Azure AD Connect

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures prerequisites and components required for the connection, including synchronization scheduling and authentication methods.[1] Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools are no longer being released individually, and all future improvements will be included in updates to Azure AD Connect.[2][3]

Azure AD Connect synchronizes on-premises objects present in Active Directory to a corresponding Azure AD service within a Microsoft 365 tenant.[4] Supported on-premise objects include user accounts, group memberships, and credential hashes.[5] Synchronization can be configured to operate in two directional flow configurations. In a one-way configuration changes to an object on-premise updates the corresponding object in Azure AD. Two-way or bidirectional synchronization configurations allow for object changes to be made either on-premise or within Azure AD/Microsoft 365 and update the corresponding object on the opposite end.[6]

Azure AD Connect GA was released to the public on 24 June 2015[7] and is currently on Version 2.1.16.0.[8] On 31 August 2022 all 1.x versions of Azure AD Connect were retired. On 15 March 2023 Versions 2.0.3.0 through 2.0.91.0 will be retired.

The current release offers the following high level options:[9]

Dirsync Upgrade[edit]

Organizations with an existing Dirsync deployment can upgrade in place (for directories with less than 50,000 objects) or otherwise migrate their Dirsync settings to Azure AD Connect.

Express Settings[edit]

Express Settings is the default option and deploys sync with the password hash sync option for a single-domain, single-forest on-premise Active Directory domain. This allows for authentication and authorization to resources in Azure/Microsoft 365 based on Active Directory passwords.

Custom Settings[edit]

With custom settings, the administrator can connect one or multiple Active Directory domains and forests and choose between password hash sync, pass-through authentication, and Active Directory Federation Services (AD FS) for authentication. Custom settings also allows the administrator to choose sync options such as password reset write back and Exchange hybrid deployments.

Key Features[edit]

Feature Description
Password Writeback In bidirectional synchronization configurations passwords changed in the Azure/Microsoft 365 cloud will apply to corresponding on-premise users when the next synchronization takes place[10]
Bidirectional Synchronization Bidirectional synchronization configurations allow for certain object changes in the cloud to apply to the corresponding on-premise object. With one-way synchronizations object changes in Azure AD/Microsoft 365 such as Full Name and proxyAddresses can not take place and instead require the changes to be made on-premise first.
Simplifying Identity Management Without Azure AD Connect the user accounts and groups located on-premise will be separate objects from ones in the Azure AD/Microsoft 365 cloud even if the cloud objects were configured similarly. By synchronizing objects between on-premise and the cloud, Azure AD Connect allows administrators to maintain less separate user identities. When used in combination with SSO, such as with Azure Enterprise Applications, user identities can be centralized further.[11]

What it does[edit]

When an administrator installs and runs the Azure AD connect wizard, it performs the following steps:

  1. Installs pre-requisites like the .NET Framework, Azure Active Directory Powershell Module and Microsoft Online Services Sign-In Assistant
  2. Installs and configures the sync component (formerly named AAD Sync), for one or multiple Active Directory forests, and enables synchronization in the Azure AD tenant
  3. Configures either password hash sync or AD FS with Web Application proxy, depending on which authentication option the administrator has chosen, and including any required configuration in Azure

Use with PowerShell[edit]

The Azure AD PowerShell module allows administrators granular control over synchronization behaviors.[12] To begin working with the Azure AD PowerShell module it must be imported:

Import-Module AzureAD

To manually run a synchronization with current configurations:

#Specify Delta to only synchronize objects that have been updated since the most recent synchronization
Start-AADSyncSyncCycle -PolicyType Delta

#Specify Initial to synchronize all objects
Start-AADSyncSyncCycle -PolicyType Initial

To retrieve current synchronization schedule settings:

#Display synchronization schedule configuration settings
Get-ADSyncScheduler
<#
AllowedSyncCycleInterval                : hh:mm:ss
CurrentlyEffectiveSyncCycleInterval     : hh:mm:ss
CustomizedSyncCycleInterval             : hh:mm:ss
NextSyncCyclePolicyType                 : Delta/Initial
NextSyncCycleStartTimeInUTC             : MM/DD/YYY hh:mm:ss AM/PM
PurgeRunHistoryInterval                 : DD:hh:mm:ss
SyncCycleEnabled                        : True/False
MaintenanceEnabled                      : True/False
StagingModeEnabled:                     : True/False
SchedulerSuspended:                     : True/False
#>

To change the current synchronization schedule settings:

Set-ADSyncScheduler -$Setting $Value

References[edit]

  1. ^ Mary Jo Foley article on Azure AD Connect, ZDNet, 15 December 2014
  2. ^ Active Directory Team Blog article on Azure AD Connect Preview, Microsoft, 15 December 2014
  3. ^ Windows IT Pro article on Azure AD Connect Preview, Microsoft, 15 December 2014
  4. ^ "What is Azure Active Directory?". Microsoft Ignite. 14 September 2022. Retrieved 2022-09-28.
  5. ^ "How synchronization works in Azure AD Domain Services". Microsoft Ignite. 23 August 2022. Retrieved 2022-09-28.
  6. ^ "Azure AD Connect sync: Understand and customize synchronization". Microsoft Ignite. 21 September 2022. Retrieved 2022-09-28.
  7. ^ Active Directory Team Blog article on Azure AD Connect GA, Microsoft, 24 June 2015
  8. ^ "Azure AD Connect: Version release history". Microsoft Ignite. 19 September 2022. Retrieved 2022-09-28.
  9. ^ Microsoft Azure Documentation on Azure AD Connect, Microsoft, 6 August 2015
  10. ^ "Enable Azure Active Directory password writeback". Microsoft Ignite. 9 September 2022. Retrieved 2022-09-28.
  11. ^ "What is application management?". Microsoft Ignite. 20 September 2022. Retrieved 2022-09-28.
  12. ^ "AzureAD Module". Microsoft Ignite. Retrieved 2022-09-28.