Configuring Network Connectivity Between Active Directory and Azure Active Directory
Integrating an on-premises Active Directory (AD) environment with Azure Active Directory (Microsoft Entra ID) requires reliable and secure network connectivity. While Azure AD itself is a cloud-based identity service and does not rely on traditional network trusts, the synchronization and hybrid identity components do require proper network configuration.
This post outlines the network requirements, common architectures, and a practical example of a hybrid AD–Azure AD setup.
1. Understanding the Network Role in AD–Azure AD Integration
It is important to distinguish responsibilities:
- On-premises Active Directory: uses traditional networking, DNS, LDAP, Kerberos, and domain controllers.
- Azure Active Directory (Entra ID): is accessed over HTTPS and does not require direct network connectivity to domain controllers.
- Synchronization and authentication components (such as Azure AD Connect or Pass-through Authentication agents): act as the bridge and do require outbound network access.
The network configuration ensures that identity data can securely flow from on-premises AD to Azure AD.
2. Common Network Architecture
A typical hybrid identity network design includes:
- On-premises network hosting:
  - Domain Controllers
  - Azure AD Connect server
- Secure outbound internet connectivity to Azure
- Optional private connectivity for Azure workloads (VPN or ExpressRoute)
Azure AD Connect does not require inbound connections from Azure, which significantly reduces the attack surface.
3. Network Requirements
To enable communication between on-premises AD and Azure AD, ensure the following:
Outbound Connectivity
The Azure AD Connect server must be able to reach Microsoft endpoints over HTTPS (TCP 443), including:
- Azure AD authentication endpoints
- Microsoft Graph
- Azure AD Connect services
No inbound firewall rules from the internet are required.
DNS Resolution
- The Azure AD Connect server must resolve:
  - On-premises AD DNS zones
  - Public Microsoft DNS names
- Domain controllers must be reachable via standard AD ports (LDAP, Kerberos, RPC).
Proxy and Firewall Support
If outbound internet access is restricted:
- Configure a proxy that allows HTTPS traffic to Microsoft endpoints
- Ensure authentication agents can bypass SSL inspection if required
4. Example: Hybrid AD–Azure AD Network Configuration
Scenario
An organization has:
- An on-premises AD domain: corp.contoso.local
- A virtual network in Azure hosting applications
- A requirement for single sign-on to Microsoft 365 and Azure resources
Step 1: Prepare the On-Premises Network
- Ensure domain controllers are reachable from the Azure AD Connect server
- Verify AD ports are open internally:
  - TCP/UDP 389 (LDAP)
  - TCP 636 (LDAPS, optional)
  - TCP 88 (Kerberos)
  - TCP 445 (SMB)
  - RPC dynamic ports
Step 2: Configure Internet Access
- Allow outbound HTTPS (TCP 443) from the Azure AD Connect server
- Whitelist Microsoft identity endpoints if outbound filtering is enforced
Step 3: Install Azure AD Connect
- Install Azure AD Connect on a domain-joined Windows Server
- Choose the Hybrid Identity model (Password Hash Sync or Pass-through Authentication)
- During setup, the server securely connects to Azure AD over HTTPS
Step 4: Optional Azure Network Connectivity
If Azure-hosted VMs must authenticate against on-prem AD:
- Configure a Site-to-Site VPN or ExpressRoute
- Set Azure VNet DNS servers to point to on-prem domain controllers
- Ensure bidirectional connectivity between Azure subnets and AD networks
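As an added example (not part of the original post), the following PowerShell pre-flight script verifies the prerequisites from Section 3 and Steps 1 and 2 above when run on the planned Azure AD Connect server. It assumes the scenario domain corp.contoso.local and uses login.microsoftonline.com and graph.microsoft.com as representative HTTPS endpoints; the authoritative endpoint list should be taken from Microsoft's Azure AD Connect documentation.

```powershell
# Pre-flight connectivity check for an Azure AD Connect server (added example).
# Assumptions: run on the future Azure AD Connect server; $Domain is the scenario
# domain; $CloudEndpoints are representative hosts, not the full Microsoft list.
$Domain         = 'corp.contoso.local'
$DcPorts        = [ordered]@{ 389 = 'LDAP'; 636 = 'LDAPS (optional)'; 88 = 'Kerberos'; 445 = 'SMB' }
$CloudEndpoints = @('login.microsoftonline.com', 'graph.microsoft.com')   # assumed representative endpoints

$report = New-Object System.Collections.Generic.List[object]
function Add-Result($Area, $Target, $Check, $Ok) {
    $report.Add([pscustomobject]@{
        Area = $Area; Target = $Target; Check = $Check
        Result = $(if ($Ok) { 'PASS' } else { 'FAIL' })
    })
}

# Step 1 / on-prem DNS: locate domain controllers through the DC locator SRV record
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
Add-Result 'On-prem DNS' $Domain 'DC SRV lookup' (@($dcs).Count -gt 0)

# Step 1 / AD ports: TCP probe every DC on the standard ports. UDP 389 and the RPC
# dynamic range cannot be validated with a single TCP probe; confirm those on the firewall.
foreach ($dc in $dcs) {
    foreach ($port in $DcPorts.Keys) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        Add-Result 'Domain controller' $dc "TCP $port ($($DcPorts[$port]))" $tcp.TcpTestSucceeded
    }
}

# Step 2 / outbound HTTPS: resolve the public names and open a TLS session through the
# system proxy (Invoke-WebRequest honours the configured proxy, unlike Test-NetConnection).
# Any HTTP response, even a 4xx, proves that TCP 443 and TLS to the endpoint work.
foreach ($ep in $CloudEndpoints) {
    $resolved = Resolve-DnsName -Name $ep -Type A -ErrorAction SilentlyContinue
    Add-Result 'Public DNS' $ep 'A record lookup' ($null -ne $resolved)
    try {
        $null = Invoke-WebRequest -Uri "https://$ep/" -Method Head -UseBasicParsing -TimeoutSec 15
        $ok = $true
    } catch {
        $ok = $null -ne $_.Exception.Response   # HTTP error with a response = path is open
    }
    Add-Result 'Outbound HTTPS' $ep 'TCP 443 via proxy' $ok
}

$report | Format-Table -AutoSize
if ($report.Result -contains 'FAIL') { exit 1 }   # non-zero exit for use in automation
```

Run it from an elevated PowerShell session before installing Azure AD Connect; any FAIL row points at the firewall, DNS, or proxy rule that still needs attention.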
5. Security Best Practices
- Use least-privilege service accounts for synchronization
- Restrict Azure AD Connect server access to administrators only
- Monitor sign-ins and sync activity with Azure Monitor and Entra ID logs
- Avoid exposing domain controllers directly to Azure or the internet
6. Key Takeaways
- Azure AD does not require direct network trust with on-prem AD
- Azure AD Connect is the critical networking component
- Outbound HTTPS connectivity is usually sufficient
- VPN or ExpressRoute is only required when Azure resources need direct AD access