With the release of the Azure Active Directory Connect tool, which adds multi-forest synchronization, attribute selection and much more (with more to come), this post details the installation and configuration steps.
- First download the tool from http://go.microsoft.com/fwlink/?LinkId=511690
IMPORTANT: this synchronization tool is not the one offered by the usual link on the Office 365 Admin portal; that link still points to the classic DirSync tool, which supports only ONE AD forest.
- Install the prerequisites on Windows Server 2008, 2008 R2, 2012 or 2012 R2:
- .NET Framework 4.5
- PowerShell
Azure Active Directory Connect Installation
- Then start the installation, which is pretty straightforward
- Enter your Azure AD (or Office 365) global admin credentials. As with the 'standard' Office 365 DirSync, I recommend using a dedicated cloud-only account with a complex password that never expires (treat it as a service credential: keep it in your password vault and rotate it on your own schedule). A good point of this tool is that you can use it to provision your Azure Active Directory even if you don't have an Office 365 subscription.
If you forgot to enable the directory synchronization feature on your Azure/Office 365 tenant, you will get the following error. The good news is that you can still enable it at this point, and it is quick to turn on (although the delay before the tenant reflects the change may vary).
If your account is not a global administrator, you will get the following error. The problem is that the message does not say you are not a global administrator, only that you are not authorized to access Azure AD:
An error occurred. Error code: 6. Error Description: Your credentials are not authorized to access Windows Azure Active Directory.
- Then add your on-premises AD forests (of course the tool also works with only ONE AD forest). Once again, I recommend using a dedicated service account for this. The good news is that, for the basic synchronization, this account needs no privileges beyond those of a "standard" domain user (optional features such as password write-back or Exchange hybrid write-back need extra rights delegated to it in the on-premises directory). Don't forget to enter the service credential in the domain\user form.
- Then define how to identify users across your forests in case the same user has an account in more than one forest (you can even choose your own attribute), as well as which attribute to use as the source anchor for Azure AD
To know more about user matching, go to http://go.microsoft.com/fwlink/?LinkID=395087#UserMatchingHelp
- Then enable optional features such as Azure AD Premium password write-back or Exchange Hybrid deployment. If you are using Azure Access Control to publish applications, you can also select that option here.
NOTE: if you enable Password Write Back here BUT it is not enabled on your Azure AD tenant, the setup continues without warning you
- If you don't enable Azure AD app and attribute filtering, you are almost done
- If you enable Azure AD app and attribute filtering, you have to define which applications and attributes you want to synchronize
- You are done. Just validate your configuration and let the tool configure itself
- As usual, if you want to use OU (or attribute) based filtering, do not start the synchronization now; open the MIIS console first (C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe) and configure your filters before the first synchronization runs
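The wizard steps above need two dedicated accounts (a cloud global administrator and an on-premises service account) and a tenant with directory synchronization enabled. The following PowerShell script is an added example, not part of the original post, that prepares both accounts with the properties recommended above and checks the two conditions whose errors are shown earlier (tenant sync not enabled, account not a global administrator) before you run the setup. It assumes the MSOnline and ActiveDirectory modules are installed on the server; the tenant domain, OU path and account names are placeholders.

```powershell
# Added example, not part of the original post: prepare the two dedicated accounts
# the wizard asks for, and verify the tenant is ready, before launching the setup.
# Assumes the MSOnline and ActiveDirectory modules are installed on the sync server;
# the tenant domain, OU and account names below are placeholders to adapt.

Import-Module MSOnline
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # for [Membership]::GeneratePassword

$tenantDomain = 'contoso.onmicrosoft.com'                    # placeholder tenant
$cloudSyncUpn = "svc-aadsync@$tenantDomain"                  # cloud-only admin
$adSyncName   = 'svc-aadsync'                                # on-premises sync account
$adSyncOu     = 'OU=Service Accounts,DC=contoso,DC=local'    # placeholder OU

Connect-MsolService   # sign in once with an existing global administrator

# --- Cloud side: dedicated global admin with a complex, non-expiring password ---
$cloudPassword = [System.Web.Security.Membership]::GeneratePassword(24, 6)
New-MsolUser -UserPrincipalName $cloudSyncUpn -DisplayName 'Azure AD Connect sync' `
    -Password $cloudPassword -PasswordNeverExpires $true -ForceChangePassword $false | Out-Null
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $cloudSyncUpn

# The wizard reports a missing role only as 'Error code: 6 ... not authorized',
# so check the global administrator membership explicitly beforehand.
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
$isGlobalAdmin = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $cloudSyncUpn }
if (-not $isGlobalAdmin) { throw "$cloudSyncUpn is not a global administrator" }

# Directory synchronization must be enabled on the tenant, or the wizard errors out.
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    Write-Warning 'Directory sync was just enabled; the tenant may need some time before the wizard accepts it.'
}

# --- On-premises side: a standard user with no privileged group membership ---
$adPassword = [System.Web.Security.Membership]::GeneratePassword(24, 6)
New-ADUser -Name $adSyncName -SamAccountName $adSyncName -Path $adSyncOu `
    -AccountPassword (ConvertTo-SecureString $adPassword -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Azure AD Connect synchronization account'

# Least-privilege check: the basic sync only needs a standard user, so fail loudly
# if the account somehow ended up in a privileged group.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'
$memberOf   = Get-ADPrincipalGroupMembership -Identity $adSyncName | Select-Object -ExpandProperty Name
$violations = $memberOf | Where-Object { $privilegedGroups -contains $_ }
if ($violations) { throw "$adSyncName is in privileged group(s): $($violations -join ', ')" }

# Hand the credentials to the operator in the form the wizard expects
# (domain\user for the AD forest); store both secrets in your password vault.
New-Object PSObject -Property @{
    CloudAdminUpn    = $cloudSyncUpn
    CloudPassword    = $cloudPassword
    ForestCredential = "$((Get-ADDomain).NetBIOSName)\$adSyncName"
    ForestPassword   = $adPassword
}
```

Run it once from the server where you are about to install the tool, then type the returned credentials into the wizard. If you later enable password write-back or Exchange hybrid, delegate the additional attribute and password-reset rights to the on-premises account rather than adding it to an administrative group.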
NOTES
- You cannot start the synchronization manually with the well-known PowerShell command Start-OnlineCoexistenceSync. If you want to run a manual synchronization, you need to run the scheduled task (see below)
- There is no longer a web.config file to set the synchronization schedule, which is every 3 hours by default (as with Office 365 DirSync). Instead there is a scheduled task called Azure AD Sync Scheduler. At this time, Microsoft has not said whether changing the schedule is supported (during the beta I was told it would not be)
Azure Active Directory Connect Configuration Change
After setting up AAD Connect, you may need to change some settings, such as enabling/disabling optional features or adding/removing an AD forest.
To do so, first disable the scheduled task (to ensure no operations are, or will be, in progress during your configuration update) and then simply launch the Directory Sync tool again (using the shortcut on the desktop, or directly from C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe).
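Both the manual synchronization note above and this configuration-change procedure come down to driving the Azure AD Sync Scheduler task. The script below is an added example, not code from the original post or from the tool, that disables the task, waits for a cycle already in flight to finish before you open DirectorySyncTool.exe, re-enables it afterwards, and triggers an on-demand run in place of Start-OnlineCoexistenceSync. It assumes the default task name quoted above and uses schtasks.exe rather than the ScheduledTasks module so that it also works on Windows Server 2008 R2.

```powershell
# Added example, not from the original post: manage the 'Azure AD Sync Scheduler'
# task around a configuration change and for on-demand synchronization.
# Assumes the default task name; uses schtasks.exe so it works on 2008 R2 too.

$taskName = 'Azure AD Sync Scheduler'

function Get-SyncTaskStatus {
    # Verbose CSV output of schtasks carries a 'Status' column: Ready, Running, Disabled...
    $csv = schtasks.exe /Query /TN $taskName /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0) { throw "Scheduled task '$taskName' not found" }
    ($csv | ConvertFrom-Csv | Select-Object -First 1).Status
}

function Suspend-SyncTask {
    # Disable first so no new cycle starts, then wait for a cycle already running.
    schtasks.exe /Change /TN $taskName /DISABLE | Out-Null
    while ((Get-SyncTaskStatus) -eq 'Running') {
        Write-Host 'A synchronization cycle is still running; waiting 30 s...'
        Start-Sleep -Seconds 30
    }
    Write-Host "'$taskName' is disabled and idle; safe to launch DirectorySyncTool.exe"
}

function Resume-SyncTask {
    # Re-enable the 3-hour schedule once the configuration change is complete.
    schtasks.exe /Change /TN $taskName /ENABLE | Out-Null
    Write-Host "'$taskName' is enabled again (status: $(Get-SyncTaskStatus))"
}

function Start-SyncNow {
    # Manual synchronization: run the task itself, since Start-OnlineCoexistenceSync
    # does not apply to this tool. A disabled task cannot be run, so check first.
    if ((Get-SyncTaskStatus) -eq 'Disabled') { throw "'$taskName' is disabled; run Resume-SyncTask first" }
    schtasks.exe /Run /TN $taskName | Out-Null
    Write-Host "Synchronization started (status: $(Get-SyncTaskStatus))"
}

# Typical sequence around a configuration change:
#   Suspend-SyncTask      # then launch DirectorySyncTool.exe and make your changes
#   Resume-SyncTask       # restore the schedule
#   Start-SyncNow         # optionally push the new configuration immediately
```

Run the functions from an elevated PowerShell session on the synchronization server; schtasks.exe needs administrative rights to change or run the task.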
Remove an AD Forest
After starting the tool again, just go to the Connect to AD DS step and click the cross on the left side of the forest you want to remove