

Write-back to on-premises with Azure AD Connect

Exchange 2016 promises some improvements to write-back functionality, especially for administrators managing a hybrid deployment.

Azure AD Connect allows you to auto-configure Active Directory Federation Services (ADFS) for access to apps and services across organizational boundaries. Before Azure AD Connect, if you wanted to deploy ADFS you had to install it yourself and then perform the complex configuration needed to tie it to Office 365.

Azure Active Directory (AD) Connect replaces the legacy Windows Azure AD Sync tool, DirSync, and Azure AD Sync Services.

New features in Azure AD Connect will make a big difference to Exchange admins currently using DirSync, once they move out of preview.

[Figure: Microsoft Azure Active Directory optional features]

User write-back to on-premises

Accounts that are synchronized from Active Directory to Azure AD flow primarily in one direction. Most Azure AD user attributes are a read-only copy, and the on-premises AD remains the master copy of the user objects.

As a preview feature, user write-back to on-premises allows you to define an organizational unit (OU) in the on-premises AD into which Azure AD Connect writes back new user objects that have been mastered in Azure AD.

This feature doesn't write back all attributes, and in particular it doesn't write back the equivalent Exchange attributes. For example, suppose you have a cloud-only mailbox in Exchange Online. User write-back will create a basic AD account to represent that mailbox, but it will not enable the account as a remote mailbox, nor will it write back Exchange attributes such as the email addresses (proxyAddresses). You are also unable to edit synced AD objects in the cloud and write those changes back to the local AD.

Mailboxes that are already mastered on-premises will not have editable email addresses in the cloud; these must still be managed on-premises.

Group write-back to on-premises

The big new concept across Office 365 as a service is unified groups. Always mastered in Azure AD, unified groups differ from the traditional security or distribution group used with Exchange or AD on-premises. A unified group is not just a group defined in Active Directory with mail flow enabled; it is a basic concept that Office 365 services use for better collaboration. For example, Office 365 Groups provides a group mailbox that stores mail, whereas a traditional group holds no data beyond basic information such as its membership and permission lists.

A unified group in the cloud contains not only the list of group members but also the data associated with the group, such as email in the group mailbox or files on the OneDrive group site. In Exchange, the group has a mailbox associated with it in the cloud, which allows for threaded topics and buttons readers can use to indicate that they like a post.

Groups also span non-Exchange services, including integration into OneDrive for Business and PowerBI, with planned integration with Skype for Business and Yammer coming in the future.

Exchange supports the unified group object in on-premises versions of Exchange 2013 CU8 and above, including Exchange 2016; however, these groups do not show up in the on-premises Global Address List or the Exchange Admin Center. Access to the unified group is also unavailable in the Outlook clients; on-premises, the group itself appears as a universal distribution group (see figure 2).

[Figure 2: universal distribution group]
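The two sections above describe what write-back does and does not put into on-premises AD: user write-back creates bare accounts without Exchange attributes, and group write-back lands Office 365 groups as universal distribution groups. The following PowerShell script is an added example (not part of the original article or of Azure AD Connect itself) that audits the write-back OUs to confirm that behaviour and flag anything that deviates from it. The OU distinguished names are assumptions chosen for illustration; substitute the OUs you configured in the Azure AD Connect wizard. It requires the ActiveDirectory module from RSAT on a domain-joined host.

```powershell
# Added example: audit objects Azure AD Connect has written back on-premises.
# The OU names below are assumptions, not values from the article.
Import-Module ActiveDirectory

$userOu  = 'OU=AADWriteback,DC=corp,DC=example'   # assumed user write-back OU
$groupOu = 'OU=AADGroups,DC=corp,DC=example'      # assumed group write-back OU

# 1. Users written back from Azure AD. Per the article they arrive as basic
#    accounts: no proxyAddresses and no remote-mailbox attributes. Anything
#    that does carry them was populated by something other than write-back.
$users = Get-ADUser -SearchBase $userOu -SearchScope Subtree -Filter * `
    -Properties mail, proxyAddresses, msExchRemoteRecipientType, whenCreated

$users |
    Select-Object SamAccountName, UserPrincipalName, mail, whenCreated,
        @{ Name = 'ProxyAddressCount'; Expression = { @($_.proxyAddresses).Count } },
        @{ Name = 'RemoteMailbox';     Expression = { $null -ne $_.msExchRemoteRecipientType } } |
    Format-Table -AutoSize

$unexpectedUsers = $users | Where-Object {
    @($_.proxyAddresses).Count -gt 0 -or $null -ne $_.msExchRemoteRecipientType
}
if ($unexpectedUsers) {
    Write-Warning ("{0} written-back user(s) carry Exchange attributes that user write-back does not set" -f @($unexpectedUsers).Count)
}

# 2. Groups written back. Unified groups should appear on-premises as
#    universal distribution groups, which is how Outlook and the GAL see them.
$groups = Get-ADGroup -SearchBase $groupOu -SearchScope Subtree -Filter * `
    -Properties mail, proxyAddresses, whenCreated

$groups |
    Select-Object Name, GroupScope, GroupCategory, mail, whenCreated |
    Format-Table -AutoSize

$unexpectedGroups = $groups | Where-Object {
    $_.GroupScope -ne 'Universal' -or $_.GroupCategory -ne 'Distribution'
}
if ($unexpectedGroups) {
    Write-Warning ("{0} group(s) in the write-back OU are not universal distribution groups" -f @($unexpectedGroups).Count)
}
```

Run it as a user with read access to both OUs. The account Azure AD Connect uses on-premises needs rights to create objects in these OUs, so keep them dedicated to write-back and review the warnings: a security-enabled group or a user with a populated proxyAddresses list in a write-back OU was not created by write-back and deserves a closer look.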

Write-back matters

Azure AD is becoming as important to an organization's identity as Active Directory, rather than just a mirror of AD in the cloud. Write-back from Azure AD to on-premises AD is only beginning, but start paying attention now: it gives mailboxes hosted on an on-premises Exchange Server access to cloud-only features.

If you use DirSync, Azure AD Sync or Azure AD Connect and Exchange Online, then you need to implement an Exchange hybrid server to remain supported. The biggest ask from Microsoft customers is for the vendor to remove the requirement to implement an Exchange hybrid server on premises.

Allowing admins to edit Exchange Online attributes for synced mailboxes and write-back to on-premises AD would help remove the requirement to maintain any hybrid server. For now, if you want to remove Exchange from on-premises but still be supported by Microsoft, place the hybrid management server in Azure.
