
(90) Hybrid Identity using Azure AD Connect Cloud Sync

  • Writer: Mr B SOE way
  • Sep 13, 2023
  • 3 min read

With Azure AD being renamed to Microsoft Entra ID, I have been playing around with the features in Entra.


In previous posts I have talked about using Azure AD Connect Sync, which can be found here:




Just a quick recap on what "Azure AD Connect Sync" is:


Azure AD Connect sync is an on-premises Microsoft application designed to meet your hybrid identity goals. It is typically installed on an on-premises domain-joined member server. It can be installed on a domain controller, but that places a service holding directory-wide credentials on a tier-0 host, so a dedicated member server is preferred. Its only network requirement is an outbound HTTPS connection to Microsoft 365 services; no inbound ports need to be opened.


Azure AD Connect sync (formerly known as DirSync and Azure AD Sync) was the first solution built for provisioning from on-premises AD to Azure AD. It currently supports most Azure AD hybrid scenarios, and it can support organizations with large directories. While Azure AD Connect sync is robust in its capabilities, it can also:

  • Require a heavy investment in infrastructure resources.

  • Be complicated to configure.

  • Result in higher maintenance costs.

Azure AD Connect comes with several features that are either enabled by default or can optionally be turned on. Some features may require more configuration in certain scenarios and topologies.


What is Azure AD Connect Cloud Sync?

Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application.

With Azure AD Connect Cloud Sync, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between on-premises Active Directory and Azure AD. The provisioning configuration is stored in Azure AD and managed as part of the service.


Azure AD Connect Cloud Sync supports most of the common Azure AD hybrid scenarios, with one major exception: Exchange hybrid deployments.


Note: An Exchange hybrid deployment allows for the co-existence of Exchange mailboxes both on-premises and in Microsoft 365. In an Exchange hybrid deployment, Azure AD Connect synchronizes a specific set of attributes from Azure AD back into the organization’s on-premises directory. However, the cloud provisioning agent for Azure AD Connect Cloud Sync doesn’t currently synchronize these attributes back into the on-premises directory. Therefore, organizations that plan to implement an Exchange hybrid deployment must use Azure AD Connect sync.


What are the differences?

  • Azure AD Connect sync. The provisioning configuration is stored on the on-premises sync server. Provisioning also runs on the on-premises sync server.

  • Azure AD Connect Cloud Sync. The provisioning configuration is stored in the cloud. Provisioning also runs in the cloud as part of the Azure AD provisioning service.

Configuration


1. Navigate to https://entra.microsoft.com, expand Identity, select Hybrid management, then select Azure AD Connect.

2. Select Cloud sync.

3. Select Agents.

4. Select Download on-premises agent, then select Accept terms and download.



5. Run the installer on a domain-joined server (the author used a domain controller; a member server keeps the agent off the DC and is the usual recommendation) and accept the licence terms.

6. Run through the wizard, select Next.

7. Select HR-driven provisioning / Azure AD Connect Cloud Sync.

8. Select Authenticate and sign in. The account needs the Hybrid Identity Administrator role; a Global Administrator also works, but that is more privilege than this task needs.

9. The wizard needs a service account for the agent: either let it create a group Managed Service Account (gMSA), or supply an existing one. Creating the gMSA requires domain admin credentials.

In this case, I used the same Administrator account to set up this server.

10. Select Next.

11. Select Confirm.

12. It will confirm that the agent has been installed. Select Exit, then select Close.
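Before moving on to the configuration, it is worth checking from the server itself that the agent is running, that it runs as the gMSA rather than a named admin account, and that it can reach Microsoft online services. The following is an added example, not part of the original post or Microsoft's documentation; it assumes the default install path, the default service name AADConnectProvisioningAgent, and the AADCloudSyncTools module that ships with the agent (its prerequisites may need installing first with Install-AADCloudSyncToolsPrerequisites).

```powershell
# Added example: post-install check of the cloud sync provisioning agent.
# Run in an elevated PowerShell session on the server the wizard was run on.

# 1. Service state. Service name assumed to be the default 'AADConnectProvisioningAgent'.
Get-Service -Name AADConnectProvisioningAgent |
    Select-Object Name, DisplayName, Status, StartType

# 2. Identity the service runs as. Expect a gMSA such as DOMAIN\provAgentgMSA$ (default name
#    created by the wizard); a named admin account here means step 9 chose the wrong option.
Get-CimInstance -ClassName Win32_Service -Filter "Name='AADConnectProvisioningAgent'" |
    Select-Object Name, StartName, State

# 3. Outbound HTTPS is the only network path the agent needs; nothing inbound is required.
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Agent and tenant view through the AADCloudSyncTools module installed with the agent.
Import-Module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"
Connect-AADCloudSyncTools          # interactive sign-in; Hybrid Identity Administrator is enough
Get-AADCloudSyncToolsInfo          # tenant details and registered agents
Get-AADCloudSyncToolsJob           # sync jobs; empty until a configuration is created in step 13
```

If step 2 shows the service running as a user account rather than a gMSA, reinstall and take the "create gMSA" option: the gMSA has a machine-managed password and cannot be used for interactive logon, which is exactly what you want for an agent that can read every synced object in the domain.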










13. Select Configurations, then select New configuration.

14. From the dropdown, select the domain, then select Create.

15. In Active Directory Users and Computers on-premises, select View, then Advanced Features, so that the Attribute Editor tab becomes visible.

16. Pick the OU you wish to sync. Right-click the OU, select Properties, open the Attribute Editor tab and copy the value of the distinguishedName attribute.

17. Under Scoping filters, the default scope is all users. To sync only specific OUs, paste each value from step 16 into "Distinguished name of object" and select Add. Anything outside the listed OUs (privileged accounts, service accounts) stays out of the cloud directory, so scope as tightly as you can.

18. Once all the required changes have been added, go back to Overview and select "Review and update".

19. If the first sync reports an error, check whether a Conditional Access policy is blocking the sync service account. Exclude that account from Conditional Access (the author did this by adding it to the group already excluded for break-glass accounts) rather than loosening the policy itself.

20. Once it has synced successfully, you can see the changes it made.
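Copying distinguished names out of Attribute Editor works, but it is easy to mistype one and silently sync the wrong OU. The following is an added example, not from the original post, that lists OU distinguished names for the scoping filter, previews which accounts an OU scope would cover, and flags privileged accounts that would end up in the cloud directory. It assumes the ActiveDirectory RSAT module is installed; the OU name 'Sync Users' and the group 'Domain Admins' used below are illustrative.

```powershell
# Added example: build and sanity-check the OU scope for steps 16 and 17.
Import-Module ActiveDirectory

# Every OU with its distinguished name. The DistinguishedName column is exactly
# the value that goes into "Distinguished name of object" in the scoping filter.
Get-ADOrganizationalUnit -Filter * -Properties Description |
    Select-Object Name, DistinguishedName, Description |
    Sort-Object DistinguishedName

# The DN of the one OU we intend to sync. 'Sync Users' is an assumed name.
$ouName = 'Sync Users'
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'"
if (-not $ou) { throw "OU '$ouName' not found" }
$ou.DistinguishedName

# Preview the accounts the scope would cover. Subtree includes child OUs; run the
# same query with -SearchScope OneLevel to compare against a single-OU view.
Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree `
           -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName

# Sanity check: privileged accounts should not sit inside a synced OU.
# Flags any account in scope that is a (nested) member of Domain Admins.
$scoped = Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree -Filter *
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$scoped | Where-Object { $privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged account in sync scope: $($_.DistinguishedName)" }
```

Accounts with no UserPrincipalName in the preview are worth a look as well: they will be provisioned with a UPN derived from the on-premises attributes, which is usually not what you want for service accounts that happen to live in the scoped OU.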


21. To enable "Write back passwords with Azure AD Connect cloud sync", in Entra expand Protection, select Password reset, then On-premises integration, tick the check box and select Save. The agent itself must also have password writeback enabled (it is off after a default install), otherwise the portal setting has no effect.
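The agent-side part of password writeback is done with the PowerShell module that ships inside the agent install directory, not in the portal. The following is an added example, not from the original post; it assumes the default install path and the Set-AADCloudSyncPermissions and Set-AADCloudSyncPasswordWritebackConfiguration cmdlets from the agent's Microsoft.CloudSync.Powershell.dll module. Run it on the agent server in an elevated session.

```powershell
# Added example: enable password writeback on the cloud sync agent (step 21, agent side).
Import-Module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"

# The gMSA needs reset-password rights on the scoped OUs before writeback can work.
# -PermissionType PasswordWriteBack grants only that; 'All' would grant every cloud sync
# permission at once, which is more than this feature needs. Prompts for an Enterprise Admin.
Set-AADCloudSyncPermissions -PermissionType PasswordWriteBack -EACredential (Get-Credential -Message 'Enterprise Admin')

# Turn writeback on in the agent. Prompts for a Hybrid Identity Administrator
# (or Global Administrator) account in the tenant.
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential (Get-Credential -Message 'Hybrid Identity Administrator')
```

Only after this has succeeded does the "Write back passwords with Azure AD Connect cloud sync" checkbox in Password reset > On-premises integration do anything. Keep the order in mind when troubleshooting a self-service reset that reports success in the cloud but never reaches on-premises AD.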

The provisioning logs (Monitoring, Provisioning logs) show the success, failure and skipped counts for each cycle, and the audit logs show what failed and why.
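The same provisioning events are exposed through Microsoft Graph, which is handier than the portal when you want a quick failure summary after a scope change. The following is an added example, not from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to AuditLog.Read.All and Directory.Read.All.

```powershell
# Added example: summarise recent cloud sync provisioning events from Microsoft Graph.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Newest provisioning events for the tenant (the same data the portal's provisioning logs show).
$uri = 'https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=200'
$events = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Success / failure / skipped breakdown, like the summary tiles in the portal.
$events | Group-Object { $_.provisioningStatusInfo.status } |
    Select-Object Name, Count

# Failures with the source object and the reason Graph reports, ready for triage.
$events | Where-Object { $_.provisioningStatusInfo.status -eq 'failure' } |
    ForEach-Object {
        [pscustomobject]@{
            When   = $_.activityDateTime
            Action = $_.provisioningAction
            Source = $_.sourceIdentity.displayName
            Reason = $_.provisioningStatusInfo.errorInformation.reason
        }
    } | Format-Table -AutoSize
```

A sudden run of failures immediately after "Review and update" with the same reason on every object usually points at the account-level problem from step 19 rather than at the objects themselves; per-object failures with different reasons (duplicate proxyAddresses, invalid characters) are data problems to fix in on-premises AD.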


