EMS Partner Community: Azure Active Directory Connect
Azure Active Directory Connect (Azure AD Connect) is the best way to connect your on-premises directory with Azure AD and Office 365. It goes beyond just synchronizing users from Active Directory to Azure Active Directory, it helps simplify hybrid identity management. It integrates on-premises directories with Azure Active Directory to provide a common identity for users for Office 365, Microsoft Azure, and SaaS applications integrated with Azure AD. Using the express setting, most environments can be connected and configured in a matter of minutes and with just a few mouse clicks.
With both Windows Azure Active Directory Sync (DirSync) and Azure AD Sync reaching end of support on April 13, 2017, now is the time to learn about Azure AD Connect and identify your customers that will need to upgrade. There are several thousand tenants still using DirSync and Azure AD Sync.
On the next Enterprise Mobility + Security Partners call, we’ll discuss Azure AD Connect and migrations from DirSync and Azure AD Sync.
Azure Active Directory Connect overview
Azure AD Connect increases productivity by providing a common identity for use with both cloud and on-premises resources.
There are three components to Azure AD Connect:
Azure AD Connect sync is responsible for creating users, groups, and other objects, and it makes sure identity information for your on-premises users and groups matches the cloud.
Active Directory Federation Services (AD FS)
Federation is an optional part of Azure AD Connect that can be used to configure a hybrid environment using an on-premises AD FS infrastructure. This can be used by organizations to address complex deployments, such as domain join single sign-on (SSO), enforcement of AD sign-in policy, and smart card or third-party multifactor authentication.
Azure AD Connect Health can provide robust monitoring and a central location in the Azure portal to view this activity.
Azure AD Connect deployments
Deploying Azure AD Connect is quite simple. A new deployment can be done in three steps.
- Download Microsoft Azure AD Connect from the Microsoft Download Center
- Install Azure AD Connect, using express settings or custom settings
- Configure and assign licenses
Azure AD Connect upgrades
If you’re upgrading from DirSync or Azure AD Sync you have a couple of options:
Upgrade from DirSync
- In-place migration of all supported custom configurations
- Side by side for > 50K objects
- Will not migrate unsupported configurations (such as removed attribute flows)
Upgrade from Azure AD Sync
- In-place upgrade or swing-migration if needed
Once you’re up and running, you’ll need to consider operational tasks such as disaster recovery, a staging server, and troubleshooting.
Azure AD Connect features
- Automatic upgrade is a default feature when using express settings and ensures Azure AD Connect is always at latest version.
- Device writeback will allow a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for conditional access.
- Password synchronization synchronizes the password hash in Active Directory to Azure AD. The end user can use the same password on-premises and in the cloud, and manage it in one location. Since it uses the on-premises Active Directory as the authority, customers can use their your own password policy.
- Password writeback allows users to change and reset their passwords in the cloud and have on-premises password policy applied.
- Filtering can be used to limit the objects synchronized to Azure AD. Using filtering, you can control which objects appear in Azure Active Directory (Azure AD) from the on-premises directory. The default configuration takes all objects in all domains in the configured forests. This is useful in scenarios such as pilots where you don’t want all accounts to be synchronized, or if there is a large number of service accounts.
- Prevent accidental deletes is a default feature in Azure AD Connect that helps avert accidental configuration changes that would affect a large number of users.
After you’ve deployed Azure AD Connect and verified functionality, you’ll need to keep an eye on the health of your deployment. Azure AD Connect Health helps you monitor and gain insights into the on-premises identity infrastructure and the synchronization services. We’ll cover Azure AD Connect Health in an upcoming blog post.
Resources and documentation
- Azure AD Connect sync: Understand and customize synchronization
- Azure AD Connect sync: Technical concepts
- Azure AD Connect sync: Understanding the default configuration
- Azure AD Connect sync: Understanding Users and Contacts
- Azure AD Connect Sync: Understanding Declarative Provisioning Expressions
- Best practices for changing the default configuration
Microsoft Ignite 2016: Connect your on-premises directories to Azure AD and use one identity for all your apps
Community call about Azure AD Connect on March 23
Sign up for the March 23 EMS Partner community call, where we’ll take a closer look at Azure AD Connect and resources to help customers upgrade.