Azure AD Connect is the next-generation identity synchronization tool for Microsoft cloud services, and combines the features of Microsoft’s Directory Synchronization (DirSync) and Azure AD Sync Services (Azure AD Sync) tools. Azure AD Sync, released in September 2014, was the replacement for DirSync, but the newly released Azure AD Connect will be the one-stop identity tool for integrating on-premise identity stores with Azure AD.
Azure AD Connect consists of three main parts: Active Directory Synchronization Service, Active Directory Federation Service (optional) and Azure AD Connect Health.
- Active Directory Synchronization Service (Azure AD Sync Service)
This is the successor to DirSync, and handles the initial provisioning, matching and subsequent updating of the selected user accounts, contacts and groups from the on-premise Active Directory to the Azure Active Directory.
- Active Directory Federation Service (ADFS)
This is an optional part of Azure AD Connect that provides a Single Sign-On experience and is used when configuring a hybrid environment with an existing on-premise service platform. The ADFS service is based on either an on-premises AD FS infrastructure, an ADFS infrastructure running on virtual servers in Microsoft Azure, or the Azure Active Directory Control Service (ACS).
- Azure AD Connect Health
Azure AD Connect contains a third component, Azure AD Connect Health, which provides operations and monitoring for all Azure AD Connect components.
Azure AD Connect Health offers the ability to view alerts, performance, usage patterns and configuration settings, using an agent that is installed on each of the targeted servers. Note that an Azure Active Directory Premium subscription is required to use Azure AD Connect Health.
Deploying Azure AD Connect
Azure AD Connect supports both a 4-click Express Settings option and the more advanced Customize Settings option.
The Express option features:
– The most common option for simple deployments
– Single AD forest support only
– Configures a standard Synchronized Identity model for all on-premise objects
– Enables password synchronization for all users
– Creates a default on-premise service account
– Creates a default cloud service account with a tailored role
– Requires Enterprise Admin privileges in the on-premise AD
– Requires the Global Administrator role in Azure AD
– Sets up a standard sync with an AD Connector for the on-premise AD and an Azure Connector for Azure AD
While the Express option is suitable for most Synchronized Identity scenarios, the Customize Settings option of Azure AD Connect provides access to additional advanced deployment and security options:
– Supports multi-forest synchronization
– Support for Hybrid scenarios
– Deploy pilot using few users in a group, using filtering
– Assign custom service accounts with lower privileges
– Sync selected users using filtering (OU, domain, group, attribute)
– Postpone initial full sync (‘staging mode’)
– Support of Azure AD premium features – writeback of passwords, users, groups, and devices from the cloud
– Windows 10 Computer sync to Azure AD
– Sync of custom and directory extension attributes
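Express setup needs an Enterprise Admin to run the wizard, but the on-premise account it creates for ongoing synchronization should not keep that level of privilege, which is why the Customize option lets you supply a lower-privileged service account. The following PowerShell check is an added example, not code from the original post or from Microsoft; it reviews the nested AD group membership of a given sync account and assumes the RSAT ActiveDirectory module is installed. The account name is an operator-supplied parameter; `MSOL_PLACEHOLDER` is a placeholder, not a real account.

```powershell
# Added example (not from the original post): report whether the on-premise account
# used by Azure AD Connect to read/write the on-premise AD sits in any high-privilege
# group, directly or through nested membership.
# Assumes: RSAT ActiveDirectory module is present; the caller supplies the account
# name. 'MSOL_PLACEHOLDER' is only a placeholder default.
param(
    [string]$ConnectorAccount = 'MSOL_PLACEHOLDER'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Groups a synchronization account should never belong to. The wizard needs an
# Enterprise Admin to run, but the account it leaves behind should not keep that role.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

$user = Get-ADUser -Identity $ConnectorAccount -Properties DistinguishedName -ErrorAction Stop

# Escape characters that are special in an LDAP filter (RFC 4515); backslash first.
$dn = $user.DistinguishedName `
      -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership, so a
# privileged group reached through an intermediate group is reported too.
$allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
             Select-Object -ExpandProperty Name

$findings = $allGroups | Where-Object { $privilegedGroups -contains $_ }

if ($findings) {
    Write-Warning ("Sync account '{0}' is (directly or via nesting) a member of: {1}" -f
                   $ConnectorAccount, ($findings -join ', '))
} else {
    Write-Output ("Sync account '{0}' holds no high-privilege group membership. Groups: {1}" -f
                  $ConnectorAccount, ($allGroups -join ', '))
}
```

Run it on a domain-joined host as `.\Check-SyncAccount.ps1 -ConnectorAccount <account>` with the account you configured in Customize Settings (or the one Express created). The nested-membership query matters because a sync account dropped into a custom group that is itself a member of Domain Admins would pass a direct-membership check and still be fully privileged.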
ADFS on Windows Server 2016 supports conditional access control based on a device’s compliance state, which enables the IT Admin to configure a Conditional Access Control Policy in ADFS, and use the device’s compliance state (reported by Intune) to secure access to on-premises applications.
Note that among the writeback capabilities from Azure AD to the on-premises AD, some of the Windows 10-related features (like device compliance information) require that the on-premise AD is first updated to Windows Server 2016. Also, most of the writeback capabilities require an Azure AD Premium subscription.
During the next weeks Microsoft intends to upgrade the Azure AD and Office 365 portals so that they point to Azure AD Connect by default instead of DirSync.
Upgrading to Azure AD Connect
Upgrading your existing DirSync or Azure AD Sync deployment is done quickly and with little or no impact. Your existing sign-on solution, whether federation or password sync, will continue to work as it does today.
Azure AD Connect Health
Together with the release of Azure AD Connect, Azure AD Connect Health is also released; it is a feature of Azure AD Premium for monitoring your ADFS servers.
As 32% of all Azure AD logins use ADFS, this feature is interesting for a significant number of IT organizations, as it aims to make it easier to run their ADFS systems reliably and to gain insight into health, performance and login activity. While this first release is focused on monitoring ADFS, later versions will most certainly enable monitoring of other identity infrastructure components, such as the sync service in Azure AD Connect.
What’s coming?
Microsoft has already announced plans for the next release of Azure AD Connect, which will support additional scenarios for Azure AD Connect and Azure AD Connect Health, including:
- Deployment integration of Azure AD Connect Health & Azure AD Application proxy
- Additional sync and sign on options
- Azure AD Connect Health for Sync