Introduction to Microsoft Azure Active Directory Sync Services
Last week (September 15th, 2014) Microsoft released Azure Active Directory Sync Services, the new synchronization service that, in short, allows you to:
- Synchronize multi-forest Active Directory environments without needing the full-blown feature set of Forefront Identity Manager 2010 R2.
- Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
- Configuring multiple on-premises Exchange organizations to map to a single AAD tenant
Azure AD Sync Services is notable for being Microsoft’s intended replacement for the Directory Synchronization (DirSync) tool. Both tools synchronize (copy) the user identities an organization manages in on-premises Active Directory to Azure Active Directory, Office 365 and Windows Intune, first to onboard the on-prem environment and then to keep synchronizing changes. Azure AD Sync Services is used for the more advanced scenarios that DirSync does not support, for example multiple on-prem AD forests. At the moment Azure AD Sync Services does not support multiple Azure subscriptions.
Azure AD Sync Services can do some things that DirSync can’t. It can synchronize multi-forest AD environments. It can sync a small set of user attributes. It can also map multiple Exchange deployments to a single Azure AD tenant. However, Azure AD Sync Services currently lacks a few of DirSync’s capabilities. For instance, password hash synchronization is currently not supported in Azure AD Sync Services, although Microsoft plans to add support for it in a future release, according to a Microsoft FAQ.
Azure AD Sync Services consists of several components, including:
- Synchronization Rules Editor – Launching the Synchronization Rules Editor (SRE) shows you the different types of rules set for inbound and outbound directory connections. Rules may be added, deleted, and customized to align with an organization’s requirements.
- Synchronization Service Key Management – This utility allows you to export and back up the keys used to encrypt data in Azure AD Sync to a file. The file should be stored in a secure location.
- Synchronization Service – If you are familiar with Forefront Identity Manager or DirSync, you are familiar with the Synchronization Service. This utility provides an interface to initiate synchronizations, perform operations and configure the connectors.
- DirectorySyncTool – This wizard-driven utility allows you to reconfigure and change your Azure AD Sync configuration.
- PowerShell – Of course Azure AD Sync Services ships with PowerShell support. The ADSync module provides 60 commands to configure it to your needs (if you’re not comfortable with the GUI).
One of the enhancements in Azure AD Sync Services is its extensive filtering support: existing rules can easily be adjusted and new filter rules can be added, which I’ll cover in a later post. With DirSync, filtering was possible but the options were limited, especially if you wanted your configuration to stay in a state supported by Microsoft.
Extensive filtering capabilities are particularly relevant for organizations subject to strict security requirements, since they give you the option to limit which user or group objects are synchronized, down to the set of attributes replicated to Azure Active Directory.
The range of filtering options shipped with Azure AD Sync Services doesn’t stop there: it also allows you to prevent users from using Azure AD apps.
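As an added example (not code from the original post or from Microsoft), here is a PowerShell session that uses the ADSync module described under the components above to inventory what it exposes: the number of commands, the configured connectors, and the synchronization rules together with their scope filters, which is the place to look when you want to verify that only the intended objects flow to Azure Active Directory. It assumes the module is installed on the Azure AD Sync server and that the session is elevated; the cmdlet names Get-ADSyncConnector and Get-ADSyncRule are from the ADSync module, while the property names used in the Select-Object calls (ConnectorTypeName, Direction, Precedence, Disabled, ScopeFilter and its ScopeConditionList) are assumptions about the objects those cmdlets return.

```powershell
# Added example: inventory the Azure AD Sync configuration from PowerShell.
# Run on the Azure AD Sync server in an elevated PowerShell session.
Import-Module ADSync

# How many commands does the module expose? (The post mentions 60.)
$commands = Get-Command -Module ADSync
"ADSync module exposes {0} commands" -f $commands.Count

# List the configured connectors: the on-premises AD forest(s) and the Azure AD tenant.
# Property names are assumed.
Get-ADSyncConnector |
    Select-Object Name, ConnectorTypeName |
    Format-Table -AutoSize

# Review the synchronization rules. Rules with a scope filter are the ones that
# limit which objects flow; review these before onboarding.
# ScopeFilter / ScopeConditionList / Attribute / ComparisonOperator / ComparisonValue
# are assumed property names.
Get-ADSyncRule |
    Sort-Object Direction, Precedence |
    Select-Object Name, Direction, Precedence, Disabled,
        @{ Name = 'ScopeFilter'; Expression = {
            # Flatten the scope filter groups into a readable "a AND b OR c" string.
            ($_.ScopeFilter | ForEach-Object {
                ($_.ScopeConditionList | ForEach-Object {
                    "$($_.Attribute) $($_.ComparisonOperator) $($_.ComparisonValue)"
                }) -join ' AND '
            }) -join ' OR '
        } } |
    Format-Table -AutoSize -Wrap

# Flag enabled rules without any scope filter: these apply to every object in the
# connector space, which may be broader than a strict security policy allows.
Get-ADSyncRule |
    Where-Object { -not $_.Disabled -and (-not $_.ScopeFilter -or $_.ScopeFilter.Count -eq 0) } |
    Select-Object Name, Direction, Precedence |
    Format-Table -AutoSize
```

The last pipeline is the one worth keeping in a change checklist: an unscoped inbound rule from the AD connector means every object of that type is a candidate for synchronization, so any intended restriction on users, groups or attributes has to live in a scoped rule with a lower precedence number.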
Microsoft has published a table comparing the current and future capabilities of DirSync, Azure AD Sync and Forefront Identity Manager 2010 R2 at this page.
Azure AD Sync Services, which will succeed DirSync as the next-generation sync tool, also features “a simplified deployment experience,” according to Sizemore. It’s also considered by Microsoft to be a “next generation synchronization server (to supersede FIM [Forefront Identity Manager])”. The Azure AD Sync Service can be downloaded here.
In the short term I’ll go into more detail on how to configure filtering for your custom(er) needs. Stay tuned!
NOTE: At this time, password synchronization is not currently available with AADSync. However, AADSync does work with ADFS to provide a single sign-on (SSO) experience. If you need password synchronization, please continue to use DirSync.