This article describes the prerequisites and the hardware requirements for Azure Active Directory (Azure AD) Connect.
Before you install Azure AD Connect
Azure AD
You need an Azure AD tenant. You get one with an Azure free trial. You can use one of the following portals to manage Azure AD Connect:
The Azure portal.
The Office portal.
Add and verify the domain you plan to use in Azure AD. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and you're not using only the contoso.onmicrosoft.com default domain.
An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Azure AD, open a support case to have the limit increased even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Azure AD Premium, or Enterprise Mobility + Security.
Prepare your on-premises data
Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD and Microsoft 365.
Review optional sync features you can enable in Azure AD, and evaluate which features you should enable.
On-premises Active Directory
The Active Directory schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema version and forest-level requirements are met. You might require a paid support program if you require support for domain controllers running Windows Server 2016 or older.
The domain controller used by Azure AD must be writable. Using a read-only domain controller (RODC) isn't supported, and Azure AD Connect doesn't follow any write redirects.
On-premises forests or domains whose NetBIOS names are "dotted" (the name contains a period ".") aren't supported.
We recommend that you enable the Active Directory recycle bin.
PowerShell execution policy
Azure Active Directory Connect runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy will allow running of scripts.
The recommended execution policy during installation is "RemoteSigned".
For more information on setting the PowerShell execution policy, see Set-ExecutionPolicy.
Azure AD Connect server
The Azure AD Connect server contains critical identity data. It's important that administrative access to this server is properly secured. Follow the guidelines in Securing privileged access.
The Azure AD Connect server must be treated as a Tier 0 component as documented in the Active Directory administrative tier model. We recommend hardening the Azure AD Connect server as a Control Plane asset by following the guidance provided in Secure Privileged Access.
To read more about securing your Active Directory environment, see Best practices for securing Active Directory.
Installation prerequisites
Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later. We recommend using domain-joined Windows Server 2022. You can deploy Azure AD Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require a paid support program if you require support for this configuration.
The minimum .NET Framework version required is 4.6.2, and newer versions of .NET are also supported. .NET version 4.8 and greater offers the best accessibility compliance.
Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled if you use the Azure AD Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Azure AD Connect wizard to manage sync configuration.
If AD FS is being deployed:
The servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation. You may require a paid support program if you require support for Windows Server 2016 and older.
You must configure TLS/SSL certificates. For more information, see Managing SSL/TLS protocols and cipher suites for AD FS and Managing SSL certificates in AD FS.
You must configure name resolution.
Breaking and inspecting the traffic between Azure AD Connect and Azure AD (TLS interception by a proxy or firewall) isn't supported. Doing so may disrupt the service.
If your Hybrid Identity Administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
If you plan to use Azure AD Connect Health for syncing, ensure that the prerequisites for Azure AD Connect Health are also met. For more information, see Azure AD Connect Health agent installation.
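The requirements above can be checked before the installer is even copied to the server. The following read-only pre-flight script is an added example (not from the Microsoft page); run it in an elevated PowerShell session on the server where Azure AD Connect will be installed. It checks the OS build, the installation type (GUI versus Server Core), domain membership, the .NET Framework release, the machine-scope execution policy, and whether PowerShell transcription is enforced by policy. The build number for Windows Server 2016 (14393) and the release value for .NET Framework 4.6.2 (394802) are assumed thresholds for the example.

```powershell
# Added example, not part of the Microsoft page. Read-only pre-flight check for the
# Azure AD Connect installation prerequisites. Run elevated on the target server.
function Test-AadConnectPrerequisites {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
    }

    # Windows Server 2016 or later (assumed build threshold 14393)
    $os = Get-CimInstance Win32_OperatingSystem
    Add-Result 'Windows Server 2016 or later' ([int]$os.BuildNumber -ge 14393) "$($os.Caption) build $($os.BuildNumber)"

    # Full GUI install: Server Core reports InstallationType = 'Server Core'
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    Add-Result 'Full GUI (not Server Core)' ($installType -eq 'Server') "InstallationType=$installType"

    # Domain-joined server
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Result 'Domain-joined' $cs.PartOfDomain "Domain=$($cs.Domain)"

    # .NET Framework 4.6.2 or later (assumed Release threshold 394802)
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Result '.NET Framework 4.6.2 or later' ($ndp.Release -ge 394802) "Release=$($ndp.Release)"

    # Machine execution policy must allow the installer's signed scripts to run
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    Add-Result 'Execution policy allows scripts (RemoteSigned recommended)' ($policy -in 'RemoteSigned', 'Unrestricted', 'Bypass') "LocalMachine=$policy"

    # Transcription enforced by Group Policy breaks AD FS management from the wizard
    $transcriptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    $transcripting = (Get-ItemProperty $transcriptKey -ErrorAction SilentlyContinue).EnableTranscripting
    Add-Result 'PowerShell transcription not enforced (needed only if managing AD FS)' ($transcripting -ne 1) "EnableTranscripting=$transcripting"

    return $results
}

Test-AadConnectPrerequisites | Format-Table -AutoSize
```

Every row with Pass = False maps to one of the bullets above; the transcription row is only a blocker when the wizard will manage AD FS.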
Harden your Azure AD Connect server
We recommend that you harden your Azure AD Connect server to decrease the security attack surface for this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization.
We recommend hardening the Azure AD Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in Secure Privileged Access and Active Directory administrative tier model.
Restrict administrative access to the Azure AD Connect server to only domain administrators or other tightly controlled security groups.
Create a dedicated account for all personnel with privileged access. Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
Follow the guidance provided in Securing privileged access.
Deny use of NTLM authentication with the AADConnect server. One way to do this is to configure the AADConnect server for Kerberos-only authentication.
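Denying NTLM blindly is a good way to lock yourself out of the server (for example, an RDP session opened by IP address rather than host name falls back to NTLM). The following script is an added example (not from the Microsoft page) of the audit-then-deny approach: it first lists the accounts that have recently authenticated to this server with NTLM from the Security log, then offers two functions that set the registry values behind the "Network security: Restrict NTLM" policies, one for audit mode and one for deny mode. Run it elevated on the Azure AD Connect server; the seven-day window is an assumption.

```powershell
# Added example, not part of the Microsoft page. Audit NTLM use on the Azure AD Connect
# server, then restrict it via the MSV1_0 registry values that back the
# "Network security: Restrict NTLM" Group Policy settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: who still authenticates here with NTLM? Logon event 4624 carries the
# authentication package; every NTLM row will break once NTLM is denied.
function Get-NtlmLogons([int]$Days = 7) {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Source    = $data.IpAddress
                LogonType = $data.LogonType
            }
        }
    } | Group-Object Account, Source, LogonType | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Step 2: audit mode. Inbound NTLM is logged (events 8001-8004 under
# Applications and Services Logs > Microsoft > Windows > NTLM) but still allowed.
function Set-NtlmAuditMode {
    Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord  # 2 = audit all accounts
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord # 1 = audit outbound
}

# Step 3: once the audit shows only Kerberos, deny NTLM in both directions.
function Set-NtlmDenyMode {
    Set-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord # 2 = deny all accounts
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord   # 2 = deny all
}

Get-NtlmLogons -Days 7
```

Run `Get-NtlmLogons` for at least one full operational cycle (backups, monitoring agents, scheduled jobs) before calling `Set-NtlmDenyMode`; anything that can only reach the server by IP address must be switched to a host name so Kerberos can be used.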
SQL Server
The minimum version of SQL Server supported by Azure AD Connect is SQL Server 2012. We recommend using SQL Server 2019 or newer versions of SQL Server.
Azure AD Connect provides an embedded SQL Server Express instance if you don’t already have a SQL Server instance for use. This instance is suitable for small and medium-sized organizations. For larger organizations, or organizations with high availability and scalability requirements, we recommend that you use a full version of SQL Server installed on a separate server.
If you want to use a custom SQL Server instance for Azure AD Connect, make sure the instance is configured as follows:
The instance runs SQL Server 2012 or later (see the supported versions above).
The TCP/IP protocol is enabled and remote connections are allowed, so the Azure AD Connect server can reach the instance over the network.
The sync service connects with the Windows identity of its service account (integrated authentication), so that account needs a login on the instance. SQL Server authentication (mixed mode) isn't required for Azure AD Connect; leave it off unless something else needs it.
The collation is case-insensitive, that is, a collation with _CI_ in its name, such as SQL_Latin1_General_CP1_CI_AS. Case-sensitive collations (_CS_ in the name) aren't supported.
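The following script is an added example (not from the Microsoft page) that checks these settings from the Azure AD Connect server before the installer is pointed at the instance. It connects with the caller's Windows identity over TCP, so run it as the account that will run the sync service: if the connection opens at all, TCP/IP, remote connections and integrated authentication are working. The server and instance names are assumptions.

```powershell
# Added example, not part of the Microsoft page. Pre-check a custom SQL Server instance
# for Azure AD Connect using integrated (Windows) authentication over TCP.
function Test-AadConnectSqlInstance {
    param(
        [string]$Server   = 'sql01.contoso.com',   # assumed
        [string]$Instance = 'ADSYNC'               # assumed
    )
    # Encrypt=True with TrustServerCertificate=False: a self-signed or untrusted
    # server certificate fails here rather than silently downgrading to a weak setup.
    $cs = "Server=tcp:$Server\$Instance;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"
    $conn = [System.Data.SqlClient.SqlConnection]::new($cs)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))         AS Version,
       CAST(SERVERPROPERTY('Collation') AS nvarchar(128))             AS Collation,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)        AS WindowsAuthOnly,
       SUSER_SNAME()                                                  AS ConnectedAs
"@
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $major = [int]($r['Version'].ToString().Split('.')[0])
        [pscustomobject]@{
            ConnectedAs      = $r['ConnectedAs']
            Version          = $r['Version']
            SupportedVersion = ($major -ge 11)                      # 11.x = SQL Server 2012
            Collation        = $r['Collation']
            CaseInsensitive  = ($r['Collation'] -match '_CI_')      # _CS_ collations are unsupported
            WindowsAuthOnly  = ([int]$r['WindowsAuthOnly'] -eq 1)   # mixed mode not needed
        }
    } finally {
        $conn.Close()
    }
}

Test-AadConnectSqlInstance
```

`ConnectedAs` confirms which Windows identity the instance actually sees; if it isn't the intended service account, the SQL login granted during installation will be attached to the wrong principal.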
Service accounts
Azure AD Connect uses the following accounts:
AD DS Connector account: used by the sync engine to read from, and for features such as password writeback to write to, your on-premises Active Directory. In an express installation the wizard creates this account (its name starts with MSOL_). Password hash synchronization requires the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain. These are the same replication rights an attacker abuses with DCSync to dump every password hash in the domain, so treat this account's credentials as Tier 0 and alert on any use of them from anywhere other than the Azure AD Connect server.
ADSync service account: the account the Microsoft Azure AD Sync service runs as. By default this is a virtual service account; a group managed service account (gMSA) or a domain user account can be used instead. It doesn't need to be a local administrator or a domain administrator. The account that runs the installation wizard does need local administrator rights on the Azure AD Connect server.
Azure AD Connector account: created in Azure AD by the wizard and used to write to your tenant. It holds the Directory Synchronization Accounts role.
Protect all of these accounts: use long, randomly generated passwords (or a gMSA where supported), never reuse them elsewhere, and don't use them for browsing, e-mail, or other day-to-day work.
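Because the replication rights granted to the AD DS Connector account are exactly the rights DCSync needs, it's worth enumerating every principal that holds them on the domain naming context and confirming the list is as short as expected. The following script is an added example (not from the Microsoft page); it needs the ActiveDirectory module (RSAT) and a domain-joined session. The allow-list of expected holders is an assumption that you should adjust for your forest; the three rights GUIDs are the well-known schema GUIDs for the replication control-access rights.

```powershell
# Added example, not part of the Microsoft page. List who holds DCSync-capable rights
# on the domain naming context and flag any holder outside an expected allow-list.
Import-Module ActiveDirectory

# Control-access right GUIDs from the AD schema
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-DcSyncRightHolders {
    param(
        # Assumed allow-list: built-in principals plus the domain's own admin groups.
        # The AD DS Connector account (MSOL_...) is expected too but is left out on
        # purpose so it shows up and can be reviewed explicitly.
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators')
    )
    $domain = Get-ADDomain
    $nb = $domain.NetBIOSName
    $Expected += "$nb\Domain Controllers", "$nb\Domain Admins", "$nb\Enterprise Admins"

    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
        $key = $_.ObjectType.ToString()
        if ($replicationRights.ContainsKey($key)) {
            $right = $replicationRights[$key]
        } elseif ($_.ActiveDirectoryRights.HasFlag($genericAll) -and $_.ObjectType -eq [guid]::Empty) {
            # GenericAll on the domain object implies every extended right, including these
            $right = 'GenericAll (implies all replication rights)'
        } else {
            return
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Right     = $right
            Inherited = $_.IsInherited
            Expected  = ($_.IdentityReference.Value -in $Expected)
        }
    } | Sort-Object Expected, Identity, Right
}

Get-DcSyncRightHolders | Format-Table -AutoSize
```

Rows with Expected = False should be exactly one AD DS Connector account per Azure AD Connect server (plus Enterprise Admins of the forest root if you're in a child domain). Any other user or group, or a second MSOL_ account you don't recognise, is a Tier 0 credential that can dump the domain's password hashes and should be investigated.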
Connectivity and network
The Azure AD Connect server must be able to communicate with both your on-premises Active Directory and Azure AD.
The following ports must be open on the firewall to allow communication:
TCP port 443 for HTTPS traffic to Azure AD.
TCP port 389 for LDAP traffic to your on-premises Active Directory.
TCP port 636 for LDAPS traffic to your on-premises Active Directory.
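The port list above can be verified from the Azure AD Connect server in one pass, and the same pass can catch the unsupported TLS interception mentioned earlier: if a corporate proxy is re-signing the HTTPS traffic to Azure AD, the certificate chain the server sees on port 443 ends in the proxy's CA instead of a public one. The following script is an added example (not from the Microsoft page); it needs the ActiveDirectory module to enumerate domain controllers, and the Azure AD host name used for the probe is an assumption.

```powershell
# Added example, not part of the Microsoft page. Check LDAP/LDAPS reachability to every
# domain controller and HTTPS reachability to Azure AD, then read the certificate chain
# presented on port 443 to detect TLS interception.
Import-Module ActiveDirectory

function Test-AadConnectConnectivity {
    param([string]$AzureAdHost = 'login.microsoftonline.com')   # assumed endpoint
    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        foreach ($port in 389, 636) {
            $t = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{ Target = $dc.HostName; Port = $port; Open = $t.TcpTestSucceeded })
        }
    }
    $t = Test-NetConnection -ComputerName $AzureAdHost -Port 443 -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{ Target = $AzureAdHost; Port = 443; Open = $t.TcpTestSucceeded })
    return $results
}

function Get-TlsChainSubjects {
    param([string]$HostName = 'login.microsoftonline.com')      # assumed endpoint
    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # Accept any certificate for this probe: the point is to read the chain, not trust it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($leaf)
        # Leaf first, root last. A private/corporate CA at the end means interception.
        $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    } finally {
        $client.Close()
    }
}

Test-AadConnectConnectivity | Format-Table -AutoSize
Get-TlsChainSubjects
```

If the last subject printed by `Get-TlsChainSubjects` is your organisation's own CA rather than a public root, the proxy is breaking and re-encrypting the Azure AD traffic; exempt the Azure AD Connect server from inspection before installing.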
Ensure that the following URLs are accessible from the Azure AD Connect server: