Azure AD Cloud Sync

If you are an MSP in the SMB market, you are likely running a hybrid environment for most of your customers. We have used AD Connect for years now (previously known as DirSync) to sync local Active Directory into our cloud environments. I've personally performed over 100 email migrations and it was something I set up in almost every environment. AD Connect has improved significantly over the years, but there have still been some limitations in the supported topologies. The biggest one I ran into was syncing multiple forests that are not on the same network into a single Azure AD tenant. Azure AD Connect supported topology example:

Microsoft has recently gone GA with a new tool called Azure AD Connect Cloud Sync. It is a lightweight agent that can be installed from the Azure Active Directory admin center. It can replace or work alongside AD Connect. Here are the top benefits I see for MSPs:

  • Lightweight agent instead of a heavy application
  • Support for synchronizing a multi-forest Active Directory environment that is not on the same network into a single Azure AD tenant
  • Support for coexistence of AD Connect and AD Cloud Sync
  • Configuration is managed in Azure AD
  • No more 30-minute sync window
  • New Hybrid Identity Administrator role in Azure AD

The agent is very easy to install and can be installed on multiple servers for high availability. It supports the synchronization of multi-forest environments that are not on the same network, which I personally think is the biggest benefit. With all of the M&A activity going on, it is a huge win to be able to sync two separate environments into a single tenant instead of having to think about migration paths. You can have one forest using AD Connect and another using AD Cloud Sync. Additionally, you can move from AD Connect to AD Cloud Sync; that process is a little more complicated, but Microsoft outlines it here.

The configuration settings (i.e. OU selection, attribute mapping) are managed in the Azure AD admin center. I think this is another win, since you don't have to remote into the DC every time you need to make a change. Additionally, Microsoft created a new role called Hybrid Identity Administrator so that someone can manage the connection without having to be a Global Admin. The final piece is that you no longer have a 30-minute default sync window. In my testing, any changes I made or new users I created were replicated up to the cloud in about 5 minutes.

Drawbacks

With all the great things coming from this new tool, it still carries some flaws in my opinion. I did a full POC and found the following:

  • Writeback capabilities not supported
  • No advanced customization for attribute flows
  • No Azure AD Domain Services support

Password hash synchronization is supported, but all writeback capabilities, including password and device writeback, are not supported at this time. I have a feeling Microsoft may make this change soon, but it does not exist today. Click here for the full comparison of AD Connect to Azure AD Cloud Sync.

Another big drawback was the lack of flexibility in customizing attribute flows and controlling the source anchor. If you have set up AD Connect against a tenant that already has existing users, then you know the pain of getting duplicate users created unless you configure the matching attributes correctly in the sync. Example:

A common method to avoid duplicate users was to use the mail attribute as the source anchor. In my testing, I found no way to create this customization in the setup. This means that in order to sync into a tenant that already has users, you would have to run PowerShell to grab all the ObjectGUIDs in AD and update the existing users in Azure AD with them before those users come into scope. This doesn't make the tool very attractive for a tenant that already has users.
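The PowerShell workaround described above, as an added example that is not part of the original post: it matches each on-prem user to its existing cloud account by the mail attribute, then writes the base64-encoded ObjectGUID into the cloud user's ImmutableId so Cloud Sync updates that object instead of creating a duplicate. It assumes the ActiveDirectory and AzureAD modules are installed, that you have already run Connect-AzureAD with a Hybrid Identity Administrator (or Global Admin) account, and that Cloud Sync will anchor on ObjectGUID. The OU path is a hypothetical placeholder.

```powershell
# Added example, not from the original post: hard-match existing Azure AD users to
# on-prem AD accounts before the OU is placed in Cloud Sync scope.
# Assumes: ActiveDirectory + AzureAD modules, Connect-AzureAD already run,
# Cloud Sync anchored on ObjectGUID. The OU below is a hypothetical placeholder.

Import-Module ActiveDirectory
Import-Module AzureAD

$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com'   # hypothetical OU that will be in scope
$DryRun     = $true                                  # set to $false to actually write ImmutableId

$adUsers = Get-ADUser -SearchBase $SearchBase -Filter 'mail -like "*"' -Properties mail, objectGUID

foreach ($adUser in $adUsers) {
    # Azure AD stores the objectGUID source anchor as a base64 string in ImmutableId.
    $immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    # Match on the primary SMTP address rather than UPN: in a tenant populated before
    # the sync, the cloud UPN often differs while mail stays the same.
    # Single quotes are doubled so the address cannot break the OData filter.
    $mail      = $adUser.mail -replace "'", "''"
    $cloudUser = Get-AzureADUser -Filter "mail eq '$mail'" | Select-Object -First 1

    if (-not $cloudUser) {
        Write-Warning "No cloud user with mail $($adUser.mail); Cloud Sync will create a new one"
        continue
    }
    if ($cloudUser.ImmutableId -eq $immutableId) {
        continue   # already matched, nothing to do
    }
    if ($cloudUser.ImmutableId) {
        # Already anchored to a different on-prem object (e.g. another forest's account).
        # Overwriting it would orphan that link, so stop and investigate instead.
        Write-Warning "$($cloudUser.UserPrincipalName) already has ImmutableId $($cloudUser.ImmutableId); skipping"
        continue
    }

    if ($DryRun) {
        "WOULD SET $($cloudUser.UserPrincipalName) ImmutableId=$immutableId"
    } else {
        Set-AzureADUser -ObjectId $cloudUser.ObjectId -ImmutableId $immutableId
        "SET $($cloudUser.UserPrincipalName) ImmutableId=$immutableId"
    }
}
```

Run it with $DryRun left at $true first and review the WOULD SET lines. The order matters: set ImmutableId while the users are still cloud-only, because Azure AD refuses to change ImmutableId on an object that is already directory-synced, and a user that lands in Cloud Sync scope without a matching ImmutableId is exactly what produces the duplicate.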

Another common error I wanted to test for is one you may have seen as well:

This error is the absolute worst when you are trying to perform a migration. With AD Connect you solve it by excluding msExchMailboxGuid from the attribute flow in the synchronization settings. You can still modify that attribute's mapping in Cloud Sync, so this one is not actually a concern.

Conclusion

Here is Microsoft's setup tutorial, which is easy to follow.

Personally, I love that Azure AD Cloud Sync supports multi-forest configurations, but there are still some major updates I would want to see before it would suit most customer environments. Hope you found this article helpful; please share with the community!