Part 2 of this guide covers the next steps after the Part 1 homelab hybrid environment domain configuration: the Azure setup and the Entra Connect Sync setup. The Azure setup creates a new tenant, and the Entra Connect Sync setup installs the sync agent on the APP1 virtual machine we created.
Azure Setup
- Create Azure free trial/pay-as-you-go account using this link: https://signup.microsoft.com/createaccount?culture=en-us&scenario=PartnerCenter&origin=pc
- This will allow you to create a new tenant with Entra ID Free licensing. Microsoft recently updated the requirements: creating a workforce account (which includes Entra ID) now requires a paid or trial Azure subscription

- If the above link does not work, this link will allow you to create an Azure account (new customers can trial for 12 months): https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=portal
- Microsoft Learn article about Entra ID tenants: https://learn.microsoft.com/en-us/microsoft-365/education/guide/1-reference/introduction-microsoft-entra-id
- You will need to supply a credit card to verify the new account and to cover any charges that occur
- Entra ID Free should be enough for your homelab but if you wish to upgrade, Microsoft has the following options:
- Entra ID P1 –> $6/user/month (annual commitment)
- Entra ID P2 –> $9/user/month (annual commitment)
- Entra Suite –> $12/user/month (annual commitment), requires Entra ID P1 or package that includes Entra ID P1, special pricing for Entra P2 and Microsoft 365 E5 customers
- Entra ID Governance –> $7/user/month (annual commitment)
- Microsoft Entra plans and pricing: https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
- This blog has a good Entra ID licensing overview (note that Microsoft is updating pricing and plans in July 2026, so the overview has slightly outdated pricing): https://atonementlicensing.com/blog/entra-id-licensing/
- Once you have your Azure account created, you will now have a tenant with Microsoft Entra ID that is accessible in the Microsoft 365 Admin Center, Microsoft Entra Admin Center, and Azure Admin Portal
- Microsoft 365 Admin Center: https://admin.cloud.microsoft/
- Microsoft Entra Admin Center: https://entra.microsoft.com/
- Azure Admin Portal: https://portal.azure.com/
- In the Azure portal, Entra ID is a service you navigate to; it can be found here: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview
- If you purchased a TLD, we can now add the custom domain to our tenant in any of the three admin locations
- Locate “Custom Domain Names” under Entra ID (or Settings > Domains in M365 Admin Center)
- Enter your custom domain name then click Add Domain
- In a new tab/window, navigate to your domain registrar and log into your domain management portal so we can add a TXT record to confirm that we own the domain
- Add the TXT record in your domain management’s portal with the information provided from Microsoft
- Back in your tab/window for the Custom Domain Name adding, click Verify
- Go back to Custom Domain Names and click Refresh to confirm that the new domain has been added and verified
- Repeat the process for any sub-domains needed; for our homelab we used a subdomain of our main custom domain as our AD domain name
- If applicable, assign the sub-domain as your primary domain in your tenant
- Return back to your Custom Domain Names home page and refresh to confirm the changes
- The Entra ID tenant is now ready for the Entra Connect Sync configuration to start synchronizing users from Active Directory into Entra ID
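Before clicking Verify on the custom domain, it helps to confirm that the TXT record has actually propagated to public DNS; a Verify attempt that runs before propagation just fails and has to be retried. The following is an added example, not part of the original guide, that queries public resolvers for the Microsoft verification record. The domain name and the `MS=ms12345678` value are placeholders; use the value shown in the Custom Domain Names blade for your tenant.

```powershell
# Added example (not part of the original guide): check that the Microsoft
# domain-verification TXT record is visible on public DNS before clicking Verify.
# Public resolvers are used on purpose so the result reflects what Microsoft
# will see, not what your lab domain controller caches.
function Test-EntraDomainTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ExpectedValue,   # e.g. 'MS=ms12345678' (placeholder)
        [string[]] $Resolvers = @('8.8.8.8', '1.1.1.1')   # public resolvers, not your DC
    )

    foreach ($resolver in $Resolvers) {
        try {
            $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $resolver -ErrorAction Stop
            # Each TXT answer exposes its string values in the .Strings property
            $found = [bool]($txt | Where-Object { $_.Strings -contains $ExpectedValue })
        }
        catch {
            # NXDOMAIN, timeout or no TXT records at all: treat as not found
            $found = $false
        }
        [pscustomobject]@{
            Resolver    = $resolver
            Domain      = $DomainName
            RecordFound = $found
        }
    }
}

# Usage (placeholder domain and value): click Verify once every resolver reports RecordFound = True
Test-EntraDomainTxtRecord -DomainName 'example.com' -ExpectedValue 'MS=ms12345678' | Format-Table
```

If one resolver reports the record and another does not, the record is still propagating; waiting a few minutes and re-running the check is cheaper than repeatedly clicking Verify in the portal.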
Entra Connect Sync Setup
- Log into the APP1 virtual machine to begin the Entra Connect Sync configuration
- Entra Connect Sync download is no longer available from the Microsoft Download Center and needs to be started from the Microsoft Entra Admin Center in the Entra Connect blade
- Open Edge and navigate to the Entra Connect blade in Entra Admin Center found here: https://www.microsoft.com/en-us/download/details.aspx?id=47594
- Download the Connect Sync agent from the “Get Started” tab in the Entra Connect blade; make sure you scroll down to the Connect Sync agent rather than the Cloud Sync agent at the top of the page, as this homelab guide uses Connect Sync
- The filename will be AzureADConnect.msi (you will notice Microsoft still has not updated the filename or other parts of the application to Entra ID)
- Beginning with Entra Connect Sync version 2.5.76.0, certificate authentication using an app registration is required. It is recommended to use the default Managed by Microsoft Entra Connect option, but you are able to bring your own certificate or application if needed. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/authenticate-application-id
- Start the install of Microsoft Entra Connect Sync
- Accept the terms and notice then click Continue
- You are likely fine using Express Settings for a new single-forest AD setup, but we will go with Customize Settings to ensure we select the options we want
- Unless there is a specific reason on the next step to change anything, keep all options unchecked then click Install
- Keep the selection on “Password Hash Synchronization” for the Sign On method. We’ll keep “Enable single sign-on” option unchecked as Seamless Single Sign-on is considered legacy, not needed any longer (for devices that are Entra registered or joined and how Primary Refresh Tokens are handled), and a potential security risk.
- Enter your Entra ID username from the new tenant we created (the first account from the initial tenant creation is assigned the Global Administrator admin role)
- You might have to add the website(s) as trusted sites to view the authentication window; click Add twice then Close for the requested website(s)
- You might encounter an error about JavaScript being blocked here; if so, click Back and try the step again now that the websites are added as trusted
- Re-enter your Entra ID username and click Next
- Supply your password and click Sign In
- Select your domain forest and click Add Directory
- The next step will ask permission to create a new AD account for the synchronization; this option is usually the right choice. Enter the credentials of the AD admin account we added to the Enterprise Admins role, using DOMAINNAME\USERNAME as the username, then click OK.
- Assuming no issues, confirm the selection and then click Next
- Assuming you have already verified your custom domain in Entra, confirm that the Active Directory UPN suffix matches the Microsoft Entra ID domain. If there is no match, a warning will be displayed. Confirm the attribute anchor of userPrincipalName (UPN) between AD and Entra, then click Next.
- Select the OUs needed (I have selected the Enterprise OU and the Groups OU) for the sync then click Next
- Unless there’s a specific need, leave the options unchanged on the next screen and click Next
- Unless there’s a specific need to filter our users or devices, leave the options on the next screen to sync all users and devices then click Next
- Under Optional features, we will enable “Password Writeback” and “Group Writeback”, then click Next
- For Group Writeback, locate the Groups OU in the domain forest and select it. Then enable the “Writeback Group Distinguished Name with cloud Display Name (Preview)” option, which will create an AD group object for any groups created in Entra, then click Next
- Review the configuration settings and, if ready, click Install with “Start the synchronization process when configuration completes.” selected. There is an option to enable staging mode if you are preparing an Entra Connect Sync server to be a backup server for your configuration.
- This will take a few minutes to complete the installation
- Review the installation, address anything needed, and then click Exit
- In case you get a notification about your account not being a member of the required security group, reboot your server and check again
- Locate “Synchronization Service” in the “Azure AD Connect” folder in your Applications and open the application. I recommend adding a Desktop shortcut and pinning the icon to your taskbar to make it easier. The “Azure AD Connect” application is for the setup and configuration of Entra Connect Sync.
- This is where you can get an overview of recent sync runs with their status, time, etc.
- By default, the sync cycle interval is configured to run every 30 minutes from the last run. You can view the sync schedule status using PowerShell with this command:

```powershell
Get-ADSyncScheduler
```

- If there’s a reason to adjust the sync interval, you can change it using PowerShell with this command:

```powershell
Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00
```

- Based on my work experience, I would recommend creating a desktop shortcut for running a Delta Sync and a Full Sync PowerShell command. The easiest way is to create a new text document on the Desktop with the needed PowerShell command, then save it as a .ps1 file. This will allow you to easily start either sync cycle ad-hoc outside of the normal sync schedule. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler
- Delta Sync –>

```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```

- Full Sync –>

```powershell
Start-ADSyncSyncCycle -PolicyType Initial
```
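A bare `Start-ADSyncSyncCycle` in a desktop shortcut works, but it errors out if a cycle is already running and gives no feedback about when the run finished. The script below is an added example, not part of the original guide or of the Entra Connect product, that wraps the ADSync cmdlets shown above: it checks the scheduler state first, warns if the server is in staging mode (a staging server never exports to Entra ID), starts the requested cycle, and polls until the cycle completes. The function name and the timeout are my own choices; the cmdlets and property names are those of the ADSync module installed with Entra Connect Sync.

```powershell
# Added example (not part of the original guide): a safer wrapper for the ad-hoc
# Delta/Full sync shortcut. Run in an elevated PowerShell on the Connect Sync server.
Import-Module ADSync

function Start-HomelabSync {
    param(
        # 'Delta' picks up changes since the last run; 'Initial' is the full sync
        [ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta',
        [int] $TimeoutSeconds = 600
    )

    $scheduler = Get-ADSyncScheduler

    if ($scheduler.StagingModeEnabled) {
        # Staging mode imports and syncs but never exports, so nothing reaches Entra ID
        Write-Warning 'This server is in staging mode; the run will not export to Entra ID.'
    }
    if ($scheduler.SyncCycleInProgress) {
        # Start-ADSyncSyncCycle would fail here anyway; fail early with a clear message
        throw 'A sync cycle is already in progress; wait for it to finish before starting another.'
    }

    Write-Host ("Effective interval: {0}; next scheduled cycle: {1} UTC ({2})" -f
        $scheduler.CurrentlySyncCycleInterval,
        $scheduler.NextSyncCycleStartTimeInUTC,
        $scheduler.NextSyncCyclePolicyType)

    $started = Get-Date
    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    Write-Host "Started $PolicyType sync at $started"

    # Poll the scheduler until the cycle is no longer in progress or we give up
    $deadline = $started.AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        PolicyType  = $PolicyType
        Completed   = -not $inProgress
        DurationSec = [int]((Get-Date) - $started).TotalSeconds
    }
}

# Usage: save as DeltaSync.ps1 / FullSync.ps1 on the Desktop and change the argument
Start-HomelabSync -PolicyType Delta
```

Two caveats worth knowing when you tune the scheduler: `Set-ADSyncScheduler -CustomizedSyncCycleInterval` cannot go below the `AllowedSyncCycleInterval` reported by `Get-ADSyncScheduler` (30 minutes), so values shorter than that are ignored, and a `Completed = False` result from the wrapper only means the poll timed out, not that the sync failed; check the Synchronization Service Manager for the run's actual status.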

- We can now confirm that our on-premises users and groups synchronized from Active Directory are showing up in the Entra ID tenant as users and groups. We can also confirm that our primary domain has been changed to our custom domain from the default onmicrosoft.com domain.
- Now when new users are created in Active Directory, they will be created in Entra ID. This also means groups created in either AD or Entra will be created on the other side. Password writeback was also enabled, so password changes made in either system will sync to the other.
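Clicking through the portal confirms the result once; a script you can re-run after every sync is more useful, and it also catches the most common silent problem in a new hybrid setup: synced users whose UPN fell back to the tenant's onmicrosoft.com domain because the AD UPN suffix did not match a verified domain. The following is an added example, not part of the original guide, using the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed (`Install-Module Microsoft.Graph -Scope CurrentUser`) and that the signing-in account can consent to the read-only scopes requested.

```powershell
# Added example (not part of the original guide): verify the sync from the Entra ID
# side with read-only Microsoft Graph queries rather than clicking through the portal.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Read-only scopes are enough for a verification script; no write permission is requested
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'Domain.Read.All' -NoWelcome

function Get-HomelabSyncReport {
    # 1. Domains: the custom domain should show IsVerified = True and IsDefault = True
    $domains = Get-MgDomain | Select-Object Id, IsVerified, IsDefault, AuthenticationType

    # 2. Users that came from Active Directory. onPremisesSyncEnabled is only set on
    #    synced objects; cloud-only accounts (such as the first Global Administrator) have $null
    $syncedUsers = Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All `
        -Property 'displayName', 'userPrincipalName', 'onPremisesDistinguishedName', 'onPremisesLastSyncDateTime'

    # 3. Synced users whose UPN fell back to onmicrosoft.com: the AD UPN suffix did not
    #    match a verified domain, so sign-in will not work with the expected address
    $fallbackUpns = $syncedUsers | Where-Object { $_.UserPrincipalName -like '*.onmicrosoft.com' }

    # 4. Synced groups, which should correspond to the Groups OU selected during setup
    $syncedGroups = Get-MgGroup -Filter 'onPremisesSyncEnabled eq true' -All `
        -Property 'displayName', 'onPremisesDistinguishedName'

    # 5. The tenant-level timestamp of the last sync Entra ID received
    $lastSync = (Get-MgOrganization -Property 'onPremisesLastSyncDateTime').OnPremisesLastSyncDateTime

    [pscustomobject]@{
        Domains            = $domains
        SyncedUserCount    = @($syncedUsers).Count
        SyncedGroupCount   = @($syncedGroups).Count
        UpnFallbackUsers   = @($fallbackUpns | Select-Object -ExpandProperty UserPrincipalName)
        LastSyncFromTenant = $lastSync
    }
}

$report = Get-HomelabSyncReport
$report.Domains | Format-Table
$report | Select-Object SyncedUserCount, SyncedGroupCount, LastSyncFromTenant | Format-List
$report.UpnFallbackUsers | ForEach-Object { Write-Warning "UPN fell back to onmicrosoft.com: $_" }
```

If `UpnFallbackUsers` is not empty, fix the UPN suffix on the affected accounts in Active Directory (the verified custom domain from the Azure setup above) and run a Delta sync; the warning disappears once the corrected UPN has been exported.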