Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Azure Active Directory

Azure AD Connect Gets Better Performance and Cloud Provisioning Attribute Mapping in Preview

Azure AD Connect is Microsoft’s tool for synchronizing on-premises Windows Server Active Directory (AD) objects, like groups and user accounts, to Azure AD. Azure AD Connect can also synchronize users’ password hashes to the cloud, which is Microsoft’s recommended option, or alternatively use pass-through authentication (PTA).

What is cloud provisioning?

Last year, Microsoft added cloud provisioning to Azure AD Connect. Cloud provisioning simplifies synchronizing on-premises identities from disconnected AD forests to Azure AD during mergers and acquisitions. Using lightweight on-premises agents to move the workload from Windows Server to the cloud, all management and processing is handled by Azure. Cloud provisioning is in preview at the time of writing and it shouldn’t be used in production environments.

Performance improvements, attribute mapping, and more

In October, Microsoft announced some changes to cloud provisioning that bring improved performance and attribute mapping. The changes are based on user feedback and include:

  • Map attributes between on-premises AD and Azure AD
  • Perform on-demand user provisioning to Azure AD as well as SaaS apps, including 8×8, SAP Analytics Cloud, and Apple Business Manager
  • Improved sync performance in Azure AD Connect
  • Manage provisioning logs and receive alerts in Azure monitor

Attribute mapping

The public preview now supports attribute mapping, including data transformation, for user and group objects synchronized between Windows Server AD and Azure AD. The new feature lets you change the default mappings or create your own. You can find a complete list of the attributes that are synced to Azure AD here.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Image # Expand
Azure AD Connect Gets Better Performance and Cloud Provisioning Attribute Mapping in Preview (Image Credit: Microsoft)


In addition to making direct attribute mappings from linked objects in Windows Server AD, you can use specific strings or expressions to populate attributes in Azure AD.

On-demand user provisioning

When you set up cloud provisioning, you create a new provisioning configuration that determines which Windows Server AD domain you will sync to Azure AD. As part of the configuration process, you can create a ‘scope’ that limits synchronization to specific Windows Server AD users and groups using security groups or organizational units (OUs). On-demand user provisioning lets you test changes you make to the cloud provisioning configuration by applying them to a single user or group. You can then validate the configuration changes in Azure AD.

Image # Expand
Azure AD Connect Gets Better Performance and Cloud Provisioning Attribute Mapping in Preview (Image Credit: Microsoft)

Improved performance

The new version of Azure AD Connect has significantly better delta sync performance and Microsoft says that is up to 10 times quicker in some scenarios. It’s also now possible to import and export Azure AD Connect settings to make provisioning easier.

Custom alerts and dashboards

Lastly, it’s possible to push the provisioning logs to Azure Monitor so that you can analyze trends and use data query features. Azure Monitor lets you build visualizations of data quickly and easily.

Cloud provisioning still has some important limitations in preview

In preview, cloud provisioning has some important limitations. For example, in Exchange Server hybrid configurations, the cloud provisioning agent doesn’t synchronize some attributes back to Windows Server AD. This limitation means that cloud provisioning can’t be used as a replacement for Azure AD Connect in Exchange Server hybrid scenarios. Additionally, device objects cannot be synchronized.

Assumedly, Microsoft will address these shortcomings before cloud provisioning hits general availability.




Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: