Connect your Amazon Managed Microsoft AD to Microsoft Entra Connect Sync - Amazon Directory Service
PrerequisitesStep 1: Create an Active Directory domain userStep 2: Download Entra Connect SyncStep 3: Run Windows PowerShell ScriptStep 4: Install Entra Connect Sync
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect your Amazon Managed Microsoft AD to Microsoft Entra Connect Sync

This tutorial walks you through the necessary steps to install Microsoft Entra Connect Sync to sync your Microsoft Entra ID to your Amazon Managed Microsoft AD.

In this tutorial, you do the following:

  1. Create an Amazon Managed Microsoft AD domain user.

  2. Download Entra Connect Sync.

  3. Use Windows PowerShell to run a script to provision the appropriate permissions for the newly created user.

  4. Install Entra Connect Sync.

Prerequisites

You will need the following to complete this tutorial:

Step 1: Create an Active Directory domain user

This tutorial assumes you already have an Amazon Managed Microsoft AD as well as an EC2 Windows Server instance with Active Directory Administration Tools installed. For more information, see Install the Active Directory Administration Tools for Amazon Managed Microsoft AD.

  1. Connect to the instance where the Active Directory Administration Tools were installed.

  2. Create an Amazon Managed Microsoft AD domain user. This user will become the Active Directory Directory Service (AD DS) Connector account for Entra Connect Sync. For detailed steps on this process, see Create a user.

Step 2: Download Entra Connect Sync

  • Download Entra Connect Sync from Microsoft website onto the EC2 instance that is the Amazon Managed Microsoft AD admin.

Warning

Do not open or run Entra Connect Sync at this point. The next steps will provision the necessary permissions for your domain user created in Step 1.

Step 3: Run Windows PowerShell Script

$modulePath = "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

try {
    # Attempt to import the module
    Write-Host -ForegroundColor Green "Importing Module for Azure Entra Connect..."
    Import-Module $modulePath -ErrorAction Stop
    Write-Host -ForegroundColor Green "Success!"
}
catch {
    # Display the exception message
    Write-Host -ForegroundColor Red "An error occurred: $($_.Exception.Message)"
}

Function Set-EntraConnectSvcPerms {
    [CmdletBinding()]
    Param (
        [String]$ServiceAccountName
    )

    #Requires -Modules 'ActiveDirectory' -RunAsAdministrator

    Try {
        $Domain = Get-ADDomain -ErrorAction Stop
    } Catch [System.Exception] {
        Write-Output "Failed to get AD domain information $_"
    }

    $BaseDn = $Domain | Select-Object -ExpandProperty 'DistinguishedName'
    $Netbios = $Domain | Select-Object -ExpandProperty 'NetBIOSName'

    Try {
        $OUs = Get-ADOrganizationalUnit -SearchBase "OU=$Netbios,$BaseDn" -SearchScope 'Onelevel' -Filter * -ErrorAction Stop | Select-Object -ExpandProperty 'DistinguishedName'
    } Catch [System.Exception] {
        Write-Output "Failed to get OUs under OU=$Netbios,$BaseDn $_"
    }

    Try {
        $ADConnectorAccountDN = Get-ADUser -Identity $ServiceAccountName -ErrorAction Stop | Select-Object -ExpandProperty 'DistinguishedName'
    } Catch [System.Exception] {
        Write-Output "Failed to get service account DN $_"
    }

    Foreach ($OU in $OUs) {
        try {
        Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $ADConnectorAccountDN -ADobjectDN $OU -Confirm:$false -ErrorAction Stop
        Write-Host "Permissions set successfully for $ADConnectorAccountDN and $OU"

        Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $ADConnectorAccountDN -ADobjectDN $OU -Confirm:$false -ErrorAction Stop
        Write-Host "Basic read permissions set successfully for $ADConnectorAccountDN on OU $OU"
    }
    catch {
        Write-Host "An error occurred while setting permissions for $ADConnectorAccountDN on OU $OU : $_"
    }
    }
}
Show moreShow less

Step 4: Install Entra Connect Sync

  1. Once the script has completed, you can run the downloaded Microsoft Entra Connect (formerly known as Azure Active Directory Connect) configuration file.

  2. A Microsoft Azure Active Directory Connect window opens after running the configuration file from the previous step. On the Express Settings window, select Customize.

    Microsoft Azure Active Directory Connect window with customize button highlighted.

  3. On the Install required components window, select the Use an existing service account checkbox. In SERVICE ACCOUNT NAME and SERVICE ACCOUNT PASSWORD, enter the AD DS Connector account name and password for the user you created in Step 1. For example, if your AD DS Connector account name is entra, the account name would be corp\entra. Then select Install.

    Install required components window with use existing service account and domain account selected, and the service account name and password provided.

  4. On the User Sign-in window, select one of the following options:

    1. Pass-through Authentication - This option allows you to sign in to your Active Directory with your username and password.

    2. Do not configure - This allows you to use federated sign in with Microsoft Entra (formerly known as Azure Active Directory (Azure AD)) or Office 365.

      Then select Next.

  5. On the Connect to Azure window, enter your Global Administrator username and password for Entra ID and select Next.

  6. On the Connect your directories window, choose Active Directory for DIRECTORY TYPE. Choose the forest for your Amazon Managed Microsoft AD for FOREST. Then select Add Directory.

  7. A pop-up box appears requesting your account options. Select Use existing AD account. Enter the AD DS Connector account username and password created in Step 1 and then select OK. Then select Next.

    AD forest account pop-up box with the use existing AD account selected and domain username and password provided.

  8. On the Azure AD Sign-in window, select Continue without matching all UPN suffixes to verified domains, only if you do not have a verified vanity domain added to Entra ID. Then select Next.

  9. On Domain/OU filtering window, select the options to suit your needs. For more information, see Entra Connect Sync: Configure filtering in Microsoft documentation. Then select Next.

  10. On the Identifying Users, Filtering and Optional Features window, keep the default values and select Next.

  11. On the Configure window, review the configuration settings and select Configure. The installation for Entra Connect Sync will finalize and users will begin to synchronize with Microsoft Entra ID.