New way to sync identities in Azure – Azure AD Connect Provisioning

With Azure AD Connect Provisioning you can implement hybrid identity synchronization to Azure AD with a lightweight agent. The difference between Azure AD Connect and Azure AD Connect Provisioning is how the synchronization is performed and where your configuration lives.

Key benefits of Azure AD Connect Provisioning:

  • Multiple active agents for high availability
  • Lightweight agent installation model
  • Connect to multiple disconnected on-premises AD forests

Overview

The idea of Azure AD Connect Provisioning is to use a small agent in your on-premises environment. The agent connects to Azure AD over an outbound connection only and pulls its configuration from the Azure AD portal. All configuration is stored and managed directly in the Azure AD portal. The agent updates itself automatically, and automatic updates cannot be disabled. The advantages are:

  • low system requirements for the on-premises server
  • no configuration backup is needed, because the configuration lives in Azure AD
  • multiple agents share one central configuration
  • low effort if you need high availability
  • very low maintenance effort

Topologies in which you can implement Azure AD Connect Provisioning

Single forest, single Azure AD tenant

The easiest topology in which to implement Azure AD Connect Provisioning is a single forest with a single domain. You can sync all your users, groups and contacts directly to Azure AD.

To start with this topology you need the following prerequisites:

  • a cloud-only global administrator account on your Azure AD tenant
  • your domain must be added to your Azure AD tenant

Multi-forest, single Azure AD tenant

With Azure AD Connect there is no way to attach multiple Azure AD Connect instances to one Azure AD tenant (except for a staging-mode instance). By default, a single installation has to serve all of your on-premises Active Directory forests.

With Azure AD Connect Provisioning you can connect multiple on-premises Active Directory forests without a single central instance. You simply install an Azure AD Connect Provisioning agent in every forest and sync all users, groups and contacts into one Azure AD tenant.

Prerequisites:

  • a cloud-only global administrator account on your Azure AD tenant
  • each forest's domain must be added to your Azure AD tenant

Existing forest with Azure AD Connect, new forest with cloud Provisioning

If there is an existing Azure AD Connect installation and you need to bring another on-premises Active Directory forest into your Azure AD tenant, you can set this up easily. You leave the existing environment on Azure AD Connect and use cloud provisioning to sync all users, groups and contacts of the new forest into the existing tenant.

Prerequisites:

  • a cloud-only global administrator account on your Azure AD tenant
  • the new forest's domain must be added to your Azure AD tenant

Piloting Azure AD Connect cloud provisioning in an existing hybrid AD forest

If you are thinking about switching your identity sync from Azure AD Connect to Azure AD Connect Provisioning, you can test it with a single OU, for example. During the pilot phase you use both sync methods at the same time: Azure AD Connect keeps syncing everything except the pilot OU, and the cloud provisioning agent takes over the pilot OU.

Prerequisites:

  • Azure AD Connect sync version 1.4.32.0
  • a pilot OU
  • the objects in the pilot OU must have ms-DS-ConsistencyGuid populated
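As an added example (this is not code from the original post), the following PowerShell script checks a pilot OU for users, groups and contacts that lack ms-DS-ConsistencyGuid and, only when run with -Populate, fills the attribute from objectGUID in the same way Azure AD Connect does when it uses ms-DS-ConsistencyGuid as its source anchor. The OU path is a placeholder, and the script assumes the ActiveDirectory RSAT module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Audits a pilot OU before it is
# moved to cloud provisioning and optionally populates ms-DS-ConsistencyGuid.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder; replace with the distinguished name of your pilot OU.
    [string]$PilotOU = 'OU=CloudSyncPilot,DC=contoso,DC=local',
    # Without -Populate the script only reports. Add -WhatIf to preview writes.
    [switch]$Populate
)

# objectCategory 'person' covers users and contacts, 'group' covers groups.
# Computers have objectCategory 'computer' and are deliberately left out.
$ldapFilter = '(|(objectCategory=person)(objectCategory=group))'
$objects = @(Get-ADObject -SearchBase $PilotOU -SearchScope Subtree -LDAPFilter $ldapFilter `
    -Properties objectGUID, 'mS-DS-ConsistencyGuid')

$missing = @($objects | Where-Object { -not $_.'mS-DS-ConsistencyGuid' })
Write-Verbose ("{0} objects in scope, {1} without mS-DS-ConsistencyGuid" -f $objects.Count, $missing.Count)

foreach ($obj in $missing) {
    if (-not $Populate) {
        [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; Action = 'missing' }
        continue
    }
    # Azure AD Connect writes the raw objectGUID bytes into mS-DS-ConsistencyGuid;
    # doing the same keeps the source anchor identical for the object.
    $bytes = $obj.ObjectGUID.ToByteArray()
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set mS-DS-ConsistencyGuid from objectGUID')) {
        Set-ADObject -Identity $obj -Replace @{ 'mS-DS-ConsistencyGuid' = $bytes }
        [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; Action = 'populated' }
    }
}
```

Run it first without -Populate to see what is missing, then with -Populate -WhatIf to preview the writes. The account running it needs write access to the attribute on the pilot objects; review the reported list before writing, because an object that already has a different value is skipped by design and must be investigated rather than overwritten.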

Network Configuration

From my point of view, the small network configuration is a big benefit. With Azure AD Connect you need inbound and outbound firewall configuration. Inbound rules in particular carry a high risk and can be used for an attack.

With Azure AD Connect Provisioning you only need a small set of outbound rules:

Port   How it's used
80     Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.
443    Handles all outbound communication with the service.
8080   Optional. Agents report their status every 10 minutes over port 8080 if port 443 is unavailable. This status is displayed in the Azure AD portal.
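As an added example (not from the original post), this PowerShell function checks from the prospective agent host that the three outbound ports above are reachable and shows which proxy the machine would use for HTTPS, since Test-NetConnection tests a direct TCP connection and bypasses any proxy. The hostnames in the default target list are placeholders; take the authoritative endpoint list from Microsoft's agent documentation.

```powershell
# Added example, not from the original post. Verifies outbound reachability of
# the ports the provisioning agent uses. The hostnames are placeholders for the
# endpoints documented by Microsoft; replace them with the published list.
function Test-AgentOutbound {
    param(
        [hashtable[]]$Targets = @(
            @{ Host = 'login.microsoftonline.com'; Port = 443;  Required = $true  }  # service traffic
            @{ Host = 'crl.microsoft.com';         Port = 80;   Required = $true  }  # CRL download
            @{ Host = 'login.microsoftonline.com'; Port = 8080; Required = $false }  # fallback status (placeholder host)
        )
    )

    # The agent honours the system proxy; Test-NetConnection does not, so print
    # the proxy the machine would use so a failed direct test can be interpreted.
    $probe = [uri]'https://login.microsoftonline.com'
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($probe)
    if ($proxy -eq $probe) { Write-Host "System proxy: none (direct)" }
    else                   { Write-Host "System proxy: $proxy" }

    $allRequiredOk = $true
    foreach ($t in $Targets) {
        $result = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        $ok = [bool]$result.TcpTestSucceeded
        if ($t.Required -and -not $ok) { $allRequiredOk = $false }
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Required  = $t.Required
            Reachable = $ok
        }
    }
    if (-not $allRequiredOk) {
        Write-Warning 'At least one required outbound port is blocked; fix the firewall or proxy before installing the agent.'
    }
}

Test-AgentOutbound | Format-Table -AutoSize
```

Port 8080 is reported but never fails the check, matching its optional role in the table. If the machine uses a proxy, a blocked direct test on 443 is not necessarily a problem; what matters is that the proxy allows the documented endpoints.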

Limitations

Today Azure AD Connect Provisioning has some limitations compared with Azure AD Connect.

Functions that are out of scope:

  • Synchronize customer defined AD attributes (directory extensions)
  • Support for Pass-Through Authentication
  • Filter on objects’ attribute values
  • Allow advanced customization for attribute flows
  • Support for writeback (passwords, devices, groups)
  • Azure AD Domain Services support
  • Exchange hybrid writeback
  • Support for more than 50,000 objects per AD domain

A full comparison list is available on Microsoft Docs.
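Because the last limitation above is a hard per-domain limit, it is worth measuring before you plan the rollout. The following PowerShell function, added here as an example (not from the original post), counts the users, contacts and groups in every domain of the forest and flags any domain over the 50,000-object limit. It assumes the ActiveDirectory RSAT module and read access to every domain in the forest.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Counts the object classes cloud
# provisioning syncs (users, contacts, groups) per domain and flags domains
# above the 50,000-object limit. Counts include disabled objects, so they are
# an upper bound on what would actually be in scope.
function Get-CloudSyncObjectCount {
    param([int]$Limit = 50000)

    $filters = [ordered]@{
        Users    = '(&(objectCategory=person)(objectClass=user))'
        Contacts = '(objectClass=contact)'
        Groups   = '(objectCategory=group)'
    }

    foreach ($domain in (Get-ADForest).Domains) {
        $base   = (Get-ADDomain -Identity $domain).DistinguishedName
        $counts = [ordered]@{ Domain = $domain }
        foreach ($entry in $filters.GetEnumerator()) {
            # Paged search so large domains do not hit the server-side size limit.
            $counts[$entry.Key] = @(Get-ADObject -Server $domain -SearchBase $base `
                -LDAPFilter $entry.Value -ResultPageSize 1000).Count
        }
        $counts['Total']     = $counts.Users + $counts.Contacts + $counts.Groups
        $counts['OverLimit'] = $counts.Total -gt $Limit
        [pscustomobject]$counts
    }
}

Get-CloudSyncObjectCount | Format-Table -AutoSize
```

A domain reported as OverLimit cannot be moved to cloud provisioning as a whole; for such a domain keep Azure AD Connect, or scope the agent to OUs whose combined object count stays under the limit.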
