Choose the solution suits you

There are two solution for the Hybrid AD: Password Hash Sync or Pass-through Authentication. See the explaination, go here:

i will use Password Hash Sync in my example as it is the simplest way to enable authentication for on-premises directory object in Azure AD.


  • setup on premises AD

Create Directory on Azure

When you create a Azure account, system create a default directory for you based on your registered account email. To create a AD with same name as your on premises AD, go to the Azure Active directory in Azure Portal, click “Create a Directory” in the right bottom corner.

Then type your Organization name, which is a title of this Directory and initial Domain name, which will be added in front of; select the Country where you reside.

After the creation, you can switch to the directory and check the setting. To enable the AD connect, I would like to create an account(ADconnect) for this service. tick Show password to note down the temporary password.

Don’t try to connect to Azure now, the password created here should be changed before the account is ready to go. Or you will receive error message “azure the password has expired updated password and try again” when you logon the AD connect.

Go to in web browser, logon with this account, type the temporary password to login, it will ask you to setup your own password, type the temporary password and a password and confirm. now you are ready to go!

Go back to Azure portal, click Azure AD connect, then click Download Azure AD connect, it open the page to download this tool. On the on premises Domain controller, logon with Domain Admin, open this page, download.

  1. Navigate to and double-click AzureADConnect.msi.
  2. On the Welcome screen, select the box agreeing to the licensing terms and click Continue.
  3. On the Express settings screen, click Use express settings.
  4. On the Connect to Azure AD screen, enter the username ( and password of a global administrator for your Azure AD. Click Next.
  5. On the Connect to AD DS screen, enter the username and password for an enterprise admin account. You can enter the domain part in either NetBios or FQDN format, that is, FRANKFU\frank or FRANKFU.CLICK\frank. Click Next.
  6. The Azure AD sign-in configuration page only shows if you did not complete verify your domains in the prerequisites. Unverified domains
    If you see this page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains. On the Ready to configure screen, click Install.

  7.  Click the start menu, go to “Azure AD Connect”, Open the “Synchronization Service”, you can find the Sync interval is 30 minutes, and status. Double check on the Azure portal, the status tells the same.

    By now the AD Password Hash Sync is setup.


Disconnect from Azure AD


Open PowerShell (Run as Administrator).

Install Microsoft Online module for Azure Active directory using the following command:

Install-Module -Name MSonline

If prompted to continue, input “Y” and press enter. Any subsequent confirmations can be accepted by inputting “A” for “Yes to All” and pressing Enter.

Input login credentials using the following PowerShell command:

$msolcredential = get-credential

You will be prompted to authenticate. Use the global administrator account within your Azure Active Directory tenant (ex. and the corresponding password.

Initiate Connection to Azure Active Directory using the following PowerShell command:

connect-msolservice -credential $msolcredential

Uninstall Azure AD Connect application (and services) from your local domain environment using Control Panel.

Once you have AD Connect uninstalled, you will still need to disable the service through Azure Active Directory. To do so, use the following PowerShell command.

Set-MsolDirSyncEnabled -EnableDirSync $false

You will be prompted to confirm, press Y to confirm and then press Enter.

To verify that directory sync was fully disabled, use the following PowerShell command:


A returned value of False will validate the deactivation.