Microsoft recently announced that Azure AD Connect Cloud Sync had reached GA (general availability), adding another option for directory synchronization with Microsoft 365. This article provides a background on directory synchronization and why it is fundamental for your journey to the cloud. Then we will discuss the solutions and give you the information you need to pick the right solution. Let’s begin with some basics.


What is Azure AD Sync, and Why Do I Need It?

Most organizations run Active Directory on-premises. This directory is usually the source of authority for all users, groups, and computers in a Windows domain. The domain provides a way to centrally manage accounts, passwords, policies, and permissions on-premises.

When an on-premises organization decides to use Microsoft 365, it needs a way to bring those on-premises accounts into Azure AD to use the new cloud services like Exchange Online, Teams, SharePoint Online, etc. Most organizations want to use their existing on-premises accounts rather than create new accounts and manage different passwords. That is where Azure AD Connect comes in. Both Azure AD Connect and Azure AD Connect Cloud Sync synchronize and link objects from AD to Azure AD and synchronize password hashes (not passwords) to maintain a single sign-on experience.

Azure AD Connect

Azure AD Connect has a long and storied past. It is based on Microsoft Identity Manager (MIM), which is used to bridge multiple on-premises authoritative systems and authentication stores. MIM is the sixth generation of Microsoft identity management solutions since Microsoft bought two similar technologies in 1997 and 1999.

While MIM can be expensive and bridges multiple authoritative directories, Azure AD Connect is free and purpose-built to bridge Active Directory with Azure Active Directory. This is known as hybrid identity.

Azure AD Connect is installed on an on-premises domain-joined server and is even supported to be installed on a domain controller. It only requires an outbound HTTPS connection to Microsoft 365 servers.

Capabilities

Since its humble beginnings of syncing a single AD to a single Azure AD tenant, Azure AD Connect’s capabilities have expanded significantly. Currently, this includes:

  • Synchronization between
    • Single forest, single Azure AD tenant.
    • Multiple forests, single Azure AD tenant.
    • Single or multiple forests, multiple Azure AD tenants (requires that each object is only represented once in all tenants).
    • LDAPv3-compatible identity stores.
  • Password Hash Synchronization (PHS) – use Azure AD as your organization’s identity provider by synchronizing password hashes to Azure AD.
  • Pass-Through Authentication (PTA) – use your organization’s Domain Controllers as your identity provider without having to deploy a full-blown AD FS configuration.
  • Federation integration with Active Directory Federation Services (AD FS).
  • Health monitoring of both Active Directory and the synchronization process.
  • Accommodating up to 10GB of database space (up to 100,000 objects) using LocalDB. If your organization exceeds this limit, use a full SQL Server.
  • Organizational Unit, group, or attribute filtering.
  • Exchange hybrid writeback capabilities for organizations with Exchange Server.
  • Exchange Public Folder address synchronization for directory-based edge blocking.
  • Password writeback capabilities to support self-service password reset (SSPR).
  • Office 365 Group writeback to prevent email address overlaps.
  • Directory extension attribute synchronization to extend the schema in Azure AD to include specific attributes consumed by LOB apps and Microsoft Graph Explorer.
  • Robust synchronization rule editing capabilities.
  • Seamless single sign-on (SSSO) capabilities that allow domain-joined users and computers to access Microsoft 365 workloads without being prompted to sign in every time.
  • Hybrid Azure AD Join capabilities.
  • Device writeback capabilities that allow organizations to use on-premises conditional access and Windows Hello.
  • Synchronizing directory changes every 30 minutes and password changes almost immediately when using password hash sync.


Azure AD Connect Cloud Sync

Microsoft realizes that it is unfortunate that your organization’s journey to the cloud first requires installing more software on-premises. Azure AD Connect Cloud Sync is a cloud service alternative to Azure AD Connect software. The organization deploys one or more lightweight agents in its on-premises environment to bridge AD and Azure AD. The configuration is done in the cloud.

The service provides some of the features and capabilities that Azure AD Connect provides, making it useful for some merger and acquisition scenarios. It is important to note that Azure AD Connect Cloud Sync does not support Exchange hybrid, which reduces the number of useful scenarios.

Capabilities

Azure AD Connect Cloud Sync has many of the same features and capabilities as Azure AD Connect with the following differences:

  • Lightweight agent installation model.
  • Adds high availability using multiple agents.
  • Allows connectivity to multiple disconnected on-premises AD forests.
  • Synchronizes directory changes more frequently than Azure AD Connect.
  • Can be used in addition to Azure AD Connect.
  • Does not support Exchange hybrid writeback.
  • Does not support LDAPv3-compatible identity stores.
  • Does not support device objects.
    • No hybrid Azure AD join.
    • No support for Windows Hello.
  • Does not support directory attribute synchronization.
  • Does not support Pass-Through Authentication (PTA).
  • Does not support synchronization rule editing capabilities.
  • Does not support writeback for passwords, devices, or groups.
  • Does not support cross-domain references.

As you can see, there are several gaps in functionality that limit the use of Azure AD Connect Cloud Sync. It is expected that Microsoft may close these gaps with future updates. The fact that this is a cloud-based service means that they can iterate rather quickly. I would not expect Exchange hybrid support anytime soon, though.

Appropriate Use Cases for Each

Choosing which directory synchronization solution to use requires a full understanding of what your organization’s needs are.

Azure AD Connect has the most features and compatibility. Almost all customers I encounter use Exchange Server or Exchange Online. The lack of Exchange hybrid support with Azure AD Connect Cloud Sync limits the use of that solution.

If you don’t need Exchange hybrid support or any of the other unsupported features, Azure AD Connect Cloud Sync can be a quick and easy way to configure AD directory synchronization with Azure AD. Examples include mergers and acquisitions where the organization being acquired has limited IT experience. By installing a simple, lightweight agent on a domain server, the acquiring organization can configure and manage directory synchronization from their tenant.

The marketing slides and videos introducing Azure AD Connect Cloud Sync often talk about the “heavy infrastructure investment” required for Azure AD Connect. A LocalDB database is installed with Azure AD Connect and has a 10GB limit (about 100,000 objects). Unless your organization’s Active Directory exceeds this, there is no requirement for additional infrastructure at all. Azure AD Connect can be installed on any existing domain-joined server running Windows Server 2012 or later or directly on a domain controller. It only requires an outbound HTTPS connection to the Internet.

Organizations with over 100,000 objects would likely save money with Azure AD Connect Cloud Sync since it does not require a full SQL Server deployment. Still, organizations this size are usually running Exchange.

A scenario where Azure AD Connect Cloud Sync might be useful is one where an organization has AD on-premises but uses Google Workspace for email. This organization can sync their directory to Azure AD and then begin migrating Google mail to Exchange Online.

Azure AD Connect Cloud Sync is also the appropriate choice when connecting to multiple disconnected on-premises AD forests, which can be useful in some merger and acquisition scenarios. Azure AD Connect, by contrast, requires line-of-sight connectivity between multiple on-premises AD forests.

Ultimately, you should deploy Azure AD Connect Cloud Sync if it provides the features and compatibility your organization needs. Otherwise, you will need to use the more fully-featured Azure AD Connect.

Security Considerations for Protecting Access to Azure AD Connect and Azure AD Connect Cloud Sync

Organizations should treat any server running Azure AD Connect or the Azure AD Connect Cloud Sync agent as a tier-0 asset – the same as a domain controller – since it is responsible for directory synchronization with Azure AD. Organizations should restrict administrative access to the Azure AD Connect server to only domain administrators or other tightly controlled security groups.

Azure AD Connect installation and configuration must be run with an Enterprise Admin account in AD and requires a Global Administrator account in the tenant.

Azure AD Connect Cloud Sync must be installed with an AD account with local admin permission on the server or Domain Admin permissions on a domain controller and requires a tenant account with Hybrid Identity Administrator or Global Administrator roles in the tenant.

For Azure AD Connect, the user account used to install it is automatically added to the local ADSyncAdmins security group. The best practice is to add Domain Admins to this group so more than one account can manage directory synchronization. Remove the individual user account that was used to install Azure AD Connect from this group.

The account used for configuration requires specific rights and is only used for installation or configuration. Directory synchronization will not be impacted if the account is disabled or deleted.

Both synchronization solutions use the highest TLS version available in Windows Server. To ensure that Azure AD Connect and Azure AD Connect Cloud Sync use TLS 1.2, set the following registry keys, then restart the server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
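To confirm the values on a sync server or agent host, a read-only check can compare the registry against the keys listed above. The PowerShell below is an added example, not part of the original article or any Microsoft tooling; the function name Test-Tls12Registry is hypothetical, and it checks only the values this article lists.

```powershell
# Added example: read-only audit of the TLS 1.2 registry values listed in this article.
# Test-Tls12Registry is a hypothetical helper name; nothing is written to the registry.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

# Expected state, taken from the article's registry listing.
$expected = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';  Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';            Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';  Value = 0 }
    @{ Path = "$schannel\Server"; Name = 'Enabled';            Value = 1 }
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto'; Value = 1 }
)

function Test-Tls12Registry {
    param([Parameter(Mandatory)][hashtable[]]$Settings)

    foreach ($s in $Settings) {
        # A missing key or value yields $null, which is reported as non-compliant.
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($s.Name) }

        $shown = '<not set>'
        if ($null -ne $actual) { $shown = $actual }

        [pscustomobject]@{
            Key       = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $shown
            Compliant = ($actual -eq $s.Value)
        }
    }
}

$results = @(Test-Tls12Registry -Settings $expected)
$results | Format-Table -AutoSize -Wrap

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) TLS 1.2 setting(s) missing or different from the listed values."
} else {
    Write-Output 'All listed TLS 1.2 registry values are present and match.'
}
```

Run it from an elevated PowerShell session on the server; values changed since the last boot still require the restart the article mentions before they take effect.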

Summary

Both Azure AD Connect and Azure AD Connect Cloud Sync provide ways for organizations to synchronize AD with Azure AD. Both solutions are easy to deploy and provide the features that organizations need to provide a unified sign-in experience to Microsoft 365.

Understand your organization’s requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.

From a security perspective, treat your organization’s Azure AD Connect server or agent the same as a domain controller and other Tier 0 resources.


About the Author

Jeff Guillet

Jeff Guillet is an Exchange MCM and has been an Office Servers and Services MVP for a number of years, with decades of experience in Windows Server and Exchange deployment and management. He is the author of several books and a regular speaker at high-profile conferences such as TechEd, IT Dev Connections and Microsoft Ignite. He is also the author of the EXPTA blog.

Comments

  1. Alberto

    Does this mean, with AD Connect Cloud Sync I could sync my on-prem AD and can manage all Exchange related attributes online? –> Kind of a hybrid deployment but having Exchange exclusively online?

  2. Jn

    Can you run AADC on premise to sync one forest and AADC Cloud to sync a totally different forest but nothing syncing to the same Tenant?

    1. Jn

      Can you run AADC on premise to sync one forest and AADC Cloud to sync a totally different forest but both syncing to the same Tenant?

  3. Chris

    Can you run both AAD Connect AND Cloud Sync to the same on-prem AD and Azure AD? We currently have AAD Connect running but would like to install an Azure Enterprise Application (SuccessFactors) that requires Cloud Sync to be installed.

        1. Jeff Guillet

          Thanks, Chris. As with all things in the Microsoft cloud, the technologies and feature sets are always evolving. I recommend subscribing to Office 365 for IT Pros to keep up with all the changes. https://gum.co/O365IT/

  4. Jason

    I may be misunderstanding setup, but if it is supposed to be cloud first why can’t you create cloud users that replicate on prem? Also how does Cloud Sync handle self service passwords of users?

    1. Jeff Guillet

      AD cloud sync does not support any form of synchronization with on prem AD. Self service password reset is not supported.

      1. Jeff Guillet

        I meant, AAD cloud sync does not support any form of *backward* sync with on prem.

        1. Jeff Guillet

          Azure AD cloud sync is constantly under development. You should always expect things to change in Microsoft 365.

  5. Jeff Guillet

    AD cloud sync is not compatible with Exchange hybrid. You can still manage Exchange Online attributes for cloud-only accounts.

  6. Joseph

    Disbanding on-premise exchange server has been the request for 2 or 3 years although Microsoft does not provide a proper answer for clients willing to shift from a hybrid to pure cloud exchange model. And they did not “suggest” clients doing so.

    But the workaround of using tools to update attributes (such as ADSIEdit) has been very well known.

  7. Jeff Guillet

    If you are in a hybrid configuration Azure AD will block editing attributes in the cloud that are sourced from AD on-premises.

  8. Jeff Guillet

    If you are a hybrid customer, AD on-premises is your source of authority for directory services. You make most changes on-premises and it syncs to the cloud using AAD Connect. You CANNOT use AAD Connect Cloud Sync, since it doesn’t support Exchange hybrid.

    Hybrid customers must maintain at least one Exchange server on-premises to manage attributes for remote mailboxes, like the ones you listed. I call this a hybrid management server. Even though it’s running Exchange Server, its only purpose is to update mail attributes on-premises so they can sync to the cloud. This hybrid management server can also function as your internal relay server.

    1. Steve

      Why do you need an exchange server, why can’t you just use modify attributes in AD?

  9. Stef

    I think since you need to edit mail attributes from onpremise, you need an Exchange Server.

  10. Tristan

    Interesting article.

    My understanding of AAD Connect is that you can only use this and be supported by Microsoft if you have an Exchange server on premise. You mention that the AD Connect Cloud is suitable when you don’t have hybrid requirements, that seems to contradict Microsoft’s message about identity sync requiring an Exchange server.

    Does AD Connect Cloud mean that if I have no Exchange on prem but Exchange Online mailboxes, that I can use identity sync from AD and be supported by MS (which wouldn’t be the case with AD Connect)?

    1. Ustaad ji

      You can use AAD Connect without Exchange OnPrem for ie Azure SSO

    2. Jeff Guillet

      AAD Connect can be used whether or not you have Exchange Server on premises. AAD Connect Cloud Sync can also be used, but not if you plan to implement an Exchange hybrid configuration.

      1. Stanislav Galchonkov

        How would you manage mail-related attributes in Exchange Online: mail aliases (proxy addresses), “Hidden from address list”, “Enable Archive”, etc. without Exchange Server On-Prem and with “AAD Connect Cloud Sync”?
        Isn’t M365 Identity in “Synced” status and where you can manage mail-related attributes from on-prem only?

      2. Nadim

        Jeff, I’d like to understand why that is.

        1. Jeff Guillet

          I thought I was clear in the article, but AAD Connect Cloud Sync doesn’t synchronize Exchange-related attributes required for hybrid.

          1. Steve

            If you use AAD Connect Cloud Sync, can you then manage Exchange related attributes in cloud?

          2. Søren

            That is a good question. Is there an answer to this?
