How to Synchronise Active Directory with the Cloud: A Practical Step-by-Step Guide
Synchronising Active Directory (AD) with cloud services allows businesses to manage users centrally while giving employees secure access to Microsoft 365, Azure, and other cloud applications. This guide explains how to do it properly, what tools are required, and common mistakes to avoid.
1. What You Need Before You Start
Before setting up synchronisation, ensure the following prerequisites are in place:
Infrastructure Requirements
- On-premises Active Directory (Windows Server 2016+ recommended)
- At least one healthy Domain Controller
- A Microsoft 365 or Azure tenant
- Global Admin credentials for Microsoft Entra ID (Azure AD)
- Reliable internet connection
Best Practice Check
✔ AD health check completed
✔ No duplicate or broken user accounts
✔ Correct DNS configuration
✔ Proper time synchronisation (very important)
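The checklist above can be scripted so the same checks are run the same way before every sync project. The following pre-flight script is an added example, not part of the original guide or of Azure AD Connect itself. It assumes the RSAT ActiveDirectory module is present on a domain-joined admin workstation, and that the built-in repadmin, dcdiag and w32tm tools are on the path; the duplicate check covers the attributes that most often cause provisioning errors once sync starts.

```powershell
# Added pre-flight check for the prerequisites checklist (example, not from the original guide).
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

Write-Host "== Replication and DC health =="
# repadmin/dcdiag ship with Windows Server; any failures here must be fixed before syncing
repadmin /replsummary
dcdiag /test:DNS /test:Advertising /q

Write-Host "== Time synchronisation (Kerberos tolerates at most 5 minutes of skew by default) =="
w32tm /query /status /computer:$pdc

Write-Host "== DNS: can the domain's LDAP SRV record be resolved? =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
    Select-Object NameTarget, Port

Write-Host "== Duplicate mail / UPN values (these produce attribute-uniqueness sync errors) =="
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses, userPrincipalName
foreach ($attr in 'mail', 'userPrincipalName') {
    $users | Where-Object { $_.$attr } |
        Group-Object -Property $attr | Where-Object Count -gt 1 |
        ForEach-Object {
            "DUPLICATE {0}: {1} ({2})" -f $attr, $_.Name, ($_.Group.SamAccountName -join ', ')
        }
}
# proxyAddresses is multi-valued, so flatten it before looking for duplicates
$users | ForEach-Object { $_.proxyAddresses } | Where-Object { $_ } |
    Group-Object | Where-Object Count -gt 1 |
    ForEach-Object { "DUPLICATE proxyAddress: $($_.Name)" }
```

Run it as a user with read access to the whole domain; every line printed under the duplicate heading is an account pair that must be cleaned up in AD before the first sync, because Entra ID will reject the second object rather than merge them.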
2. Choose the Right Synchronisation Method
Microsoft provides Azure AD Connect to sync AD with Azure AD.
Common Sync Options
- Password Hash Synchronisation (Recommended)
  - Password hashes sync to Azure AD
  - Simple, reliable, and secure
  - Best for most businesses
- Pass-Through Authentication
  - Passwords validated on-prem
  - Requires always-available Domain Controllers
  - More complex
- AD FS (Federation)
  - Advanced setup
  - Suitable for large enterprises
  - Higher maintenance
Most SMEs should use Password Hash Sync.
3. Install Azure AD Connect (Step-by-Step)
Step 1: Download Azure AD Connect
- Download from Microsoft official website
- Install on a dedicated server (not a Domain Controller)
Step 2: Start Installation
- Select Custom Installation (recommended)
- Sign in with Azure Global Admin credentials
- Sign in with on-prem AD admin credentials
Step 3: Select Synchronisation Method
- Choose Password Hash Synchronisation
- Enable Single Sign-On (SSO) if required
4. Select What to Synchronise (Critical Step)
OU Filtering
Do NOT sync the entire directory.
Best practice:
- Create a dedicated OU (e.g. Cloud-Users)
- Move only required users into that OU
- Sync only that OU
Group & Device Filtering
- Sync only security groups required
- Sync devices if using Intune or Conditional Access
This reduces risk and keeps the cloud directory clean.
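The OU and group preparation described in this section can be done in PowerShell before the Azure AD Connect wizard is pointed at the OU. The script below is an added example and not part of the original guide; the OU name Cloud-Users, the group name Lic-Microsoft365 and the list of account names are assumptions or constructed sample data. The OU filter itself is still selected in the wizard, as the guide describes; this script only makes sure the right objects are inside the OU and reports mail-enabled users that would be left out.

```powershell
# Added example for OU-scoped synchronisation (not from the original guide).
# Assumed names: the OU "Cloud-Users" and the group "Lic-Microsoft365"; the account list is constructed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Cloud-Users'
$ouDN     = "OU=$ouName,$domainDN"

# 1. Create the dedicated OU once (safe to re-run)
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move only the accounts that need cloud access (constructed sample list)
$cloudUsers = @('j.smith', 'a.jones', 'm.patel')
foreach ($sam in $cloudUsers) {
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    if ($user.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDN
        "Moved $sam into $ouName"
    }
}

# 3. Keep the security groups that must sync inside the same OU, so OU filtering covers them too
$groupName = 'Lic-Microsoft365'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDN)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
Add-ADGroupMember -Identity $groupName -Members $cloudUsers

# 4. Report mail-enabled users still outside the OU: after filtering these will NOT reach the cloud
Get-ADUser -Filter 'mail -like "*"' -Properties mail |
    Where-Object { $_.DistinguishedName -notlike "*,$ouDN" } |
    Select-Object SamAccountName, mail | Format-Table -AutoSize
```

The report in step 4 is the useful part: anyone listed there has a mailbox-style address but will silently stop being provisioned once the OU filter is applied, so review that list with the business before enabling the filter.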
5. Configure Synchronisation Settings
Sync Frequency
- Default: every 30 minutes
- Can be adjusted (not recommended unless necessary)
Attribute Mapping
- Ensure correct email attributes (mail, proxyAddresses)
- Confirm UPN matches email address (e.g. user@company.com)
⚠ Incorrect UPNs are a common cause of login issues.
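The UPN check can be run against the sync OU before go-live. The script below is an added example, not part of the original guide; the OU name Cloud-Users and the routable suffix company.com are assumptions. It flags two separate problems: a UPN suffix that is not a verified domain in the tenant (such as a .local forest name), which Entra ID silently rewrites to the tenant's onmicrosoft.com domain, and a UPN that differs from the mail attribute, which is what confuses users at sign-in.

```powershell
# Added example for the UPN/mail alignment check (not from the original guide).
# Assumes the ActiveDirectory module; $cloudOU and $routableSuffix are assumptions.
Import-Module ActiveDirectory

$cloudOU        = "OU=Cloud-Users,$((Get-ADDomain).DistinguishedName)"
$routableSuffix = 'company.com'   # the domain verified in the Microsoft 365 tenant (assumed)

$users = Get-ADUser -SearchBase $cloudOU -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName

$report = foreach ($u in $users) {
    $upnSuffix = ($u.UserPrincipalName -split '@')[-1]
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        Mail           = $u.mail
        # .local or other unverified suffixes are rewritten by Entra ID to *.onmicrosoft.com
        Routable       = $upnSuffix -eq $routableSuffix
        MatchesMail    = [bool]($u.mail -and ($u.UserPrincipalName -eq $u.mail))
    }
}

# Everything that needs attention before go-live
$report | Where-Object { -not $_.Routable -or -not $_.MatchesMail } | Format-Table -AutoSize

# Remediation: set UPN = mail where the mail address already uses the routable suffix.
# -WhatIf previews the change; remove it only after reviewing the report above.
$report | Where-Object { $_.Mail -like "*@$routableSuffix" -and -not $_.MatchesMail } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.Mail -WhatIf
}
```

If company.com is not yet an allowed UPN suffix in the forest, add it first with Set-ADForest -UPNSuffixes @{Add='company.com'}; otherwise Set-ADUser will refuse the new value.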
6. Test Before Going Live
Testing Checklist
✔ Test with 2–3 pilot users
✔ Confirm Microsoft 365 login works
✔ Verify password changes sync correctly
✔ Check Teams, Outlook, and SharePoint access
Only proceed when tests are successful.
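For the sync-frequency settings in section 5 and the pilot test in this section, the following script is an added example that is not part of the original guide. It runs on the Azure AD Connect server, where the ADSync module is installed with the product; the pilot user list is constructed sample data, and the final verification assumes the Microsoft.Graph.Users module is available and that the signed-in account has User.Read.All.

```powershell
# Added example: inspect the scheduler, force a delta sync for the pilot, then verify in the cloud.
# Runs on the Azure AD Connect server (ADSync module); Graph module and scope are assumptions.
Import-Module ADSync

# Sync cycle settings: the default is 30 minutes, AllowedSyncCycleInterval is the tenant minimum
Get-ADSyncScheduler | Select-Object AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
    CustomizedSyncCycleInterval, SyncCycleEnabled, NextSyncCycleStartTimeInUTC

# Trigger a delta cycle for the pilot instead of waiting for the next scheduled one
if (Get-ADSyncConnectorRunStatus) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Poll until the cycle completes (connector run status is empty when the engine is idle)
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)
"Delta sync finished at $(Get-Date -Format 'HH:mm:ss')"

# Verify the pilot accounts now exist in Entra ID as synced objects (constructed pilot list)
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'
$pilots = @('j.smith@company.com', 'a.jones@company.com')
foreach ($upn in $pilots) {
    $cloudUser = Get-MgUser -UserId $upn -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime' -ErrorAction SilentlyContinue
    if ($null -eq $cloudUser) {
        Write-Warning "$upn not found in Entra ID - check OU filtering and UPN suffix"
    } else {
        "{0}: synced={1} lastSync={2}" -f $upn, $cloudUser.OnPremisesSyncEnabled, $cloudUser.OnPremisesLastSyncDateTime
    }
}
```

Password hash synchronisation has its own short cycle independent of the scheduler, so a password change made for a pilot user should be accepted at the Microsoft 365 sign-in page within a few minutes even without forcing a delta sync; if it is not, check the password hash sync status in the Azure AD Connect wizard before widening the pilot.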
7. Synchronising Active Directory with Microsoft 365
Once synced:
- Users appear automatically in Microsoft 365
- Licences can be assigned manually or via groups
- Email, Teams, and OneDrive activate automatically
Best Practice
Use group-based licensing to automate user onboarding.
8. Synchronising Active Directory with Google Workspace
If using Google Workspace alongside Microsoft:
Tools Required
- Google Cloud Directory Sync (GCDS)
- SAML SSO configuration
Steps
- Install GCDS on a Windows server
- Connect GCDS to on-prem AD
- Select users/groups to sync
- Configure SSO so users log in with AD credentials
- Schedule sync (daily or on demand)
This ensures one identity across platforms.
9. Security Best Practices After Synchronisation
Once sync is active:
- Enable Multi-Factor Authentication
- Apply Conditional Access policies
- Protect admin accounts with stricter rules
- Monitor login and sync logs regularly
- Back up Azure AD Connect configuration
10. Common Problems and How to Avoid Them
| Problem | Solution |
|---|---|
| UPN mismatch | Align UPN with email domain |
| Duplicate users | Clean AD before syncing |
| Sync failures | Check DNS, permissions, logs |
| Account lockouts | Review password policies |
11. Ongoing Maintenance
Synchronisation is not “set and forget”.
Regular tasks:
- Review sync logs monthly
- Clean up stale AD accounts
- Test recovery procedures
- Keep Azure AD Connect updated
Final Thoughts
A properly synchronised Active Directory environment:
- simplifies user management
- improves security
- reduces IT workload
- supports hybrid and cloud-first working
When done incorrectly, it can create serious security and access issues — planning and testing are essential.