Peter van der Woude

How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 3: Configure directory synchronization



In the first part of this blog series I went through the introduction and the prerequisites, and in the second part I went through the installation and configuration of AD FS. This third part of the blog series will be all about configuring, configuring and configuring. First it's required to add the public domain name to the Microsoft Online Services, then I'll add the public domain name as a UPN to the users, and then I'll enable Active Directory synchronization.

Enable Active Directory Synchronization
The first thing is that I have to enable Active Directory synchronization in the Microsoft Online Services. This allows me to synchronize our on-premises users to the Azure AD.

  • First connect to the Microsoft Online Services by using the following commands. The first command prompts for credentials; in the credentials dialog box provide the credentials of the Microsoft Intune subscription. The second command uses those credentials to connect.
    • $cred = Get-Credential
    • Connect-MsolService -Credential $cred
    • (Screenshot: SSO_Intune_Cred.jpg)
  • After that it’s possible to enable Active Directory synchronization by using the following command.
    • Set-MsolDirSyncEnabled -EnableDirSync $true
  • After using the command to enable Active Directory synchronization it’s required to confirm the action by simply answering with Y.
    • (Screenshot: SSO_AD_Sync.jpg)
  • To verify a successful configuration, simply log on to the Account portal and verify the Active Directory synchronization setting by navigating to Management > Users. It should display the following information.
    • (Screenshot: SSO_AD_Sync_Active.jpg)
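The two commands above do the job, but they give no feedback about whether the tenant is actually ready for synchronization. The following script is an added example (my own code, not Peter's and not part of the original post): it connects with the same prompt, checks that the public domain is verified in the tenant before switching synchronization on, skips the switch if it is already on, and then reads back the same setting the Account portal shows. It assumes the MSOnline module is installed and uses petervanderwoude.nl as the public domain name, the value used elsewhere in this post.

```powershell
# Added example, not from the original post. Assumes the MSOnline module and the
# public domain name petervanderwoude.nl used in the rest of this post.
Import-Module MSOnline

$publicDomain = 'petervanderwoude.nl'

# Prompt for the Microsoft Intune subscription credentials and connect.
$cred = Get-Credential -Message 'Microsoft Intune subscription administrator'
Connect-MsolService -Credential $cred

# Single sign-on only works for users whose UPN suffix is a domain the tenant has
# verified. Check that before enabling synchronization, so the first sync does not
# produce a batch of users with the wrong UPN.
$domain = Get-MsolDomain -DomainName $publicDomain
if (-not $domain -or $domain.Status -ne 'Verified') {
    throw "Domain $publicDomain is not verified in the tenant; verify it before enabling synchronization."
}
Write-Host "Domain $publicDomain is verified (authentication: $($domain.Authentication))"

# Enable directory synchronization only when it is not on yet. The cmdlet asks for
# confirmation (answer Y), exactly as in the manual step above.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    Write-Host 'Directory synchronization is already enabled, nothing to do.'
} else {
    Set-MsolDirSyncEnabled -EnableDirSync $true
}

# Read the setting back. This is the same information the Account portal displays
# under Management > Users; LastDirSyncTime stays empty until the first sync has run.
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirectorySynchronizationEnabled = $company.DirectorySynchronizationEnabled
    LastDirSyncTime                 = $company.LastDirSyncTime
}
```

Run it once before installing the synchronization tool; if it throws on the domain check, go back to the domain verification step of the earlier parts of the series instead of continuing.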

Add public User Principal Name to users
To enable the user to use the public domain name to logon to their devices, and the Microsoft Online Services, it’s necessary to add the public domain name as their primary User Principal Name (UPN). These configurations will be done through PowerShell.

  • To add a UPN suffix for a forest use the following command. In that command the Identity is the forest name and the UPNSuffixes is the public domain name.
    • Set-ADForest -Identity "PTCLOUD" -UPNSuffixes @{Add="petervanderwoude.nl"}
  • To verify the success of the PowerShell action, simply open the Properties of Active Directory Domains and Trusts and check the UPN Suffixes tab.
    • (Screenshot: SSO_ADDT_UPN.jpg)
  • To set the UPN as a user’s primary UPN use the following command. In that command the SearchBase is the OU that contains the required users and the UserPrincipalName is the public domain name.
    • Get-ADUser -Filter * -SearchBase 'OU=NORMAL USERS,OU=USERS,OU=PTCLOUD,DC=PTCLOUD,DC=LOCAL' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@petervanderwoude.nl" }
  • To verify the success of the PowerShell action, simply open the Properties of one of the users and check the Account tab.
    • (Screenshot: SSO_ADDS_Prop.jpg)

Install and configure Microsoft Azure Active Directory Sync Services
The next thing is to install and configure the Microsoft Azure Active Directory Sync Services. This tool will allow us to synchronize the on-premises user with the Azure AD.

  • On the Welcome to Azure AD Sync page, specify an Installation path, select I agree to the License terms and click Install.
    • (Screenshot: SSO_AADSS_1.jpg)
  • On the Connect to Azure AD page, specify the credentials of the Microsoft Intune subscription and click Next.
    • (Screenshot: SSO_AADSS_2.jpg)
  • On the Connect to AD DS page, specify the information of the on-premises forest (see prerequisites) and click Add Forest.
    • (Screenshot: SSO_AADSS_3.jpg)
  • After the forest is added click Next.
    • (Screenshot: SSO_AADSS_4.jpg)
  • On the Uniquely identifying your user page, click Next.
  • On the Optional features page, click Next.
  • On the Ready to configure page, click Configure.
  • On the Finished page, click Finish.

Verify user synchronization
After setting up the user synchronization it’s important to verify the success.

  • In the Account portal, navigate to Management and click Users. In the Users overview it should start showing the synchronized users.
    • (Screenshot: SSO_Intune_SynchronizedUsers.jpg)
    • Note: In my overview it shows a user with the public domain name UPN, a user without, and the initial administrator.
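The one-liner in the UPN section rewrites every user in the OU without showing what it is about to do, and the portal check at the end is manual. The script below is an added example (my own code, not Peter's and not part of the original post) that covers both the UPN step and this verification step: it registers the suffix on the forest only if it is missing, rewrites only the users that still have another suffix, supports a dry run, and after the synchronization tool has run it reports which users arrived in Azure AD with the public UPN. It assumes the ActiveDirectory and MSOnline modules, the forest, OU and domain name used in this post, and a `-DryRun` switch of my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and MSOnline
# modules; the defaults below are the forest, OU and public domain used in this post.
param(
    [string]$PublicDomain = 'petervanderwoude.nl',
    [string]$SearchBase   = 'OU=NORMAL USERS,OU=USERS,OU=PTCLOUD,DC=PTCLOUD,DC=LOCAL',
    [switch]$DryRun       # report what would change, change nothing
)
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Register the suffix on the forest when it is not there yet (same as the Set-ADForest
#    step). Set-ADUser accepts any suffix, but only a registered one is offered in the
#    Account tab of Active Directory Users and Computers, which keeps admins consistent.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    Write-Host "Adding UPN suffix $PublicDomain to forest $($forest.Name)"
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $PublicDomain} -WhatIf:$DryRun
}

# 2. Rewrite only the users in the OU that still carry another suffix; leave the rest alone
#    so the script can be re-run safely.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties userPrincipalName
foreach ($user in $users) {
    $wanted = "$($user.SamAccountName)@$PublicDomain"
    if ($user.UserPrincipalName -eq $wanted) {
        Write-Host "ok       $wanted"
        continue
    }
    Write-Host "rewrite  $($user.SamAccountName): $($user.UserPrincipalName) -> $wanted"
    Set-ADUser -Identity $user -UserPrincipalName $wanted -WhatIf:$DryRun
}

# 3. After Azure AD Sync has run, compare with the tenant. A synchronized user whose
#    on-premises UPN suffix is not a verified domain shows up with the tenant's
#    .onmicrosoft.com UPN instead (the 'user without' in the screenshot above) and does
#    not get single sign-on, so report every user that is not found under the public UPN.
if (-not $DryRun) {
    $cred = Get-Credential -Message 'Microsoft Intune subscription administrator'
    Connect-MsolService -Credential $cred

    # LastDirSyncTime is only set on accounts that came from directory synchronization.
    $synced = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }

    foreach ($user in $users) {
        $wanted = "$($user.SamAccountName)@$PublicDomain"
        $cloud  = $synced | Where-Object { $_.UserPrincipalName -eq $wanted }
        if ($cloud) {
            Write-Host "synced   $wanted (last sync $($cloud.LastDirSyncTime))"
        } else {
            Write-Warning "missing  $wanted is not in Azure AD with the public UPN; check the suffix on-premises and wait for the next synchronization cycle"
        }
    }
}
```

Save it as a .ps1 and run it first with `-DryRun` to see the rewrite list; the `-WhatIf:$DryRun` on the two Set- cmdlets turns that into a no-op run. Users whose UPN is rewritten should log on with the new UPN afterwards, which is exactly what the public domain name is added for.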
