Installing a basic Azure AD Connect environment

As an example, I will show you how to implement Azure AD Connect with password synchronization. The other options for the setup are similar:

  1. First, download Azure AD Connect. The setup wizard walks you through configuring synchronization, and you can rerun the configuration later by looking for Azure AD Connect in the Windows Start menu:
Be aware that your Azure AD Connect server must be joined to the on-premises AD domain.
  2. Accept the license terms and click on the Continue button, as shown in the following screenshot:
  3. Click on the Customize button to continue:
  4. Choose the Password Synchronization option and click on the Next button:
  5. In the next window, enter the credentials for your Azure AD sync account:

On many websites, and also in Microsoft documentation, you will find the terms DirSync and Azure AD Sync. Neither has been supported since Azure AD Connect reached a production state. Visit this website for more information: http://blog.azureandbeyond.com/2017/04/06/dirsync-azure-ad-sync-end-of-support/?fb_action_ids=1199177306847421&fb_action_types=news.publishes.

  6. Next, add your on-premises administrator account:
For multi-domain forest AD infrastructures, your on-premises administrator account needs to be an enterprise administrator. If you only have a single-domain forest, a regular domain admin is sufficient.
  7. For the next step, select the attribute in your on-premises domain that identifies the User Principal Name (UPN) in Azure AD.
The UPN is an internet-style login name for a user, based on the internet standard RFC 822.
  8. Microsoft's best practice is to select the user principal name of your on-premises domain. This isn't the best option in all scenarios:

From the field, choosing the user principal name is not always helpful. Depending on the domain, it is sometimes better to choose the email address instead of the user principal name as the identifier in Azure AD, because in a synced scenario the primary email is always the login name. So, if your login name is @company.onmicrosoft.com, the primary email will use that domain too.

  9. The following diagram shows an example of a decision path: when to choose the UPN and when to choose an email address. It's very basic, but it helps in most cases:
  10. After you select which attribute will be your identifier, set the AD filter. It isn't recommended to synchronize the whole AD DS, because that takes a lot of time, especially with a large on-premises AD. For faster synchronization, select only a subset of the on-premises AD objects; for example, select only the organizational units (OUs) that contain the required objects:
  11. Now, choose how your users should be identified across your domain. Depending on your earlier decision, select the user principal name or the email address:
  12. Afterwards, configure the filter for your accounts. You can either synchronize all users and devices or use a filter group. The best approach is to have dedicated groups for the users to be synced. From a security and resource perspective, you shouldn't select all users; otherwise, you would sync unnecessary or possibly restricted accounts to Azure AD:
  13. In the next steps, choose which features you want to have synced in addition to the attributes:

Some, such as the Exchange hybrid deployment and Device writeback options, are only available with certain AD extensions or with additional subscriptions, such as Azure AD Premium or mobile device management such as Intune. Best field practice is to at least enable the Azure AD app and attribute filtering option. That lets you sync allowed apps and license attributes between Azure AD and AD, which is necessary, for example, if you license Microsoft Office in your Terminal Server environment with the Office 365 E3 or E5 plans. If you don't enable the feature, some applications may not appear to be licensed. Office 365 installed on a Citrix Terminal Server is a good example: without synchronization, Citrix does not know about the license details, and the user receives an Office licensing login prompt every time they start their Office applications on the Terminal Server.

If you are running Microsoft Exchange within your AD DS, enable the Exchange hybrid deployment checkbox. Configuring it afterwards brings some small challenges; a common one is broken Exchange mail routing for users who had an Exchange Online mailbox without an on-premises connection before.
  14. In the next few windows, you can decide which Azure AD apps will be synced:
  15. Afterward, you can limit the attributes from AD that will be transferred to Azure AD. Microsoft does not recommend limiting attributes:
  16. Now, select which directory extension attributes from your on-premises environment are transferred to Azure AD. This is important for certain applications running in the cloud. In this walkthrough, we will not select any attributes:
  17. Once you've run through these steps, you can complete the installation. Outside a migration scenario, or as long as you don't want to enable high availability for Azure AD Connect, you can start synchronization right away. Otherwise, you should stage your installation first and start the first synchronization afterward:
  18. To disable staging mode, start Azure AD Connect from the Start menu again. It will act like a regular Azure AD Connect run, except that the second wizard option is to disable staging mode:

You have now implemented a simple, SSO-enabled Azure AD and AD synchronization. After you've started synchronization, Azure AD Connect will replicate changes every hour between Azure AD and AD.

You can trigger synchronization manually by using either of the following PowerShell commands:

  • With Start-ADSyncSyncCycle -PolicyType Delta, you sync all changes since the last sync.
  • With Start-ADSyncSyncCycle -PolicyType Initial, you perform a full sync with all the settings you have configured in Azure AD Connect. This is typically what you run for the first sync after installation.
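As an added example (not from the book), the following script wraps the manual sync described above: it reads the scheduler state first, so you notice a disabled scheduler or a server still in staging mode (where the cycle computes changes but exports nothing), then triggers the cycle and waits until every connector is idle again. It assumes you run it on the Azure AD Connect server, where the ADSync module is installed.

```powershell
# Added example: check scheduler state, trigger a sync cycle and wait for completion.
# Run on the Azure AD Connect server (the ADSync module ships with the installation).
Import-Module ADSync

$PolicyType = 'Delta'   # use 'Initial' for the full sync after installation

$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Scheduler is disabled: no automatic cycles will run until Set-ADSyncScheduler -SyncCycleEnabled $true.'
}
if ($sched.StagingModeEnabled) {
    # Staging mode imports and evaluates changes but does not export them to Azure AD or AD.
    Write-Warning 'Server is in staging mode: this cycle will not export anything.'
}
"Effective interval: $($sched.CurrentlyEffectiveSyncCycleInterval)"
"Next scheduled cycle: $($sched.NextSyncCyclePolicyType) at $($sched.NextSyncCycleStartTimeInUTC) UTC"

# Start-ADSyncSyncCycle fails if a cycle is already running, so wait for idle connectors first.
while (Get-ADSyncConnectorRunStatus) {
    'A sync cycle is already running; waiting...'
    Start-Sleep -Seconds 10
}

Start-ADSyncSyncCycle -PolicyType $PolicyType

# Poll until all connectors (AD and Azure AD) report idle.
do {
    Start-Sleep -Seconds 15
    $running = Get-ADSyncConnectorRunStatus
    if ($running) { $running | Out-String }
} while ($running)

"$PolicyType sync cycle completed."
```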
From a common-practice and security standpoint, you should not sync any on-premises domain administrator accounts to Azure AD, and you shouldn't give the personal Azure AD accounts of your IT staff any admin rights in Azure AD. Instead, always create cloud-only accounts for your admins, which serve only as admin accounts in Azure AD. That protects both directories from being taken over if one of the admin accounts is compromised.
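To verify the advice above against a real configuration, here is an added audit script (not from the book) that lists members of the privileged on-premises groups that fall inside the Azure AD Connect sync scope. The OU list and the sync filter group name are placeholders for the OU filter (step 10) and group filter (step 12) you chose in the wizard; it assumes the ActiveDirectory RSAT module is available.

```powershell
# Added example: find privileged on-premises accounts that would be synced to Azure AD.
Import-Module ActiveDirectory

# Placeholders: replace with the OUs and (optional) filter group selected in the wizard.
$SyncedOUs  = @('OU=Users,OU=Contoso,DC=corp,DC=example,DC=com')
$SyncGroup  = 'AAD-Sync-Users'      # set to $null if you sync whole OUs without a group filter
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Privileged users, resolved recursively so nested group memberships are covered.
$privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privileged = $privileged | Sort-Object -Property distinguishedName -Unique

# Members of the sync filter group, if group-based filtering is in use.
$syncMembers = @{}
if ($SyncGroup) {
    Get-ADGroupMember -Identity $SyncGroup -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $syncMembers[$_.distinguishedName] = $true }
}

function Test-InSyncScope {
    param([string]$Dn)
    # An object is in scope when it sits under a selected OU and, if a group filter
    # is configured, is also a member of that group.
    $inOu = [bool]($SyncedOUs | Where-Object { $Dn -like "*,$_" })
    if ($SyncGroup) { return ($inOu -and $syncMembers.ContainsKey($Dn)) }
    return $inOu
}

$findings = foreach ($u in $privileged) {
    if (Test-InSyncScope $u.distinguishedName) {
        $acct = Get-ADUser -Identity $u.distinguishedName -Properties adminCount
        [pscustomobject]@{
            SamAccountName    = $acct.SamAccountName
            DistinguishedName = $acct.DistinguishedName
            adminCount        = $acct.adminCount
        }
    }
}

if ($findings) {
    Write-Warning 'Privileged on-premises accounts are inside the Azure AD Connect sync scope:'
    $findings | Format-Table -AutoSize
} else {
    'No privileged on-premises accounts are in the sync scope.'
}
```

Any account listed should be moved out of the synced OUs or removed from the filter group before the first Initial sync, and admin work in Azure AD done from cloud-only accounts as described above.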