As your organization migrates to the Azure cloud to achieve its digital transformation goals, synchronization of users, groups, and contacts to Azure Active Directory is critical. Enter Azure AD Cloud Sync: Microsoft's solution to ensure your on-premises directory syncs correctly to Azure Active Directory (Azure AD).

Let's take a deeper dive into this feature with our Azure Architect, Jeremy Brewer, in the video below.

Video Transcription

My name is Jeremy Brewer, and I am the Azure architect at Emergent Software. Recently, Microsoft released a new product named Azure AD Cloud Sync, which adds features that Azure AD Connect is missing. But there are some differences between them, and I'd like to discuss what they are.

What does Azure AD Connect do?

First, let's discuss what Azure AD Connect does to understand what makes Azure AD Cloud Sync different. When an organization uses Active Directory (AD), either in an on-premises environment or in a hosted environment, they will have user identities that need to be synchronized to the Azure AD in their tenant. To do this, we use a tool called Azure AD Connect (originally called DirSync). It provides one-way transmission: on-premises, we create a user account, and that user ID gets synchronized up into our Office 365 AD. We can also choose to do some other things, like sending certain attributes along with it, synchronizing password hashes, selecting OUs, etc.

One additional benefit is Password Writeback. This feature allows users to change their password on the web, such as in the Office Portal, or in an app such as Microsoft Teams.

What is Azure AD Cloud Sync and how does it work?

Microsoft's new tool to help is called Azure AD Cloud Sync. Azure AD Cloud Sync is the first step into a bi-directional conversation between your on-premises environment and your cloud. Allowing the HR application to create a user in Azure AD means you do not have to allow the SaaS software to write directly to your Active Directory, and therefore you maintain security. This allows modernization of HR systems (and other systems) without losing the HR and IT teams' original processes. In our example, a new employee gets hired, the HR system creates that new user and writes it to Azure Active Directory, and the user is then synchronized to on-premises AD.

[Figure: Azure AD Cloud Sync]

A few features you may be used to are not supported yet, so please look at the documentation. If you want to utilize the new features and still require AD Connect, there is a hybrid deployment option.

What else can Azure AD Cloud Sync do for your team?

AD Cloud Sync has a much smaller footprint for install. With AD Connect, you require the engine on the domain controller along with the SQL Express instance or a similar supported configuration. When it comes to high availability, you only get active-standby, which requires manual intervention to fail over. With AD Connect there's a 30-minute timer for synchronizations, which is not very dynamic if you ask me. Password changes have a two-minute synchronization interval, which is not adjustable. It was a good tool to start, it's a great tool now, but things are progressing.

Now the install is a lot more lightweight: instead of a sync engine, you install an agent on your domain controller, which runs as a service. Don't want to install this on a domain controller? Just have line of sight to a DC and install it there. Powering this agent is Azure Service Bus, the same tool used in Azure App Proxy, so it's secure, mature, and lightweight. Just like App Proxy, communication is TLS over port 443 to Azure, with no inbound ports required to be opened.

Regarding high availability, it is supported to have multiple agents installed without additional configuration or manual effort. The agents heartbeat to Microsoft, and in the case of failure, the next agent takes over.
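As an added example (not part of the original post and not Microsoft's tooling), the following PowerShell gathers the facts discussed above from a defender's seat. On an AD Connect server it reads the scheduler through the real Get-ADSyncScheduler cmdlet, which exposes the 30-minute cycle and whether the server is the active or the staging (standby) node. On a host running the Cloud Sync provisioning agent it reports the agent service, confirms outbound TCP 443 to Azure, and lists any listening sockets owned by the agent process (there should be none, since the agent only needs outbound connectivity). The service display-name pattern, the process-name pattern, and the endpoint list are assumptions; take the authoritative list of required URLs from Microsoft's documentation, since the Service Bus namespaces are wildcards that cannot be probed individually.

```powershell
# Added example: posture checks for the two sync servers described above.
# Assumptions are marked inline.

function Get-AdConnectSyncPosture {
    # Run on the Azure AD Connect server. The ADSync module ships with AD Connect.
    Import-Module ADSync -ErrorAction Stop
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled  = $s.SyncCycleEnabled
        AllowedInterval   = $s.AllowedSyncCycleInterval              # 00:30:00 by default
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        StagingMode       = $s.StagingModeEnabled                    # $true = the passive/standby server
        NextCycleUtc      = $s.NextSyncCycleStartTimeInUTC
        # Password hash sync runs on its own fixed two-minute cadence and is not
        # part of this scheduler; review the Synchronization Service logs for it.
    }
}

function Test-CloudSyncAgentPosture {
    param(
        # login.microsoftonline.com is on Microsoft's published endpoint list for the
        # provisioning agent. Extend this from the current docs (assumption: the reader
        # supplies the remaining URLs; *.servicebus.windows.net is a wildcard).
        [string[]]$Endpoints = @('login.microsoftonline.com')
    )
    # Run on each server hosting a provisioning agent (a DC or a member server with
    # line of sight to a DC). The display-name filter is an assumption; adjust it
    # if your build names the service differently.
    $services = Get-Service | Where-Object { $_.DisplayName -like '*Provisioning Agent*' }
    $serviceReport = $services | Select-Object Name, Status, StartType

    # Outbound-only model: TCP 443 to Azure must succeed from this host.
    $outbound = foreach ($e in $Endpoints) {
        $r = Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $e; Tcp443 = $r.TcpTestSucceeded }
    }

    # No inbound ports should be needed: report any LISTEN sockets owned by agent
    # processes. The process-name filter is an assumption.
    $agentPids = (Get-Process | Where-Object { $_.ProcessName -like '*ProvisioningAgent*' }).Id
    $listeners = if ($agentPids) {
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -in $agentPids } |
            Select-Object LocalAddress, LocalPort, OwningProcess
    }

    [pscustomobject]@{
        AgentServices    = $serviceReport
        AgentsOnThisHost = @($services).Count    # HA comes from agents on several hosts, not several here
        Outbound443      = $outbound             # expected: Tcp443 = True for every endpoint
        UnexpectedListen = $listeners            # expected: empty
    }
}

# Usage (pick the function for the server you are on):
# Get-AdConnectSyncPosture | Format-List
# Test-CloudSyncAgentPosture -Endpoints 'login.microsoftonline.com' | Format-List
```

Run each function on the matching server type and keep the output with your change records: a StagingMode of $true on the server you believed was active, a failed Tcp443 probe, or any entry under UnexpectedListen is the kind of drift worth investigating before users notice sync delays.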

Interested in learning more about how Microsoft Azure can support your business in your digital transformation journey? Check out more of our blog posts on this topic and reach out to our team of experts to get started!