Microsoft recently announced that Azure AD Connect Cloud Sync had reached GA (general availability), adding another option for directory synchronization with Microsoft 365. This article provides a background on directory synchronization and why it is fundamental for your journey to the cloud. Then we will discuss the solutions and give you the information you need to pick the right solution. Let’s begin with some basics.
Rather watch or listen to a video? Jeff joins Steve Goodman to discuss the important info you need to know before you consider implementation in this new featured video.
What is Azure AD Sync, and Why Do I Need It?
Most organizations run Active Directory on-premises. This directory is usually the source of authority for all users, groups, and computers in a Windows domain. The domain provides a way to centrally manage accounts, passwords, policies, and permissions on-premises.
When an on-premises organization decides to use Microsoft 365, it needs a way to bring those on-premises accounts into Azure AD to use the new cloud services like Exchange Online, Teams, SharePoint Online, etc. Most organizations want to use their existing on-premises accounts rather than create new accounts and manage different passwords. That is where Azure AD Connect comes in. Both Azure AD Connect and Azure AD Connect Cloud Sync synchronize and link objects from AD to Azure AD and synchronize password hashes (not passwords) to maintain a single sign-on experience.
Azure AD Connect
Azure AD Connect has a long and storied past. It is based on Microsoft Identity Manager (MIM), which is used to bridge multiple on-premises authoritative systems and authentication stores. MIM is the sixth generation of Microsoft identity management solutions since they bought two similar technologies in 1997 and 1999.
While MIM can be expensive and bridges multiple authoritative directories, Azure AD Connect is free and purpose-built to bridge Active Directory with Azure Active Directory. This is known as hybrid identity.
Azure AD Connect is installed on an on-premises domain-joined server and is even supported to be installed on a domain controller. It only requires an outbound HTTPS connection to Microsoft 365 servers.
Capabilities
Since its humble beginnings of syncing a single AD to a single Azure AD tenant, Azure AD Connect’s capabilities have expanded significantly. Currently, this includes:
- Synchronization between:
  - Single forest, single Azure AD tenant.
  - Multiple forests, single Azure AD tenant.
  - Single or multiple forests, multiple Azure AD tenants (each object may be represented in only one tenant).
  - LDAPv3-compatible identity stores.
- Password Hash Synchronization (PHS) – use Azure AD as your organization’s identity provider by synchronizing password hashes to Azure AD.
- Pass-Through Authentication (PTA) – use your organization’s Domain Controllers as your identity provider without having to deploy a full-blown AD FS configuration.
- Federation integration with Active Directory Federation Services (AD FS).
- Health monitoring of both Active Directory and the synchronization process.
- Accommodating up to 10GB of database space (up to 100,000 objects) using LocalDB. If your organization exceeds this limit, use a full SQL Server.
- Organizational Unit, group, or attribute filtering.
- Exchange hybrid writeback capabilities for organizations with Exchange Server.
- Exchange Public Folder address synchronization for directory-based edge blocking.
- Password writeback capabilities to support self-service password reset (SSPR).
- Office 365 Group writeback to prevent email address overlaps.
- Directory extension attribute synchronization to extend the schema in Azure AD to include specific attributes consumed by LOB apps and Microsoft Graph Explorer.
- Robust synchronization rule editing capabilities.
- Seamless single sign-on (SSSO) capabilities that allow domain-joined users and computers to access Microsoft 365 workloads without being prompted to sign-in every time.
- Hybrid Azure AD Join capabilities.
- Device writeback capabilities that allow organizations to use on-premises conditional access and Windows Hello.
- Synchronizing directory changes every 30 minutes, and password hash changes on a separate cycle of roughly every two minutes when password hash sync is enabled.
Azure AD Connect Cloud Sync
Microsoft recognizes the irony that an organization's cloud-first journey begins by installing more software on-premises. Azure AD Connect Cloud Sync is a cloud-service alternative to the Azure AD Connect software. The organization deploys one or more lightweight provisioning agents on-premises to bridge AD and Azure AD, and all configuration is done in the cloud.
The service provides some of the features and capabilities that Azure AD Connect provides, making it useful for some merger and acquisition scenarios. It is important to note that Azure AD Connect Cloud Sync does not support Exchange hybrid, which reduces the number of useful scenarios.
Capabilities
Azure AD Connect Cloud Sync has many of the same features and capabilities as Azure AD Connect with the following differences:
- Lightweight agent installation model.
- Adds high availability using multiple agents.
- Allows connectivity to multiple disconnected on-premises AD forests.
- Synchronizes directory changes more frequently than Azure AD Connect (every two minutes rather than every 30 minutes).
- Can be used in addition to Azure AD Connect.
- Does not support Exchange hybrid writeback.
- Does not support LDAPv3-compatible identity stores.
- Does not support device objects.
- No hybrid Azure AD join.
- No support for Windows Hello.
- Does not support directory extension attribute synchronization.
- Does not support Pass-Through Authentication (PTA).
- Does not support synchronization rule editing capabilities.
- Does not support writeback for passwords, devices, or groups.
- Does not support cross-domain references.
As you can see, there are several gaps in functionality that limit the use of Azure AD Connect Cloud Sync. Microsoft will likely close some of these gaps in future updates; because this is a cloud-based service, they can iterate quickly. I would not expect Exchange hybrid support anytime soon, though.
Appropriate Use Cases for Each
Choosing which directory synchronization solution to use requires a full understanding of what your organization’s needs are.
Azure AD Connect has the most features and compatibility. Almost all customers I encounter use Exchange Server or Exchange Online. The lack of Exchange hybrid support with Azure AD Connect Cloud Sync limits the use of that solution.
If you don’t need Exchange hybrid support or any of the other unsupported features, Azure AD Connect Cloud Sync can be a quick and easy way to configure AD directory synchronization with Azure AD. Examples include mergers and acquisitions where the organization being acquired has limited IT experience. By installing a simple, lightweight agent on a domain server, the acquiring organization can configure and manage directory synchronization from their tenant.
The marketing slides and videos introducing Azure AD Connect Cloud Sync often talk about the “heavy infrastructure investment” required for Azure AD Connect. A LocalDB database is installed with Azure AD Connect and has a 10GB limit (about 100,000 objects). Unless your organization’s Active Directory exceeds this, there is no requirement for additional infrastructure at all. Azure AD Connect can be installed on any existing domain-joined server running Windows Server 2012 or later or directly on a domain controller. It only requires an outbound HTTPS connection to the Internet.
Organizations with over 100,000 objects would likely save money with Azure AD Connect Cloud Sync since it does not require a full SQL server deployment. Still, organizations this size are usually running Exchange.
A scenario where Azure AD Connect Cloud Sync might be useful is one where an organization has AD on-premises but uses Google Workspace for email. This organization can sync their directory to Azure AD and then begin migrating Google mail to Exchange Online.
Azure AD Connect Cloud Sync is also the appropriate choice when connecting multiple disconnected on-premises AD forests, because Azure AD Connect requires line-of-sight network connectivity from the sync server to every forest it synchronizes. This can be useful in some merger and acquisition scenarios.
Ultimately, you should deploy Azure AD Connect Cloud Sync if it provides the features and compatibility your organization needs. Otherwise, you will need to use the more fully-featured Azure AD Connect.
Security Considerations for Protecting Access to Azure AD Connect and Azure AD Connect Cloud Sync
Organizations should treat any server running Azure AD Connect or the Azure AD Connect Cloud Sync agent as a Tier 0 asset, the same as a domain controller. The reason is not just that it performs directory synchronization: with password hash synchronization the AD DS connector account is granted the Replicating Directory Changes and Replicating Directory Changes All rights on the domain, which is the same permission a DCSync attack abuses to read every account's password hash, and the server also holds a credential for an Azure AD account with the Directory Synchronization Accounts role. Anyone who is an administrator on that server can obtain both. Restrict administrative access to the Azure AD Connect server to domain administrators or another tightly controlled security group.
An Express Settings installation of Azure AD Connect must be run with an Enterprise Admin account in AD and requires a Global Administrator account in the tenant (a custom installation can instead use a pre-created AD account that has been granted the required permissions).
The Azure AD Connect Cloud Sync agent must be installed with an account that is a local administrator on the server (or a Domain Admin if it is installed on a domain controller), and registering the agent requires a tenant account with the Hybrid Identity Administrator or Global Administrator role. By default the agent runs as a group managed service account (provAgentgMSA) that the installer creates in AD.
For Azure AD Connect, the account used to run the installer is automatically added to the local ADSyncAdmins security group, which controls who can open the Synchronization Service Manager and run the ADSync PowerShell cmdlets. The best practice is to add Domain Admins (or another tightly controlled group) to this group so that more than one account can manage directory synchronization, then remove the individual user account that was used to install Azure AD Connect.
The accounts used for installation and configuration need their elevated rights only during installation or later configuration changes; they are not used at run time. Azure AD Connect creates its own service accounts for synchronization: an AD DS connector account (named MSOL_<hex> by default with Express Settings) and an Azure AD account with the Directory Synchronization Accounts role (named Sync_<server>_<hex>). Directory synchronization is therefore not impacted if the installing account is disabled or deleted, but those service accounts are the ones to watch: audit who has replication rights in the domain and make sure the connector account is not also a member of privileged groups it does not need.
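The checks described above, as an added example that is not part of the original article or of Azure AD Connect itself: it lists the local ADSyncAdmins members, enumerates every principal holding a replication extended right on the domain naming context (the DCSync-capable set, which should be only domain controllers, the built-in admin groups and the connector account), and locates the AD DS connector account. It assumes it runs on the Azure AD Connect server with the ActiveDirectory RSAT module installed, and that the connector account uses the default MSOL_<hex> naming from Express Settings; the $ConnectorFilter parameter is an assumption you adjust for a custom install.

```powershell
<#
  Added example, not code from the original article or from Azure AD Connect.
  Assumptions: runs on the Azure AD Connect server, ActiveDirectory RSAT module present,
  connector account named MSOL_* (Express Settings default; override $ConnectorFilter otherwise).
#>
#Requires -Modules ActiveDirectory, Microsoft.PowerShell.LocalAccounts
param(
    [string]$ConnectorFilter = 'MSOL_*'   # assumption: default Express Settings naming
)

# Extended-right GUIDs (AD schema constants) for the replication rights behind DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ADSyncAdminsMembers {
    # Who can reconfigure synchronization on this server.
    Get-LocalGroupMember -Group 'ADSyncAdmins' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-ReplicationRightHolders {
    # Every principal granted a replication extended right on the domain NC.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path ('AD:\' + $domainDN)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ReplicationRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Right    = $ReplicationRights[$_.ObjectType.ToString()]
            }
        } | Sort-Object Identity, Right -Unique
}

function Get-ConnectorAccounts {
    # The AD DS connector account(s) used at run time, with any admin-group membership flagged.
    Get-ADUser -Filter "Name -like '$ConnectorFilter'" -Properties PasswordLastSet, MemberOf |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ n = 'PrivilegedGroups'
               e = { ($_.MemberOf | Where-Object { $_ -match 'CN=(Domain|Enterprise) Admins' }) -join ';' } }
}

Write-Host '== Local ADSyncAdmins members =='
Get-ADSyncAdminsMembers | Format-Table -AutoSize

Write-Host '== Principals with replication rights on the domain NC (DCSync capable) =='
Get-ReplicationRightHolders | Format-Table -AutoSize

Write-Host '== Azure AD Connect AD DS connector accounts =='
$connectors = Get-ConnectorAccounts
$connectors | Format-Table -AutoSize

# Findings a reviewer would act on: the connector account needs replication rights, not admin groups.
foreach ($c in $connectors) {
    if ($c.PrivilegedGroups) {
        Write-Warning "$($c.SamAccountName) is a member of $($c.PrivilegedGroups); remove it and rely on the replication rights alone."
    }
}
```

Run it as an administrator on the sync server. Any identity in the replication-rights list that is not a domain controller, a built-in admin group, or the connector account is a finding; so is any human account left in ADSyncAdmins after installation.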
Both synchronization solutions negotiate the highest TLS version the Windows Server build makes available, but the .NET Framework 4.x client libraries they rely on do not enable TLS 1.2 by default on older Windows Server releases. To ensure that Azure AD Connect and the Azure AD Connect Cloud Sync agent use TLS 1.2, set the following registry values, then restart the server:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
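An idempotent way to apply and verify those settings, as an added example that is not part of the original article or of Microsoft's installers. It goes slightly beyond the registry snippet above: it also sets the WOW6432Node .NET path (used by 32-bit .NET processes) and SystemDefaultTlsVersions, which Microsoft's TLS 1.2 enforcement guidance for Azure AD Connect sets as well. The function names are this example's own.

```powershell
<#
  Added example, not code from the original article or from Microsoft.
  Applies and verifies the TLS 1.2 registry settings for Schannel and .NET Framework 4.x.
  Run elevated; Schannel changes require a restart.
#>
#Requires -RunAsAdministrator

$Desired = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } }
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } }
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 } }
    @{ Path   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 } }
)

function Test-Tls12Settings {
    # One row per value: current state versus required state. A missing key or value is non-compliant.
    foreach ($entry in $Desired) {
        foreach ($name in $entry.Values.Keys) {
            $current = $null
            if (Test-Path $entry.Path) {
                $current = (Get-ItemProperty -Path $entry.Path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Path      = $entry.Path
                Name      = $name
                Current   = $current
                Required  = $entry.Values[$name]
                Compliant = ($current -eq $entry.Values[$name])
            }
        }
    }
}

function Set-Tls12Settings {
    # Creates missing keys and writes each DWORD; safe to run repeatedly.
    foreach ($entry in $Desired) {
        if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
        foreach ($name in $entry.Values.Keys) {
            New-ItemProperty -Path $entry.Path -Name $name -Value $entry.Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

$nonCompliant = Test-Tls12Settings | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    Write-Host 'Non-compliant TLS 1.2 values found:'
    $nonCompliant | Format-Table Path, Name, Current, Required -AutoSize
    Set-Tls12Settings
    Write-Host 'After applying:'
    Test-Tls12Settings | Format-Table Path, Name, Current, Required, Compliant -AutoSize
    Write-Warning 'Restart the server so Schannel picks up the new protocol settings.'
} else {
    Write-Host 'All TLS 1.2 settings already present.'
}
```

Keep the verification half in your build checks: the Azure AD Connect health service and the Cloud Sync agent both fail to register silently-looking when the tenant endpoint rejects an older protocol, and the registry is the first place to look.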
Summary
Both Azure AD Connect and Azure AD Connect Cloud Sync provide ways for organizations to synchronize AD with Azure AD. Both solutions are easy to deploy and provide the features that organizations need to provide a unified sign-in experience to Microsoft 365.
Understand your organization’s requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.
From a security perspective, treat your organization’s Azure AD Connect server or agent the same as a domain controller and other Tier 0 resources.
Does this mean, with AD Connect Cloud Sync I could sync my on-prem AD and can manage all Exchange related attributes online? –> Kind of a hybrid deployment but having Exchange exclusively online?
Waiting for this answer since a year. I tried the Exchange Hybrid Writeback configuration with Cloud Sync six months ago, all configured following this article, but still can’t edit email aliases or other sync settings from any console in 365. https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/exchange-hybrid. Nobody on the web seems to talk about it, but it will really make the life of many IT admins easier. Even if all lights are green, I receive an error saying ” Unable to update the specified properties for on-premises mastered Directory Sync objects…” when I try to edit mailbox properties (like email addresses) from any console in 365. Anybody has any clue?
This article talks a lot about Exchange but I think that issue has now been resolved?
The official docs page say both tools can Synchronize Exchange online attributes
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync#:~:text=Synchronize%20Exchange%20online%20attributes
Can you run AADC on premise to sync one forest and AADC Cloud to sync a totally different forest but nothing syncing to the same Tenant?
Can you run AADC on premise to sync one forest and AADC Cloud to sync a totally different forest but both syncing to the same Tenant?
Yes, that is a supported scenario: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-existing-forest
Can you run both AAD Connect AND Cloud Sync to the same on-prem AD and Azure AD? We currently have AAD Connect running but would like to install an Azure Enterprise Application (SuccessFactors) that requires Cloud Sync to be installed.
Hi Chris,
It’s unsupported to use more than one sync server in the same tenant. See https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#single-forest-multiple-sync-servers-to-one-azure-ad-tenant
Although this article is about AAD Connect, it extends to AAD Connect and AAD Cloud Sync, as well.
Thanks for the reply, Jeff.
Information about this appears to be changing as I found this link https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync.
In the embedded video (at about 9:40) the speaker mentions that you can use both on the same on-prem AD. BUT they must be scoped differently. Good to know info but it doesn’t help me with my particular situation.
Thanks, Chris. As with all things in the Microsoft cloud, the technologies and feature sets are always evolving. I recommend subscribing to Office 365 for IT Pros to keep up with all the changes. https://gum.co/O365IT/
Syncing from multiple AD instances to the same tenant is supported with Cloud Sync: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-existing-forest
I may be misunderstanding setup, but if it is supposed to be cloud first why can’t you create cloud users that replicate on prem? Also how does Cloud Sync handle self service passwords of users?
AD cloud sync does not support any form of synchronization with on prem AD. Self service password reset is not supported.
I meant, AAD cloud sync does not support any form of *backward* sync with on prem.
I don’t think this is true anymore:
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync
It shows that AD Cloud Sync supports password writeback.
Azure AD cloud sync is constantly under development. You should always expect things to change in Microsoft 365.
AD cloud sync is not compatible with Exchange hybrid. You can still manage Exchange Online attributes for cloud-only accounts.
Disbanding on-premise exchange server has been the request for 2 or 3 years although Microsoft does not provide a proper answer for clients willing to shift from a hybrid to pure cloud exchange model. And they did not “suggest” clients doing so.
But the workaround of using tools to update attributes (such as ADSIEdit) has been very well known.
If you are in a hybrid configuration Azure AD will block editing attributes in the cloud that are sourced from AD on-premises.
If you are a hybrid customer, AD on-premises is your source of authority for directory services. You make most changes on-premises and it syncs to the cloud using AAD Connect. You CANNOT use AAD Connect Cloud Sync, since it doesn’t support Exchange hybrid.
Hybrid customers must maintain at least one Exchange server on-premises to manage attributes for remote mailboxes, like the ones you listed. I call this a hybrid management server. Even though it’s running Exchange Server, its only purpose is to update mail attributes on-premises so they can sync to the cloud. This hybrid management server can also function as your internal relay server.
Why do you need an exchange server, why can’t you just use modify attributes in AD?
Microsoft does not support updating Exchange attributes using any other method, like ADSIEdit. See https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#can-third-party-management-tools-be-used
Hi,
Actually they support other methods. Was able to get a confirmation from MS support that attribute changes via ADUC are supported by them 🙂
I think since you need to edit mail attributes from onpremise, you need an Exchange Server.
Interesting article.
My understanding of AAD Connect is that you can only use this and be supported by Microsoft if you have an Exchange server on premise. You mention that the AD Connect Cloud is suitable when you don’t have hybrid requirements, which seems to contradict Microsoft’s message about identity sync requiring an Exchange server.
Does AD Connect Cloud mean that if I have no Exchange on prem but Exchange Online mailboxes, I can use identity sync from AD and be supported by MS (which wouldn’t be the case with AD Connect)?
You can use AAD Connect without Exchange on-prem, e.g. for Azure SSO.
AAD Connect can be used whether or not you have Exchange Server on premises. AAD Connect Cloud Sync can also be used, but not if you plan to implement an Exchange hybrid configuration.
How would you manage mail-related attributes in Exchange Online: mail aliases (proxy addresses), “Hidden from address list”, “Enable Archive”, etc. without Exchange Server On-Prem and with “AAD Connect Cloud Sync”?
Isn’t M365 Identity in “Synced” status and where you can manage mail-related attributes from on-prem only?
Jeff, I’d like to understand why that is.
I thought I was clear in the article, but AAD Connect Cloud Sync doesn’t synchronize Exchange-related attributes required for hybrid.
If you use AAD Connect Cloud Sync, can you then manage Exchange related attributes in cloud?
That is a good question. Is there an answer to this?