How to Sync Local Active Directory Users & Devices to Microsoft Entra ID (Hybrid Join)
In this step-by-step guide, I'll show you how to properly hybrid join on-premises Active Directory users, groups and devices to Microsoft Entra ID (the identity service behind Microsoft 365), using the Microsoft Entra Connect Sync tool.
Synchronizing users and devices from on-premises Active Directory (AD) with Microsoft Entra ID (formerly known as "Azure AD") allows users to use the same credentials to access either on-premises resources or Microsoft 365 cloud services, and administrators to manage user accounts and devices in both environments.
In simple words, if your organization uses an on-premises Active Directory (AD) directory but also relies on Microsoft 365 services, synchronizing your users and devices with Microsoft Entra ID (formerly Azure AD) helps unify identity management, simplify sign-ins, and improve security.
This guide explains how to sync local AD users and devices to Microsoft Entra ID using the Microsoft Entra Connect Sync tool (aka "Azure AD Connect").
How to Hybrid Join an On-Premises Active Directory to Microsoft Entra ID with the Microsoft Entra Connect Sync tool (formerly Azure AD Connect).
Prerequisites
To synchronize Active Directory users and devices with Microsoft Entra ID (hybrid join), you need the following:
- A Microsoft 365 Tenant with a verified external domain name.
- A Windows Server (2016 or later) joined to your on-premises Active Directory to run the Microsoft Entra Connect Sync tool. Treat this server as a Tier 0 asset: it stores the credentials of the AD DS Connector account and, with password hash synchronization, processes password hash data, so harden and administer it like a domain controller.
- A Microsoft 365 account with the Global Administrator role, or preferably the less privileged Hybrid Identity Administrator role, which is sufficient to install and configure Entra Connect.
- A Domain Administrator account in Active Directory. If you let the wizard create the AD DS Connector account (Step 10), it asks for Enterprise Administrator credentials; these are used only during setup and are not stored.
- Network connectivity: the Entra Connect server must reach Microsoft Entra over TCP ports 80 (certificate revocation lists) and 443 (all other traffic).
- Devices running Windows 10/11.
Step 1. Add & Verify your External Domain Name in Microsoft 365.
Before proceeding further, navigate to Microsoft 365 Domain setup page and make sure that your own external domain name is verified.
If you haven't added your own domain name yet, click Add domain and follow the on-screen instructions to add and verify your own domain name.*
* Note: The sync does not work with the tenant's default "onmicrosoft.com" domain. Users whose UPN suffix is not a verified domain are still synced, but with their UPN rewritten to the "onmicrosoft.com" domain, so verify your own domain first.
Step 2. Add a UPN suffix for your External Domain Name in Active Directory.
By default, local Active Directory users log on with the UPN suffix of the local domain, e.g. "@localdomainname.local" (if the username is "john.smith" and your local domain is "wintips.local", the user principal name is "john.smith@wintips.local").
For users to sign in to Microsoft Entra ID after their accounts are synchronized, their UPN suffix must be a domain that is verified in the tenant (see the note in Step 1). So you need to add the UPN suffix for your external, custom domain name in Active Directory Domains and Trusts. To do this:
1. On your Active Directory server, open Server Manager and from the Tools menu open Active Directory Domains and Trusts.
2. Right-click the Active Directory Domains and Trusts node at the top of the left pane and click Properties.
3. In the UPN Suffixes tab, type your external, custom domain name (the one you verified in the Microsoft 365 admin center) under 'Alternative UPN suffixes' and click Add.
4. Finally, click Apply > OK to save the change.
Step 3. Change the UPN Suffix and set the SMTP Proxy Address on Every User in Active Directory.
After adding the UPN suffix, change the logon name of each user to the new suffix and set the SMTP proxy address. Entra Connect matches an on-premises user to an existing cloud user by UPN or by primary SMTP address ("soft match"); if neither matches, a second, duplicate account is created in the tenant. To do this:
1. In Server Manager, open Active Directory Users and Computers.
2. Select the Users container (or the OU that holds your users) on the left.
3. Double-click a domain user to open its Properties.
4. In the General tab, type the user's Microsoft 365 email address in the E-mail field and click Apply. (e.g. "john.smith@yourcustomdomain.com").*
* Note: If you have already created an account for this user in Microsoft 365, make sure that all other user details here (e.g. First Name, Last Name, etc.) are the same as the user's account in Microsoft 365.
5. Select the Account tab and change the UPN suffix in the user's logon name from "localdomainname.LOCAL" to your custom domain name (e.g. from "john.smith@wintips.local" to "john.smith@yourcustomdomain.com"). When done, click Apply to save the change.*
* Note: If the same user already exists in Microsoft 365 but has a different logon name in local AD (e.g. "JSmith" in the 'User logon name' field), change the on-premises logon name to match the Microsoft 365 username (e.g. "john.smith" in this example); otherwise the soft match fails and a duplicate user is created.
6. Now select the Attribute Editor tab and double-click the proxyAddresses attribute to edit it.
7. Type "SMTP:" (uppercase) followed by the user's Microsoft 365 email address, then click Add and then OK (e.g. "SMTP:john.smith@yourcustomdomain.com"). The uppercase prefix marks the primary address; exactly one uppercase "SMTP:" entry is allowed, and any additional aliases use the lowercase "smtp:" prefix.
8. Click Apply > OK to save the changes.
9. Now, perform the same steps for every user in Active Directory you want to synchronize with Entra and then proceed to the next step.
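Doing Steps 2 and 3 by hand for every user does not scale and invites typos in the proxyAddresses attribute. The following PowerShell script is an added example (not part of the original guide) that performs both steps for all enabled users in one OU: it registers the alternative UPN suffix on the forest, then rewrites each user's UPN, mail and proxyAddresses, refusing to create a duplicate UPN and demoting any old primary SMTP address to a lowercase alias so existing mail still routes. The domain name, the OU path and the 10-minute style defaults are assumptions; the ActiveDirectory RSAT module is required, Set-ADForest needs Enterprise Admin rights, and the user updates need write access to the OU.

```powershell
# Added example (not part of the original guide): PowerShell equivalent of
# Steps 2 and 3. Run on a domain-joined admin workstation or DC that has the
# ActiveDirectory RSAT module. Domain and OU names below are assumptions.
# Run with -WhatIf first to preview every change before committing it.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CustomDomain = 'yourcustomdomain.com',           # verified in Microsoft 365 (assumption)
    [string]$SearchBase   = 'OU=M365Sync,DC=wintips,DC=local' # pilot OU from Step 4 (assumption)
)

Import-Module ActiveDirectory

# Step 2: add the alternative UPN suffix at forest level, once.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $CustomDomain) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $CustomDomain")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $CustomDomain }
    }
}

# Step 3: rewrite UPN, mail and proxyAddresses for every enabled user in the OU.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties userPrincipalName, mail, proxyAddresses

foreach ($u in $users) {
    # Keep the existing logon prefix (e.g. john.smith) and swap only the suffix.
    $prefix = ($u.UserPrincipalName -split '@')[0]
    if (-not $prefix) { $prefix = $u.SamAccountName }
    $newUpn = "$prefix@$CustomDomain"

    # Refuse to introduce a duplicate UPN in the domain: Entra Connect would
    # report the second object as a sync error instead of exporting it.
    $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" |
             Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
        continue
    }

    # proxyAddresses must hold exactly one uppercase 'SMTP:' (the primary).
    # Demote any old primary to a lowercase 'smtp:' alias so mail sent to the
    # old address still routes, and keep non-SMTP entries (x500:, sip:) as-is.
    $aliases = @($u.proxyAddresses) | Where-Object { $_ } | ForEach-Object {
        if ($_ -clike 'SMTP:*') { 'smtp:' + $_.Substring(5) } else { $_ }
    } | Where-Object { $_ -ne "smtp:$newUpn" }
    $proxies = @("SMTP:$newUpn") + @($aliases) | Select-Object -Unique

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN and mail to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -EmailAddress $newUpn `
                   -Replace @{ proxyAddresses = [string[]]$proxies }
    }
}
```

Run it once with `-WhatIf` to see the planned changes, then without. The script only touches users below `$SearchBase`, which is why creating the pilot OU of Step 4 first is useful even when you script the changes.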
Step 4. (Optional). Create a new organizational unit (OU) with users/devices to synchronize with Microsoft Entra ID.
Because the first synchronization may surface problems with specific objects (invalid attributes, duplicates, unexpected matches), it is recommended to first create a new Organizational Unit (OU) and move into it only a subset of the users and devices you intend to synchronize.
This allows you to identify and resolve any synchronization issues or other problems after synchronization before proceeding to synchronize all on-premises AD users and computers with Microsoft Entra.
Step 5. Allow Automatic MDM Enrollment using Entra Credentials through a Group Policy.
To enroll the hybrid-joined Windows devices in Intune, enable automatic MDM enrollment via a Group Policy. With the credential type set to User Credential, enrollment runs in the context of the signed-in user and uses the Primary Refresh Token the device obtains once it is hybrid joined, so the device must already be hybrid joined and the user must have an Intune license. To do that:
1. In Server Manager, go to Tools and open Group Policy Management.
2. Create a new Group Policy Object (GPO) and link it to your whole domain or to the organizational unit (OU) that contains the devices you want to enroll. The setting is a computer policy, so the link must cover the computer objects, not only the users.
3. Open (Edit) the new GPO, and navigate to:
- Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
4. Open the Enable automatic MDM enrollment using default Azure AD credentials policy.*
* Note: If the "Enable automatic MDM enrollment using default Azure AD credentials" policy is not there, see the instructions in the following articles on how to add it.
- How to Automatically Enroll Active Directory devices in Intune using Group Policy.
- Enroll a Windows device automatically using Group Policy.
5. Set the policy to Enabled and, under 'Select Credential Type to Use', select User Credential.
6. Close the Group Policy Management Editor. The policy reaches the workstations at the next policy refresh; to force it, run "gpupdate /force" on a client. Once applied, Windows creates a scheduled task that attempts the enrollment after the user signs in and retries every 5 minutes for a day until it succeeds.
Step 6. Enable Automatic Enrollment in Intune Admin Center.
Now go ahead and allow the Windows devices to enroll in Intune by doing the following:
1. Navigate to Intune Admin Center > Devices > Windows > Enrollment and open Automatic Enrollment.
2. Set the MDM user scope to All*. Leave the MAM user scope (labelled Windows Information Protection (WIP) in older portals) at None unless you actually use WIP; if both scopes include the user, Windows enrollment can fail with the error described in note 2.** Click Save.
* Notes:
1. If you don't want all users to be able to enroll their device in Intune, select "Some" in MDM User scope, and then select who you want to be able to enroll only.
2. If later, during the enrollment of a Windows device, you receive the error "Device Management could not be enabled" with "Error code: -2145833241" (0x80192EE7), set the MAM / Windows Information Protection (WIP) user scope to None and try to enroll the device again.
Step 7. Start the Microsoft Entra ID Sync process in the Microsoft Admin Center.
From the server you prepared for Entra Connect (Windows Server 2016, 2019 or 2022 joined to your domain; ideally a dedicated member server rather than a domain controller), do the following:
1. Navigate to Microsoft 365 admin center, select Setup on the left and then on the right, scroll down and click Add or sync users to Microsoft Entra ID.
2. On the Add or Sync users to Microsoft Entra ID screen, select Get Started and then click Next on the 'Overview' screen.
3. In 'User setup options' select the Continuous sync option to periodically sync the domain users and devices to Microsoft Entra ID.*
* Note: If you don't want to periodically sync all the users and devices to the cloud, select One-time sync.
4. On the "Sync preparation" screen, download the IdFix tool, which will help you to identify and correct errors like duplicates and formatting problems in your Active Directory Domain Services (AD DS) domain that might prevent the successful synchronization with Microsoft Entra ID.
Step 8. Run the "IdFix" tool to find and fix issues on your Active Directory.
1. Run the IdFix tool and click OK in the 'IdFix Privacy Statement' window.
2. Click Query, and then wait for the tool to scan your AD for attributes that will not synchronize.
3. If errors are found, follow the IdFix documentation to fix the invalid attributes. IdFix proposes a corrected value in the UPDATE column; review each proposal before applying it, since the tool writes directly to Active Directory. Then proceed to the next step.
Step 9. Download the 'Microsoft Entra ID Connect Sync' tool (aka "AzureAD Connect").
1. After correcting the errors on your Active Directory with the IdFix tool, open again the 'Sync preparation' screen (in Office 365 Admin Center) and click Next.
2. On the 'Review synchronization tools' screen, select Microsoft Entra Connect Sync and click Next again.
3. Click to download the Microsoft Entra Connect Sync tool.
4. On the Microsoft Entra Connect | Get Started page that opens, select the Manage tab and then click Download Connect Sync Agent. Then Accept the agreement to download the "AzureADConnect.msi" tool.
5. When done, check the installer before running it: right-click "AzureADConnect.msi", open Properties > Digital Signatures and confirm it is signed by Microsoft Corporation (or run Get-AuthenticodeSignature on the file in PowerShell and confirm the status is Valid). Then double-click the file and click Next to install the tool, and continue to the next step.
Step 10. Configure Microsoft Entra Connect Sync to synchronize your Local Active Directory Objects to Microsoft Entra.
1. Run the Microsoft Entra Connect tool, accept the license terms and click Continue.
2. On the next screen click Customize.
3. By default, Microsoft Entra Connect installs all required components, including a local SQL Server Express instance. If you want, you can customize the configuration on this screen; otherwise click Install to continue.*
- Specify a custom installation location: Change the default path where Microsoft Entra Connect is installed.
- Use an existing SQL Server: Select this option, if you want to connect to an existing SQL Server that already hosts a Microsoft Entra Connect database.
- Use an existing service account: If you're connecting to a remote SQL Server instance or using an authenticated proxy, you can specify a managed service account or a password-protected service account in the domain.
- Specify custom sync groups: By default, Microsoft Entra Connect creates four local groups on the server during the installation of the synchronization service: Administrators (ADSyncAdmins), Operators, Browse, and Password Reset. You can specify custom groups here instead. Keep the membership of the administrators group minimal; it grants full control over the sync engine.
- Import synchronization settings: Allows you to import settings exported from another Microsoft Entra Connect installation.
* Note: For more details about these options, look at this MS article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-custom
4. Wait for the installation of the necessary components to complete.
5. On 'User sign-in', select the sign-in method that fits your environment, or select Do Not Configure and click Next if you're unsure.
- Password Hash Synchronization: Entra Connect sends a hash of each user's password hash to Microsoft Entra ID (not the password and not the raw NT hash: the NT hash is re-hashed with a per-user salt and 1,000 iterations of HMAC-SHA256 before it leaves the server), and authentication occurs in the cloud.
- Pass-through Authentication: An on-premises agent validates passwords against a domain controller, so authentication is performed on-premises and no password hash data is stored in the cloud.
- Federation with AD FS: Redirects users to on-premises AD FS for sign-in and authentication occurs on-premises.
- Federation with PingFederate: Redirects users to an on-premises PingFederate server; authentication occurs on-premises.
- Do Not Configure: Skips sign-in setup; used if another federation or authentication solution already exists. For more information, see Single sign-on.
- Enable Single Sign-On (SSO): Optional feature for password hash sync or pass-through authentication to give users seamless sign-in on corporate networks.
* Note: For more details about these options, look at this MS article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-custom
6. Now, enter the username of a Hybrid Identity Administrator (or Global Administrator) account in your Microsoft 365 tenant and click Next to sign in with its credentials. Use a cloud-only account (one that is not itself synchronized from AD) so that a sync problem can never lock you out of the tenant.
7. Now click Add Directory to connect to your local active directory.
8. Now choose either to Create a new AD account (recommended)* or to Use an existing AD account for the periodic synchronization to Microsoft Entra. This account is called the "AD DS Connector account" (older documentation calls it the "Azure AD Connect service account" or "AAD Connect account").
* Note: Letting the tool create the account is recommended because it grants exactly the permissions the selected features need (the wizard asks for Enterprise Administrator credentials to do so). If you use an existing AD account, grant it only the permissions required, preferably with the cmdlets of the ADSyncConfig module that ships with Entra Connect (for example Set-ADSyncBasicReadPermissions and, only if you enable password hash synchronization, Set-ADSyncPasswordHashSyncPermissions). Password hash synchronization needs the "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain, which amount to the ability to read every password hash in AD, so protect this account like a Domain Admin account.
9. After connecting your local active directory, click Next to continue.
10. On the next screen, leave 'userPrincipalName' selected as the Microsoft Entra ID username. The wizard lists any UPN suffixes in your forest that are not verified in the tenant; users with those suffixes are synced with their UPN rewritten to the default onmicrosoft.com domain. If you completed Steps 2 and 3 for all the users you are syncing, check Continue without matching all UPN suffixes to verified domains and click Next.
11. The default option is to sync all domain and OUs. If you don't want this, select Sync selected domain and OUs and select the objects you want. When done, click Next.*
* For example, in this tutorial, I have created a specific OU named "M365Sync" with the users and devices I want to synchronize to Microsoft Entra. So here I have only selected the "M365Sync" object.
12. On the 'Uniquely identifying your users' screen, leave the default options (each user is represented once across all directories, and the source anchor is managed by Entra ID, which uses the mS-DS-ConsistencyGuid attribute) and click Next.
13. On 'Filter users and devices', select Synchronize all users and devices (recommended option), or select Synchronize selected, type the name of a group whose members you want to synchronize and click Resolve. Group filtering is meant for pilots only; for scoping in production, use the OU selection from the previous screen.
* For example, in this tutorial, I have created a specific OU named "M365Sync" with the users and devices I want to synchronize to Microsoft Entra. So, here I selected "Synchronize all users and devices" (within the selected OU).
14. On "Optional Features" leave the default options or select the additional features you want (click the "?" symbol to learn more details about each one) and click the Next button.
15. If you enabled the "Enable single sign-on" feature in the 'User sign-in' options, click Enter credentials and type the credentials of a Domain Administrator account. The wizard uses them to create the AZUREADSSOACC computer account whose Kerberos decryption key Entra ID uses for seamless SSO; roll over that key at least every 30 days, as Microsoft's seamless SSO documentation recommends. When done, click Next to continue.
16. Now review your synchronization settings and click Install.
17. Wait for the installation and configuration to complete, and when done click Exit.
Step 11. Check for Synchronization Errors in Microsoft Entra Connect.
1. On the server where you installed Microsoft Entra Connect, open the Synchronization Service Manager.
2. On the Operations tab, check the most recent sync and make sure the Status says Success on all profiles.
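The same check can be scripted on the Entra Connect server with the ADSync module that the installer adds. The script below is an added example (not part of the original guide): it verifies the scheduler state, triggers a delta sync cycle and waits for it, then lists recent errors and warnings the sync engine wrote to the Application event log. The 10-minute timeout and the 30-minute log window are assumptions; run it as a member of the ADSyncAdmins or ADSyncOperators group.

```powershell
# Added example (not part of the original guide): health check and on-demand
# delta sync for an Entra Connect server. Requires the ADSync module installed
# by Entra Connect; run as a member of ADSyncAdmins or ADSyncOperators.
# Timeout and log window values are assumptions.
Import-Module ADSync

function Test-EntraConnectScheduler {
    $s = Get-ADSyncScheduler
    if (-not $s.SyncCycleEnabled) {
        throw 'Scheduler is disabled. Re-enable with: Set-ADSyncScheduler -SyncCycleEnabled $true'
    }
    if ($s.StagingModeEnabled) {
        Write-Warning 'Server is in staging mode: it imports and syncs but never exports to Entra ID.'
    }
    "Effective interval : $($s.CurrentlyEffectiveSyncCycleInterval)"
    "Next cycle (UTC)   : $($s.NextSyncCycleStartTimeInUTC)"
    "Next policy type   : $($s.NextSyncCyclePolicyType)"
}

function Invoke-EntraConnectDeltaSync([int]$TimeoutMinutes = 10) {
    # Delta processes only changes since the last cycle. Use -PolicyType Initial
    # after changing OU filtering, sync rules or optional features.
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning 'A sync cycle is already running; waiting for it instead of starting another.'
    } else {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 10
        $busy = Get-ADSyncConnectorRunStatus   # empty when no connector is running
    } while ($busy -and (Get-Date) -lt $deadline)
    if ($busy) {
        throw "Sync still running after $TimeoutMinutes minutes; inspect Synchronization Service Manager > Operations."
    }
    'Sync cycle finished.'
}

function Get-EntraConnectRecentErrors([int]$Minutes = 30) {
    # Entra Connect logs under the 'Directory Synchronization' (scheduler, export)
    # and 'ADSync' (sync engine) sources; Level 2 = Error, 3 = Warning.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization', 'ADSync'
        Level        = 2, 3
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    } | Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Test-EntraConnectScheduler
Invoke-EntraConnectDeltaSync
Get-EntraConnectRecentErrors | Format-Table -AutoSize
```

If the last function prints nothing, the last cycle completed without the sync engine logging an error or warning; anything it does print should match the failed step you see on the Operations tab.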
Step 12. Check Synchronization Status & Errors in Microsoft Entra ID.
1. Go to the Microsoft Entra admin center > Entra ID > Entra Connect.
2. On the Microsoft Entra Connect page, select Connect Sync on the left and then, on the right, check when the last sync occurred.
3. Then click Microsoft Entra Connect Health near the bottom to check for synchronization errors (if any).
4. Select Sync Errors on the left and, if errors are found, troubleshoot them.
Step 13. Verify User Synchronization in Microsoft Entra ID.
To verify if a local AD user is synchronized with Microsoft Entra ID:
1. Navigate to Microsoft Entra admin center > Users > All Users.
2. If the domain user(s) you are syncing with Entra ID have synced, you should see "Yes" in the On-Premises Sync enabled column.
Step 14. Check Hybrid Joined Devices in Microsoft Entra ID.
To verify successful synchronization of domain workstations with Microsoft Entra ID:
1. Navigate to Microsoft Entra admin center > Devices > All devices.
2. If a device is hybrid joined, you should see "Microsoft Entra hybrid joined" in 'Join Type' column and if the device is successfully enrolled and managed in Intune "Microsoft Intune" in 'MDM' column.
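The checks of Steps 13 and 14 can also be run against Microsoft Graph, which is handy when you have more users than you want to scroll through and when you want to spot the soft-match failures from Step 3. The following script is an added example (not part of the original guide) using the Microsoft Graph PowerShell SDK: it lists synced users, flags cloud-only accounts on your custom domain (likely duplicates of on-premises users that did not match), and maps each Windows device's trustType to the join type shown in the portal. The domain name is an assumption; the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules and the User.Read.All and Device.Read.All delegated scopes are required.

```powershell
# Added example (not part of the original guide): verify user and device sync
# through Microsoft Graph instead of the portal. Requires the Microsoft.Graph
# PowerShell SDK (Users and Identity.DirectoryManagement modules).
# The custom domain is an assumption; replace it with your verified domain.
param([string]$CustomDomain = 'yourcustomdomain.com')

Connect-MgGraph -Scopes 'User.Read.All', 'Device.Read.All' -NoWelcome

# Users: OnPremisesSyncEnabled is the "On-premises sync enabled" column.
$users = Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled,
    OnPremisesImmutableId, OnPremisesLastSyncDateTime, AccountEnabled

$synced = $users | Where-Object { $_.OnPremisesSyncEnabled -eq $true }
"Synced users: $($synced.Count)"
$synced | Sort-Object OnPremisesLastSyncDateTime |
    Select-Object UserPrincipalName, AccountEnabled, OnPremisesLastSyncDateTime |
    Format-Table -AutoSize

# Cloud-only accounts on the custom domain are the soft-match failures from
# Step 3: the on-premises user arrived as a second object instead of matching.
$cloudOnly = $users | Where-Object {
    -not $_.OnPremisesSyncEnabled -and $_.UserPrincipalName -like "*@$CustomDomain"
}
if ($cloudOnly) {
    Write-Warning "Cloud-only accounts on $CustomDomain (possible duplicates of synced users):"
    $cloudOnly.UserPrincipalName
}

# Devices: trustType ServerAd = Microsoft Entra hybrid joined,
# AzureAd = Entra joined, Workplace = Entra registered.
$devices = Get-MgDevice -All -Property DisplayName, TrustType, IsManaged,
    OperatingSystem, ApproximateLastSignInDateTime
$devices | Where-Object { $_.OperatingSystem -eq 'Windows' } |
    Select-Object DisplayName,
        @{ n = 'JoinType'; e = { switch ($_.TrustType) {
            'ServerAd'  { 'Hybrid joined' }
            'AzureAd'   { 'Entra joined' }
            'Workplace' { 'Entra registered' }
            default     { $_ } } } },
        @{ n = 'Intune'; e = { if ($_.IsManaged) { 'Managed' } else { 'Not enrolled' } } },
        ApproximateLastSignInDateTime |
    Format-Table -AutoSize

# Hybrid-joined devices that never enrolled point back to Steps 5 and 6.
$notEnrolled = $devices | Where-Object { $_.TrustType -eq 'ServerAd' -and -not $_.IsManaged }
if ($notEnrolled) {
    Write-Warning "$($notEnrolled.Count) hybrid-joined device(s) are not managed by Intune."
}
```

A device with TrustType ServerAd but IsManaged false is exactly the case the 'MDM' column leaves blank in the portal: the device is hybrid joined, but the automatic enrollment from Step 5 has not completed.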
Additional Help
If you want to check from a Windows device whether it is Microsoft Entra hybrid joined, open Command Prompt as Administrator and run the following command:
dsregcmd /status
If both AzureAdJoined and DomainJoined show YES in the 'Device State' section, the device is Microsoft Entra hybrid joined. For automatic Intune enrollment with User Credential to work, AzureAdPrt in the 'SSO State' section should also be YES for the signed-in user.
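The following script is an added example (not part of the original guide) that turns this check, and the prerequisites of Step 5, into a single PASS/FAIL report on a workstation: it parses dsregcmd /status for the join state and the Primary Refresh Token, reads the registry values the Step 5 GPO sets (AutoEnrollMDM and UseAADCredentialType under the MDM policy key), and looks for the scheduled task the enrollment client creates. The PASS/FAIL labels and the filter on the task name are this example's own choices; run it from an elevated PowerShell prompt.

```powershell
# Added example (not part of the original guide): one-shot readiness report
# for hybrid join and automatic MDM enrollment on a Windows 10/11 client.
# Run elevated. Labels and the task-name filter are this example's own.
function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Multi-word keys such as "Device Name" are skipped on purpose.
    $h = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $h[$Matches[1]] = $Matches[2] }
    }
    $h
}

function Test-HybridJoinReadiness {
    $s   = Get-DsregStatus
    # Values written by the Step 5 GPO; 1 = User Credential, 2 = Device Credential.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
               -ErrorAction SilentlyContinue
    # Task created once the GPO has applied; it retries enrollment until success.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like '*automatically enrolling in MDM*' }

    [ordered]@{
        'DomainJoined = YES'                                       = ($s.DomainJoined -eq 'YES')
        'AzureAdJoined = YES (hybrid joined)'                      = ($s.AzureAdJoined -eq 'YES')
        'AzureAdPrt = YES (needed for User Credential enrollment)' = ($s.AzureAdPrt -eq 'YES')
        'MdmUrl present (tenant publishes an MDM endpoint)'        = [bool]$s.MdmUrl
        'GPO AutoEnrollMDM = 1'                                    = ($pol.AutoEnrollMDM -eq 1)
        'GPO UseAADCredentialType = 1 (User Credential)'           = ($pol.UseAADCredentialType -eq 1)
        'Enrollment scheduled task exists'                         = [bool]$task
    }
}

$report = Test-HybridJoinReadiness
foreach ($k in $report.Keys) {
    '{0,-5} {1}' -f $(if ($report[$k]) { 'PASS' } else { 'FAIL' }), $k
}
```

Read the failures top to bottom: without DomainJoined and AzureAdJoined nothing else matters (the device has not completed hybrid join yet), a missing AzureAdPrt means the user signed in without line of sight to a domain controller and Entra ID, and missing GPO values mean the Step 5 policy has not reached this computer object.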
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
What is the purpose of synchronizing on-premises AD with Microsoft Entra ID?
Synchronizing users and devices from on-premises Active Directory (AD) with Microsoft Entra ID allows users to use the same credentials to access both on-premises resources and Microsoft 365 cloud services, streamlining identity management and enhancing security.
What are the prerequisites for hybrid joining Active Directory to Microsoft Entra ID?
To hybrid join Active Directory to Microsoft Entra ID, you need a Microsoft 365 tenant with a verified external domain name, a Windows Server (2016 or later) joined to on-premises AD to run Entra Connect, a Hybrid Identity Administrator (or Global Administrator) account in Microsoft 365, a Domain Administrator account in AD (Enterprise Administrator credentials if the wizard creates the AD DS Connector account), outbound connectivity on TCP ports 80 and 443, and devices running Windows 10/11.
How do you verify an external domain name in Microsoft 365?
Navigate to the Microsoft 365 Domain setup page. If you haven't added your own domain name yet, click 'Add domain' and follow the on-screen instructions to add and verify your domain name. Users whose UPN suffix is not a verified domain are synced with a UPN on the tenant's default 'onmicrosoft.com' domain, so verify your own domain before syncing.
Why do you need to add a UPN suffix for your external domain in Active Directory?
Adding a UPN suffix for your external domain in Active Directory ensures that users can sign in to Microsoft Entra ID using the new domain credentials after synchronization, providing a unified login experience.