Azure Active Directory Connect gives organizations with hybrid environments a single tool for connecting on-premise directories to Azure Active Directory.
Directory Synchronization (DirSync) was released in 2008 and has been used by customers in single-forest deployments. To meet the needs of larger organizations looking to sync multiple AD forests to the cloud, Microsoft released the Azure Active Directory (AAD) Sync tool. Azure AD Connect integrates the feature set of both DirSync and AAD Sync and can be used to:
- Sync single or multiple AD forests to Azure AD
- Sync LDAP directories to Azure AD
- Sync other identity stores to Azure AD
Azure Active Directory Connect installation
There are two ways to install and configure Azure Active Directory Connect: express settings and custom installation. Express settings is the most common way to deploy the sync tools. This mode is for organizations that want to sync a single AD forest into Azure AD; it works in just a few clicks. If you want to sync multiple forests, the custom installation option is a better choice.
The express settings mode installs all the prerequisites on the server, sets the correct access control settings and user rights assignments for password sync, and creates the AD connectors to and from the cloud (Figure 1). Instead of using the global admin account that you specify as the Azure credentials for the sync, express settings creates a new sync user with the right permissions.
In the new tool, piloting now features an option to sync users who are members of a particular group. In previous versions of the tool, filtering was based on organizational units (OUs) and admins had to move users to the correct OU to sync to Azure AD. Therefore, more work was needed to ensure pilot users still had all the correct on-premises group policies set.
In Azure AD Connect, an administrator has to create a new group and add pilot users as members of that group. Only the objects that are direct members of the group will be present in Azure AD (Figure 2).
If you have an existing deployment of DirSync or Azure AD Sync, it is easy to upgrade to Azure AD Connect. The installation will detect any existing tools and you can choose to upgrade or migrate the configuration to a new Azure AD Connect server. It's best to upgrade to the new tool if you have fewer than 50,000 objects while using DirSync. For larger organizations with more than 50,000 objects, it is best to stand up a new Azure AD Connect server and import the configuration from DirSync (Figure 3).
Control access and permissions with Azure AD Connect
Azure AD Connect contains several features to enable identity and access management, self-service capabilities and conditional access control across on-premises AD and the Azure cloud. The custom installation option provides a rich set of sync and write-back capabilities. Those features include the following:
Azure AD app and attribute filtering is an optional feature that can be included in the custom installation. It allows admins to filter which object attributes are synchronized to Azure AD based on the applications the organization will use in the cloud, which matters for enterprises with very strict security policies. Admins can unselect apps they won't use, such as Dynamics CRM, as well as those that aren't available in Azure AD (Figure 4).
Password write back enables users to change passwords in Azure AD; the new password is checked against on-premises AD to ensure it meets on-premises password policies.
User write back allows admins to create end users in Azure AD using the portal or an HR application; objects are written back to the on-premises AD.
Group write back currently is an option for Office 365 Groups. Newly created Office 365 Groups in Exchange Online can be written back to the on-premises AD so they are available to the on-premises users. These groups are mastered in Azure AD though; Microsoft is working to extend this feature set for security groups.
Directory Extension Attribute Sync allows the Azure AD schema to be extended based on what attributes are available on premises. In other words, you can synchronize the directory extension attributes from on premises to Azure AD so that cloud-based applications can use it (Figure 5).
Companies can only bring single-valued user and group attributes to the cloud. There are some limits currently in place: a limit of 100 extension values written to a single object, 256 characters per string extension value and 256 bytes per binary extension value.
Custom settings give admins the option to specify the sign-in method they want to use: password sync or an Active Directory Federation Services infrastructure.
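Because objects that breach these limits are not going to make it into Azure AD cleanly, it is worth checking extension attribute values before enabling the feature. The following pre-flight check is an added example, not code from the article or from Azure AD Connect; it encodes the single-valued rule and the three limits stated above, and the sample objects it inspects are constructed for illustration.

```python
# Added example (not from the article or Azure AD Connect): flag on-premises
# extension attribute values that would break the Directory Extension
# Attribute Sync limits quoted above. Sample objects are constructed.

MAX_EXTENSIONS_PER_OBJECT = 100   # extension values written to one object
MAX_STRING_CHARS = 256            # per string extension value
MAX_BINARY_BYTES = 256            # per binary extension value


def check_extension_values(extensions):
    """Return a list of problems for one object's {attribute: value} map.

    str = string extension, bytes = binary extension; list/tuple/set is
    multi-valued, which the sync does not support. Empty list = passes.
    """
    problems = []
    if len(extensions) > MAX_EXTENSIONS_PER_OBJECT:
        problems.append(f"{len(extensions)} extension values exceed "
                        f"{MAX_EXTENSIONS_PER_OBJECT} per object")
    for name, value in extensions.items():
        if isinstance(value, (list, tuple, set)):
            problems.append(f"{name}: multi-valued attribute cannot be synced")
        elif isinstance(value, str):
            if len(value) > MAX_STRING_CHARS:
                problems.append(f"{name}: {len(value)} chars > {MAX_STRING_CHARS}")
        elif isinstance(value, (bytes, bytearray)):
            if len(value) > MAX_BINARY_BYTES:
                problems.append(f"{name}: {len(value)} bytes > {MAX_BINARY_BYTES}")
        else:
            problems.append(f"{name}: unsupported type {type(value).__name__}")
    return problems


def find_blocked_objects(objects):
    """Map distinguished name -> problems for every object that fails."""
    blocked = {}
    for dn, extensions in objects.items():
        problems = check_extension_values(extensions)
        if problems:
            blocked[dn] = problems
    return blocked


# Constructed sample: one clean user, one with three different violations.
SAMPLE_OBJECTS = {
    "CN=alice,OU=Pilot,DC=example,DC=com": {
        "extensionAttribute1": "cost-centre-42",
        "employeePhoto": b"\x89PNG" + b"\x00" * 100,
    },
    "CN=bob,OU=Pilot,DC=example,DC=com": {
        "extensionAttribute1": "x" * 300,          # string too long
        "employeePhoto": b"\x00" * 300,            # binary too long
        "proxyAddresses": ["smtp:bob@example.com"],  # multi-valued
    },
}
```

Run `find_blocked_objects(SAMPLE_OBJECTS)` to get a report keyed by distinguished name; values exactly at the limit (256 characters or 256 bytes) pass.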