Last Update: Sep 04, 2024 | Published: Jan 16, 2021
Azure AD Connect is Microsoft's tool for synchronizing on-premises Windows Server Active Directory (AD) objects, such as user accounts and groups, to Azure AD. For sign-in, it can either synchronize users' password hashes to the cloud (password hash synchronization, Microsoft's recommended option) or use pass-through authentication (PTA), which validates passwords against on-premises domain controllers.
Last year, Microsoft added cloud provisioning (later renamed Azure AD Connect cloud sync) to Azure AD Connect. Cloud provisioning simplifies synchronizing on-premises identities from disconnected AD forests to Azure AD, for example during mergers and acquisitions. It uses lightweight on-premises agents to move the workload from Windows Server to the cloud; all management and processing is handled by Azure. Like a classic Azure AD Connect server, the host running the agent holds AD credentials with broad read (and, depending on configuration, write) rights, so it should be hardened and protected as a tier-0 asset. Cloud provisioning is in preview at the time of writing and shouldn't be used in production environments.
In October 2020, Microsoft announced some changes to cloud provisioning that bring improved performance and attribute mapping. The changes are based on user feedback and include:
The public preview now supports attribute mapping, including data transformation, for user and group objects synchronized between Windows Server AD and Azure AD. You can change the default mappings or create your own. Microsoft's documentation lists the attributes that are synced to Azure AD.
In addition to mapping an Azure AD attribute directly from the corresponding attribute of the linked object in Windows Server AD, you can populate it with a constant string or with an expression computed from one or more source attributes.
When you set up cloud provisioning, you create a provisioning configuration that determines which Windows Server AD domain you will sync to Azure AD. As part of the configuration process, you can define a 'scope' that limits synchronization to specific Windows Server AD users and groups, selected by security group membership or by organizational unit (OU). On-demand user provisioning lets you test changes to the cloud provisioning configuration by applying them to a single user or group before running a full sync; you can then validate the result in Azure AD.
The new release also has significantly better delta sync performance; Microsoft says it is up to 10 times faster in some scenarios. It's also now possible to import and export Azure AD Connect settings, which makes provisioning easier.
Lastly, provisioning logs can be pushed to Azure Monitor, where you can query them with Log Analytics, analyze trends and alert on unexpected activity. Azure Monitor also lets you build visualizations of the data quickly and easily.
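Once provisioning logs are exported, the checks a security engineer wants are the ones the scope and log paragraphs above imply: did any object arrive from outside the OUs the configuration is supposed to cover, did a sync cycle quietly change a sensitive attribute such as userPrincipalName or proxyAddresses, and how is the failure rate trending per cycle. The script below is an added example that is not part of the original article and not Microsoft's code. The log records are constructed, and their field names (cycleId, action, status, sourceDn, targetUpn, changedAttributes) are an assumption for the example rather than the real Azure Monitor column names; the only non-trivial piece is the DN splitter, which honours backslash-escaped commas so that a CN containing `\,OU=Staff,...` cannot masquerade as an object inside a scoped OU.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log: six cloud-provisioning records in JSON Lines form.
# The field names used here are an assumption for this example, not the real
# Azure Monitor column names; map them onto whatever your export produces.
SAMPLE_LOG = """\
{"time": "2021-01-16T08:00:01Z", "cycleId": "c1", "action": "Create", "status": "Success", "sourceDn": "CN=Alice,OU=Staff,DC=corp,DC=example", "targetUpn": "alice@corp.example", "changedAttributes": ["displayName", "userPrincipalName"]}
{"time": "2021-01-16T08:00:02Z", "cycleId": "c1", "action": "Update", "status": "Success", "sourceDn": "CN=Bob,OU=Staff,DC=corp,DC=example", "targetUpn": "bob@corp.example", "changedAttributes": ["proxyAddresses"]}
{"time": "2021-01-16T08:00:03Z", "cycleId": "c1", "action": "Update", "status": "Failure", "sourceDn": "CN=Carol,OU=Staff,DC=corp,DC=example", "targetUpn": "carol@corp.example", "changedAttributes": ["mail"]}
{"time": "2021-01-16T09:00:01Z", "cycleId": "c2", "action": "Create", "status": "Success", "sourceDn": "CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=example", "targetUpn": "svc-backup@corp.example", "changedAttributes": ["displayName", "userPrincipalName"]}
{"time": "2021-01-16T09:00:02Z", "cycleId": "c2", "action": "Delete", "status": "Success", "sourceDn": "CN=Dave,OU=Staff,DC=corp,DC=example", "targetUpn": "dave@corp.example", "changedAttributes": []}
{"time": "2021-01-16T09:00:03Z", "cycleId": "c2", "action": "Update", "status": "Skipped", "sourceDn": "CN=Erin,OU=Staff,DC=corp,DC=example", "targetUpn": "erin@corp.example", "changedAttributes": []}
"""


def parse_records(text):
    """Parse JSON Lines text into a list of dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_by_cycle(records):
    """Count (action, status) pairs per provisioning cycle: {cycleId: Counter}."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["cycleId"]][(rec["action"], rec["status"])] += 1
    return dict(summary)


def cycle_failure_rates(records):
    """Fraction of records per cycle with status Failure; the number to trend over time."""
    totals, failures = Counter(), Counter()
    for rec in records:
        totals[rec["cycleId"]] += 1
        if rec["status"] == "Failure":
            failures[rec["cycleId"]] += 1
    return {cid: failures[cid] / totals[cid] for cid in totals}


def split_dn(dn):
    """Split an LDAP DN into RDN strings, honouring backslash-escaped commas (RFC 4514).

    A plain str.split(',') would treat 'CN=Evil\\,OU=Staff,DC=corp,DC=example' as an
    object inside OU=Staff; keeping the escape with its next character prevents that.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts


def in_scope(dn, allowed_ous):
    """True if the object's parent container is one of allowed_ous or nested under one."""
    parent = [r.strip().lower() for r in split_dn(dn)][1:]  # drop the object's own RDN
    for ou in allowed_ous:
        ou_rdns = [r.strip().lower() for r in split_dn(ou)]
        if len(ou_rdns) <= len(parent) and parent[-len(ou_rdns):] == ou_rdns:
            return True
    return False


def flag_out_of_scope(records, allowed_ous):
    """UPNs of objects provisioned from outside the OUs the configuration should cover."""
    return sorted({rec["targetUpn"] for rec in records
                   if not in_scope(rec["sourceDn"], allowed_ous)})


def flag_sensitive_changes(records, watched_attributes):
    """(upn, attribute) pairs for successful Updates that touched a watched attribute.

    Creates are excluded because they legitimately set every attribute at once.
    """
    hits = []
    for rec in records:
        if rec["action"] != "Update" or rec["status"] != "Success":
            continue
        for attr in rec["changedAttributes"]:
            if attr in watched_attributes:
                hits.append((rec["targetUpn"], attr))
    return hits


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for cycle, counts in summarize_by_cycle(records).items():
        print(cycle, dict(counts))
    print("failure rates:", cycle_failure_rates(records))
    print("out of scope:", flag_out_of_scope(records, ["OU=Staff,DC=corp,DC=example"]))
    print("sensitive:", flag_sensitive_changes(records, {"userPrincipalName", "proxyAddresses"}))
```

Run against the constructed sample, the scope check flags `svc-backup@corp.example` (created from OU=ServiceAccounts, outside the intended OU=Staff scope) and the attribute check flags Bob's proxyAddresses change; in Azure Monitor the same logic would be a scheduled Log Analytics query with an alert rule on a non-empty result.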
In preview, cloud provisioning has some important limitations. For example, in Exchange Server hybrid configurations, the cloud provisioning agent doesn't write some Exchange attributes back to Windows Server AD (Exchange hybrid writeback), so cloud provisioning can't replace Azure AD Connect in Exchange Server hybrid scenarios. Device objects can't be synchronized either.
Presumably, Microsoft will address these shortcomings before cloud provisioning reaches general availability.