Wednesday, 25 June 2025

Microsoft Entra ID (Azure Active Directory)

 

Active Directory to Entra ID and M365 User Sync

This document outlines the process of synchronizing user accounts from an on-premises Active Directory (AD) environment to Entra ID (formerly Azure Active Directory) and Microsoft 365 (M365). It covers the tools, configurations, and best practices involved in ensuring a seamless and consistent user identity experience across both environments.

Introduction

Synchronizing your on-premises Active Directory with Entra ID and Microsoft 365 is a crucial step for organizations adopting cloud services. This synchronization allows users to use their existing AD credentials to access M365 applications and resources, simplifying user management and improving security. The primary tool used for this synchronization is Microsoft Entra Connect (formerly Azure AD Connect).

Microsoft Entra Connect


Microsoft Entra Connect is a Microsoft tool designed to achieve hybrid identity by synchronizing on-premises Active Directory to Entra ID. It handles the following key tasks:

  • Synchronization: Copies user, group, and other objects from your on-premises AD to Entra ID.
  • Authentication: Provides options for password hash synchronization, pass-through authentication, and federation with AD FS.
  • Health Monitoring: Monitors the health of your synchronization infrastructure.

Prerequisites

Before installing and configuring Entra Connect, ensure the following prerequisites are met:

  • Active Directory: A functional on-premises Active Directory environment.
  • Entra ID Tenant: An active Entra ID tenant and an account holding the Global Administrator or Hybrid Identity Administrator role for the installation.
  • Server Requirements: A dedicated server meeting the hardware and software requirements for Entra Connect. Refer to the official Microsoft documentation for the latest specifications. The server should be domain-joined.
  • Network Connectivity: The server running Entra Connect must have network connectivity to both the on-premises Active Directory and the internet (for communication with Entra ID).
  • Permissions: The AD DS connector account needs read access to the directory plus write rights for any writeback feature you enable, and when password hash synchronization is selected it is granted Replicating Directory Changes and Replicating Directory Changes All on the domain, the same rights a DCSync attack uses. Treat the Entra Connect server and its service accounts as Tier 0: patch, back up and restrict interactive logon to the server as you would a domain controller, and never reuse the connector account elsewhere. A dedicated service account (the wizard can create one) is recommended.
  • Firewall Rules: Ensure that the necessary firewall rules are in place to allow communication between the Entra Connect server, Active Directory, and Entra ID.

Installation and Configuration

  1. Download Entra Connect: Download the latest version of Entra Connect from the Microsoft website.
  2. Run the Installer: Execute the downloaded file to start the installation process.
  3. Express Settings vs. Custom Installation: Choose between Express Settings or Custom Installation. Express Settings are suitable for simple environments with a single AD forest. Custom Installation provides more control over the configuration.
  4. Connect to Entra ID: Provide the credentials for your Entra ID global administrator account.
  5. Connect to Active Directory: Provide the credentials for the Active Directory account with the necessary permissions.
  6. Synchronization Options: Configure the synchronization options, including:
    • Organizational Units (OUs): Select the OUs to be synchronized to Entra ID. This allows you to scope the synchronization to specific users and groups.
    • User Identification: Choose the source anchor attribute that ties each on-premises object to its cloud object (ms-DS-ConsistencyGuid is the default and is preferred over objectGUID because it survives cross-forest moves) and the attribute used as the cloud user principal name (normally userPrincipalName, which must use a domain verified in the tenant).
    • Optional Features: Enable optional features such as password hash synchronization, password writeback, and group writeback.
  7. Authentication Method: Select the authentication method to use:
    • Password Hash Synchronization (PHS): Entra Connect reads each user's NT hash, re-hashes it with a per-user salt and PBKDF2-HMAC-SHA256 (1,000 iterations), and sends only that derived value to Entra ID, so what is stored in the cloud cannot be replayed against on-premises AD. This is the simplest and most common method and keeps cloud sign-in working if the on-premises environment is unavailable.
    • Pass-through Authentication (PTA): Authenticates users against the on-premises Active Directory in real-time.
    • Federation with AD FS: Uses Active Directory Federation Services (AD FS) for authentication.
  8. Configure Single Sign-On (SSO): Configure seamless single sign-on (SSO) so that users on domain-joined devices inside the corporate network are signed in to M365 applications with a Kerberos ticket instead of being prompted for credentials. The wizard creates a computer account (AZUREADSSOACC) in AD whose Kerberos key is the secret behind this; Microsoft recommends rolling that key at least every 30 days (Update-AzureADSSOForest from the AzureADSSO module shipped with Entra Connect). Seamless SSO applies to PHS and PTA, not to AD FS federation.
  9. Review and Install: Review the configuration settings and click "Install" to begin the synchronization process.

Verification and Monitoring

After the installation is complete, verify that the synchronization is working correctly:

  • Entra ID Portal: Check the Entra ID portal to confirm that users and groups are being synchronized from Active Directory.
  • Synchronization Service Manager: Use the Synchronization Service Manager (miisclient.exe, under %ProgramFiles%\Microsoft Azure AD Sync\UIShell) to monitor the synchronization process and troubleshoot errors. The Operations tab shows each run with its import, sync and export counts and any per-object errors; Connectors and Metaverse Search let you trace a single object from AD to Entra ID.
  • Event Logs: Review the event logs on the Entra Connect server for any errors or warnings related to the synchronization process.
  • Microsoft 365: Verify that users can log in to Microsoft 365 applications using their Active Directory credentials.
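The installation steps and verification checks above can be driven from PowerShell on the Entra Connect server. The following is an added example, not code from the original page or from Microsoft: it assumes the ADSync module (installed with Entra Connect), the RSAT ActiveDirectory module and the Microsoft.Graph SDK are present, and it uses no environment-specific names. The last part audits which principals hold the directory-replication rights that the connector account receives with PHS, so that an unexpected holder of DCSync-equivalent rights is noticed.

```powershell
# Added example (not from the original page). Run in an elevated session on the Entra Connect
# server. Assumes: ADSync module, RSAT ActiveDirectory module, Microsoft.Graph SDK.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler state: is the sync cycle enabled, is this a staging server, when is the next run?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# 2. Connectors: expect one AD DS connector per forest and one Entra ID connector.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# 3. Force a delta cycle (exports only changed objects) and wait for it to finish.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. Cloud side: confirm the tenant recorded the sync and count synced users.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All' -NoWelcome
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
$synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" -ConsistencyLevel eventual `
    -CountVariable syncedCount -Property UserPrincipalName, OnPremisesSamAccountName
"Synced users in tenant: $syncedCount"

# 5. Security check: with PHS the AD DS connector account (MSOL_<id> by default) holds
#    DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head.
#    List every principal allowed those rights; anything other than domain controllers,
#    the connector account and known Tier 0 principals is a finding to investigate.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object { $_.ObjectType -in @($getChanges, $getChangesAll) -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference,
                  @{ n = 'Right'; e = { if ($_.ObjectType -eq $getChangesAll) { 'Get-Changes-All' } else { 'Get-Changes' } } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Step 5 is worth running on a schedule, not only at install time: the replication rights are what make the connector account a high-value target, and a new entry in that list is one of the few reliable early signs of a DCSync backdoor being prepared.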

Best Practices

  • Staging Server: Use a staging server to test configuration changes before implementing them in production.
  • Regular Monitoring: Monitor the health of the Entra Connect server and the synchronization process regularly.
  • Password Policy: Keep the Entra ID password policy consistent with the Active Directory policy. With PHS and PTA the password is changed in AD, so AD's length, complexity and expiry rules govern synced users; Entra Password Protection for AD extends the cloud banned-password list to the domain controllers. With PTA, configure Entra smart lockout with a lower threshold and a longer duration than the AD lockout policy, so that password spraying against the cloud endpoint is stopped in the cloud and cannot lock users out of on-premises AD.
  • Attribute and OU Filtering: Use OU and attribute filtering to control which objects and attributes reach Entra ID. Keep on-premises privileged accounts (Domain Admins, service accounts) out of the sync scope and use separate cloud-only accounts for Entra ID administrative roles, so that a compromise on one side does not carry over to the other.
  • Documentation: Document the configuration of Entra Connect and the synchronization process.
  • Regular Updates: Keep Entra Connect on a supported 2.x build; the 1.x series is retired and no longer receives security fixes. Auto-upgrade handles this for eligible installations; otherwise schedule upgrades and test them on the staging server first.
  • Plan for Disaster Recovery: Have a plan in place for disaster recovery in case of a failure of the Entra Connect server.

Troubleshooting

  • Synchronization Errors: Review the Synchronization Service Manager for detailed information about synchronization errors.
  • Authentication Issues: Check the event logs on the Entra Connect server and the Active Directory domain controllers for authentication errors.
  • Connectivity Problems: Verify that the Entra Connect server has network connectivity to both Active Directory and Entra ID.
  • Permission Issues: Ensure that the Entra Connect account has the necessary permissions to read and write to both Active Directory and Entra ID.

Conclusion

Synchronizing your on-premises Active Directory with Entra ID and Microsoft 365 is a critical step for organizations adopting cloud services. By following the steps outlined in this document and adhering to best practices, you can ensure a seamless and secure user identity experience across both environments. Remember to consult the official Microsoft documentation for the most up-to-date information and guidance.

 

Advanced Intune Interview Questions

 

Advanced Intune Troubleshooting Questions

🔧 Device Enrollment & Management

  1. How do you troubleshoot a device that fails to enroll into Intune?

    • Check MDM authority, licensing, time sync, event logs (DeviceManagement-Enterprise-Diagnostics-Provider).

  2. A device is Azure AD joined but not showing in Intune. What do you check?

    • Confirm auto-enrollment is enabled (the MDM user scope in Entra ID, or the AutoEnrollMDM policy on the device), check the enrollment records under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> for the MDM server URLs and enrollment state, and check licensing and sync status.

  3. Where do you find logs for Windows 10/11 enrollment issues?

    • Event Viewer > Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

    • Also use mdmdiagnosticstool.exe -area DeviceEnrollment -cab <path>

  4. What happens if a device has both SCCM and Intune co-management enabled but is not syncing policies?

    • Check co-management workload slider, device sync status, and registry path HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP.
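The enrollment questions above all come down to the same handful of checks on the device. The following is an added example, not code from the original page: a single function that collects join state from dsregcmd, the auto-enrollment policy, the enrollment records, recent provider errors and the diagnostic cab. It assumes only built-in Windows tooling; the output path and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the original page). Run as Administrator on the Windows client.
# Assumes built-in tooling only: dsregcmd.exe, mdmdiagnosticstool.exe, the event log and the
# Enrollments registry hive. $CabPath is an arbitrary output location.
function Get-MdmEnrollmentState {
    param([string]$CabPath = 'C:\Temp\MdmDiag.cab')

    # 1. Join state and MDM URL as the device itself sees them.
    $ds = dsregcmd /status
    $joinInfo = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'EnterpriseJoined', 'MdmUrl', 'TenantName') {
        $line = $ds | Select-String -Pattern "^\s*$key\s*:\s*(.+)$" | Select-Object -First 1
        $joinInfo[$key] = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { '<absent>' }
    }

    # 2. Auto-enrollment policy that makes an Entra-joined device enroll into MDM.
    $autoEnroll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
                    -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    $joinInfo['AutoEnrollMDM'] = if ($autoEnroll) { $autoEnroll.AutoEnrollMDM } else { '<not set>' }

    # 3. Enrollment records: the Intune/MDM enrollment carries ProviderID 'MS DM Server'.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, EnrollmentState, EnrollmentType, UPN, DiscoveryServiceFullURL

    # 4. Errors from the enrollment/management provider in the last 24 hours.
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
            Level     = 2          # Error
            StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue |
        Select-Object -First 20 TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

    # 5. Full enrollment diagnostic bundle for escalation.
    New-Item -ItemType Directory -Path (Split-Path $CabPath) -Force | Out-Null
    & "$env:SystemRoot\System32\mdmdiagnosticstool.exe" -area DeviceEnrollment -cab $CabPath

    [pscustomobject]@{
        JoinState     = [pscustomobject]$joinInfo
        Enrollments   = $enrollments
        RecentErrors  = $events
        DiagnosticCab = $CabPath
    }
}

$result = Get-MdmEnrollmentState
$result.JoinState
$result.Enrollments  | Format-Table -AutoSize
$result.RecentErrors | Format-Table -Wrap
```

Read the result top down: if AzureAdJoined is NO the device cannot auto-enroll at all; if it is YES but there is no 'MS DM Server' enrollment, look at AutoEnrollMDM, licensing and the MDM user scope; if an enrollment exists but policy never arrives, the provider errors and the cab are what to escalate with.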


💼 App Deployment

  1. How do you troubleshoot a Win32 app that fails to install via Intune?

    • Review IntuneManagementExtension.log, check detection rules, install command, and return codes.

  2. What does "Not Applicable" mean under app installation status?

    • The app didn’t meet the assignment criteria (e.g., OS version, architecture).

  3. Why is a required app stuck in “Pending”?

    • Device hasn't checked in, content not downloaded, or assignment not targeted correctly.

  4. Where are Win32 app logs stored on a device?

    • C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
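IntuneManagementExtension.log is written in CMTrace format, which is awkward to read with a plain text editor and impossible to filter with Select-String once messages wrap. The following is an added example, not code from the original page: a parser for that format and a filter that surfaces Win32 app failures with their exit codes. The sample log lines are constructed for the example (real IME wording differs between versions, so the message filters are heuristics), and the exit-code table holds only the standard Windows Installer codes.

```powershell
# Added example (not from the original page). Parses CMTrace-format entries written by the
# Intune Management Extension and extracts Win32 app failures with exit codes.
# $sampleLog is constructed for this example; use -Path with the real file:
#   C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    # Entry shape: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    # type 1 = info, 2 = warning, 3 = error. Messages can span lines, hence Singleline.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    $levels  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        [pscustomobject]@{
            Timestamp = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Level     = $levels[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Standard Windows Installer return codes; anything else needs the installer's own log.
$exitCodeMeaning = @{
    0    = 'Success'
    1641 = 'Success, reboot initiated'
    3010 = 'Success, soft reboot required'
    1603 = 'Fatal error during installation'
    1618 = 'Another installation is already in progress'
}

function Find-Win32AppFailure {
    param([string]$Path, [string]$Content)
    if ($Path) { $Content = Get-Content -Path $Path -Raw }
    $guid = '[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}'
    ConvertFrom-CMTraceLog -Content $Content |
        Where-Object { $_.Message -match 'Win32' -and
                       ($_.Level -eq 'Error' -or $_.Message -match '(exit|return) code') } |
        ForEach-Object {
            $code  = if ($_.Message -match '(?:exit|return) code\s*[:=]?\s*(-?\d+)') { [int]$Matches[1] } else { $null }
            $appId = if ($_.Message -match $guid) { $Matches[0] } else { $null }
            [pscustomobject]@{
                Timestamp = $_.Timestamp
                Level     = $_.Level
                AppId     = $appId
                ExitCode  = $code
                Meaning   = if ($null -ne $code -and $exitCodeMeaning.ContainsKey($code)) { $exitCodeMeaning[$code] } else { '' }
                Message   = $_.Message
            }
        }
}

# Constructed sample (not a real IME log): one app downloads, installs, fails with 1603.
$sampleLog = @'
<![LOG[[Win32App] Downloading app content for app id a1b2c3d4-0000-4000-8000-000000000001]LOG]!><time="10:21:10.0000000" date="6-25-2025" component="IntuneManagementExtension" context="" type="1" thread="8" file="">
<![LOG[[Win32App] Detection rule check result: app not detected, proceeding to install]LOG]!><time="10:21:30.0000000" date="6-25-2025" component="IntuneManagementExtension" context="" type="1" thread="8" file="">
<![LOG[[Win32App] Installer exited with exit code 1603 for app id a1b2c3d4-0000-4000-8000-000000000001]LOG]!><time="10:22:05.0000000" date="6-25-2025" component="IntuneManagementExtension" context="" type="3" thread="8" file="">
<![LOG[[Win32App] Detection after install failed, marking app as failed]LOG]!><time="10:22:06.0000000" date="6-25-2025" component="IntuneManagementExtension" context="" type="3" thread="8" file="">
'@

Find-Win32AppFailure -Content $sampleLog | Format-Table -AutoSize
```

On the sample, the two informational lines are dropped and the two error lines come back, the first with ExitCode 1603 and its meaning. A 1603 with a passing download and failing detection is the pattern to recognise in an interview: the content arrived, the installer ran and failed, so the next stop is the installer's own log rather than Intune.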


📜 Policy & Profile Troubleshooting

  1. How do you troubleshoot a configuration profile not applying?

    • Check Settings > Accounts > Access work or school, Event Viewer logs, and dsregcmd /status output.

  2. How do you verify a configuration profile was applied?

    • Intune portal → Devices → Configuration profiles → Device status

    • Use WMI: Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName <MDM_Policy_Result01_...> shows the effective value of each setting in a policy area; the class names available on the device can be listed with Get-CimClass in the same namespace.

  3. How do you check for failed PowerShell script deployments?

    • Review IntuneManagementExtension.log

    • Ensure correct execution context (System vs User)

  4. Why would a compliance policy not mark a device as non-compliant?

    • Check if device sync is current, policy is assigned, and conditions are matched.


🔐 Security & Conditional Access

  1. A device is compliant but access to email is blocked. Why?

    • Check every Conditional Access policy that applies (there is no priority order: all matching policies are evaluated and a block from any one of them wins), their filters, and the sign-in logs in Entra ID; the Conditional Access tab of a sign-in entry shows which policy matched and which control failed.

  2. How do you troubleshoot BitLocker not applying via Intune?

    • Check if TPM is enabled, profile settings are correct, and Event Viewer > Microsoft-Windows-BitLocker-API.

  3. Why is Defender Antivirus policy not being enforced?

    • May be overridden by GPO or not meeting assignment conditions. Check logs at:

      • C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.log

  4. How do you confirm a device is using MDM for Windows Update management?

    • Settings > Update & Security > View configured update policies

    • Registry: MDM-delivered settings land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update. Values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate come from Group Policy, so their presence means GPO is (also) managing updates.
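The BitLocker, Defender and Windows Update questions above share one root cause more often than not: the setting arrived from a source other than Intune, or a prerequisite on the device was missing. The following is an added example, not code from the original page: a read-only posture check that reports TPM and BitLocker state, Defender real-time protection, and whether each policy area was delivered by MDM, GPO or both. It uses built-in modules and registry paths only; the "findings" logic is this example's own heuristic, not an Intune report.

```powershell
# Added example (not from the original page). Run as Administrator on a Windows client.
# Assumes the built-in TrustedPlatformModule, BitLocker and Defender modules.
function Get-DeviceSecurityPosture {
    $tpm  = Get-Tpm
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $av   = Get-MpComputerStatus
    $pref = Get-MpPreference

    # Policy source: GPO-delivered values live under HKLM\SOFTWARE\Policies\...;
    # MDM-delivered values land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.
    $gpoDefender = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $mdmDefender = Test-Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
    $gpoUpdate   = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $mdmUpdate   = Test-Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    # ControlPolicyConflict/MDMWinsOverGP = 1 makes the MDM value win where both exist.
    $mdmWins = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict' `
                -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings.Add('TPM absent or not ready; a TPM-based BitLocker policy cannot apply')
    }
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection on $env:SystemDrive is $($os.ProtectionStatus) (volume status $($os.VolumeStatus))")
    }
    if ($os.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector; there is no recovery key for Intune to escrow')
    }
    if (-not $av.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings.Add('Defender real-time protection is off')
    }
    if ($gpoDefender -and $mdmDefender -and $mdmWins -ne 1) {
        $findings.Add('Defender settings exist from both GPO and MDM and MDMWinsOverGP is not set; GPO values win')
    }
    if ($gpoUpdate -and -not $mdmUpdate) {
        $findings.Add('Windows Update is governed by GPO, not by Intune')
    }

    [pscustomobject]@{
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        BitLockerProtection  = $os.ProtectionStatus
        BitLockerProtectors  = ($os.KeyProtector.KeyProtectorType -join ',')
        DefenderRealTime     = $av.RealTimeProtectionEnabled
        DefenderPolicySource = @(if ($mdmDefender) { 'MDM' }; if ($gpoDefender) { 'GPO' }) -join '+'
        UpdatePolicySource   = @(if ($mdmUpdate) { 'MDM' }; if ($gpoUpdate) { 'GPO' }) -join '+'
        MdmWinsOverGp        = $mdmWins
        Findings             = $findings
    }
}

Get-DeviceSecurityPosture | Format-List
```

A policy source of GPO+MDM with MdmWinsOverGp empty is the classic "Intune says applied, device does something else" case: the device did receive the Intune setting, but Group Policy overrides it until MDMWinsOverGP is set or the GPO is retired.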


🧪 Reporting & Monitoring

  1. What are the key places to check device compliance?

    • Intune > Devices > Compliance policies

    • Entra ID > Devices > All devices (Compliant column)

  2. How do you generate a device compliance report?

    • Intune > Reports > Device compliance > Export

    • Or use PowerShell + Microsoft Graph API

  3. What logs help troubleshoot Autopilot failures?

    • C:\Windows\Logs\Autopilot

    • C:\ProgramData\Microsoft\Windows\Provisioning\Logs\Setupact.log

  4. How do you troubleshoot Company Portal not showing apps?

    • Confirm device is enrolled, app assignments are correct, and user is licensed.
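The "PowerShell + Microsoft Graph" answer above is usually where an interviewer asks for detail. The following is an added example, not code from the original page: it pulls every managed device through the Microsoft.Graph PowerShell SDK, exports the non-compliant ones, and also flags devices that have not checked in for a while, because a stale device can still show "compliant" on the strength of an old evaluation. The output path, the stale threshold and the "Stale" flag itself are this example's own choices, not Intune compliance states.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Graph SDK and an account
# with DeviceManagementManagedDevices.Read.All. $OutFile and $StaleDays are arbitrary.
function Export-IntuneComplianceReport {
    param(
        [string]$OutFile   = 'C:\Temp\IntuneCompliance.csv',
        [int]   $StaleDays = 14
    )
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $devices = Get-MgDeviceManagementManagedDevice -All |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                      ComplianceState, ManagementAgent, LastSyncDateTime,
                      @{ n = 'Stale'; e = { $_.LastSyncDateTime -lt $cutoff } }

    # A device that last checked in before the cutoff may still read 'compliant' only
    # because its state is old; give those the same priority as non-compliant devices.
    $report = $devices |
        Where-Object { $_.ComplianceState -ne 'compliant' -or $_.Stale } |
        Sort-Object ComplianceState, LastSyncDateTime
    $report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    $devices | Group-Object ComplianceState | Select-Object Name, Count
    "Stale (> $StaleDays days without check-in): $(@($devices | Where-Object Stale).Count)"
    "Written $(@($report).Count) rows to $OutFile"
}

Export-IntuneComplianceReport
```

For Conditional Access purposes the stale set matters as much as the non-compliant set: a device that stopped syncing keeps its last compliance verdict until Intune's grace logic catches up, so the CSV is a better input for an access review than the portal's compliance tile alone.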


🛠️ Misc & Deep-Dive

  1. What’s the difference between device sync and policy refresh?

    • Sync fetches policies from Intune; refresh applies or re-applies them on the device.

  2. Why would a profile apply on some devices and not others in the same group?

    • Check filters, group membership, OS version, and license availability.

  3. How do you re-trigger app deployment or policy application manually?

    • Run an Intune device sync from the Company Portal, from the Intune admin center (Devices > the device > Sync), or from PowerShell:

    ```powershell
    Invoke-IntuneDeviceSync
    ```

    Invoke-IntuneDeviceSync is not a cmdlet in Microsoft's Graph PowerShell SDK, so check which module provides it on your workstation before relying on it; the SDK cmdlet for the same action is Sync-MgDeviceManagementManagedDevice -ManagedDeviceId <id>. On the device itself the sync is driven by the scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\, which can be started with Start-ScheduledTask.

  4. How do you capture all Intune diagnostic logs from a device?

    • Run:

    ```powershell
    mdmdiagnosticstool.exe -area all -cab C:\Temp\IntuneLogs.cab
    ```

  5. Why is Intune not removing a retired device’s corporate data?

    • The device may be offline, or the retire command hasn’t reached the device yet. Wait or trigger a manual sync.