Built by Musah Issah | IT Support Specialist | U.S. Air Force Reserves | CompTIA Security+ | Active DoD Secret Clearance
This lab documents the complete build of a Microsoft Entra ID (Azure AD) Hybrid Identity environment — syncing 51 on-premises Active Directory users from a Windows Server 2022 domain controller running in Hyper-V to Microsoft Azure Entra ID, with MFA enforced via Security Defaults.
This is a real home lab build — including the errors I hit, how I diagnosed them, and how I fixed them. Every screenshot is genuine.
┌─────────────────────────────────┐ ┌──────────────────────────────────┐
│ ON-PREMISES (Hyper-V) │ │ MICROSOFT AZURE CLOUD │
│ │ │ │
│ Windows Server 2022 (DC-01) │ │ Microsoft Entra ID │
│ Domain: company.org │◄───────►│ Tenant: musahissahghoutlook │
│ 51 AD Users across OUs: │ Entra │ .onmicrosoft.com │
│ - Finance │ Connect │ │
│ - IT-DEPT │ Sync │ 54 Users (51 synced + 3 cloud) │
│ - Sales │ │ Security Defaults: ENABLED │
│ - Users │ │ MFA: ENFORCED for all users │
└─────────────────────────────────┘ └──────────────────────────────────┘
| Technology | Purpose |
|---|---|
| Windows Server 2022 (Hyper-V) | On-premises domain controller |
| Active Directory Domain Services | Identity source — 51 users |
| Microsoft Entra Connect Sync v2.6.3.0 | Hybrid identity sync engine |
| Microsoft Entra ID (Azure AD) | Cloud identity platform |
| Microsoft Azure (Free Tier) | Cloud infrastructure |
| PowerShell | Automation and sync management |
| Security Defaults | MFA enforcement for all users |
- Created Microsoft Azure free account
- Accessed Microsoft Entra admin center as Global Administrator
- Added musahissahghoutlook.onmicrosoft.com as alternative UPN suffix in on-premises Active Directory Domains and Trusts
- Updated test user arobinson's UPN to arobinson@musahissahghoutlook.onmicrosoft.com
- Verified domain status as Available in Entra ID Custom Domain Names
Screenshot: Azure Portal → Entra Admin Center → Domain Verified
- Opened Active Directory Domains and Trusts on DC-01
- Added musahissahghoutlook.onmicrosoft.com as Alternative UPN Suffix
- Updated user accounts in ADUC to use the new UPN suffix
- This step is critical: a user whose UPN suffix is not a verified domain in the tenant still syncs, but Entra Connect rewrites the suffix to the tenant's initial .onmicrosoft.com domain, so the cloud UPN no longer matches the on-premises one and the user cannot sign in with the identity they expect
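The UPN step above is easy to get half right (suffix added to the forest, but a few users in one OU still on @company.org). The following pre-flight check is an added example written for this write-up, not a script from the original lab: it registers the suffix on the forest if it is missing and then reports every user in the OUs selected for sync whose UPN suffix does not match the tenant domain, so you can fix them before the first sync rewrites their cloud UPN. It assumes the ActiveDirectory RSAT module on DC-01 and the OU distinguished names below; the lab's Users OU is assumed to be an OU, not the default CN=Users container.

```powershell
# Added example (not from the original lab): pre-flight UPN suffix check before the first sync.
# Assumes: run on DC-01 with the ActiveDirectory module; OU DNs below match this lab's OUs.
Import-Module ActiveDirectory

$TenantDomain = 'musahissahghoutlook.onmicrosoft.com'
$SyncedOUs = @(
    'OU=Finance,DC=company,DC=org',
    'OU=IT-DEPT,DC=company,DC=org',
    'OU=Sales,DC=company,DC=org',
    'OU=Users,DC=company,DC=org'      # assumption: Users is an OU in this lab, not CN=Users
)

# 1. Make sure the suffix is registered on the forest (idempotent: only adds if absent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $TenantDomain }
    Write-Host "Added alternative UPN suffix $TenantDomain to forest $($forest.Name)" -ForegroundColor Cyan
}

# 2. Report every user in the selected OUs whose UPN suffix Entra ID will not be able to match.
$mismatched = foreach ($ou in $SyncedOUs) {
    Get-ADUser -Filter * -SearchBase $ou |
        Where-Object {
            # Empty UPN or a suffix other than the tenant domain gets rewritten at sync time
            -not $_.UserPrincipalName -or $_.UserPrincipalName.Split('@')[-1] -ne $TenantDomain
        } |
        Select-Object SamAccountName, UserPrincipalName, @{ n = 'OU'; e = { $ou } }
}

if ($mismatched) {
    Write-Warning "$(@($mismatched).Count) user(s) would sync with a suffix Entra ID cannot match:"
    $mismatched | Format-Table -AutoSize
} else {
    Write-Host "All users in the selected OUs use @$TenantDomain" -ForegroundColor Green
}
```

Run it before the Entra Connect wizard and again after any bulk UPN change; an empty report means the wizard's UPN mismatch warning can be safely clicked through, a non-empty one means those users will land in the tenant under a different sign-in name than they have on-prem.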
- Downloaded Entra Connect v2.6.3.0 from Entra Admin Center (not Microsoft Download Center — this changed in 2025)
- Ran custom installation wizard selecting Password Hash Synchronization
- Connected on-premises forest company.org and configured the MSOL service account with directory replication permissions
- Selected OUs: Finance, IT-DEPT, Sales, Users (excluded Builtin, Computers, Domain Controllers)
- Clicked through UPN mismatch warning by selecting "Continue without matching all UPN suffixes"
- Opened Synchronization Service Manager on DC-01
- Confirmed 18 successful sync runs across both connectors
- Verified 54 users in Entra ID → All Users with On-premises sync enabled: Yes
- Users from all OUs synced successfully
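Checking the result from the cloud side is worth scripting rather than scrolling through All Users, both to confirm the 51/3 split and to make sure the only cloud-only accounts are the ones you created on purpose (an unexpected cloud-only account is a finding, not a rounding error). This is an added example for this write-up, not part of the original lab; it assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in as the syncadmin account.

```powershell
# Added example (not from the original lab): verify sync results via Microsoft Graph.
# Assumes: Microsoft.Graph module installed; signed in as a tenant admin (e.g. syncadmin).
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$users = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled,
                                    OnPremisesDistinguishedName, OnPremisesLastSyncDateTime

$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

Write-Host "Total users : $($users.Count)"
Write-Host "Synced      : $($synced.Count)"
Write-Host "Cloud-only  : $($cloudOnly.Count)"

# Every cloud-only account should be one you created deliberately (syncadmin, the tenant owner, ...).
Write-Host "`nCloud-only accounts (review each one):" -ForegroundColor Cyan
$cloudOnly | Select-Object UserPrincipalName | Format-Table -AutoSize

# Break synced users down by their on-prem OU (parent of the DN) to confirm each selected OU came across.
Write-Host "Synced users by source OU:" -ForegroundColor Cyan
$synced |
    Group-Object { ($_.OnPremisesDistinguishedName -split ',', 2)[1] } |
    Sort-Object Name |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Any synced user whose UPN suffix is not the tenant domain had it rewritten at sync time.
$rewritten = $synced | Where-Object { $_.UserPrincipalName -notlike '*@musahissahghoutlook.onmicrosoft.com' }
if ($rewritten) {
    Write-Warning "Synced users with an unexpected UPN suffix:"
    $rewritten | Select-Object UserPrincipalName, OnPremisesDistinguishedName | Format-Table -AutoSize
}
```

For this lab the expected output is 54 total, 51 synced, 3 cloud-only, with the OU breakdown summing to 51 and no rewritten suffixes.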
- Enabled Security Defaults in Entra ID → Properties
- Security Defaults enforces:
  - Every user is prompted to register for MFA at their first cloud sign-in (registration can be deferred for up to 14 days)
  - MFA always required for admin accounts
  - Users are prompted for MFA when Microsoft deems it necessary (for example a new device or application), not on every sign-in
  - Legacy authentication blocked
  - All users must register MFA within 14 days
- Tested MFA enforcement: signed in as synced user arobinson and was immediately prompted for MFA setup
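A screenshot of the registration prompt proves the policy fired once; the check below proves it is still on and lets you see which authentication methods a given synced user has actually registered. This is an added example for this write-up, not a script from the original lab. It assumes the Microsoft.Graph SDK and a Global Administrator sign-in; the user checked is the lab's arobinson, and `Get-RegisteredAuthMethods` is a helper defined here, not an SDK cmdlet.

```powershell
# Added example (not from the original lab): confirm Security Defaults is on and inspect
# a synced user's registered authentication methods.
# Assumes: Microsoft.Graph module installed; signed in as Global Administrator (syncadmin).
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Tenant-wide check: is Security Defaults enabled?
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security Defaults: ENABLED" -ForegroundColor Green
} else {
    Write-Warning "Security Defaults is DISABLED: legacy auth is allowed and no MFA baseline applies."
    # To turn it on (needs the Policy.ReadWrite.ConditionalAccess scope):
    #   Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
}

# 2. Per-user check: which methods has this user registered?
function Get-RegisteredAuthMethods {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Each method comes back as a polymorphic Graph object; the concrete type is in @odata.type
    Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | ForEach-Object {
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }
}

$upn     = 'arobinson@musahissahghoutlook.onmicrosoft.com'   # synced test user from this lab
$methods = @(Get-RegisteredAuthMethods -UserPrincipalName $upn)

# A password is always listed; anything beyond it is a second factor.
$secondFactors = $methods | Where-Object { $_ -ne 'passwordAuthenticationMethod' }
if ($secondFactors) {
    Write-Host "$upn has registered: $($secondFactors -join ', ')" -ForegroundColor Green
} else {
    Write-Warning "$upn has only a password registered: MFA setup not completed (14-day grace period under Security Defaults)."
}
```

Run the per-user part for a handful of synced users a few days after go-live; the 14-day grace period means "Security Defaults enabled" and "every user actually has a second factor" are two different statements.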
This section is the most valuable part of this repo. Real projects have real problems.
What happened: When the Entra Connect wizard asked to connect to Microsoft Entra ID, I entered my personal Outlook account (musah.issah.gh@outlook.com). Got error: User account from identity provider 'live.com' does not exist in tenant 'Microsoft Services'
Root cause: Entra Connect needs an account that exists in the target Entra tenant and holds the Global Administrator or Hybrid Identity Administrator role. A personal Outlook account lives in the consumer 'live.com' identity provider, not in the tenant, which is why the error names a tenant the account does not belong to.
Fix: Created a dedicated admin account syncadmin@musahissahghoutlook.onmicrosoft.com with Global Administrator role directly inside the Entra tenant, then used that account in the wizard.
Lesson: Always use a cloud-only @yourtenant.onmicrosoft.com account for Entra Connect, never a personal Microsoft account. The wizard only needs this account during installation; the ongoing sync runs under a separate Sync_<server>_<id> connector account that the wizard creates in the tenant, so the admin account should keep MFA and is never excluded from Security Defaults.
What happened: Tried to sign up for the Microsoft 365 Developer Program to get a free E5 tenant with Conditional Access. Got message: "You don't currently qualify for a Microsoft 365 Developer Program sandbox subscription."
Root cause: Microsoft tightened eligibility in 2024–2025. Accounts without active development activity on GitHub or Visual Studio are often denied.
Fix: Used the existing Azure free account tenant instead. The Entra ID Free tier that comes with every Azure account was sufficient to run Entra Connect and sync users. For MFA, used Security Defaults (no license required) instead of Conditional Access (requires P1/P2).
Lesson: The M365 Developer sandbox denial is extremely common. The Azure free tenant works perfectly for hybrid identity labs. Security Defaults gives you the same tenant-wide MFA baseline for free; what you give up is the ability to scope, exclude or add conditions, which is what Conditional Access would buy.
What happened: During the final configuration step, Entra Connect tried to register itself as an application in the tenant but failed with: Application with identifier '0ca877e8...' was not found in the directory 'Microsoft Services'
Root cause: The wizard was still authenticated with the personal Outlook account from a previous failed attempt. The app registration tried to go to Microsoft Services (the personal account tenant) instead of my actual Entra tenant.
Fix:
- Found and deleted the orphaned app registration from Azure → App registrations → All applications
- Created the syncadmin@musahissahghoutlook.onmicrosoft.com account properly
- Signed that account into the Azure portal and completed password activation
- Reran the Entra Connect wizard using the syncadmin account — completed successfully
Lesson: When Entra Connect fails mid-installation, always clean up orphaned app registrations before rerunning. Check Azure → App Registrations → All Applications for any entries created on the failed run date.
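The cleanup can be scripted so you review every registration created on the failed-run date before anything is deleted. This is an added example for this write-up, not part of the original lab; it assumes the Microsoft.Graph SDK, an Application Administrator or Global Administrator sign-in, and the `$FailedRunDate` value is a placeholder you replace with the actual date of the failed install.

```powershell
# Added example (not from the original lab): find and, after review, remove app registrations
# created on the day of a failed Entra Connect run.
# Assumes: Microsoft.Graph module installed; signed in with Application.ReadWrite.All rights.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$FailedRunDate = Get-Date '2025-01-15'   # placeholder: set to the date of the failed install

$candidates = @(
    Get-MgApplication -All -Property Id, AppId, DisplayName, CreatedDateTime |
        Where-Object { $_.CreatedDateTime.Date -eq $FailedRunDate.Date }
)

if ($candidates.Count -eq 0) {
    Write-Host "No app registrations were created on $($FailedRunDate.ToString('yyyy-MM-dd'))."
    return
}

Write-Host "App registrations created on $($FailedRunDate.ToString('yyyy-MM-dd')):" -ForegroundColor Cyan
$candidates | Select-Object DisplayName, AppId, CreatedDateTime | Format-Table -AutoSize

foreach ($app in $candidates) {
    # Never delete blindly: something else created the same day may be unrelated to Entra Connect.
    $answer = Read-Host "Delete '$($app.DisplayName)' ($($app.AppId))? [y/N]"
    if ($answer -eq 'y') {
        Remove-MgApplication -ApplicationId $app.Id
        Write-Host "Removed $($app.DisplayName)" -ForegroundColor Yellow
    } else {
        Write-Host "Kept $($app.DisplayName)"
    }
}
```

Deleting an app registration is a soft delete: it moves to Deleted applications and can be restored for 30 days, so a wrong click here is recoverable, but the prompt is still there because a registration created on the same day may belong to something else entirely.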
What happened: Navigated to Identity → Protection → Conditional Access → tried to create a policy — the Create button was unclickable.
Root cause: Conditional Access requires Microsoft Entra ID P1 or P2 license. Azure free tier only includes Entra ID Free.
Fix: Switched to Security Defaults, which puts a baseline MFA requirement on the whole tenant without a paid license. This is the Microsoft-recommended configuration for organizations without P1/P2 licensing.
Lesson: Understand the licensing model. Security Defaults = free, tenant-wide, all-or-nothing baseline (no exclusions, no per-app or per-location conditions, and it cannot be combined with Conditional Access policies). Conditional Access = paid, granular policy control. For a home lab, Security Defaults achieves the goal that matters: MFA in front of every account.
```powershell
# Force an immediate delta sync from on-prem AD to Microsoft Entra ID
# Run on the server where Entra Connect is installed (DC-01)
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
Write-Host "Starting Entra Connect delta sync..." -ForegroundColor Cyan
Start-ADSyncSyncCycle -PolicyType Delta
Write-Host "Sync initiated. Check Synchronization Service Manager for results." -ForegroundColor Green
```

```powershell
# Bulk update UPN suffix for all users in a specific OU
# Run on DC-01 (or any host with the ActiveDirectory RSAT module)
Import-Module ActiveDirectory
$NewSuffix = '@musahissahghoutlook.onmicrosoft.com'
$OUPath = 'OU=Users,DC=company,DC=org'
$users = Get-ADUser -Filter * -SearchBase $OUPath
foreach ($user in $users) {
    # UPN prefix stays the sAMAccountName so the cloud sign-in name matches the on-prem one
    $newUPN = $user.SamAccountName + $NewSuffix
    Set-ADUser $user -UserPrincipalName $newUPN   # add -WhatIf to preview before changing anything
    Write-Host "Updated: $($user.SamAccountName) -> $newUPN" -ForegroundColor Green
}
```

```powershell
# Check ADSync service status and scheduler state
Get-Service ADSync
# SyncCycleInProgress is the scheduler's "currently running" flag
Get-ADSyncScheduler | Select-Object NextSyncCycleStartTimeInUTC, SyncCycleInProgress, SyncCycleEnabled
```

See docs/security-decisions.md for full documentation.
Summary: Security Defaults enabled — enforcing MFA for all 54 users including 51 synced from on-premises AD. This is the Microsoft-recommended baseline security configuration for organizations without Entra ID P1/P2 licensing.
- Entra Connect only downloads from the Entra Admin Center — not the Microsoft Download Center (changed in 2025)
- Personal Microsoft accounts cannot be used for Entra Connect — always create a dedicated cloud-only admin account in your tenant
- The M365 Developer Sandbox denial is common — the Azure free tenant is sufficient for hybrid identity labs
- Clean up failed installations before retrying — orphaned app registrations cause AADSTS700016 errors
- UPN suffix matching is critical: if a user's suffix is not a verified domain in the tenant, Entra Connect rewrites it to the initial .onmicrosoft.com domain, so the cloud identity no longer matches the name the user expects to sign in with
- Security Defaults is not a consolation prize — it's a legitimate, widely-used enterprise security baseline
| Metric | Value |
|---|---|
| Build time | ~6 hours including troubleshooting |
| Users synced | 51 on-premises users |
| Total users in Entra | 54 (including cloud-only admin accounts) |
| Sync runs completed | 18 (visible in Synchronization Service Manager) |
| Errors encountered | 4 |
| Errors resolved | 4 |
| MFA enforced | Yes — Security Defaults |
Musah Issah IT Support Specialist | New York, NY
- LinkedIn: linkedin.com/in/musah-issah-925ba2313
- Email: Babsissa90@gmail.com
- CompTIA Security+ | Microsoft Azure Fundamentals (AZ-900) | Active DoD Secret Clearance
- U.S. Air Force Reserves — Health Care Administration Specialist
This is Project 5 of my 10-project IT Support Portfolio. See my LinkedIn for the full series.