Introduction to Azure Active Directory and Hybrid Identity
Azure Active Directory (Azure AD), now rebranded as Microsoft Entra ID, is Microsoft’s cloud-based identity and access management service. Unlike traditional on-premises Active Directory Domain Services (AD DS), which relies on Kerberos and LDAP within your network perimeter, Azure AD is built for the modern web — it uses OAuth 2.0, OpenID Connect, and SAML 2.0 to authenticate users against cloud applications, Microsoft 365, and thousands of SaaS platforms.
In most enterprise environments, you will not replace on-premises AD with Azure AD — you will integrate the two in a hybrid identity model. Users are provisioned in on-premises AD DS, synchronized to Azure AD via Azure AD Connect, and then able to authenticate to both on-premises resources and cloud services using a single identity. This guide walks through the full integration process on Windows Server 2022, from planning through ongoing operations.
Before you start, ensure your on-premises forest is at a minimum forest functional level of Windows Server 2003 (though 2016 is strongly recommended). Your Azure tenant must be active, and you should have Global Administrator rights in Azure AD and Domain Admin rights on-premises.
Understanding Azure AD Connect
Azure AD Connect is the Microsoft tool that bridges on-premises AD DS and Azure AD. It runs as a service on a member server (never on a domain controller), pulls identities from AD DS, and synchronizes them to Azure AD every 30 minutes by default. The sync is one-way by default — changes in AD DS flow up to Azure AD — though write-back features can be enabled for specific attributes like passwords and group memberships.
Azure AD Connect supports three authentication methods. Password Hash Synchronization (PHS) copies a hash of the password hash to Azure AD, meaning cloud authentication is handled directly by Azure AD without dependency on on-premises infrastructure. Pass-Through Authentication (PTA) forwards authentication requests to on-premises AD in real time via a lightweight agent, meaning passwords never leave your network. Federation with AD FS offloads all authentication to your on-premises AD FS infrastructure, providing maximum control but also maximum complexity and an on-premises dependency for cloud logins.
For most organizations without strict compliance requirements mandating that passwords never exist in the cloud, Password Hash Synchronization is the recommended choice due to its resilience — if your on-premises infrastructure goes down, users can still authenticate to cloud services.
Installing Azure AD Connect on Windows Server 2022
Download the Azure AD Connect installer from the Microsoft Download Center or directly from the Azure portal under Azure AD > Azure AD Connect. Install it on a dedicated member server running Windows Server 2022 with at least 4 GB RAM and .NET Framework 4.6.2 or later. Do not install it on a domain controller.
Run the installer. You will be prompted to choose between Express Settings and Custom Settings. Express Settings configures Password Hash Sync, enables automatic upgrades, and uses a single forest with default sync scope. If you have multiple forests, complex OU structures, or need filtering, choose Custom.
For a Custom installation, the wizard will ask you to:
1. Select your authentication method (PHS, PTA, or Federation with AD FS).
2. Connect to Azure AD with your Global Administrator credentials.
3. Add each on-premises AD DS forest and provide enterprise admin credentials for each.
4. Configure the Azure AD sign-in — map your on-premises UPN suffix to a verified Azure AD domain.
5. Configure filtering (OU-based or group-based).
6. Configure optional features: password writeback, group writeback, Exchange hybrid, device writeback, and directory extension attribute sync.
After the wizard completes, the Azure AD Connect service starts and an initial full synchronization runs automatically.
Configuring OU-Based Sync Filtering
By default, Azure AD Connect syncs all users, groups, and contacts from all OUs in your domain. In most production environments, you want to limit this scope. OU filtering is the most common approach.
Open the Azure AD Connect configuration wizard again by re-running the installer and selecting Customize synchronization options. Navigate to the Domain/OU Filtering step. Deselect OUs that contain service accounts, test accounts, or computer objects that should not sync to Azure AD.
You can also filter by group. This is useful during pilots — create a group, add pilot users, and configure Azure AD Connect to sync only members of that group. Note that group-based filtering is global across all connectors and cannot be combined with OU filtering in a granular per-OU way.
After changing filtering, force a sync to apply the new scope immediately:
Start-ADSyncSyncCycle -PolicyType Delta
For a full sync (re-evaluates all objects):
Start-ADSyncSyncCycle -PolicyType Initial
Password Hash Synchronization Deep Dive
When PHS is enabled, Azure AD Connect does not sync your actual passwords. It extracts the MD4 hash of each user’s password from the on-premises AD (using the same replication mechanism that domain controllers use), applies additional salting and hashing (PBKDF2 with HMAC-SHA256, 1000 iterations), and uploads the result to Azure AD. Neither the original password nor the original MD4 hash is ever transmitted.
Password hash sync runs every two minutes as a separate process independent of the standard 30-minute attribute sync. When a user changes their password on-premises, the new hash reaches Azure AD within approximately two minutes.
Password hash sync also enables leaked credential detection — Microsoft cross-references synced password hashes against known breached credential databases and flags matches in Azure AD Identity Protection.
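As an added illustration (not the sync agent's own code), the following PowerShell follows Microsoft's published description of the PHS transform: the 16-byte MD4 hash is expanded to 64 bytes by hex-encoding it and re-encoding as UTF-16, a 10-byte per-user salt is added, and PBKDF2-HMAC-SHA256 with 1000 iterations derives the value that is stored in Azure AD. The sample hash is constructed, and the exact byte layout (hex casing, where the salt enters PBKDF2) is an assumption here.

```powershell
# Illustration of the PHS transform as Microsoft describes it; not the sync agent's own code.
# Input is the NT (MD4) hash the agent reads from AD DS; output is what is sent to Azure AD.
# The exact byte layout (hex casing, salt placement) is assumed from the published description.
function ConvertTo-PhsValue {
    param(
        [Parameter(Mandatory)][byte[]]$NtHash,       # 16-byte MD4 hash of the password
        [Parameter(Mandatory)][byte[]]$PerUserSalt,  # 10-byte random salt, one per user
        [int]$Iterations = 1000
    )
    if ($NtHash.Length -ne 16)      { throw 'NT hash must be 16 bytes' }
    if ($PerUserSalt.Length -ne 10) { throw 'Per-user salt must be 10 bytes' }

    # Step 1: expand the 16-byte hash to 64 bytes: 32-char hex string, encoded as UTF-16LE
    $hex      = [System.BitConverter]::ToString($NtHash).Replace('-', '')
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)

    # Step 2: PBKDF2 with HMAC-SHA256, 1000 iterations, 32-byte output.
    # This constructor overload needs .NET Framework 4.7.2+ (present on Windows Server 2022).
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $PerUserSalt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try     { $derived = $kdf.GetBytes(32) }
    finally { $kdf.Dispose() }

    [pscustomobject]@{
        Iterations = $Iterations
        Salt       = [System.Convert]::ToBase64String($PerUserSalt)
        Derived    = [System.Convert]::ToBase64String($derived)
    }
}

# Constructed sample input: a dummy 16-byte hash, not derived from any real password.
$sampleNtHash = [byte[]](0..15)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Two syncs of the same hash with two different per-user salts give unrelated stored values,
# and the stored value is not an NT hash, so it cannot be replayed against on-premises AD.
1..2 | ForEach-Object {
    $salt = [byte[]]::new(10)
    $rng.GetBytes($salt)
    ConvertTo-PhsValue -NtHash $sampleNtHash -PerUserSalt $salt
} | Format-Table -AutoSize
```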
Pass-Through Authentication Configuration
If your organization requires that passwords never be stored outside your network, use Pass-Through Authentication. After enabling PTA during Azure AD Connect setup, a lightweight authentication agent is installed on the Azure AD Connect server. You should install additional PTA agents on other servers for redundancy — three agents total is a recommended minimum for production.
Install additional PTA agents by downloading the Authentication Agent installer from the Azure portal (Azure AD > Azure AD Connect > Pass-through authentication). Run it on additional Windows Server 2022 member servers. Each agent registers itself with Azure AD automatically using your Global Administrator credentials.
To verify agents are healthy:
Get-AzureADPassThroughAuthenticationAgent
The output shows each agent’s status (Active/Inactive) and the server it is installed on.
Hybrid Azure AD Join for Servers
Hybrid Azure AD join registers on-premises domain-joined machines with Azure AD, giving them a cloud identity. This is primarily valuable for workstations (enabling Conditional Access policies that require compliant devices), but it applies to servers as well in some scenarios.
To enable hybrid Azure AD join, open the Azure AD Connect wizard, select Configure device options, and then choose Configure Hybrid Azure AD join. Select your operating system types (Windows current and/or downlevel) and verify your Service Connection Points (SCPs) are configured correctly — Azure AD Connect creates an SCP in the Configuration partition of your AD forest that tells devices where to find the Azure AD tenant.
Verify the SCP in AD:
Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=Configuration,DC=yourdomain,DC=com" -Properties *
After a device completes hybrid join, you can verify its registration status locally with:
dsregcmd /status
Look for AzureAdJoined: YES and DomainJoined: YES in the output.
Seamless Single Sign-On
Azure AD Seamless SSO allows users on domain-joined machines inside the corporate network to sign in to cloud services without entering their password again. It works by having Azure AD Connect create a computer account named AZUREADSSOACC in each AD domain. A Kerberos service ticket is obtained for this account transparently when a user accesses an Azure AD-integrated application, which Azure AD validates to establish the session.
Enable Seamless SSO in the Azure AD Connect wizard under Change user sign-in. After enabling, the feature is active at the Azure AD level, but you must also configure client browsers via Group Policy to include Azure AD endpoints in the Intranet zone (to allow silent Kerberos ticket issuance).
Deploy the following URLs to the Intranet zone via GPO (Computer Configuration > Windows Settings > Security Settings > Internet Explorer Zones or equivalent for Edge):
https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net
Verify Seamless SSO is enabled in your tenant:
Get-AzureADTenantDetail | Select-Object -ExpandProperty EnableSeamlessSso
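The AZUREADSSOACC account's password is the Kerberos decryption key Azure AD uses to validate Seamless SSO tickets, and Microsoft's guidance is to roll it at least every 30 days. The following added check (not from the page) reports that account's key age in every domain of the forest; the expected SPN is assumed from the autologon URL above, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the page): inspect the AZUREADSSOACC computer account in each domain.
# Its password is the Kerberos decryption key behind Seamless SSO; an old key or a missing
# account is a finding. The SPN value is assumed from the autologon URL used by the feature.
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param([int]$MaxKeyAgeDays = 30)   # Microsoft's recommended rollover interval
    foreach ($domain in (Get-ADForest).Domains) {
        $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Server $domain `
                    -Properties PasswordLastSet, ServicePrincipalNames
        if (-not $acct) {
            [pscustomobject]@{ Domain = $domain; Present = $false; KeyAgeDays = $null
                               HasSpn = $false; Status = 'Missing: Seamless SSO not enabled here' }
            continue
        }
        $age    = [int](New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).TotalDays
        $status = if ($age -gt $MaxKeyAgeDays) { "Roll key: $age days old" } else { 'OK' }
        [pscustomobject]@{
            Domain     = $domain
            Present    = $true
            KeyAgeDays = $age
            HasSpn     = [bool]($acct.ServicePrincipalNames -contains 'HTTP/autologon.microsoftazuread-sso.com')
            Status     = $status
        }
    }
}

Test-SeamlessSsoAccount | Format-Table -AutoSize
```

Rolling the key itself is done with Update-AzureADSSOForest from the AzureADSSO PowerShell module that ships with Azure AD Connect, as described in Microsoft's Seamless SSO documentation.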
Managing Users That Sync to Azure AD
A key operational rule: do not modify synchronized users directly in Azure AD. Changes made in the Azure portal to synced attributes will be overwritten on the next sync cycle. All attribute changes must be made in on-premises AD DS.
Attributes that are sync-sourced include displayName, mail, department, manager, telephoneNumber, and the UPN. Cloud-only attributes like Azure AD group memberships for cloud groups and license assignments can be managed in Azure AD without conflict.
To check which on-premises attributes are being synchronized, use the Synchronization Service Manager on the Azure AD Connect server:
Start-Process "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"
In the Metaverse Designer tab, you can see all attributes in the metaverse and their flow rules.
To update a user attribute on-premises and force it to Azure AD:
Set-ADUser -Identity jsmith -Department "Engineering"
Start-ADSyncSyncCycle -PolicyType Delta
Monitoring the Sync Cycle and Connector Run Status
Azure AD Connect exposes PowerShell cmdlets for monitoring. To see the status of the last sync run:
Get-ADSyncConnectorRunStatus
This returns the current state of each connector (AD and Azure AD) — Running, Idle, or an error state. For detailed run history:
Get-ADSyncRunProfileResult -NumberRequested 10
To view sync statistics — how many objects were added, updated, deleted, or errored in the last run:
$runs = Get-ADSyncRunProfileResult -NumberRequested 1
$runs | Select-Object -ExpandProperty StepDetails
Azure AD Connect Health Monitoring
Azure AD Connect Health is a cloud-based monitoring service that provides visibility into the health of your synchronization infrastructure. It requires an Azure AD Premium P1 license. Install the Connect Health agent on the Azure AD Connect server:
Install-Package -Name MicrosoftAzureADConnectHealthAgent
Or download and run the MSI from the Azure portal. After installation, register the agent:
Register-AzureADConnectHealthSyncAgent -Credentials (Get-Credential)
Once connected, the Azure AD Connect Health blade in the Azure portal shows sync latency graphs, export errors, object counts per connector, and alerts for synchronization failures. Configure alert notifications to email your operations team when sync errors exceed a threshold.
Troubleshooting Synchronization Errors
The most common sync errors are duplicate attribute conflicts (two on-premises objects have the same UPN or proxyAddresses entry) and object type mismatches. Azure AD reports these as synchronization errors in the Azure portal under Azure AD > Azure AD Connect > Sync errors.
To investigate errors locally on the Azure AD Connect server, query the connector space:
Get-ADSyncCSObject -ConnectorName "yourdomain.com" -DistinguishedName "CN=JohnSmith,OU=Users,DC=yourdomain,DC=com"
For duplicate attribute errors, use the IdFix tool (downloadable from Microsoft) to scan your on-premises AD for UPN duplicates, illegal characters, and formatting issues before sync. Fix them on-premises, then run a delta sync.
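As an added example (not IdFix and not code from the page), the following read-only scan covers the conflicts described above before they reach Azure AD: duplicate UPNs, the same SMTP proxy address on more than one user, UPN suffixes that are not verified in the tenant, and UPN prefixes with characters Azure AD rejects. It assumes the ActiveDirectory module; the OU and verified domain are constructed placeholders.

```powershell
# Added example: a read-only pre-sync scan for the conflicts that cause most sync errors.
# Assumes the ActiveDirectory module; $VerifiedDomains lists the domains verified in the tenant.
Import-Module ActiveDirectory

function Find-SyncConflicts {
    param(
        [Parameter(Mandatory)][string[]]$SearchBase,          # OUs inside the sync scope
        [string[]]$VerifiedDomains = @('yourdomain.com')       # constructed placeholder
    )
    $users = foreach ($ou in $SearchBase) {
        Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -Properties mail, proxyAddresses
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    $report = { param($Sam, $Issue, $Value)
        $findings.Add([pscustomobject]@{ User = $Sam; Issue = $Issue; Value = $Value }) }

    # 1. Duplicate UPNs: Azure AD refuses the second object that claims the same UPN
    $users | Where-Object UserPrincipalName | Group-Object UserPrincipalName |
        Where-Object Count -gt 1 | ForEach-Object {
            foreach ($u in $_.Group) { & $report $u.SamAccountName 'DuplicateUPN' $_.Name } }

    # 2. The same SMTP address on more than one user (addresses compare case-insensitively)
    $smtp = foreach ($u in $users) {
        foreach ($a in @($u.proxyAddresses) | Where-Object { $_ -like 'smtp:*' }) {
            [pscustomobject]@{ Sam = $u.SamAccountName; Address = $a.Substring(5).ToLowerInvariant() }
        }
    }
    $smtp | Group-Object Address | Where-Object { @($_.Group.Sam | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { foreach ($e in $_.Group) { & $report $e.Sam 'DuplicateProxyAddress' $_.Name } }

    # 3. UPN suffix not verified in Azure AD (sync would rewrite it to *.onmicrosoft.com), or a
    #    prefix with characters Azure AD rejects or that starts/ends with a period
    foreach ($u in $users) {
        if (-not $u.UserPrincipalName) { & $report $u.SamAccountName 'MissingUPN' ''; continue }
        $prefix, $suffix = $u.UserPrincipalName -split '@', 2
        if ($VerifiedDomains -notcontains $suffix) { & $report $u.SamAccountName 'UnverifiedUPNSuffix' $suffix }
        if ($prefix -notmatch '^[A-Za-z0-9''._!#^~\-]+$' -or $prefix -match '^\.|\.$') {
            & $report $u.SamAccountName 'InvalidUPNPrefix' $u.UserPrincipalName
        }
    }
    $findings
}

Find-SyncConflicts -SearchBase 'OU=Users,DC=yourdomain,DC=com' | Sort-Object Issue, User | Format-Table -AutoSize
```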
To check whether a specific user has sync errors:
Get-ADSyncCSObject -ConnectorName "yourdomain.onmicrosoft.com" -DistinguishedName "CN=JohnSmith,OU=Users,DC=yourdomain,DC=com" | Select-Object -ExpandProperty SyncObjectErrorDetails
For soft-match conflicts — where an Azure AD object was created manually before sync was configured — you can hard-match it by setting the ImmutableId in Azure AD to match the on-premises objectGUID:
$guid = (Get-ADUser -Identity jsmith).ObjectGUID
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Set-AzureADUser -ObjectId "jsmith@yourdomain.com" -ImmutableId $immutableId
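The three lines above do the conversion in one direction only. The following added example (not from the page) wraps both directions, so an ImmutableId seen in Azure AD can be traced back to the on-premises objectGUID, and it refuses to hard-match a cloud object that is already DirSync-managed, since overwriting that object's ImmutableId would break its existing link rather than repair a conflict. It assumes the ActiveDirectory and AzureAD modules and an open Connect-AzureAD session.

```powershell
# Added example (not from the page): objectGUID <-> ImmutableId helpers plus a guarded hard match.
# Assumes the ActiveDirectory and AzureAD modules and an existing Connect-AzureAD session.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: Azure AD shows an ImmutableId, you need the matching AD object
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # on-premises account
        [Parameter(Mandatory)][string]$CloudUpn          # cloud-only account to link
    )
    $adUser    = Get-ADUser -Identity $SamAccountName
    $cloudUser = Get-AzureADUser -ObjectId $CloudUpn
    $expected  = ConvertTo-ImmutableId $adUser.ObjectGUID

    # Refuse to touch an object already sourced from on-premises AD: changing its
    # ImmutableId would break its existing link, not repair a soft-match conflict.
    if ($cloudUser.DirSyncEnabled) {
        throw "$CloudUpn is already synchronized (ImmutableId $($cloudUser.ImmutableId)); not modifying."
    }
    if ($cloudUser.ImmutableId -eq $expected) {
        return "Already matched: $CloudUpn -> $($adUser.ObjectGUID)"
    }
    Set-AzureADUser -ObjectId $cloudUser.ObjectId -ImmutableId $expected
    "Hard-matched $CloudUpn to on-premises objectGUID $($adUser.ObjectGUID) (ImmutableId $expected)"
}

# Round-trip sanity check on a constructed GUID (prints True)
$g = [guid]'12345678-1234-1234-1234-123456789abc'
(ConvertFrom-ImmutableId (ConvertTo-ImmutableId $g)) -eq $g

# Then, for the user in the text:
#   Set-HardMatch -SamAccountName jsmith -CloudUpn 'jsmith@yourdomain.com'
#   Start-ADSyncSyncCycle -PolicyType Delta
```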
Keeping Azure AD Connect Updated
Azure AD Connect receives regular updates from Microsoft that add features, fix bugs, and address security vulnerabilities. Automatic upgrade is enabled by default for Express installations. To check whether auto-upgrade is enabled:
Get-ADSyncAutoUpgrade
If it returns Disabled, enable it:
Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
To check the current version:
(Get-ADSyncScheduler).SynchronizationCycleStartedTime
Get-ADSyncDatabaseConfiguration | Select-Object -Property ADSyncVersion
Microsoft will retire older versions of Azure AD Connect periodically. Monitor the Microsoft documentation for end-of-support dates and plan upgrades before support ends.
Summary
Integrating Windows Server 2022 with Azure Active Directory via Azure AD Connect is a foundational step toward a hybrid cloud identity model. By synchronizing on-premises identities to Azure AD, you enable users to access cloud applications with the same credentials they use on the corporate network, support modern authentication policies like Conditional Access and MFA, and lay the groundwork for features like Hybrid Azure AD Join, Seamless SSO, and password writeback. The key operational practices are to always manage synchronized identities from on-premises AD DS, monitor the sync health actively via Azure AD Connect Health, and keep the Azure AD Connect agent updated to maintain security and compatibility.