Even though a lot of the functionality of domain controllers can be moved to the cloud, most organizations that use Active Directory need a hybrid infrastructure that gives users access to cloud resources (like OneDrive and Microsoft 365) through Azure Active Directory as well as on-premises file shares, printers and applications that still need local credentials.
Over the years, Microsoft has had multiple tools for managing hybrid identity and syncing cloud and on-premises users and groups.
Microsoft Identity Manager, which replaced Forefront Identity Manager, is supported until January 9, 2029, but its Azure AD Connector is deprecated. Azure AD Multi-Factor Authentication Server is also deprecated and will stop handling MFA requests after September 30, 2024. If you’re still using these tools, you will need to move to a newer option.
Azure AD Connect and its limitations
Azure AD Connect replaced the older DirSync and Azure AD Sync options for syncing users, groups and other directory objects to Azure AD. It supports:
- Password hash synchronization: Syncing a hash of each user’s AD password hash into Azure AD, so Azure AD can validate the password itself even if the on-premises environment is unreachable.
- Pass-through authentication: Users sign in at Azure AD, but the password is validated against on-premises AD by an agent running on your network, so they can use the same password in the cloud and for local resources without setting up federation.
- Federation: Using Active Directory Federation Services (AD FS) so that sign-in is handled entirely on-premises and Azure AD only receives a token.
But Azure AD Connect requires setting up and maintaining a server on your network, and some of the requirements for running it don’t work for every organization, especially if you have multiple AD forests, which makes working with Azure AD complicated.
“To use it, you need to be in a connected forest; you need to have installed a database,” said Joseph Dadzie, a director in the Microsoft identity team. “That’s expensive to manage and deploy.
“We started getting feedback from a lot of customers around the cost of deploying AD Connect sync and of maintaining it, and some feature gaps around if you are in a disconnected forest or you are in an organization where you are trying to do an M&A. So, we set out to look at ways to simplify it.”
Cloud sync aims to replace Azure AD Connect for cloud
The result is Azure AD Connect cloud sync, which started out as a tool for bringing identities from multiple disconnected AD forests into a single Azure AD tenant.
It still does that, but it’s now a lightweight alternative to AD Connect that doesn’t have quite as many features but is much faster to set up and requires fewer resources. This is because cloud sync moves the configuration into the cloud, needing only provisioning agents on-premises.
“When you look at AD Connect, almost all the configuration is done in the on-prem world, and it’s stored in that local server,” said Dadzie. “For cloud sync, the idea is to switch the configuration to be cloud based and have a very lightweight agent in the customer’s environment so that it’s easy to deploy.
“It takes about 10 megabytes, so you can have multiple of these working together for high availability solutions; something that’s more difficult to do if you have a full Connect sync capability.”
That high availability is particularly useful if you’re using Microsoft’s recommended password hash synchronization: with several agents, losing one doesn’t stop password changes from propagating to Azure AD. (With pass-through authentication, the agents sit directly in the sign-in path, so redundancy matters even more.)
The future of cloud sync
Cloud sync can handle groups with up to 50,000 members, but it doesn’t cover everything you can do with AD Connect sync yet, Dadzie told us.
“If you’ve done a lot of customizations on attributes in your AD and you still use Exchange on-prem, there’s still some delta in the capabilities,” said Dadzie. “In the longer term, we will want to have it be the full replacement; we are not there yet.”
Currently, it can’t connect to LDAP directories and doesn’t yet support device objects, just users, groups and contacts. Some advanced customization and filtering options aren’t available, and cloud sync can’t handle Exchange hybrid writeback, so you can’t use it for Exchange hybrid migrations.
Federation is supported, but Azure AD Domain Services and pass-through authentication are not, at least for disconnected forests. That’s something the AD Connect team is working on, Dadzie said, and writeback for security groups is also in development.
“Over the past year, we added the self-service password writeback scenarios,” said Dadzie.
Device writeback is also under development, because “almost any deployment starts with getting some of the users from on-prem to the cloud,” Dadzie notes. It’s slightly confusing because both Azure AD and Windows Hello for Business have features named cloud Kerberos trust, which do different things, but Microsoft tells us the naming and documentation should become clearer in future.
The cloud sync team is also looking at alternatives to writeback.
“If you have an on-prem app and you have a cloud user who needs access to it, how do you give that user access without having an account in the on-prem AD,” said Dadzie. “We’re looking at what we might do in that space: Is there a way to have some of the secrets go down so that you can have the user credentials, where the user gets access to on-prem without having to have the user object in there?”
Thatās still in the early stages, but there are regular updates to cloud sync functionality.
“Every quarter to six months, we update and add new capabilities,” said Dadzie. “We’re on a mission to chip away at the reasons why someone might still want to use the full AD Connect sync. We’re on a mission to keep adding to cloud sync to the point that we eventually replace AD Connect sync, but we are not there yet.”
Choosing between Azure AD Connect and cloud sync
There’s no urgency about moving to cloud sync if you depend on an AD Connect sync feature it lacks, but there are some scenarios where cloud sync is already the better choice, and it is also less demanding to run.
“It works well for organizations that are not as complicated or don’t have a lot of objects; if they have less than 150K objects in their directory, then it’s easier to start off using cloud sync,” said Dadzie.
There’s a wizard in the Microsoft 365 admin center that walks you through choosing the right identity sync option, as well as a step-by-step migration guide if you want to move from Azure AD Connect sync to cloud sync.
How complex that migration will be depends on how complex your AD environment is: “The more complex the environment is, then a more phased approach works,” Dadzie said. But if your needs are less complex and you’re starting out with hybrid identity, he suggests starting with cloud sync for simplicity (Figure A).
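Before picking a sync option, it helps to measure the directory against the two figures quoted in this article: roughly 150K synced objects overall and 50K members per group. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read every domain in the forest, and that the thresholds are the ones quoted here (check Microsoft’s current published limits before relying on them). It counts only the object types cloud sync provisions (users, groups, contacts) and reports direct group membership, which is what the `member` attribute holds.

```powershell
# Added example (not from the article): size an AD forest against the cloud sync
# figures quoted above. Assumes RSAT ActiveDirectory module and read access to all domains.
Import-Module ActiveDirectory

# Thresholds as quoted in the article; verify against current Microsoft documentation.
$ObjectThreshold      = 150000
$GroupMemberThreshold = 50000

# Cloud sync handles users, groups and contacts only (no device objects), so those are
# the classes worth counting. Walk every domain in the forest, since a multi-domain
# forest still lands in a single tenant.
$forest  = Get-ADForest
$counts  = [ordered]@{ Users = 0; Groups = 0; Contacts = 0 }
$bigGroups = @()

foreach ($domain in $forest.Domains) {
    $counts.Users    += @(Get-ADUser   -Filter * -Server $domain).Count
    $counts.Contacts += @(Get-ADObject -LDAPFilter '(objectClass=contact)' -Server $domain).Count

    # Pull the member attribute so direct membership can be measured per group.
    $groups = Get-ADGroup -Filter * -Properties member -Server $domain
    $counts.Groups += @($groups).Count

    foreach ($g in $groups) {
        $size = @($g.member).Count   # direct members only; nested groups count as one entry
        if ($size -gt $GroupMemberThreshold) {
            $bigGroups += [pscustomobject]@{
                Domain  = $domain
                Group   = $g.DistinguishedName
                Members = $size
            }
        }
    }
}

$total = $counts.Users + $counts.Groups + $counts.Contacts

Write-Host "Forest: $($forest.Name)"
Write-Host ("Users: {0}  Groups: {1}  Contacts: {2}  Total: {3}" -f `
    $counts.Users, $counts.Groups, $counts.Contacts, $total)

if ($total -gt $ObjectThreshold) {
    Write-Warning "Total synced objects exceed $ObjectThreshold; plan on AD Connect sync or a phased move."
} else {
    Write-Host "Object count is under $ObjectThreshold; cloud sync is a reasonable starting point."
}

if ($bigGroups.Count -gt 0) {
    Write-Warning "Groups with more than $GroupMemberThreshold direct members (cloud sync cannot sync these):"
    $bigGroups | Sort-Object Members -Descending | Format-Table -AutoSize
} else {
    Write-Host "No group exceeds $GroupMemberThreshold direct members."
}
```

Run it from a domain-joined management host as an account with read access to each domain; on a large directory the per-domain `Get-ADGroup -Properties member` call is the slow part, so scope it with `-SearchBase` if you only plan to sync particular OUs. The counts are a sizing aid only; the other capability gaps the article lists (Exchange hybrid writeback, device objects, custom attribute flows) still have to be checked separately.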
Figure A
In fact, a big part of the appeal of cloud sync is that it’s designed to be much easier to get started with.
“In Connect sync, you have to do all the schema mapping yourself, whereas in cloud sync we try to autodiscover them for you, so you don’t have to hunt around and to make it easy for you to configure those,” said Dadzie. “The main philosophy we are trying to get with cloud sync is to make it super, super easy, so customers don’t have to think through these things.”