This is the first post for 2023, and I want to focus on something that will probably take over the main stage soon: Azure AD Connect Cloud Sync. It has been around for a while, and its capabilities (some of them, at least) are proven to minimize admin overhead. If you have dealt with the Azure AD Connect Sync tool, you know what I’m talking about; yes, we have all been there. My approach in this article is to introduce you to the Azure AD Connect Cloud Sync tool and its capabilities, how to migrate to it, and my thoughts about it.
What I will be Covering 👇🏽
- Why It’s Important To Talk about this?
- Challenges of Managing the Azure AD Connect Sync
- Why not go full cloud? “That Depends”
- Why Azure AD Connect Cloud Sync is Important?
- No Device Sync, No problem
- Multiple active provisioning agents for high availability
- Nitty Gritty of Azure AD Connect Cloud Sync
- Where to Start?
- Migrate from AAD Connect Sync to AAD Connect Cloud Sync
- Closing Notes – If this needs to be appreciated by everyone
Why It’s Important To Talk about this?
Since its first release in public preview there have been a lot of developments and feature additions to the AAD Connect Cloud Sync tool. It is capable of looking after your identity provisioning tasks and maintaining the sync between on-premises AD and Azure AD. Minimizing the on-premises footprint is a highly trending topic, and now more than ever new tools are emerging to make that easier. Best of all, a migration process has been introduced as well.
Challenges of Managing the Azure AD Connect Sync
While Azure AD Connect Sync is the heart and soul of a hybrid setup and the main tool responsible for synchronizing objects from the on-premises AD environment to Azure AD, managing an instance can range from easy to a herculean task depending on the size of the environment. Especially for the tasks below, proper planning and skills are essential.
- Version Upgrades
- Setting sync rules
- Resolving sync issues
- Challenges in connecting another AD domain while making sure proper connectivity is present
Why not go full cloud? “That Depends”
One can argue: why hybrid? Why not in-cloud users? Well, the straightforward answer is “it depends”. Simply put, a lot of organizations still maintain AD domains that are connected to a wide array of applications. Migrating a user from synced to in-cloud is not an overnight procedure; there can be dependencies that need to be considered, which is why Microsoft keeps implementing new and easier ways to take away the admin overhead of managing the hybrid sync.
Why Azure AD Connect Cloud Sync is Important?
With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service. (Microsoft Learn)
The above explanation answers a lot of questions.
- Mergers and acquisition scenarios where you need to provide quick access to the parent Azure AD Portal without having to configure the network so that AAD Connect Sync can see the other DC and the required ports are open
- The trouble of upgrading the software every now and then
- Trouble managing a Staging instance
Check the comparison below. You will see a few features that are not available in AAD Cloud Sync. My view is that this tool is becoming something big soon, so the features will be matched soon.
No Device Sync, No problem
On the other hand, no device sync? Why do you need device sync? I mean, you don’t need device sync to make the device Hybrid AAD Joined. A few things to consider regarding device sync:
Autopilot Devices – Make sure the device has line-of-sight access to AD. You may have to set up an Always On VPN to achieve this if you are planning to give the users the OOBE (Out Of the Box Experience).
Hybrid AAD Join issues – I have seen plenty of Hybrid AAD Join issues that happen for many different reasons, and troubleshooting them is definitely wasted time.
Intune provides the same and even more features than GPOs – Use Intune’s Group Policy analytics and Administrative Templates to create the same policies, and you won’t need to worry about GPOs again.
Multiple active provisioning agents for high availability
This is great news indeed, because in an environment where you need seamless sync and can’t afford sync delays, you can install the agent on more than one server and it will cover your HA requirements. Unlike AAD Connect Sync, no staging instances are required, which definitely offloads heavy admin work.
Nitty Gritty of Azure AD Connect Cloud Sync
Because you only have to install an agent on-premises, the configuration part is managed by Azure AD.
- Installing the Provisioning Agent and authenticating with the tenant details
Go to Entra Portal > Azure AD > Hybrid Management > Azure AD Connect > Manage Azure AD cloud sync > Download Agent
- Go to Entra Portal > Azure AD > Hybrid Management > Azure AD Connect
- Click on New Configuration to create the Sync config
Configure as below. It is easy to set up and manage.
- You will see the On-premises Domain details
- Click on Review All provisioning agents to see the agent instance details
- Check the Provisioning Logs to understand the sync activities
Where to Start?
Now you might be wondering where to start the Azure AD Connect Cloud Sync journey.
Migrate from AAD Connect Sync to AAD Connect Cloud Sync
If you understand the comparison between the two, and you know you are not using any of the current features that are not available in the Cloud Sync tool, you can start migrating from AAD Connect Sync to AAD Connect Cloud Sync. However, it is advisable to first perform a pilot so you can get familiar with the steps, as this can be a big change in your environment.
Approach – Remove the synced OU from AAD Connect Sync while making sure the new link is created from AAD Connect Cloud Sync, so the objects in the removed OU will not get deleted and the sync of the OU is managed by AAD Connect Cloud Sync.
- A test environment with Azure AD Connect sync version 126.96.36.199 or later
- An OU or group that is in scope of sync and can be used for the pilot. We recommend starting with a small set of objects.
- A server running Windows Server 2012 R2 or later that will host the provisioning agent.
- The source anchor for Azure AD Connect sync should be either objectGuid or ms-ds-consistencyGUID
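As an added example (not part of the original post or Microsoft’s tooling), the following PowerShell pre-flight check verifies the source anchor and pilot OU prerequisites from the AAD Connect Sync server before the OU changes hands. It assumes the ADSync and ActiveDirectory modules are installed on that server and that the OU distinguished name is a placeholder you replace.

```powershell
# Added pre-flight check for the Cloud Sync pilot prerequisites listed above.
# Assumptions (not from the original post): run in an elevated session on the
# Azure AD Connect sync server with the ADSync module and RSAT ActiveDirectory
# module available. $PilotOU is a placeholder; replace it with your pilot OU.
$PilotOU = 'OU=CloudSyncPilot,DC=contoso,DC=com'   # placeholder DN

Import-Module ADSync
Import-Module ActiveDirectory

# 1. The source anchor must be objectGUID or mS-DS-ConsistencyGuid.
$anchor = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' |
    Select-Object -ExpandProperty Value
$anchorOk = $anchor -in @('objectGUID', 'mS-DS-ConsistencyGuid')   # -in is case-insensitive
"Source anchor: $anchor (supported by Cloud Sync: $anchorOk)"

# 2. When the anchor is mS-DS-ConsistencyGuid, list pilot users where it is still
#    empty; those objects have never been matched on that attribute, so review
#    them before moving the OU to Cloud Sync.
$users   = Get-ADUser -SearchBase $PilotOU -Filter * -Properties 'mS-DS-ConsistencyGuid'
$missing = $users | Where-Object { -not $_.'mS-DS-ConsistencyGuid' }
"Users in pilot OU: $($users.Count); without mS-DS-ConsistencyGuid: $($missing.Count)"
$missing | Select-Object -First 10 SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Record the Connect Sync scheduler and staging state before changing scope,
#    so the pilot starts from a known configuration.
$sched = Get-ADSyncScheduler
"Sync cycle enabled: $($sched.SyncCycleEnabled); staging mode: $($sched.StagingModeEnabled)"
"Next cycle (UTC): $($sched.NextSyncCycleStartTimeInUTC) [$($sched.NextSyncCyclePolicyType)]"
```

Run it once before removing the OU from the Connect Sync scope and keep the output with your pilot notes; a non-empty missing list means the anchor values should be verified before the link is created from Cloud Sync.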
Closing Notes – If this needs to be appreciated by everyone
It is truly great to see this functionality managed by the cloud: you just need to install the provisioning agent and take care of the configuration. However, at this stage there can be features that you are currently using in AAD Connect Sync which are not available in AAD Connect Cloud Sync. Password Hash Sync was introduced recently, and likewise more features can be on the way if this tool is to be appreciated by everyone and become the sync tool of choice. I believe this article gave you some understanding of what this tool is capable of and helps you stay up to date with what’s new.