With Azure AD Connect Provisioning you have the capability to implement hybrid identity synchronization to Azure AD. The difference between Azure AD Connect and Azure AD Connect Provisioning lies in how the synchronization runs and where your configuration is stored.
Key benefits of Azure AD Connect Provisioning:
- Multiple active agents for high availability
- Lightweight agent installation model
- Connect to multiple disconnected on-premises AD forests
Overview
The idea of Azure AD Connect Provisioning is to use a small agent in your on-premises environment. The agent connects to Azure AD over an outbound connection and pulls its configuration from the Azure AD portal. All configuration is stored and managed directly in the Azure AD portal. By default the agent updates itself automatically, and the automatic update cannot be turned off. The advantages are:
- low system requirements for the on-premises server
- no configuration backup is needed
- multiple agents share one central configuration
- low effort if you need high availability
- very low maintenance effort
Topologies you can implement with Azure AD Connect Provisioning
Single forest, single Azure AD tenant
The easiest topology in which to implement Azure AD Connect Provisioning is a single domain. You can sync all your users, groups and contacts directly to Azure AD.
To start with this topology you need the following prerequisites:
- cloud-only global administrator account on your Azure AD tenant
- your domain must be added to your Azure AD tenant
Multi-forest, single Azure AD tenant
With Azure AD Connect you have no way to add multiple Azure AD Connect instances to one Azure AD tenant (except the staging instance). By default you need a single installation for all of your on-premises Active Directory forests.
With Azure AD Connect Provisioning you can connect multiple on-premises Active Directory forests without one central instance. You simply install an Azure AD Connect Provisioning agent in every forest and sync all users, groups and contacts into one Azure AD tenant.
Prerequisites:
- cloud-only global administrator account on your Azure AD tenant
- your domain must be added to your Azure AD tenant
Existing forest with Azure AD Connect, new forest with cloud Provisioning
If there is an existing Azure AD Connect installation and you need to bring another on-premises Active Directory forest into your Azure AD tenant, you can set this up easily. You can leave the existing environment on Azure AD Connect and use cloud provisioning to sync all users, groups and contacts of the new forest into the existing tenant.
Prerequisites:
- cloud-only global administrator account on your Azure AD tenant
- your domain must be added to your Azure AD tenant
Piloting Azure AD Connect cloud provisioning in an existing hybrid AD forest
If you are thinking about switching your identity sync from Azure AD Connect to Azure AD Connect Provisioning, you can test it with a single OU, for example. During your pilot phase you use both synchronization methods at the same time.
Prerequisites:
- Azure AD Connect sync version 1.4.32.0
- a pilot OU
- objects in the pilot group must have ms-ds-consistencyGUID populated
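To verify the last prerequisite before a pilot, here is an added PowerShell example (not from the original post and not a Microsoft tool) that lists the objects of a pilot OU and reports whether mS-DS-ConsistencyGuid is populated. It assumes the ActiveDirectory PowerShell module is installed and uses a placeholder OU distinguished name; the comparison against objectGUID reflects the Azure AD Connect default of writing objectGUID into mS-DS-ConsistencyGuid.

```powershell
# Added example: report pilot-OU objects whose mS-DS-ConsistencyGuid is missing
# or differs from objectGUID. Assumes the ActiveDirectory module; the OU DN is a placeholder.
Import-Module ActiveDirectory

$PilotOU = 'OU=CloudSyncPilot,DC=example,DC=com'   # placeholder, adjust to your pilot OU

function Get-ConsistencyGuidReport {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Users, groups and contacts are the object types cloud provisioning syncs.
    # Note: objectClass 'user' also matches computer objects.
    $filter = "objectClass -eq 'user' -or objectClass -eq 'group' -or objectClass -eq 'contact'"
    Get-ADObject -SearchBase $SearchBase -Filter $filter -Properties 'mS-DS-ConsistencyGuid', objectGUID |
        ForEach-Object {
            $cg = $_.'mS-DS-ConsistencyGuid'      # returned as byte[] when set
            $state = if (-not $cg) {
                'Missing'                          # prerequisite not met for this object
            } elseif ([guid]$cg -eq $_.objectGUID) {
                'OK'                               # Azure AD Connect default: objectGUID copied in
            } else {
                'Mismatch'                         # set manually or from another forest: check before piloting
            }
            [pscustomobject]@{
                DistinguishedName    = $_.DistinguishedName
                ObjectClass          = $_.ObjectClass
                ConsistencyGuidState = $state
            }
        }
}

$report = Get-ConsistencyGuidReport -SearchBase $PilotOU

# Summary per state, then the objects that still need attention.
$report | Group-Object ConsistencyGuidState | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object ConsistencyGuidState -ne 'OK' | Format-Table -AutoSize
```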
Network Configuration
From my point of view, the small network configuration is a big benefit. With Azure AD Connect you need inbound and outbound firewall configuration. Inbound rules in particular carry a high risk and can be used for an attack.
With Azure AD Connect Provisioning you only need a small set of outbound rules:
| Port number | How it's used |
|---|---|
| 80 | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
| 443 | Handles all outbound communication with the service. |
| 8080 (optional) | Agents report their status every 10 minutes over port 8080 if port 443 is unavailable. This status is displayed in the Azure AD portal. |
Limitations
Today Azure AD Connect Provisioning has some limitations compared with Azure AD Connect.
Functions that are out of scope:
- Synchronizing customer-defined AD attributes (directory extensions)
- Support for Pass-Through Authentication
- Filtering on objects' attribute values
- Advanced customization of attribute flows
- Support for writeback (passwords, devices, groups)
- Azure AD Domain Services support
- Exchange hybrid writeback
- Support for more than 50,000 objects per AD domain
A comparison list can be found on Microsoft Docs.