Prerequisites Before Installing Azure AD Connect

Series 02 of 06
Pre-Installation Checklist

Before You Click “Install”, Read This

Missing a single prerequisite is the #1 cause of failed installations. This guide walks through every technical and administrative requirement — infrastructure, accounts, networking, and identity hygiene — before you touch the installer.

CRITICAL: Version 2.5.79.0+ required by September 30, 2026 — older versions will be blocked by Microsoft backend

Quick checklist (each item is covered in the sections below):
  • Infrastructure ready
  • Server OS supported
  • Database planned
  • Local Admin account
  • Entra ID Admin account
  • On-prem AD account
  • Port 443 outbound open
  • TLS 1.2 enabled
  • PowerShell policy set
  • Domain verified in Entra
  • UPN suffixes aligned
  • Duplicate attributes cleared
Section 01

On-Premises Infrastructure

01
Active Directory Forest Functional Level
Minimum Requirement
  • Forest Functional Level: Windows Server 2003 or later
    Verify with PowerShell: Get-ADForest | Select-Object ForestMode. Most modern environments will already exceed this minimum.
02
The Sync Server Requirements
Critical Configuration
  • Supported OS — Windows Server 2016 / 2019 / 2022 / 2025
    Must be a domain-joined member server. Do not install it on a Domain Controller: Microsoft supports that only with caveats, and the sync server ends up holding an account with directory replication rights, so it has to be isolated and protected as a Tier 0 asset in its own right.
  • ❌ Server Core is NOT supported
    You must use Windows Server with Desktop Experience (GUI). The installation wizard requires a graphical interface to run.
💡 Best practice: Use a dedicated virtual machine. 4+ vCPUs, 8–16 GB RAM. If you’re syncing over 100,000 objects, allocate more CPU — the SQL workload is CPU-intensive during full sync cycles.
03
Database Selection
Based on Object Count
Database tier identified and provisioned
Your object count determines which SQL tier you need. Choose before running the installer.
Under 100,000 objects
SQL Server 2019 Express LocalDB
Auto-installed by the wizard. Zero configuration needed. Perfect for most small-to-mid organizations.
100,000+ objects
Full SQL Server (Standard / Enterprise)
    Must be pre-installed and reachable from the sync server. Required for performance and to stay clear of the 10 GB LocalDB database limit at scale.
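The three infrastructure checks above (forest level, sync server OS and role, object count for the database decision) can be run in one pass. This is an added example, not code from the original guide; it assumes the ActiveDirectory RSAT module is present and that you run it elevated on the server that will host Entra Connect.

```powershell
# Added example, not part of the original guide: infrastructure pre-flight for the
# server that will host Entra Connect. Run in an elevated session on that server.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

$result = [ordered]@{}

# 01 Forest functional level. Windows Server 2003 is the floor, so only the two
#    older modes fail the check.
$forest = Get-ADForest
$result['ForestMode']   = [string]$forest.ForestMode
$result['ForestModeOk'] = [string]$forest.ForestMode -notin @('Windows2000Forest', 'Windows2003InterimForest')

# 02 Operating system, domain membership and role.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$result['OS']                 = $os.Caption
$result['OSSupported']        = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)  # 14393 = Server 2016
$result['DomainJoined']       = $cs.PartOfDomain
$result['IsDomainController'] = ($os.ProductType -eq 2)

# Server Core vs Desktop Experience: the ServerLevels key carries Server-Gui-Shell = 1
# only when the full shell is installed.
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
$result['DesktopExperience'] = ($levels.'Server-Gui-Shell' -eq 1)

$result['LogicalCPUs'] = $cs.NumberOfLogicalProcessors
$result['MemoryGB']    = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

# 03 Object count drives the database choice. objectCategory is used instead of
#    objectClass because computer objects also carry objectClass=user.
#    This counts the current domain only; repeat with -Server for every domain
#    in a multi-domain forest.
$syncable = Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group)(objectCategory=computer))' |
            Measure-Object
$result['ObjectCount'] = $syncable.Count
$result['Database']    = if ($syncable.Count -lt 100000) { 'SQL Express LocalDB (wizard default)' } else { 'Full SQL Server required' }

[pscustomobject]$result | Format-List

# Hard blockers, in the order Section 01 lists them.
$blockers = @()
if (-not $result['ForestModeOk'])      { $blockers += 'Forest functional level below Windows Server 2003' }
if (-not $result['OSSupported'])       { $blockers += 'OS is not Windows Server 2016 or later' }
if (-not $result['DomainJoined'])      { $blockers += 'Server is not domain-joined' }
if ($result['IsDomainController'])     { $blockers += 'Server is a Domain Controller' }
if (-not $result['DesktopExperience']) { $blockers += 'Server Core: Desktop Experience is required' }
if ($blockers) {
    Write-Warning ("Not ready to install:`n - " + ($blockers -join "`n - "))
} else {
    Write-Host 'Infrastructure prerequisites satisfied.' -ForegroundColor Green
}
```

The object count is a floor, not the exact number of objects the connector will stage, since OU filtering and contacts change it; it is still the right number to size the database against.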

Section 02

Account Permissions — The “Golden Trio”

Installation requires credentials for three distinct account types. Having the wrong permissions on any one of these is an immediate blocker. Prepare all three before you start.

🖥️
Account Type 1
Local Administrator
Local Admin
To install the software binaries, register Windows Services, and configure the ADSync service on the server itself.
☁️
Account Type 2
Entra ID (Cloud) Admin
Hybrid Identity Admin
To register the sync agent in Azure and auto-create the dedicated cloud service account used for ongoing synchronization.
🏢
Account Type 3
On-Premises AD Account
Enterprise Admin
To read users and groups from AD and to hold the Replicating Directory Changes rights that Password Hash Sync needs.
⚠️ Least-privilege alternative: Express setup requires Enterprise Admin. Custom setup accepts a pre-created service account that holds only the specific AD rights, granted with dsacls. Prefer least privilege in production, and keep in mind that even the minimal account carries Replicating Directory Changes and Replicating Directory Changes All, the same rights a DCSync attack uses: restrict where that account can log on and alert on its use from any host other than the sync server.
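The least-privilege path for a custom install, as an added example that is not part of the original guide: create the AD DS Connector account, grant it only the two replication rights Password Hash Sync needs, and read the ACL back to prove the grant. The account name and OU are assumptions; replace them before running. The ADSyncConfig module that ships with the installer (Set-ADSyncPasswordHashSyncPermissions) can do the same grant, but it is only available once Entra Connect is installed.

```powershell
# Added example, not part of the original guide: least-privilege AD DS Connector
# account for a custom install with Password Hash Sync. Run as a Domain Admin once.
# Assumed names: svc-entra-sync and the Service Accounts OU (which must already exist).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName              # e.g. DC=contoso,DC=com
$svcName  = 'svc-entra-sync'                       # assumed account name
$svcOU    = "OU=Service Accounts,$domainDN"        # assumed OU

# 1. Create the account with a long random password. The wizard uses it once and the
#    ADSync service stores it, so no human needs to know it; keep it out of tickets.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'Entra Connect AD DS Connector account'

# 2. Grant the two extended rights on the domain root. "CA" is dsacls' control-access
#    flag; the names are the display names of the extended rights.
$principal = "$($domain.NetBIOSName)\$svcName"
dsacls $domainDN /G "${principal}:CA;Replicating Directory Changes"
dsacls $domainDN /G "${principal}:CA;Replicating Directory Changes All"

# 3. Verify from the ACL rather than trusting dsacls' output. The GUIDs are the
#    schema identifiers of the two rights (DS-Replication-Get-Changes and -All).
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$acl = Get-Acl -Path "AD:\$domainDN"
$granted = $acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $principal -and $rights.ContainsKey($_.ObjectType.Guid) } |
    ForEach-Object { $rights[$_.ObjectType.Guid] }

if (@($granted).Count -eq 2) {
    "OK: $principal holds $($granted -join ' and ')"
} else {
    Write-Warning "Expected both replication rights for $principal, found: $($granted -join ', ')"
}
```

Because these two rights are what DCSync uses, treat the account like a Domain Admin credential: deny it interactive and remote logon everywhere, and watch Security event 4662 on the DCs for either GUID with a source other than the sync server.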

Section 03

Network & Security

04
Outbound Connectivity — Required Microsoft URLs
Port 443 · HTTPS

The sync server must reach Microsoft’s endpoints outbound. If you have a proxy or firewall, allow-list these destinations and do not apply TLS inspection to Microsoft traffic.

Port              Destination                                Purpose
443               *.microsoftonline.com, *.msappproxy.net    Core Entra ID sync and authentication
443               *.servicebus.windows.net                   Pass-through Authentication agent
443               *.blob.core.windows.net                    Software updates and downloads
389 / 636         On-premises Domain Controllers             LDAP / LDAPS directory queries
135 + dynamic RPC On-premises Domain Controllers             Password Hash Sync (it pulls hashes with MS-DRSR replication calls over RPC, not LDAP)
🚫 SSL/TLS deep packet inspection will break AD Connect. Proxy appliances that intercept HTTPS traffic to Microsoft endpoints must be configured to bypass or whitelist those destinations entirely.
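A quick way to confirm both halves of this section from the future sync server: can it reach the Microsoft endpoints and the Domain Controllers on the listed ports, and who signs the certificate it actually receives. This is an added example and not part of the original guide. The hostnames are concrete members of the wildcard domains in the table and are assumptions for the test; the certificate report is something to read, not an automatic verdict.

```powershell
# Added example, not part of the original guide: outbound and DC port checks plus a
# look at the certificate chain, which is the fastest way to spot TLS inspection.
# Hostnames are assumptions chosen from the wildcard domains listed in the guide.
Import-Module ActiveDirectory

$endpoints = @(
    'login.microsoftonline.com',           # *.microsoftonline.com, authentication
    'adminwebservice.microsoftonline.com'  # *.microsoftonline.com, provisioning web service
)

function Get-TlsEndpointReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any certificate: the point is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol   # expect Tls12 (or Tls13)
            Issuer   = $leaf.Issuer       # Microsoft endpoints chain to public CAs
            RootCA   = $root.Subject      # your own enterprise CA here means interception
            Error    = $null
        }
    } catch {
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Issuer = $null; RootCA = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

# Direct TCP check. With an explicit (non-transparent) proxy this fails even though the
# installer would succeed, because the installer reads the proxy from machine.config;
# in that case the failure tells you the proxy must be configured before installing.
foreach ($h in $endpoints) {
    $open = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet
    '{0,-40} tcp/443 open: {1}' -f $h, $open
}

$endpoints | ForEach-Object { Get-TlsEndpointReport -HostName $_ } | Format-List

# Domain Controller ports: Kerberos, the RPC endpoint mapper that Password Hash Sync
# needs for its MS-DRSR calls (plus the dynamic range), and LDAP / LDAPS.
$dc = [string](Get-ADDomainController -Discover).HostName
foreach ($port in 88, 135, 389, 636) {
    $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet
    '{0,-40} tcp/{1} open: {2}' -f $dc, $port, $open
}
```

If the RootCA line shows your internal PKI or a proxy vendor instead of a public root, that destination is being intercepted and must be added to the proxy bypass before the wizard runs.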
05
TLS & PowerShell Configuration
Security Hardening
  • TLS 1.2 must be explicitly enabled on the server
    TLS 1.0 and 1.1 are deprecated and cause sync failures. On older OS versions TLS 1.2 may be present but not the default; force it through the SCHANNEL protocol keys and the .NET Framework SchUseStrongCrypto / SystemDefaultTlsVersions values in the registry (Entra Connect does not run under IIS, so IIS settings do not apply).
  • PowerShell Execution Policy: RemoteSigned
    Run Set-ExecutionPolicy RemoteSigned in an elevated PowerShell session. The installer and the ADSync module run signed scripts and need at least this policy. If Group Policy sets the MachinePolicy scope, that setting wins; check with Get-ExecutionPolicy -List.
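Both hardening steps in one script, as an added example that is not part of the original guide. It writes the SCHANNEL and .NET registry values that make TLS 1.2 the negotiated protocol, sets the execution policy, and reads everything back. The $disableLegacy switch is an assumption added here: turn it on only after confirming nothing else on the server still needs TLS 1.0 or 1.1.

```powershell
# Added example, not part of the original guide: enforce TLS 1.2 for SCHANNEL and for the
# .NET Framework the installer and sync engine run on, then set the execution policy.
# Run elevated. SCHANNEL changes take effect after a reboot. $disableLegacy is an assumed
# switch, off by default.
$disableLegacy = $false
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWORD -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
if ($disableLegacy) {
    Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
    Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
}

# .NET 4.x must follow the OS protocol defaults and use strong crypto, for both the
# 64-bit and the 32-bit (WOW6432Node) runtime.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $net)) { New-Item -Path $net -Force | Out-Null }
    New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWORD -Force | Out-Null
}

# Execution policy. A GPO-set MachinePolicy scope overrides this silently.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Read the state back so the change can be verified now and again after the reboot.
function Get-TlsHardeningState {
    $state = [ordered]@{}
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path (Join-Path $schannel $proto) $side) -ErrorAction SilentlyContinue
            $state["$proto $side"] = if ($null -eq $p) { 'OS default' } elseif ($p.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
    $net64 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $state['.NET SystemDefaultTlsVersions'] = $net64.SystemDefaultTlsVersions
    $state['.NET SchUseStrongCrypto']       = $net64.SchUseStrongCrypto
    $state['ExecutionPolicy (effective)']   = Get-ExecutionPolicy
    $state['ExecutionPolicy (MachinePolicy)'] = Get-ExecutionPolicy -Scope MachinePolicy
    [pscustomobject]$state
}
Get-TlsHardeningState | Format-List
```

Microsoft ships the same registry changes as Set-ADSyncToolsTls12 in the ADSyncTools module, but that module arrives with the installer; doing it beforehand avoids the chicken-and-egg problem on a server whose default protocol is still too old to download anything.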

Section 04

Identity “Cleanliness”

The sync engine is unforgiving about dirty data. Messy on-premises AD attributes create duplicate cloud objects, quarantine errors, and silent sync failures that are painful to diagnose after the fact.

🌐
Verified Custom Domain
Add and verify your domain (e.g., contoso.com) in the Entra ID portal before installing. Users with unverified domains get a fallback @tenant.onmicrosoft.com UPN — breaking SSO.
🔗
UPN Suffix Alignment
If your local domain is contoso.local, add a UPN suffix (contoso.com) in AD and migrate users so their UPN matches their email: user@contoso.com.
🔍
Duplicate Attribute Check
No two objects may share the same proxyAddress or mail value. Entra ID reports the conflict as an AttributeValueMustBeUnique export error; with duplicate attribute resiliency the second object is still created, but the conflicting attribute is quarantined, so the user lands in the cloud with a missing address and nobody notices until mail or SSO misbehaves.
🧹
Run the IdFix Tool
Microsoft’s free IdFix tool scans your AD for format violations, duplicates, missing attributes, and invalid characters. Resolve all errors before installing.
IdFix download: available at github.com/microsoft/idfix. Run it with an account that can read the whole directory (write rights are only needed if you apply fixes from within the tool), export the error report, and resolve every item marked ERROR before proceeding. Items marked WARN can be deferred.
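The UPN and duplicate-attribute checks above can be scripted so the findings are in hand before IdFix or the installer surfaces them. This is an added example, not code from the original guide; the verified domain list is an assumption and must be copied from the Entra admin center, and the remediation step runs with -WhatIf on purpose.

```powershell
# Added example, not part of the original guide: UPN suffix alignment and duplicate
# proxyAddresses / mail checks for the current domain, with a guarded remediation.
# $verifiedDomains is an assumption; use the domains Entra shows as verified.
Import-Module ActiveDirectory
$verifiedDomains = @('contoso.com')
$routableSuffix  = $verifiedDomains[0]

# 1. UPN suffix alignment: any enabled user whose suffix is not a verified domain is
#    renamed to @<tenant>.onmicrosoft.com in the cloud, which breaks SSO.
$users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail, proxyAddresses
$badUpn = @($users | Where-Object {
    $upn = $_.UserPrincipalName
    (-not $upn) -or (($upn -split '@')[-1] -notin $verifiedDomains)
})
"Users with non-routable or missing UPN: $($badUpn.Count)"

# 2. Duplicate proxyAddresses / mail. Entra requires uniqueness across the tenant and
#    compares case-insensitively, so SMTP:Bob@contoso.com and smtp:bob@contoso.com
#    collide, and one object's mail clashing with another's proxyAddress counts too.
#    Groups and contacts carry these attributes as well, hence Get-ADObject.
$mailObjects = Get-ADObject -LDAPFilter '(|(mail=*)(proxyAddresses=*))' -Properties mail, proxyAddresses
$owners = @{}    # lowercase address -> list of distinguished names claiming it
foreach ($o in $mailObjects) {
    $addresses = @()
    if ($o.mail) { $addresses += $o.mail }
    foreach ($pa in @($o.proxyAddresses)) {
        if ($pa -match '^smtp:(.+)$') { $addresses += $Matches[1] }   # X500:/SIP: entries are not checked
    }
    foreach ($a in $addresses) {
        $k = $a.ToLowerInvariant()
        if (-not $owners.ContainsKey($k)) { $owners[$k] = New-Object System.Collections.Generic.List[string] }
        if (-not $owners[$k].Contains($o.DistinguishedName)) { $owners[$k].Add($o.DistinguishedName) }
    }
}
$duplicates = @($owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
"Addresses claimed by more than one object: $($duplicates.Count)"
$duplicates | ForEach-Object { "  {0}`n    {1}" -f $_.Key, ($_.Value -join "`n    ") }

# 3. Remediation for the UPN finding: add the routable suffix to the forest once, then
#    rewrite each UPN to the user's mail address when that address is in a verified
#    domain (so UPN = primary SMTP), otherwise keep the local part and swap the suffix.
if ($badUpn.Count -gt 0 -and $routableSuffix -notin (Get-ADForest).UPNSuffixes) {
    Get-ADForest | Set-ADForest -UPNSuffixes @{Add = $routableSuffix}
}
foreach ($u in $badUpn) {
    $local   = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
    $mailOk  = $u.mail -and (($u.mail -split '@')[-1] -in $verifiedDomains)
    $newUpn  = if ($mailOk) { $u.mail } else { "$local@$routableSuffix" }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf   # remove -WhatIf to apply
}
```

Run the duplicate check against every domain in the forest, not just the one the sync server sits in: the uniqueness constraint is tenant-wide, and the most painful collisions are between domains that never compared notes.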
Section 05

Mandatory Security Hardening Update: Action Required (2026)

Microsoft has implemented a mandatory security hardening update affecting all existing Azure AD Connect / Entra Connect deployments. Any installation running a version older than 2.5.79.0 will have its synchronization blocked entirely by the Microsoft backend after the deadline — regardless of whether it was previously working.

  • Minimum required version: 2.5.79.0 or later
  • Hard deadline: September 30, 2026
  • Consequence: synchronization blocked by Microsoft

Check the installed version on an existing sync server from the uninstall registry key (this works without loading any module):
  Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -match 'Azure AD Connect|Entra Connect' } | Select-Object DisplayName, DisplayVersion
With the ADSync module loaded, the same information is exposed as a global setting:
  (Get-ADSyncGlobalSettings).Parameters | Where-Object Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' | Select-Object Name, Value
Note that Get-ADSyncScheduler reports the sync schedule, not the build version.
Pre-Flight Summary

Your Complete Checklist

Ready to Install? Confirm All Items Below
  • Forest Functional Level ≥ Windows Server 2003
  • Dedicated domain-joined server with Desktop Experience (not Core)
  • Database tier confirmed (LocalDB or full SQL based on object count)
  • Local Administrator account on the sync server
  • Hybrid Identity Administrator (or Global Admin) in Entra ID
  • Enterprise Admin (or custom service account) in on-prem AD
  • Outbound port 443 open to the Microsoft URLs with no TLS inspection, plus LDAP/LDAPS and RPC to the Domain Controllers
  • TLS 1.2 enabled and enforced on the server
  • PowerShell Execution Policy set to RemoteSigned
  • Custom domain verified in the Entra ID portal
  • UPN suffixes aligned — no .local or other non-routable suffixes
  • IdFix run — zero errors, no duplicate proxyAddress or mail attributes
Microsoft Entra Connect — Prerequisites Guide  ·  Series 02 of 06  ·  Next: Installation & Initial Configuration →
