the following on your sync server:
# Check installed version of Azure AD Connect
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" | Select-Object -Property Version
# Verify TLS 1.2 is enforced (required for Azure AD Connect)
[Net.ServicePointManager]::SecurityProtocol
# Should include Tls12
# Force TLS 1.2 if not already set (both the 64-bit and 32-bit .NET Framework keys)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" `
-Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" `
-Name "SchUseStrongCrypto" -Value 1 -Type DWord
Step 2: Install and Configure Azure AD Connect
Download the Azure AD Connect installer from the Microsoft Download Center or directly from the Entra ID portal under Hybrid management → Azure AD Connect. Run the installer on a dedicated member server (not a domain controller in production). During setup, choose between Express Settings — which configures password hash synchronization automatically — or Custom settings for fine-grained control.
The three primary authentication modes are:
- Password Hash Synchronization (PHS) — hashed credentials sync to Entra ID; sign-in works even if on-premises is unavailable. Recommended for most organizations.
- Pass-Through Authentication (PTA) — Entra ID validates credentials against on-premises AD in real time; hashes never leave your network.
- Federation (AD FS) — sign-in is delegated to your AD FS farm; required for smartcard or certificate-based authentication.
# After installation, verify the sync service is running
Get-Service -Name "ADSync" | Select-Object Name, Status, StartType
# Force an initial full synchronization cycle
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
# Check sync errors
Get-ADSyncRunStepResult | Where-Object { $_.RunStepResult -ne "success" } |
Select-Object ConnectorName, RunStepResult, StepNumber
# View synchronized objects count
(Get-ADSyncConnectorStatistics -ConnectorName "progressiverobot.com - AAD").ExportCounters
Step 3: Configure Azure AD Connect Cloud Sync (Lightweight Agent)
For organizations preferring the agent-based model, install the Cloud Sync provisioning agent from the Entra ID portal. The agent installs on any domain-joined Windows Server 2025 machine and communicates outbound only — no inbound firewall rules are required.
# After installing the Cloud Sync agent, verify it is registered
Get-Service -Name "AADConnectProvisioningAgent" | Select-Object Name, Status
# Confirm agent version and registration status via module (sign in to the tenant first)
Import-Module AADCloudSyncTools
Connect-AADCloudSyncTools
Get-AADCloudSyncToolsJobStatus
# Test connectivity from the agent to Entra ID
Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing |
Select-Object StatusCode
# View provisioning logs (agent writes to Event Log)
Get-WinEvent -LogName "Microsoft-Windows-AADConnect-ProvisioningAgent/Operational" -MaxEvents 20 |
Select-Object TimeCreated, Id, Message
Step 4: Enable Hybrid Azure AD Join via Group Policy
Hybrid Azure AD Join registers your on-premises domain-joined Windows machines with Entra ID, enabling Conditional Access policies and device-based authentication. On Windows Server 2025, configure this via a GPO linked to the computer objects that should be registered.
# Verify Hybrid Azure AD Join configuration
dsregcmd /status | Select-String "AzureAdJoined|DomainJoined|WorkplaceJoined"
# On the Azure AD Connect server: enable Hybrid Azure AD Join
# (Run the device options in the Azure AD Connect wizard, which creates the SCP, or verify it via PowerShell)
Import-Module ADSync
# Confirm the SCP (Service Connection Point) used for tenant discovery exists in AD.
# Hybrid join reads it from the Device Registration Configuration container.
$scp = Get-ADObject -Filter { objectClass -eq "serviceConnectionPoint" } `
-SearchBase "CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=progressiverobot,DC=com" `
-Properties keywords -ErrorAction SilentlyContinue
$scp | Select-Object DistinguishedName, keywords
# Point the existing SCP at your tenant (Set-ADObject does not create it;
# if $scp is empty, run the Azure AD Connect wizard's device options first)
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$azureADName = "progressiverobot.onmicrosoft.com"
if ($scp) {
Set-ADObject -Identity $scp.DistinguishedName -Replace @{
keywords = @("azureADName:$azureADName", "azureADId:$tenantId")
}
}
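An added example (not from the original guide) that turns the dsregcmd /status output from the check above into a hashtable and evaluates the state a correctly hybrid-joined device should report: domain joined, Azure AD joined, registered to the expected tenant, holding a Primary Refresh Token, and not also workplace joined (the dual-state condition). The expected tenant ID is a placeholder you replace with your own.

```powershell
# Added example (not from the original guide): parse dsregcmd /status into a hashtable
# and check the values Hybrid Azure AD Join should produce on a device.
function Get-DsregState {
    $state = @{}
    # dsregcmd prints "Key : Value" lines; keep the first occurrence of each key
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin([hashtable]$State, [string]$ExpectedTenantId) {
    $problems = @()
    if ($State['DomainJoined'] -ne 'YES')  { $problems += 'Device is not domain joined' }
    if ($State['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not Azure AD joined (GPO or SCP not applied yet?)' }
    if ($State['TenantId'] -and ($State['TenantId'] -ne $ExpectedTenantId)) {
        $problems += "Registered to tenant $($State['TenantId']), expected $ExpectedTenantId"
    }
    # WorkplaceJoined=YES on a hybrid-joined device is a leftover user registration (dual state)
    if ($State['WorkplaceJoined'] -eq 'YES') { $problems += 'Dual state: device is also workplace joined' }
    # Without a Primary Refresh Token, user SSO to Entra ID resources will not work
    if ($State['AzureAdPrt'] -eq 'NO') { $problems += 'No Primary Refresh Token for the signed-in user' }
    [pscustomobject]@{
        DeviceId = $State['DeviceId']
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$expectedTenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder: your tenant ID
Test-HybridJoin -State (Get-DsregState) -ExpectedTenantId $expectedTenantId | Format-List
```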
Step 5: Configure Azure AD Seamless Single Sign-On
Azure AD Seamless SSO automatically signs in domain-joined machines to Entra ID resources without requiring users to re-enter credentials. It works by creating a computer account named AZUREADSSOACC in your on-premises AD, which Entra ID uses as a Kerberos service principal. Enable it via Azure AD Connect or directly via the MSOnline PowerShell module.
# Install MSOnline module if needed
Install-Module MSOnline -Force -Scope CurrentUser
# Connect to MSOnline
Connect-MsolService
# Seamless SSO requires a managed domain (PHS or PTA); federated domains sign in through AD FS
$domainFqdn = "progressiverobot.com"
Set-MsolDomainAuthentication -DomainName $domainFqdn -Authentication Managed
# Verify the domain's authentication type
Get-MsolDomain -DomainName $domainFqdn | Select-Object Name, Authentication
# Confirm AZUREADSSOACC account exists in AD
Get-ADComputer -Identity "AZUREADSSOACC" -Properties Description, PasswordLastSet |
Select-Object Name, Description, PasswordLastSet
# Roll over the Kerberos decryption key (do this every 30 days for security)
# Run from the Azure AD Connect server; the module ships in the Connect install folder
Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext   # prompts for an Entra ID Global Admin sign-in
Get-AzureADSSOStatus                  # verify Seamless SSO is enabled on the tenant
Update-AzureADSSOForest -OnPremCredentials (Get-Credential) -PreserveCustomPermissionsOnDesktopSsoAccount
Step 6: Enable Microsoft Entra Kerberos for Passwordless Sign-In
Microsoft Entra Kerberos enables FIDO2 security keys and Windows Hello for Business cloud trust scenarios by allowing Entra ID to issue Kerberos tickets for on-premises resources. This is distinct from Seamless SSO and is required for passwordless hybrid sign-in on Windows Server 2025.
# Install the AzureADHybridAuthenticationManagement module
Install-Module AzureADHybridAuthenticationManagement -AllowClobber -Force
# Import the module
Import-Module AzureADHybridAuthenticationManagement
# Connect to both Entra ID and on-premises AD
$cloudCred = Get-Credential # Entra ID Global Admin (if the account requires MFA, pass -UserPrincipalName instead of -CloudCredential)
$onPremCred = Get-Credential # On-premises Domain Admin
# Create the Entra Kerberos server object in AD
Set-AzureADKerberosServer -Domain "progressiverobot.com" `
-CloudCredential $cloudCred `
-DomainCredential $onPremCred
# Verify the Entra Kerberos server object was created
Get-AzureADKerberosServer -Domain "progressiverobot.com" `
-CloudCredential $cloudCred `
-DomainCredential $onPremCred
# Enable FIDO2 passkey sign-in policy via Microsoft Graph (requires Graph module)
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
-AuthenticationMethodConfigurationId "Fido2" `
-BodyParameter @{
"@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
state = "enabled"
isAttestationEnforced = $false
}
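Both Seamless SSO (Step 5) and Entra Kerberos (Step 6) leave a key-bearing account in on-premises AD whose key has to be rolled over on a schedule. The following added audit (not from the original guide) reports the key age of AZUREADSSOACC and of the krbtgt_AzureAD account the Kerberos server object creates, flags either as overdue against the 30-day interval used above, and confirms the Seamless SSO SPN is still present. It assumes RSAT's ActiveDirectory module and read access to both accounts.

```powershell
# Added example (not from the original guide): audit the on-premises accounts whose
# keys Seamless SSO and Entra Kerberos depend on, so overdue rollovers are visible.
function Get-HybridKeyAccountAge {
    param([int]$MaxAgeDays = 30)   # matches the 30-day rollover interval used above
    $now = Get-Date
    # AZUREADSSOACC: Seamless SSO computer account (rotated with Update-AzureADSSOForest)
    # krbtgt_AzureAD: Entra Kerberos server key account
    #   (rotated with Set-AzureADKerberosServer ... -RotateServerKey)
    $accounts = @(
        Get-ADComputer -Filter { Name -eq "AZUREADSSOACC" } -Properties PasswordLastSet, ServicePrincipalNames
        Get-ADUser -Filter { SamAccountName -eq "krbtgt_AzureAD" } -Properties PasswordLastSet
    )
    if ($accounts.Count -lt 2) {
        Write-Warning "Expected AZUREADSSOACC and krbtgt_AzureAD; found $($accounts.Count) account(s)"
    }
    foreach ($acct in $accounts) {
        # A never-set key is treated as overdue
        $age = if ($acct.PasswordLastSet) { [int]($now - $acct.PasswordLastSet).TotalDays } else { $null }
        # Seamless SSO relies on this SPN on AZUREADSSOACC; not applicable to the krbtgt account
        $spnOk = if ($acct.ObjectClass -eq 'computer') {
            [bool]($acct.ServicePrincipalNames -like "HTTP/autologon.microsoftazuread-sso.com")
        } else { 'n/a' }
        [pscustomobject]@{
            Account       = $acct.SamAccountName
            KeyAgeDays    = $age
            RolloverDue   = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            SsoSpnPresent = $spnOk
        }
    }
}

Get-HybridKeyAccountAge | Format-Table -AutoSize
```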
Step 7: Monitor Sync Health with Azure AD Connect Health
Azure AD Connect Health provides real-time monitoring, alerting, and usage analytics for your hybrid identity infrastructure. The Health agent is installed on each server in your sync and AD FS infrastructure and reports to the Entra ID portal.
# Install Azure AD Connect Health agent for AD DS monitoring
# Download from: https://go.microsoft.com/fwlink/?LinkID=820540
# After installation, register the agent:
Register-AzureADConnectHealthADDSAgent -AttributeFiltering $false -StagingMode $false
# Verify Health Agent service is running
Get-Service -Name "AdHealthAddsAgentUpdater","AdHealthAddsAgent" |
Select-Object Name, Status
# Check agent registration status
$healthAgentPath = "${env:ProgramFiles}\Azure Ad Connect Health agent for AD DS"
& "$healthAgentPath\AdHealthAddsAgentUpdater.exe" /GetAgentRegistrationInfo
# View recent sync errors in the Event Log
Get-WinEvent -ProviderName "Microsoft-Windows-ADSync" -MaxEvents 50 |
Where-Object { $_.Level -eq 2 } |
Select-Object TimeCreated, Id, Message |
Format-List
Conclusion
Integrating Windows Server 2025 with Microsoft Entra ID is a multi-faceted process that spans directory synchronization, authentication configuration, device registration, and continuous monitoring. By choosing the right synchronization method — Azure AD Connect for complex environments or Cloud Sync for simpler deployments — and layering on Seamless SSO, Hybrid Azure AD Join, and Entra Kerberos, you create a robust hybrid identity platform that enables conditional access, passwordless authentication, and cloud-managed security policies. Regularly monitoring sync health through Azure AD Connect Health ensures that any replication errors or authentication failures are caught and resolved before they impact users. As Microsoft continues to evolve Entra ID capabilities, organizations running Windows Server 2025 are well-positioned to adopt these features incrementally without disrupting existing on-premises operations.