Microsoft recently announced that Azure AD Connect Cloud Sync had reached GA (general availability), adding another option for directory synchronization with Microsoft 365. This article provides a background on directory synchronization and why it is fundamental for your journey to the cloud. Then we will discuss the solutions and give you the information you need to pick the right solution. Let’s begin with some basics.
What is Azure AD Sync, and Why Do I Need It?
Most organizations run Active Directory on-premises. This directory is usually the source of authority for all users, groups, and computers in a Windows domain. The domain provides a way to centrally manage accounts, passwords, policies, and permissions on-premises.
When an on-premises organization decides to use Microsoft 365, it needs a way to bring those on-premises accounts into Azure AD to use the new cloud services like Exchange Online, Teams, SharePoint Online, etc. Most organizations want to use their existing on-premises accounts rather than create new accounts and manage different passwords. That is where Azure AD Connect comes in. Both Azure AD Connect and Azure AD Connect Cloud Sync synchronize and link objects from AD to Azure AD and synchronize password hashes (not passwords) to maintain a single sign-on experience.
Azure AD Connect
Azure AD Connect has a long and storied past. It is based on Microsoft Identity Manager (MIM), which is used to bridge multiple on-premises authoritative systems and authentication stores. MIM is the sixth generation of Microsoft identity management solutions since they bought two similar technologies in 1997 and 1999.
While MIM can be expensive and bridges multiple authoritative directories, Azure AD Connect is free and purpose-built to bridge Active Directory with Azure Active Directory. This is known as hybrid identity.
Azure AD Connect is installed on an on-premises domain-joined server and is even supported to be installed on a domain controller. It only requires an outbound HTTPS connection to Microsoft 365 servers.
Since its humble beginnings of syncing a single AD to a single Azure AD tenant, Azure AD Connect’s capabilities have expanded significantly. Currently, this includes:
- Synchronization between:
  - Single forest, single Azure AD tenant.
  - Multiple forests, single Azure AD tenant.
  - Single or multiple forests, multiple Azure AD tenants (requires that each object is only represented once in all tenants).
  - LDAPv3-compatible identity stores.
- Password Hash Synchronization (PHS) – use Azure AD as your organization’s identity provider by synchronizing password hashes to Azure AD.
- Pass-Through Authentication (PTA) – use your organization’s Domain Controllers as your identity provider without having to deploy a full-blown AD FS configuration.
- Federation integration with Active Directory Federation Services (AD FS).
- Health monitoring of both Active Directory and the synchronization process.
- Accommodating up to 10GB of database space (up to 100,000 objects) using LocalDB. If your organization exceeds this limit, use a full SQL Server.
- Organizational Unit, group, or attribute filtering.
- Exchange hybrid writeback capabilities for organizations with Exchange Server.
- Exchange Public Folder address synchronization for directory-based edge blocking.
- Password writeback capabilities to support self-service password reset (SSPR).
- Office 365 Group writeback to prevent email address overlaps.
- Directory extension attribute synchronization to extend the schema in Azure AD to include specific attributes consumed by LOB apps and Microsoft Graph Explorer.
- Robust synchronization rule editing capabilities.
- Seamless single sign-on (SSSO) capabilities that allow domain-joined users and computers to access Microsoft 365 workloads without being prompted to sign-in every time.
- Hybrid Azure AD Join capabilities.
- Device writeback capabilities that allow organizations to use on-premises conditional access and Windows Hello.
- Synchronizing directory changes every 30 minutes and password changes almost immediately when using password hash sync.
Azure AD Connect Cloud Sync
Microsoft recognizes that it is unfortunate that an organization’s journey to the cloud first requires installing more software on-premises. Azure AD Connect Cloud Sync is a cloud service alternative to the Azure AD Connect software. The organization deploys one or more lightweight agents in its on-premises environment to bridge AD and Azure AD. The configuration is done in the cloud.
The service provides some of the features and capabilities that Azure AD Connect provides, making it useful for some merger and acquisition scenarios. It is important to note that Azure AD Connect Cloud Sync does not support Exchange hybrid, which reduces the number of useful scenarios.
Azure AD Connect Cloud Sync has many of the same features and capabilities as Azure AD Connect with the following differences:
- Lightweight agent installation model.
- Adds high availability using multiple agents.
- Allows connectivity to multiple disconnected on-premises AD forests.
- Synchronizes directory changes more frequently than Azure AD Connect.
- Can be used in addition to Azure AD Connect.
- Does not support Exchange hybrid writeback.
- Does not support LDAPv3-compatible identity stores.
- Does not support device objects.
- No hybrid Azure AD join.
- No support for Windows Hello.
- Does not support directory attribute synchronization.
- Does not support Pass-Through Authentication (PTA).
- Does not support synchronization rule editing capabilities.
- Does not support writeback for passwords, devices, or groups.
- Does not support cross-domain references.
As you can see, there are several gaps in functionality that limit the use of Azure AD Connect Cloud Sync. It is expected that Microsoft may close these gaps with future updates. The fact that this is a cloud-based service means that they can iterate rather quickly. I would not expect Exchange hybrid support anytime soon, though.
Appropriate Use Cases for Each
Choosing which directory synchronization solution to use requires a full understanding of what your organization’s needs are.
Azure AD Connect has the most features and compatibility. Almost all customers I encounter use Exchange Server or Exchange Online. The lack of Exchange hybrid support with Azure AD Connect Cloud Sync limits the use of that solution.
If you don’t need Exchange hybrid support or any of the other unsupported features, Azure AD Connect Cloud Sync can be a quick and easy way to configure AD directory synchronization with Azure AD. Examples include mergers and acquisitions where the organization being acquired has limited IT experience. By installing a simple, lightweight agent on a domain server, the acquiring organization can configure and manage directory synchronization from their tenant.
The marketing slides and videos introducing Azure AD Connect Cloud Sync often talk about the “heavy infrastructure investment” required for Azure AD Connect. A LocalDB database is installed with Azure AD Connect and has a 10GB limit (about 100,000 objects). Unless your organization’s Active Directory exceeds this, there is no requirement for additional infrastructure at all. Azure AD Connect can be installed on any existing domain-joined server running Windows Server 2012 or later or directly on a domain controller. It only requires an outbound HTTPS connection to the Internet.
Organizations with over 100,000 objects would likely save money with Azure AD Connect Cloud Sync since it does not require a full SQL server deployment. Still, organizations this size are usually running Exchange.
A scenario where Azure AD Connect Cloud Sync might be useful is one where an organization has AD on-premises but uses Google Workspace for email. This organization can sync their directory to Azure AD and then begin migrating Google mail to Exchange Online.
Azure AD Connect Cloud Sync is also the appropriate choice when connecting multiple disconnected on-premises AD forests, because Azure AD Connect requires line-of-sight connectivity between the forests it synchronizes. This can be useful in some merger and acquisition scenarios.
Ultimately, you should deploy Azure AD Connect Cloud Sync if it provides the features and compatibility your organization needs. Otherwise, you will need to use the more fully-featured Azure AD Connect.
Security Considerations for Protecting Access to Azure AD Connect and Azure AD Connect Cloud Sync
Organizations should treat any server running Azure AD Connect or the Azure AD Connect Cloud Sync agent as a tier-0 asset – the same as a domain controller – since it is responsible for directory synchronization with Azure AD. Organizations should restrict administrative access to the Azure AD Connect server to only domain administrators or other tightly controlled security groups.
Azure AD Connect installation and configuration must be run with an Enterprise Admin account in AD and requires a Global Administrator account in the tenant.
Azure AD Connect Cloud Sync must be installed with an AD account with local admin permission on the server or Domain Admin permissions on a domain controller and requires a tenant account with Hybrid Identity Administrator or Global Administrator roles in the tenant.
For Azure AD Connect, the user account used to install it is automatically added to the local ADSyncAdmins security group. The best practice is to add Domain Admins to this group so more than one account can manage directory synchronization. Remove the individual user account that was used to install Azure AD Connect from this group.
The account used for configuration requires specific rights and is only used for installation or configuration. Directory synchronization will not be impacted if the account is disabled or deleted.
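The following PowerShell audit is an added example, not part of the original article: it checks the local ADSyncAdmins group on the Azure AD Connect server against the practice described above (Domain Admins present, no leftover individual accounts). It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and CONTOSO is a placeholder for your NetBIOS domain name.

```powershell
# Added example (not the article's code): audit the local ADSyncAdmins group.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) and that 'CONTOSO' is a
# placeholder for your own NetBIOS domain name.
$DomainAdmins = 'CONTOSO\Domain Admins'   # placeholder domain name

function Get-ADSyncAdminsFindings {
    # Returns an array of findings; an empty array means the group matches the
    # recommended configuration.
    $members  = @(Get-LocalGroupMember -Group 'ADSyncAdmins')
    $findings = @()

    # The group should contain Domain Admins so more than one account can manage sync.
    if (-not ($members.Name -contains $DomainAdmins)) {
        $findings += "Missing: $DomainAdmins is not a member of ADSyncAdmins."
    }

    # Individual accounts (such as the account used to install Azure AD Connect)
    # should be removed; only controlled groups should remain.
    foreach ($m in ($members | Where-Object { $_.ObjectClass -eq 'User' })) {
        $findings += "Review: individual account $($m.Name) ($($m.PrincipalSource)) is a member of ADSyncAdmins."
    }

    return $findings
}

$findings = Get-ADSyncAdminsFindings
if ($findings.Count -eq 0) {
    'ADSyncAdmins matches the recommended configuration.'
} else {
    $findings
}
```

Run it elevated on the Azure AD Connect server; any "Review" line names an account that should be moved out of the group in favour of a controlled security group.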
Both synchronization solutions use the highest TLS available in Windows Server. To ensure that Azure AD Connect and Azure AD Connect Cloud Sync use TLS 1.2 set the following registry keys, then restart the server:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
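The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits the exact registry values listed above on the sync server and can write them if any are missing. It assumes it runs in an elevated session on the Azure AD Connect or Cloud Sync agent server; the function names are my own.

```powershell
# Added example (not the article's code): check, and optionally set, the TLS 1.2
# registry values the article lists. Assumes an elevated PowerShell session on
# the Azure AD Connect / Cloud Sync agent server.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Expected = @(
    @{ Path = "$Schannel\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$Schannel\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$Schannel\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$Schannel\Server"; Name = 'Enabled';           Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
)

function Test-Tls12Settings {
    # Emits one object per expected value: its current state and whether it matches.
    foreach ($e in $Expected) {
        $current = $null
        if (Test-Path -Path $e.Path) {
            $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Path      = $e.Path
            Name      = $e.Name
            Expected  = $e.Value
            Current   = $current                 # $null means the value is absent
            Compliant = ($current -eq $e.Value)  # $null never equals 0 or 1, so absent = non-compliant
        }
    }
}

function Set-Tls12Settings {
    # Creates any missing keys and writes the expected DWORD values.
    foreach ($e in $Expected) {
        if (-not (Test-Path -Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
    }
}

$results = Test-Tls12Settings
$results | Format-Table -Property Name, Expected, Current, Compliant, Path -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more TLS 1.2 settings are missing or wrong. Run Set-Tls12Settings, then restart the server.'
}
```

A restart is still required after Set-Tls12Settings, as the article notes, because SCHANNEL reads these values at startup.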
Both Azure AD Connect and Azure AD Connect Cloud Sync provide ways for organizations to synchronize AD with Azure AD. Both solutions are easy to deploy and provide the features that organizations need to provide a unified sign-in experience to Microsoft 365.
Understand your organization’s requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.
From a security perspective, treat your organization’s Azure AD Connect server or agent the same as a domain controller and other Tier 0 resources.