

How to sync AAD Connect with on-premises deployments

Upgrading to AD Connect comes with the decision to deploy an Express or Custom installation. Before planning the sync, consider what you need from your new deployment.

The latest tool to offer directory synchronization is Azure AD Connect; however, synchronization is not the only feature to be found in AAD Connect.

Throughout the history of Office 365, there have been numerous tools to synchronize on-premises identities to Azure Active Directory, such as DirSync and AAD Sync. These tools are responsible for taking on-premises Active Directory identity information -- such as users and groups -- and synchronizing it into Azure Active Directory so that Office 365 services like Exchange Online can use them.

Another feature of AAD Connect involves Active Directory Federation Services (ADFS). Different sign-in methods to Office 365 are available to organizations, such as ADFS or password hash synchronization. Some organizations prefer the simplicity of the password hash synchronization method, whereas others may choose to deploy an ADFS infrastructure, for example, if security policy prohibits synchronizing password hashes.

The ability to set up an ADFS environment as the user sign-in method for Office 365 is another feature -- which is optional. If deployed, the ADFS infrastructure becomes a key component of implementing Office 365 since, without it, users will be unable to access Office 365 services. Consequently, monitoring the ADFS health is a critical task -- and this is where Azure AD Connect Health comes in.

Considering whether to upgrade

Administrators currently running DirSync or AAD Sync can upgrade to Azure AD Connect.

Upgrading depends largely on the number of objects currently synchronized into Azure Active Directory. If this number is larger than 50,000, Microsoft recommends a parallel deployment where AAD Connect is deployed onto a separate server.

Although the original DirSync or AAD Sync configuration can be upgraded when synchronizing more than 50,000 objects, this may take longer than desirable, resulting in a delay in synchronizing on-premises changes into Azure Active Directory.

To upgrade, administrators should review the Microsoft documentation on this process.

Organizations that only deploy a subset of specific Office 365 workloads, such as Exchange Online, Lync Online, SharePoint Online or Office 365 ProPlus, should consider the Azure AD app and attribute filtering option.

In this scenario, the administrator can configure AD Connect to only synchronize specific attributes based on the selected Office 365 workload. Therefore, it is likely to be of interest in scenarios where restriction of attribute flow is desired.

AAD Connect deployment

Azure AD Connect supports Express and Custom deployments. The Express deployment configuration is designed to address a single on-premises Active Directory forest, requires password hash synchronization and synchronizes all attributes from the objects selected. The Express installation deploys Microsoft SQL Server 2012 Express LocalDB. As with previous directory synchronization tools, Azure AD Connect uses a database to control the synchronized objects.

The Express installation can be instigated in just a few clicks of the Azure AD Connect wizard, since the only custom input required from the administrator is the credentials to connect to AAD and the on-premises AD environments.

The Microsoft SQL Server 2012 Express LocalDB option has a database size limit of 10 GB -- Microsoft states that this database size is appropriate for organizations wishing to manage up to approximately 100,000 objects. Consider this limitation and the associated number of objects it can handle when determining whether the Express installation is suitable.
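The two figures above (50,000 objects for an in-place versus parallel upgrade, and roughly 100,000 objects for the LocalDB ceiling) are only useful if you know how many objects your forest would actually push into the database. The following PowerShell is an added sizing check, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and every domain in the forest is reachable, and it counts whole domains, so a forest that will use OU filtering in the wizard will sync fewer objects than reported here.

```powershell
# Added example: estimate the number of AD objects directory synchronization would
# carry and compare it with the thresholds quoted in the article.
Import-Module ActiveDirectory

$ParallelThreshold = 50000    # above this, a parallel AAD Connect deployment is recommended
$LocalDbGuidance   = 100000   # approximate ceiling Microsoft gives for the 10 GB LocalDB

# One LDAP filter per object type. objectCategory is used deliberately: in AD the
# 'computer' class inherits from 'user', so (objectClass=user) alone would count
# every computer account as a user as well.
$Filters = [ordered]@{
    user     = '(&(objectCategory=person)(objectClass=user))'
    contact  = '(objectClass=contact)'
    group    = '(objectCategory=group)'
    computer = '(objectCategory=computer)'
}

function Get-SyncObjectCount {
    param(
        # Defaults to every domain in the forest, matching what a multi-domain
        # Custom install without OU filtering would enumerate.
        [string[]]$Domain = (Get-ADForest).Domains
    )
    $perClass = [ordered]@{}
    foreach ($name in $Filters.Keys) {
        $total = 0
        foreach ($dom in $Domain) {
            $base = (Get-ADDomain -Server $dom).DistinguishedName
            # @() forces an array so .Count is right when zero or one object comes back;
            # -ResultPageSize keeps the query paged instead of loading everything at once.
            $total += @(Get-ADObject -Server $dom -LDAPFilter $Filters[$name] `
                        -SearchBase $base -ResultPageSize 1000).Count
        }
        $perClass[$name] = $total
    }
    [pscustomobject]@{
        PerClass = $perClass
        Total    = ($perClass.Values | Measure-Object -Sum).Sum
    }
}

$result = Get-SyncObjectCount
$result.PerClass.GetEnumerator() | ForEach-Object { "{0,-10}{1,10:N0}" -f $_.Key, $_.Value }
"{0,-10}{1,10:N0}" -f 'total', $result.Total

switch ($result.Total) {
    { $_ -gt $LocalDbGuidance }   { "Above ~100,000 objects: plan a Custom install on a full SQL Server instance."; break }
    { $_ -gt $ParallelThreshold } { "Above 50,000 objects: upgrade via a parallel deployment on a separate server."; break }
    default                       { "Within both limits: in-place upgrade and the Express (LocalDB) install are candidates." }
}
```

Run it from a machine with RSAT against the forest you intend to connect; if you will scope the sync to particular OUs, pass those OUs' distinguished names as `-SearchBase` in place of the domain root to get the figure that actually matters.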

The Custom deployment option offers more flexibility in the overall configuration of AAD Connect. As a result, this area warrants careful planning before deployment. Although there are more minor configuration options, such as the target installation folder for Azure AD Connect, there are key questions to ask when running the Custom deployment:

  • Are there any requirements to keep all databases within an existing SQL Server infrastructure, or will the AD Connect database likely exceed 10 GB in size? If so, the Custom deployment option allows you to specify an existing SQL Server installation to house the database.
  • Will the sign-in method to access Office 365 resources require something other than password hash synchronization? You must select the Custom deployment option if ADFS or a third-party tool is required.
  • Is the capability to synchronize multiple forests required? If so, use the Custom deployment option. This also requires additional in-depth configuration, such as whether users appear across multiple on-premises directories and how these can be matched across these directories.
  • Will all users and devices be synchronized, or is a subset of these required for a pilot deployment? In this scenario, it is possible to specify a group of users and devices to synchronize.
  • Are any optional features required, such as Exchange hybrid deployment, Azure AD app and attribute filtering, password write-back, or any preview features such as group write-back, device write-back or directory extension attribute sync? Each of these options can be configured with the Custom deployment option.
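When a Custom deployment is scoped to a pilot group, the two things worth confirming after the wizard finishes are how many objects that group actually brings into scope and whether the scheduler is running against the expected connectors. The PowerShell below is an added post-install check, not code from the article or from Microsoft; it assumes the ADSync module that Azure AD Connect installs, the RSAT ActiveDirectory module, and a pilot group whose name is a placeholder here.

```powershell
# Added example: report the size of a pilot sync group and the current sync schedule.
Import-Module ActiveDirectory
Import-Module ADSync

$PilotGroup = 'AADC-Pilot-Sync'   # placeholder: the group chosen in the wizard

function Get-PilotScope {
    param([string]$GroupName)
    # -Recursive expands nested groups, which is how AAD Connect group filtering
    # evaluates membership. The AD web service caps a single query at 5,000 entries
    # by default (MaxGroupOrMemberEntries); a pilot larger than that needs the cap
    # raised on the domain controller or the count will be silently truncated.
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive)
    $byClass = $members | Group-Object objectClass |
        ForEach-Object { [pscustomobject]@{ Class = $_.Name; Count = $_.Count } }
    [pscustomobject]@{ Group = $GroupName; Total = $members.Count; ByClass = $byClass }
}

function Get-SyncStatus {
    # Get-ADSyncScheduler and Get-ADSyncConnector ship with Azure AD Connect.
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        Interval         = $sched.CurrentlyEffectiveSyncCycleInterval
        NextRunUtc       = $sched.NextSyncCycleStartTimeInUTC
        Connectors       = @(Get-ADSyncConnector | Select-Object -ExpandProperty Name)
    }
}

$scope = Get-PilotScope -GroupName $PilotGroup
"Pilot group '$($scope.Group)' contains $($scope.Total) objects:"
$scope.ByClass | Format-Table -AutoSize

Get-SyncStatus | Format-List
```

A pilot total that stops at exactly 5,000 is the sign that the server-side cap, not the group, determined the number. The connector list should show one entry for the Azure AD tenant plus one per on-premises forest you selected; a missing forest connector means that forest's objects will never reach the pilot.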
