Azure AD Connect cloud provisionning meet the needs for hybrid management. The following advantages are offered by this functionality.
Synchronizing an Azure AD from a multi-forest disconnected Active Directory forest. The disconnected Active Directory forest is isolated from the already synchronized Active Directory forest.
Simplified installation with agents. The agents have the function of bridge between Active Directory and Azure AD. The synchronization configuration is managed in the cloud.
Possibility to use several provisioning agents in order to have a high availability.
Install AAD Connect cloud provisioning agent
From the Azure AD portal http://aad.portal.azure.com, click on Azure AD Connect then on Manage provisionning.
Click on Download agent for download install file of the agent.
A new windows appear, click on Accept terms & Download.
AAD Agent can now be downloaded.
Run the previously downloaded file. A wizard appear, check I agree to the licence terms and privacy notice and click on Install.
Install is in progress …. If you install agent on Domain controller, you may encounter a permission problem. The service will not start and an error appears during installation. Change the account used by the service to an administrator account. At the installation level, click Retry.
When installation is finished, a new windows appear. Enter the credential of the Azure global admin account or user with delegated right.
Select your Active Directory forest and click on Add Directory.
Enter the credential of user Active Directory. My user does not have administrative rights. I only granted him the right to Replicating Directory Changes and Replicating Directory Changes All at the root of the domain (necessary for synchronizing the password hash).
Configuration is now complete, click on Confirm.
Click on Exit when configuration is finished.
On Azure AD portal, click on Review all agents for see all installed agents.
The list of agent appear.
Create new configuration
From the Azure AD portal, click on Azure AD Connect then on Manage provisionning.
Click on New configuration for create new configuration.
A new windows appear, click on All users for change the scope. If possible to synchronize all users or select organizational unit or selected security groups. I choose to synchronize security groups, so I check selected security groups.
Enter email address for receive notification if provisionning is not healthy. Click on Enabled for enable configuration and click on Save.
Configuration has been applied.