Prepare Active Directory for Azure AD Connect

Clean up Active Directory objects


In this lesson, we will clean up Active Directory, although we don't really perform the clean up now, we'll just identify some of the things you need to be aware of when it comes to the topic of cleaning up Active Directory objects. So, this lesson, as I said, is mostly about identifying the things you need to check for prior to deploying the Azure Active Directory Connect tool, and performing your first synchronization. So, before you deploy Azure Active Directory Connect, you should make sure that your existing on-site Active Directory environment is ready to go.

So, if there are illegal characters in your UPN suffixes, for example, the synchronization of those objects will fail. So, beyond that, beyond the use of those invalid characters in your UPN suffixes, you should be mindful of these things, and I'll just highlight a few of the major points in terms of things you need to be aware of in terms of practical application, and in terms of test preparation. I'll also leave you with the reference to the full list of considerations for cleaning up Active Directory.

So, besides UPN suffixes and using valid characters in those UPN suffixes, you also need to take note of the current domain and forest functional level. So, the Azure Active Directory Connect tool supports server 2003 and later functional levels, although for all of the functions and features of this tool such as password write back, it needs to be operating in a 2008 or greater functional level in terms of the forest.

Password write back, by the way, is the ability, essentially, to synchronize changes to passwords, so if you have a user who changes his or her password using the tools in Office 365, and they do that online when they're connected to a web browser, then they go and try to log in at their domain-connected computer, they log on on the on-premises Active Directory environment, without password write back, that password change might be lost.

So, in order for that to happen, you need to make sure that the forest functional level is 2008 or greater. Similar thing with the server itself that's going to be running the Azure Active Directory Connect tool, it needs to be running Windows 2008 or later, and there's one other thing you need to be aware of, that it has to be running the full graphical user interface. You can't install the Azure Active Directory Connect tool on a server that does not have the full GUI on it.

Now, for the full list of possible considerations, I don't think you'll be tested on that full list, but for reference to look these things up later on, you can search for Azure Active Directory Connect prerequisites, and then that should bring you to a support article from Microsoft that will kind of run you through the entire gamut of things to be mindful of when you're running Azure Active Directory and cleaning up your on-premises Active Directory environment.

Now, before you actually do the installation and run that tool, make sure that you perform the following tasks. Remove any duplicate proxy address attributes. You should also remove any duplicate UPN attributes that may exist in your environment, and you should also ensure that, for group accounts, the member, alias, and display names are all populated so that they are synchronized correctly. The Azure Active Directory Connect tool is going to look for all of those attributes when it is syncing a group account.

We also mentioned the UPN suffixes earlier, a slide or two ago; I want to take a moment to point out the allowed characters in a UPN suffix. UPN suffixes will allow for letters, numbers, periods, dashes, and underscores, and in 90 to 99 percent of UPN suffixes that are used, all those suffixes will just use letters, in other words, it'll be what, for the most part, looks like it'll be letters and possibly a period, it'll be something like or .info, things like that.
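As an added example that is not part of the course or of Microsoft's IdFix tool, the following read-only PowerShell script checks the points raised in this lesson: the forest and domain functional level, UPN suffixes with characters outside the set described above, duplicate UPNs and proxy addresses, and groups missing member, alias or display name. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the directory, and that the group "alias" attribute is mailNickname.

```powershell
# Added pre-check example (not the course's or IdFix's code). Assumes the
# RSAT ActiveDirectory module and read access to the on-premises directory.
Import-Module ActiveDirectory

# 1. Functional levels: password writeback needs a 2008 or later forest level.
$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "Forest functional level: $($forest.ForestMode)"
Write-Host "Domain functional level: $($domain.DomainMode)"
if ($forest.ForestMode -like '*2003*') {
    Write-Warning 'Forest is at a 2003 level; raise it before relying on password writeback.'
}

# 2. UPN suffixes: flag any suffix using characters other than letters, digits,
#    period, dash and underscore (the set the lesson describes), or no suffix at all.
$allowedSuffix = '^[A-Za-z0-9._-]+$'
$users = Get-ADUser -Filter * -Properties userPrincipalName
foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if (-not $upn) { Write-Warning "$($u.SamAccountName): no UPN set"; continue }
    $suffix = $upn.Split('@')[-1]
    if ($upn -notmatch '@' -or $suffix -notmatch $allowedSuffix) {
        Write-Warning "$($u.SamAccountName): UPN suffix '$suffix' is not valid"
    }
}

# 3. Duplicate UPNs across users.
$users | Where-Object userPrincipalName | Group-Object userPrincipalName |
    Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning "Duplicate UPN $($_.Name): $($_.Group.SamAccountName -join ', ')"
    }

# Duplicate proxyAddresses across every mail-enabled object (users, groups, contacts).
Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses | ForEach-Object {
    $obj = $_
    $obj.proxyAddresses | ForEach-Object {
        [pscustomobject]@{ Address = $_.ToLower(); Object = $obj.Name }
    }
} | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Duplicate proxyAddress $($_.Name): $($_.Group.Object -join ', ')"
}

# 4. Groups: member, alias (assumed to be mailNickname) and displayName should be populated.
Get-ADGroup -Filter * -Properties member, mailNickname, displayName | ForEach-Object {
    $missing = @()
    if (-not $_.member)       { $missing += 'member' }
    if (-not $_.mailNickname) { $missing += 'mailNickname' }
    if (-not $_.displayName)  { $missing += 'displayName' }
    if ($missing) { Write-Warning "Group $($_.Name) is missing: $($missing -join ', ')" }
}
```

The script only reports; it changes nothing, so it can be run repeatedly before and after remediation to confirm the directory is clean.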

Now, all of that said, in identifying the things you should be aware of prior to performing your first Active Directory Connect synchronization, know that you don't have to remember all of this information outside of, you know, maybe, possibly, a test question. Microsoft has provided a cleanup tool for us that will do a lot of these things on our behalf, and that tool is called IdFix, which will automatically scan for the issues that I've just pointed out, as well as the other ones that I've referenced for you to go look up at your leisure.

But this is the tool you should be aware of that helps with the cleanup, and in the next lesson, we'll go ahead and install and run that tool.


Network and system admins can prepare on-premises directories and connect to Azure to take advantage of managing Office 365 groups and users using common identities. Preparation, setup, and administration steps are demonstrated in this course using the Azure Active Directory (AAD) Connect tool. This course is designed to provide you with a better understanding of domain controllers, identity management, synchronization, and more. This course is also an exam preparation resource with topics that map to a corresponding domain in the Office 365 70-346 exam: Managing Office 365 Identities and Requirements.

Topics include:

  • Active Directory Connect and Office 365

  • Planning for non-routable domain names

  • Cleaning up Active Directory objects

  • Using the IDFix tool

  • Filtering Active Directory

  • Using AAD install

  • Synchronizing passwords and attributes

  • Creating and managing users and groups

  • Scheduling and forcing AD synchronization
