Azure AD Connect is a synchronization tool that helps bridge the gap between your on-premises Active Directory and Azure Active Directory. It allows you to synchronize user identities, groups, and other directory objects between the two environments.
Azure AD Connect uses a process called synchronization to update user accounts and group membership in Azure AD. This process runs on a regular schedule, typically every 30 minutes.
The tool also includes a feature called password hash synchronization, which allows users to use the same password for both on-premises and cloud-based accounts. This feature helps to simplify password management and reduces the need for users to remember multiple passwords.
Azure AD Connect Features
Azure AD Connect has several key features that make it a powerful tool for managing identities.
Password Writeback is one of these features, which allows passwords changed in the Azure/Microsoft 365 cloud to apply to corresponding on-premise users when the next synchronization takes place.
Bidirectional Synchronization allows for certain object changes in the cloud to apply to the corresponding on-premise object, simplifying identity management for administrators.
This feature is particularly useful for object changes such as Full Name and proxyAddresses, which can be made directly in the cloud without requiring changes to be made on-premise first.
With Azure AD Connect, user accounts and groups located on-premise will be synchronized with those in the Azure AD/Microsoft 365 cloud, allowing administrators to maintain fewer separate user identities.
By using Azure AD Connect in combination with SSO, such as with Azure Enterprise Applications, user identities can be centralized further, making it easier to manage identities across different systems.
Password Hash Synchronization
Password Hash Synchronization is a key feature of Azure AD Connect, allowing users to have the same password for both on-premises Active Directory services and Azure services like Microsoft 365.
With Password Hash Synchronization, a user has the same password for all services, which simplifies their life and reduces the likelihood of forgotten passwords. Only a hash of the password is sent to Azure AD; the cleartext password is never stored or transmitted.
The password hash is synchronized every two minutes, ensuring that users have access to all services with their single password.
AD Connect handles the synchronization between on-premises systems and Azure AD using its sync engine, which creates users and groups and keeps their on-premises identity information in sync with the cloud.
The sync engine uses a staging area to process identity information even if the source is temporarily unavailable, ensuring continuous synchronization.
Here are the benefits of Password Hash Synchronization:
- Users only need to remember one password.
- Reduced likelihood of forgotten passwords.
- Easy to deploy and use.
- Multi-factor authentication is available using Azure AD Multi-Factor Authentication or Conditional Access custom controls.
Azure AD Connect Configuration
You can configure Azure AD Connect to connect your on-premises Active Directory domains to Azure AD. There are three main options: Express Settings, Custom Settings, and Microsoft Entra ID.
Express Settings deploy sync with the password hash sync option for a single-domain, single-forest on-premise Active Directory domain. This allows for authentication and authorization to resources in Azure/Microsoft 365 based on Active Directory passwords.
Custom Settings provide more flexibility, allowing administrators to connect one or multiple Active Directory domains and forests and choose between password hash sync, pass-through authentication, and Active Directory Federation Services (AD FS) for authentication.
The following options are available in Custom Settings:
- Password hash sync
- Pass-through authentication
- Active Directory Federation Services (AD FS)
- Password reset write back
- Exchange hybrid deployments
DirSync Upgrade
If you're currently using DirSync, you can upgrade in place if your directory has less than 50,000 objects. This can be done without a significant impact on your system.
Organizations with a DirSync deployment can also migrate their settings to Azure AD Connect, which is a more modern and flexible solution. This is a good option if you're looking to future-proof your identity management setup.
If you do choose to upgrade or migrate, you'll need to follow the specific instructions for your situation. This may involve some additional configuration and testing to ensure a smooth transition.
Express Settings
Express Settings is the default option for Azure AD Connect configuration. It deploys sync with the password hash sync option for a single-domain, single-forest on-premise Active Directory domain.
This option allows for authentication and authorization to resources in Azure/Microsoft 365 based on Active Directory passwords.
Express Settings is a straightforward choice for many organizations, especially those with a simple on-premise Active Directory setup.
Custom Settings
Custom settings in Azure AD Connect Configuration offer a high degree of flexibility.
With custom settings, administrators can connect one or multiple Active Directory domains and forests for authentication. This allows for a more tailored approach to identity and access management.
You can choose between password hash sync, pass-through authentication, and Active Directory Federation Services (AD FS) for authentication options. Each has its own strengths and use cases, so it's essential to select the one that best fits your organization's needs.
Password reset write back and Exchange hybrid deployments are also sync options available with custom settings. These features enable administrators to streamline password management and integrate with Exchange for a more seamless user experience.
Use with PowerShell
To work with the Azure AD PowerShell module, you'll first need to import it. The module is not loaded automatically; you import it by running a command.
The Azure AD PowerShell module allows for granular control over synchronization behaviors. This means you can customize how it works to suit your organization's needs.
To manually run a synchronization with current configurations, you'll need to use a specific command. This command will run the sync as it's currently set up.
To retrieve current synchronization schedule settings, you can use another command. This will give you a snapshot of how the sync is currently configured.
To change the current synchronization schedule settings, you'll need to use a different command. This will allow you to update the sync settings to suit your needs.
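The four steps above carried out in PowerShell, as an added example that is not code from the original article. It uses the ADSync module that Azure AD Connect installs on the sync server, runs in an elevated session on that server, and also checks that the password hash synchronization described earlier is actually enabled; the connector name 'contoso.com' is a placeholder.

```powershell
# Added example (not from the original article). Requires the ADSync module
# that Azure AD Connect installs; run in an elevated session on the sync server.
# 'contoso.com' is a placeholder for your on-premises AD connector name.
Import-Module ADSync

# 1. Snapshot the current scheduler settings before changing anything.
Get-ADSyncScheduler |
    Select-Object AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
        CustomizedSyncCycleInterval, SyncCycleEnabled, SchedulerSuspended,
        NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

# 2. Confirm password hash sync is enabled both for the tenant and for the
#    on-premises connector. A quietly disabled PHS is a common cause of
#    "my new password works on-premises but not in Microsoft 365" tickets.
$tenantFeatures = Get-ADSyncAADCompanyFeature
$connectorPhs   = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'contoso.com'
[pscustomobject]@{
    TenantPasswordHashSync    = $tenantFeatures.PasswordHashSync
    ConnectorPasswordHashSync = $connectorPhs.Enabled
}

# 3. Run a synchronization with the current configuration. Delta processes only
#    changed objects; use -PolicyType Initial only after rule or filter changes,
#    because it re-reads every object and is slow on large directories.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Wait for the cycle to finish before touching the scheduler.
#    Get-ADSyncConnectorRunStatus returns nothing when no connector is busy,
#    and Set-ADSyncScheduler fails while a sync is in progress.
while (Get-ADSyncConnectorRunStatus) {
    Start-Sleep -Seconds 10
}

# 5. Change the schedule: widen the interval to one hour. The lowest value the
#    scheduler accepts is 30 minutes, which is the default cadence the article
#    mentions, so intervals below that are rejected rather than applied.
Set-ADSyncScheduler -CustomizedSyncCycleInterval (New-TimeSpan -Hours 1)
Get-ADSyncScheduler |
    Select-Object CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval
```

Password hash sync runs on its own two-minute cadence and is not affected by the interval set in step 5; to re-run it on demand, toggle it off and on with Set-ADSyncAADPasswordSyncConfiguration for the same connector.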
Active Directory in Azure with On-Premises Forest
Azure AD Connect enables the connection between on-premises Active Directory and Azure Active Directory, effectively bridging the two platforms.
You can deploy AD Domain Services (AD DS) servers to Azure and create a domain in Azure that joins to your on-premises AD forest. This allows for access to the same identity information that is available on-premises.
This option is suitable if you need to use AD DS features that are not currently implemented by Microsoft Entra ID.
You can authenticate user, service, and computer accounts on-premises and in Azure, and apply group policy defined by on-premises Group Policy Objects to the domain in Azure.
However, you must deploy and manage your own AD DS servers and domain in the cloud, which may introduce some synchronization latency between the domain servers in the cloud and the servers running on-premises.
Here are some key considerations for deploying AD DS in Azure:
- Provides access to the same identity information that is available on-premises.
- You can authenticate user, service, and computer accounts on-premises and in Azure.
- You don't need to manage a separate AD forest. The domain in Azure can belong to the on-premises forest.
- You can apply group policy defined by on-premises Group Policy Objects to the domain in Azure.
But, you must also consider the potential drawbacks, including:
- You must deploy and manage your own AD DS servers and domain in the cloud.
- There may be some synchronization latency between the domain servers in the cloud and the servers running on-premises.
Frequently Asked Questions
What is the difference between Azure AD Sync and Azure AD Connect?
Azure AD Sync and Azure AD Connect are both tools for synchronizing on-premises AD with Azure AD, but Azure AD Connect is a more feature-rich tool that requires on-premises servers, while Azure AD Connect Cloud Sync is a cloud-based alternative with fewer features.
What is replacing Azure AD Connect?
Microsoft Entra Connect V2 is replacing Azure AD Connect, offering a new version of the software for hybrid identity goals.
Where is Azure AD Connect?
To find Azure AD Connect, sign in to the Microsoft Azure Portal and navigate to Azure Active Directory > Azure AD Connect Health > Sync services > Service name.