

What's new in Azure Active Directory Connect?

Azure Active Directory Connect offers a raft of new features, including synchronization and single sign-on between an on-premises environment and Azure AD.

Azure Active Directory Connect gives organizations with hybrid environments a single tool for connecting on-premises directories to Azure Active Directory.

Directory Synchronization (DirSync) was released in 2008 and has been used by customers in single forest deployments. To meet the needs of larger organizations looking to sync multiple AD forests to the cloud, Microsoft released the Azure Active Directory (AAD) Sync tool. Azure AD Connect integrates the feature set of both DirSync and AAD Sync and can be used to:

  • Sync single or multiple AD forests to Azure AD
  • Sync LDAP directories to Azure AD
  • Sync other identity stores to Azure AD

Azure Active Directory Connect installation

There are two ways to install and configure Azure Active Directory Connect: express settings and custom installation. The express setting is the most common way to deploy the sync tools. This mode is for organizations that want to sync a single AD forest into Azure AD; it works in just a few clicks. If you want to sync multiple forests, the custom installation option is a better choice.

The express settings mode installs all the prerequisites on the server, sets the correct access control limits and user rights assignments for password sync, and creates the AD connectors to and from the cloud (Figure 1). Instead of using the global admin account that you specify as the Azure credentials for the sync, express settings creates a new sync user with the right permissions.

Figure 1. Azure Active Directory Connect express settings.

The new tool adds a piloting option that syncs only users who are members of a particular group. In previous versions of the tool, filtering was based on organizational units (OUs), so admins had to move users to the correct OU to sync them to Azure AD, and then do extra work to ensure pilot users still had all the correct on-premises group policies applied.

In Azure AD Connect, an administrator has to create a new group and add pilot users as members of that group. Only the objects that are direct members of the group will be present in Azure AD (Figure 2).
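Because group-based filtering picks up direct members only, a pilot user who belongs to the pilot group through a nested group will silently stay out of Azure AD. The following PowerShell is an added example, not code from the article or from Microsoft, that compares direct and recursive membership of the pilot group so an admin can spot those accounts before the first sync; it assumes the ActiveDirectory module is available and uses a placeholder group name.

```powershell
# Added example (not from the article): list accounts that belong to the pilot
# group only via nesting. Azure AD Connect group filtering syncs direct members
# only, so these accounts would not appear in Azure AD.
# Assumes the ActiveDirectory module; the group name below is a placeholder.
Import-Module ActiveDirectory

function Get-UnsyncedNestedMembers {
    param(
        [Parameter(Mandatory)] [string] $PilotGroup
    )
    # Direct members: the objects the group filter will actually select.
    $direct = Get-ADGroupMember -Identity $PilotGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName

    # Recursive membership: everyone an admin would consider "in" the group.
    $all = Get-ADGroupMember -Identity $PilotGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName

    # Anything reachable only through a nested group will not be synced.
    $all | Where-Object { $direct -notcontains $_ }
}

# Usage with a placeholder pilot group name
Get-UnsyncedNestedMembers -PilotGroup 'AADC-Pilot-Users' |
    ForEach-Object { Write-Warning "Nested member only, will not sync: $_" }
```

Run this from a machine with RSAT before enabling the filter; any distinguished name it reports must be added to the pilot group directly (or the nested group flattened) for that user to reach Azure AD.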

Figure 2. Azure AD Connect lets admins filter users.

If you have an existing deployment of DirSync or Azure AD Sync, it is easy to upgrade to Azure AD Connect. The installation will detect any existing tools and you can choose to upgrade or migrate the configuration to a new Azure AD Connect server. It's best to upgrade to the new tool if you have fewer than 50,000 objects while using DirSync. For larger organizations with more than 50,000 objects, it is best to stand up a new Azure AD Connect server and import the configuration from DirSync (Figure 3).

Figure 3. Import configurations from Directory Sync.

Control access and permissions with Azure AD Connect

Azure AD Connect contains several features to enable identity and access management, self-service capabilities and conditional access control across on-premises and Azure cloud. The custom installation option provides a rich set of sync and write-back capabilities. Those features include the following:

Azure AD app and attribute filtering is an optional feature that can be included in the custom installation. It lets admins restrict which object attributes are synced to Azure AD based on the cloud applications the organization will actually use, which matters for enterprises with very strict security policies. Admins can unselect apps they won't use, such as Dynamics CRM, as well as those that aren't available in Azure AD (Figure 4).

Figure 4. Azure Active Directory Connect security settings.

Password write back enables users to change passwords in Azure AD; the new password will be checked with AD to ensure it meets on-premises password policies.

User write back allows admins to create end users in Azure AD using the portal or an HR application; objects are written back to the on-premises AD.

Group write back currently is an option for Office 365 Groups. Newly created Office 365 Groups in Exchange Online can be written back to the on-premises AD so they are available to the on-premises users. These groups are mastered in Azure AD though; Microsoft is working to extend this feature set for security groups.

Directory Extension Attribute Sync allows the Azure AD schema to be extended based on what attributes are available on premises. In other words, you can synchronize the directory extension attributes from on premises to Azure AD so that cloud-based applications can use them (Figure 5).

Figure 5. Synchronize directory extension attributes to Azure AD.

Companies can only bring single-valued user and group attributes to the cloud. Several limits currently apply: 100 extension values per object, 256 characters per string extension value and 256 bytes per binary extension value.
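Before selecting an on-premises attribute as a directory extension, it is worth confirming in the schema that it is single-valued and scanning existing values against the size limits described above. The following PowerShell is an added example, not code from the article or from Microsoft, that performs that pre-flight check; it assumes the ActiveDirectory module is available and uses a placeholder attribute name.

```powershell
# Added example (not from the article): pre-flight check for an on-premises
# attribute before exposing it as a directory extension in Azure AD Connect.
# Assumes the ActiveDirectory module; the attribute name used below is a placeholder.
Import-Module ActiveDirectory

function Test-ExtensionAttributeCandidate {
    param(
        [Parameter(Mandatory)] [string] $AttributeName,
        # Limit from the article: 256 characters per string value,
        # 256 bytes per binary value.
        [int] $MaxLength = 256
    )

    # Look the attribute up in the schema partition to learn if it is single-valued.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $def = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
        -Properties isSingleValued
    if (-not $def) { throw "Attribute '$AttributeName' not found in schema" }

    # Only single-valued attributes can be brought to Azure AD as extensions.
    if (-not $def.isSingleValued) {
        throw "'$AttributeName' is multi-valued and cannot be synced as an extension"
    }

    # Report every populated user whose value exceeds the size limit.
    # Binary (octet string) values come back as byte[], strings as string.
    Get-ADUser -LDAPFilter "($AttributeName=*)" -Properties $AttributeName |
        ForEach-Object {
            $value = $_.$AttributeName
            $size = if ($value -is [byte[]]) { $value.Length } else { ([string]$value).Length }
            if ($size -gt $MaxLength) {
                [pscustomobject]@{
                    User  = $_.SamAccountName
                    Size  = $size
                    Limit = $MaxLength
                }
            }
        }
}

# Usage with a placeholder attribute name
Test-ExtensionAttributeCandidate -AttributeName 'extensionAttribute1' | Format-Table
```

An empty result means every populated value fits within the limit; any rows returned identify accounts whose attribute must be trimmed before the extension is enabled, since an oversized value will not be exported.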

Custom settings let admins specify the single sign-on method they want to use: password sync or an Active Directory Federation Services infrastructure.
