Azure AD Connect Gets Better Performance and Cloud Provisioning Attribute Mapping in Preview
Azure AD Connect is Microsoft’s tool for synchronizing on-premises Windows Server Active Directory (AD) objects, like groups and user accounts, to Azure AD. Azure AD Connect can also synchronize users’ password hashes to the cloud, which is Microsoft’s recommended option, or alternatively use pass-through authentication (PTA).
What is cloud provisioning?
Last year, Microsoft added cloud provisioning to Azure AD Connect. Cloud provisioning simplifies synchronizing on-premises identities from disconnected AD forests to Azure AD during mergers and acquisitions. Using lightweight on-premises agents to move the workload from Windows Server to the cloud, all management and processing is handled by Azure. Cloud provisioning is in preview at the time of writing and it shouldn’t be used in production environments.
Performance improvements, attribute mapping, and more
In October, Microsoft announced some changes to cloud provisioning that bring improved performance and attribute mapping. The changes are based on user feedback and include:
- Map attributes between on-premises AD and Azure AD
- Perform on-demand user provisioning to Azure AD as well as SaaS apps, including 8×8, SAP Analytics Cloud, and Apple Business Manager
- Improved sync performance in Azure AD Connect
- Manage provisioning logs and receive alerts in Azure monitor
The public preview now supports attribute mapping, including data transformation, for user and group objects synchronized between Windows Server AD and Azure AD. The new feature lets you change the default mappings or create your own. You can find a complete list of the attributes that are synced to Azure AD here.
In addition to making direct attribute mappings from linked objects in Windows Server AD, you can use specific strings or expressions to populate attributes in Azure AD.
On-demand user provisioning
When you set up cloud provisioning, you create a new provisioning configuration that determines which Windows Server AD domain you will sync to Azure AD. As part of the configuration process, you can create a ‘scope’ that limits synchronization to specific Windows Server AD users and groups using security groups or organizational units (OUs). On-demand user provisioning lets you test changes you make to the cloud provisioning configuration by applying them to a single user or group. You can then validate the configuration changes in Azure AD.
The new version of Azure AD Connect has significantly better delta sync performance and Microsoft says that is up to 10 times quicker in some scenarios. It’s also now possible to import and export Azure AD Connect settings to make provisioning easier.
Custom alerts and dashboards
Lastly, it’s possible to push the provisioning logs to Azure Monitor so that you can analyze trends and use data query features. Azure Monitor lets you build visualizations of data quickly and easily.
Cloud provisioning still has some important limitations in preview
In preview, cloud provisioning has some important limitations. For example, in Exchange Server hybrid configurations, the cloud provisioning agent doesn’t synchronize some attributes back to Windows Server AD. This limitation means that cloud provisioning can’t be used as a replacement for Azure AD Connect in Exchange Server hybrid scenarios. Additionally, device objects cannot be synchronized.
Assumedly, Microsoft will address these shortcomings before cloud provisioning hits general availability.