Overview: Azure AD Integration with Windows Server 2019

Integrating Windows Server 2019 with Azure Active Directory (Azure AD, now called Microsoft Entra ID) extends on-premises identity to the cloud. This enables single sign-on across Microsoft 365, Azure resources, and thousands of SaaS applications. The primary integration tool is Azure AD Connect, which synchronizes on-premises AD objects to Azure AD and optionally configures password hash synchronization, pass-through authentication, or federation.

Planning the Integration

Before deploying Azure AD Connect, decide on the authentication method: Password Hash Synchronization (PHS) stores a hash of password hashes in Azure AD and is the most resilient option; Pass-Through Authentication (PTA) validates credentials against on-premises AD in real time; Federation with AD FS provides the most control but the highest operational complexity. PHS is recommended by Microsoft for most organizations as it works even when on-premises connectivity is interrupted.

Prerequisites


# On the Windows Server 2019 server that will run Azure AD Connect:
# Minimum: 4 GB RAM, Windows Server 2019 with latest patches, .NET Framework 4.5.1+

# Check .NET version
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full').Release
# Release >= 379893 means .NET 4.5.2+

# Install required PowerShell modules
Install-Module -Name AzureAD -Force
Install-Module -Name MSOnline -Force

# Ensure the server is domain-joined
(Get-WmiObject Win32_ComputerSystem).PartOfDomain

# Check AD Forest Functional Level (must be Windows 2003 or higher)
Get-ADForest | Select-Object Name, ForestMode
Get-ADDomain | Select-Object Name, DomainMode

Installing Azure AD Connect

Download the Azure AD Connect installer from the Microsoft Download Center. The installer walks through a wizard; the steps below reflect the decisions made in Express vs Custom setup:


# Download and install (command-line silent install is also supported)
# Invoke-WebRequest -Uri 'https://download.microsoft.com/download/AzureADConnect.msi' -OutFile 'C:\Installers\AzureADConnect.msi'
# Start-Process msiexec.exe -ArgumentList '/i C:\Installers\AzureADConnect.msi /quiet' -Wait

# After installation, launch the configuration wizard:
# Start > Azure AD Connect

# Express Settings (recommended for single AD forest, single Azure AD tenant):
# - Enables Password Hash Sync
# - Enables Auto Upgrade
# - Syncs all users and groups

# Custom Settings allows:
# - Selecting specific OUs to sync
# - Configuring attribute filtering
# - Choosing Pass-Through Auth or Federation
# - Adding additional AD forests

# Verify service account creation
# MSOL_<id> is the AD account Azure AD Connect uses to read the directory; with PHS it holds
# directory replication rights, so treat the Connect server as a Tier 0 asset
Get-ADUser -Filter { Name -like 'MSOL_*' } | Select-Object SamAccountName, DistinguishedName
# AAD_<id> is the sync service account; with Express settings it is usually a local account
# (or a virtual service account) on the Connect server, so this query may return nothing
Get-ADUser -Filter { Name -like 'AAD_*' }  | Select-Object SamAccountName, DistinguishedName
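A least-privilege check that pairs with the account verification above, added here as an example and not part of the original article: it lists every principal granted the directory replication extended rights on the domain root (the rights password hash sync requires), so that only domain controllers, Administrators and the MSOL_ account remain. It assumes the ActiveDirectory module is installed and that the default-holder list fits your domain.

```powershell
# Added example (not from the original article): audit replication-right holders on the domain root
Import-Module ActiveDirectory

# Extended-right GUIDs that grant directory replication access
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Principals that hold these rights on a default domain root (assumption: extend for your environment)
$expectedHolders = @('Administrators', 'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS')

function Get-ReplicationRightHolders {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLowerInvariant()
        if ($ace.AccessControlType -eq 'Allow' -and $replicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $replicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

$holders = Get-ReplicationRightHolders
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Anything that is neither a default holder nor the MSOL_ account needs a documented reason
$unexpected = $holders | Where-Object {
    $name = $_.Identity.Split('\')[-1]
    ($name -notlike 'MSOL_*') -and ($name -notin $expectedHolders)
}
if ($unexpected) {
    Write-Warning 'Unexpected replication-right holders found:'
    $unexpected | Format-Table -AutoSize
}
# Note: ACEs granting full control (GenericAll) carry no ObjectType GUID and are not listed here
```

Run it again after the Azure AD Connect install and keep the output as a baseline; a new holder appearing later is worth an investigation.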

Configuring OU Filtering for Selective Sync

In most environments you want to sync specific OUs rather than the entire directory. Configure this in the Azure AD Connect wizard or post-installation via the Synchronization Service Manager:


# Open the Azure AD Connect wizard to modify settings
# Start-Process 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe'

# Alternatively, use PowerShell with the ADSync module (installed by Azure AD Connect)
Import-Module ADSync

# List current connectors
Get-ADSyncConnector | Select-Object Name, Type

# View current OU filter for the AD connector
$connector = Get-ADSyncConnector -Name 'corp.local'
$connector.ScopeFilter.ScopeFilterGroups

# After changing OU scope in the wizard, trigger a full sync
Start-ADSyncSyncCycle -PolicyType Initial
# Or for a delta sync (incremental)
Start-ADSyncSyncCycle -PolicyType Delta

# Monitor sync progress
Get-ADSyncConnectorRunStatus

Configuring Password Hash Synchronization


# Verify PHS is enabled
Get-ADSyncAADCompanyFeature

# Enable PHS if not already enabled
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector 'corp.local' `
    -TargetConnector 'tenant.onmicrosoft.com - AAD' -Enable $true

# Force an immediate delta synchronization run profile (testing)
# Run this on the Azure AD Connect server (where the ADSync module lives), not on a domain controller
Invoke-ADSyncRunProfile -ConnectorName 'corp.local' -RunProfileName 'Delta Synchronization'

# Verify PHS is working - check the synchronization log
Get-EventLog -LogName Application -Source 'Directory Synchronization' -Newest 20 |
    Select-Object TimeGenerated, EntryType, Message
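The event-log check above lists raw entries; the function below, added here as an example and not part of the original article, turns the 'Directory Synchronization' events into a health summary. Event IDs follow Microsoft's PHS troubleshooting guidance (650/651 batch start and finish, 656 change request, 657 change result, 611 failure); the 30-minute staleness threshold is an assumption. Run it on the Azure AD Connect server.

```powershell
# Added example (not from the original article): summarize password hash sync health from the event log
function Get-PhsSyncSummary {
    param([int]$Hours = 2)

    $since = (Get-Date).AddHours(-$Hours)
    # The classic event source 'Directory Synchronization' is queried via ProviderName
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

    $countOf = { param([int]$id) @($events | Where-Object Id -eq $id).Count }

    # Get-WinEvent returns newest first, so the first 651 is the latest finished batch
    $lastFinish = ($events | Where-Object Id -eq 651 | Select-Object -First 1).TimeCreated

    # PHS runs a batch roughly every two minutes; a long gap (assumed 30 min) means the sync path is stalled
    $stalled = (-not $lastFinish) -or ($lastFinish -lt (Get-Date).AddMinutes(-30))

    [pscustomobject]@{
        Since           = $since
        BatchesStarted  = & $countOf 650
        BatchesFinished = & $countOf 651
        ChangeRequests  = & $countOf 656
        ChangeResults   = & $countOf 657
        Failures        = & $countOf 611
        LastBatchFinish = $lastFinish
        Stalled         = $stalled
    }
}

$summary = Get-PhsSyncSummary -Hours 3
$summary | Format-List

if ($summary.Stalled) { Write-Warning 'No completed PHS batch in the last 30 minutes' }
if ($summary.Failures -gt 0) {
    Write-Warning 'PHS failures (event 611) logged; showing the latest:'
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 611 } -MaxEvents 5 |
        Select-Object TimeCreated, Message
}
```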

Configuring Pass-Through Authentication (PTA)

PTA requires at least one Authentication Agent running on a domain-joined Windows Server 2019 machine. Install additional agents for redundancy:


# Download and install the PTA agent
# https://download.microsoft.com/download/...AADApplicationProxyConnectorInstaller.exe

# After installation, register the agent
# The wizard prompts for Azure AD global admin credentials

# Verify agents are registered in Azure AD portal:
# Azure AD > Security > Authentication methods > Pass-through authentication

# From PowerShell, check agent status
Get-Service 'AzureADConnectAuthenticationAgent'
Get-EventLog -LogName 'Application' -Source 'AzureADConnectAuthAgent' -Newest 20

Configuring AD FS for Federation (Advanced)


# Install AD FS role on Windows Server 2019
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Configure a new AD FS farm
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -like '*adfs.corp.local*' }

Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.corp.local' `
    -FederationServiceDisplayName 'Corp AD FS' `
    -ServiceAccountCredential (Get-Credential 'CORP\svc_adfs')

# Configure Azure AD Connect to use federation (done in AAD Connect wizard)
# This converts the existing domain in Azure AD to a federated domain:
# Convert-MsolDomainToFederated -DomainName corp.com  (requires MSOnline module; New-MsolFederatedDomain is for adding a new domain)

# Test AD FS server health
# Test-AdfsServerHealth comes from the ADFSToolbox module (Install-Module ADFSToolbox), not from the AD FS role itself
Test-AdfsServerHealth | Select-Object Name, Result, Detail

Verifying Synchronization and Troubleshooting


# Connect to Azure AD and verify synced objects
Connect-AzureAD  # prompts for credentials
# The AzureAD module exposes the property as DirSyncEnabled; -All avoids the default page size limit
Get-AzureADUser -All $true -Filter "dirSyncEnabled eq true" | Measure-Object
Get-AzureADGroup -All $true | Where-Object { $_.DirSyncEnabled -eq $true } | Measure-Object

# Check for sync errors
Get-ADSyncCSObject -ConnectorName 'tenant.onmicrosoft.com - AAD' `
    -SearchString '*' | Where-Object { $_.HasSyncErrors }

# View Azure AD Connect synchronization log
Get-EventLog -LogName Application -Source 'ADSync' -Newest 50 |
    Where-Object { $_.EntryType -in 'Error','Warning' } |
    Select-Object TimeGenerated, EntryType, Message

# Force full synchronization
Start-ADSyncSyncCycle -PolicyType Initial

# Check last sync time
(Get-ADSyncConnector | Where-Object { $_.Type -eq 'Extensible2' }).RunProfiles |
    Select-Object -ExpandProperty RunSteps | Sort-Object StartDate -Descending | Select-Object -First 5
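The commands above cover the individual checks; the function below, added here as an example and not part of the original article, combines the scheduler state, the recent ADSync error and warning volume, and the most frequent event IDs into one health object so a disabled scheduler, a server left in staging mode, or a new failure class stands out. It assumes the ADSync module is present (run on the Connect server) and a 45-minute stall threshold.

```powershell
# Added example (not from the original article): one-shot Azure AD Connect sync health check
Import-Module ADSync

function Test-ADSyncHealth {
    param([int]$Hours = 24)

    $scheduler = Get-ADSyncScheduler

    # Level 2 = Error, 3 = Warning in the Windows event log
    $problems = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'ADSync'
        Level        = 2, 3
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)

    # The most frequent event IDs point at the dominant failure class
    $topIds = $problems | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 5

    # A next-run time well in the past (assumed 45 min) means the scheduler has stopped firing
    $nowUtc  = (Get-Date).ToUniversalTime()
    $stalled = $scheduler.NextSyncCycleStartTimeInUTC -lt $nowUtc.AddMinutes(-45)

    [pscustomobject]@{
        SyncCycleEnabled  = $scheduler.SyncCycleEnabled
        StagingMode       = $scheduler.StagingModeEnabled
        SyncInProgress    = $scheduler.SyncCycleInProgress
        NextCycleUtc      = $scheduler.NextSyncCycleStartTimeInUTC
        SchedulerStalled  = $stalled
        ErrorsAndWarnings = $problems.Count
        TopEventIds       = ($topIds | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        RunningProfiles   = @(Get-ADSyncConnectorRunStatus).Count
    }
}

$health = Test-ADSyncHealth
$health | Format-List

if (-not $health.SyncCycleEnabled) { Write-Warning 'Scheduler is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true' }
if ($health.StagingMode)           { Write-Warning 'Server is in staging mode: nothing is exported to Azure AD' }
if ($health.SchedulerStalled)      { Write-Warning 'Scheduler has not fired on time; check the ADSync service and connectivity' }
```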

Staged Rollout for Gradual Migration

Rather than cutting over all users from federation or PTA to PHS at once, staged rollout in Azure AD allows testing with a pilot group first:


# Enable staged rollout via MSOnline module
Install-Module MSOnline -Force
Connect-MsolService

# Final cutover once the pilot succeeds: convert the domain from federated to managed.
# This affects every user in the domain (it is not the staged rollout itself), so run it only after the pilot group below has been validated
Set-MsolDomainAuthentication -DomainName 'corp.com' -Authentication Managed

# Add a pilot group to staged rollout in the Azure portal:
# Azure AD > Azure AD Connect > Staged rollout > Enable staged rollout
# Assign the pilot security group

# Monitor: check sign-in logs in Azure AD portal
# Azure AD > Sign-in logs > filter by Application = 'Microsoft Azure Active Directory'

Conclusion

Integrating Windows Server 2019 on-premises Active Directory with Azure AD via Azure AD Connect is a foundational step toward a hybrid identity model. Whether using Password Hash Sync for simplicity and resilience, Pass-Through Authentication for real-time on-premises validation, or AD FS for maximum control, the result is unified identity across cloud and on-premises resources—a prerequisite for enabling Microsoft 365, Azure workloads, and Conditional Access policies that protect every sign-in.