Identity management can be a complex and time-consuming task for organizations, especially those with large and diverse user bases. Traditionally, identities have been maintained on-premises with Active Directory Domain Services (AD DS). As organizations add cloud services such as Microsoft 365 (M365), they need a way to synchronize identities from on-premises AD DS to the cloud. The “Big Daddy” for synchronizing your identities from on-premises to the cloud has traditionally been Azure Active Directory Connect (AADC).
However, with the advent of cloud-based solutions, managing identities has become much simpler and more efficient. One such solution is Azure Active Directory Cloud Sync (Cloud Sync), which offers a range of benefits for organizations looking to simplify their identity management processes.
In this article, we will explore what Cloud Sync is, compare features with AADC, how to set it up, and how to manage it effectively.
What is Cloud Sync?
Cloud Sync is a cloud-based identity management solution that allows organizations to synchronize their on-premises Active Directory (AD) with Azure Active Directory (Azure AD). This synchronization process ensures that user identities, groups, and other directory objects are consistent across both environments – enabling seamless access to cloud-based resources.
Advantages
Benefits of implementing Cloud Sync include reduced administrative overhead, improved security, and simplified user access management. Cloud Sync uses a lightweight agent instead of the AADC application. This agent communicates with both AD and Azure AD, ensuring that changes made in one environment are reflected in the other. The synchronization process runs roughly every 20 minutes, so any changes made to user accounts or group memberships are reflected shortly after they are made.
The following table provides a comparison between AADC and Cloud Sync:
| Feature | AADC sync | Azure AD Cloud Sync |
|---|---|---|
| Connect to single on-premises AD forest | ● | ● |
| Connect to multiple on-premises AD forests | ● | ● |
| Connect to multiple disconnected on-premises AD forests | | ● |
| Lightweight agent installation model | | ● |
| Multiple active agents for high availability | | ● |
| Connect to LDAP directories | ● | |
| Support for user objects | ● | ● |
| Support for group objects | ● | ● |
| Support for contact objects | ● | ● |
| Support for device objects | ● | |
| Allow basic customization for attribute flows | ● | ● |
| Synchronize Exchange Online attributes | ● | ● |
| Synchronize extension attributes 1-15 | ● | ● |
| Synchronize customer-defined AD attributes (directory extensions) | ● | ● |
| Support for Password Hash Sync | ● | ● |
| Support for Pass-Through Authentication | ● | |
| Support for federation | ● | ● |
| Seamless Single Sign-on | ● | ● |
| Supports installation on a Domain Controller | ● | ● |
| Support for Windows Server 2016 | ● | ● |
| Filter on Domains / OUs / groups | ● | ● |
| Filter on objects’ attribute values | ● | |
| Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
| Allow removing attributes from flowing from AD to Azure AD | ● | ● |
| Allow advanced customization for attribute flows | ● | |
| Support for password writeback | ● | ● |
| Support for device writeback | ● | Customers should use Cloud Kerberos trust for this. |
| Support for group writeback | ● | |
| Support for merging user attributes from multiple domains | ● | |
| Azure AD DS support | ● | |
| Exchange hybrid writeback | ● | |
| Unlimited number of objects per AD domain | ● | |
| Support for up to 150,000 objects per AD domain | ● | ● |
| Groups with up to 50,000 members | ● | ● |
| Large groups with up to 250,000 members | ● | |
| Cross domain references | ● | ● |
| On-demand provisioning | | ● |
| Support for US Government | ● | ● |
One of the biggest benefits of using Cloud Sync is the ability to have more than one agent installed and active at the same time. This gives organizations a high level of resiliency should one agent or server go offline. This differs from AADC Sync, which only has a standby server that must be activated when issues arise. Microsoft recommends having three active agents installed for high availability. Ideally, an organization would have one agent in each AD site that is also home to a domain controller and has direct egress to the internet from that site.
Disadvantages
There are two major drawbacks of using Cloud Sync. One is the lack of support for Exchange hybrid writeback of attributes necessary for proper management of mailboxes. The other is a lack of support for Hybrid Joined devices.
There are a few important considerations that need to be understood:
- Users and groups must be uniquely identified across all forests.
- Matching across forests doesn’t occur with Cloud Sync.
- The source anchor for objects is chosen automatically (ms-DS-ConsistencyGuid if present, otherwise ObjectGUID is used).
- The attribute that is used for source anchor cannot be changed.
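A pre-flight check for the considerations above, added here as an example and not part of the original article: it reads the users of each forest Cloud Sync will scope, flags the UPN and mail collisions that Cloud Sync will not reconcile (since it does no cross-forest matching), and reports which source anchor would be chosen per user. The domain controller names are placeholders; the RSAT ActiveDirectory module and read access to each forest are assumed.

```powershell
# Added pre-flight check (not from the article). Assumes the RSAT ActiveDirectory
# module and read access to one DC per forest that Cloud Sync will synchronize.
Import-Module ActiveDirectory

# Hypothetical domain controllers, one per forest; replace with your own.
$forestDCs = @('dc01.forest-a.example', 'dc01.forest-b.example')

$users = foreach ($dc in $forestDCs) {
    Get-ADUser -Server $dc -Filter 'Enabled -eq $true' `
        -Properties mS-DS-ConsistencyGuid, mail |
      ForEach-Object {
        [pscustomobject]@{
            Forest = $dc
            Sam    = $_.SamAccountName
            UPN    = $_.UserPrincipalName
            Mail   = $_.mail
            # Cloud Sync's automatic choice: ms-DS-ConsistencyGuid when populated,
            # otherwise objectGUID. The attribute is a byte[] in AD, so decode it.
            SourceAnchor = if ($_.'mS-DS-ConsistencyGuid') {
                'ms-DS-ConsistencyGuid=' + [guid]::new([byte[]]$_.'mS-DS-ConsistencyGuid')
            } else { 'objectGUID=' + $_.ObjectGUID }
        }
      }
}

# Cloud Sync does not match objects across forests, so the same person present in two
# forests ends up as two cloud objects or a provisioning conflict. Flag those up front.
foreach ($attr in 'UPN', 'Mail') {
    $users | Where-Object { $_.$attr } | Group-Object -Property $attr |
        Where-Object { $_.Count -gt 1 -and ($_.Group.Forest | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            $where = ($_.Group | ForEach-Object { "$($_.Forest)\$($_.Sam)" }) -join ', '
            Write-Warning ("{0} '{1}' exists in more than one forest: {2}" -f $attr, $_.Name, $where)
        }
}

# Per-forest summary of which anchor attribute the sync would actually rely on.
$users | Group-Object Forest | ForEach-Object {
    $withGuid = @($_.Group | Where-Object { $_.SourceAnchor -like 'ms-DS-ConsistencyGuid=*' }).Count
    '{0}: {1} users, {2} anchored on ms-DS-ConsistencyGuid, {3} falling back to objectGUID' -f `
        $_.Name, $_.Count, $withGuid, ($_.Count - $withGuid)
}
```

Because the anchor attribute cannot be changed afterwards, run this before the first sync; populating ms-DS-ConsistencyGuid consistently beforehand is the moment to do it.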
Real Life Applications
Here are examples of use cases (and the corresponding tool) that would be appropriate for syncing identities to the cloud:
Scenario #1
Let’s consider an organization that has 1,200 user identities in an on-premises AD consisting of a single forest and one domain. Currently Gmail for Business is the email solution. The organization is considering moving to M365. What tool can be used to synchronize identities to the cloud? In this case, both AADC and Cloud Sync are well-suited for the job. Since the organization will not be using a Hybrid Exchange solution, Cloud Sync might be the simpler choice.
Scenario #2
A different scenario would be an organization with 900 user identities in an on-premises AD consisting of a single forest and one domain. Currently the email solution is Exchange, and they intend to do Hybrid Exchange after migration. Additionally, the organization has 300 users in another non-Microsoft LDAP directory that will need to be synchronized to Azure. In this case, there is only one synchronization solution that can be used, and that is AADC. Cloud Sync cannot be used because neither the Hybrid Exchange requirement nor the non-Microsoft LDAP source is supported.
Usage and Installation
Cloud Sync supports three types of identity provisioning (see below). Provisioning is the process of creating an object based on certain conditions, keeping the object up to date, and deleting the object when conditions that created the object are no longer met. The three provisioning types are:
- HR-driven provision – Provisioning from HR to the cloud involves the creation of objects (users, roles, groups, etc.) based on the information that is in your HR system. Examples include creating users when hired (onboarding) and removing users when they leave the organization (offboarding).
- App provisioning – In Azure AD, the term “app provisioning” refers to automatically creating user identities and roles in the cloud applications that users need access to.
- Directory provisioning – Directory provisioning involves provisioning from on-premises sources like AD to Azure AD. An example would be when a user is added to the on-premises directory then they are provisioned into Azure AD.
Installing and configuring Azure AD Cloud Sync is an easy process and can be completed in under an hour. Before setting up Cloud Sync, there are several prerequisites that must be met. These include having an Azure AD subscription, an on-premises AD environment, and a viable Windows server to run the synchronization agent. Once these prerequisites are met, the next step is to configure synchronization by following these high-level steps:
- Create or identify a group managed service account (“gMSA”) to be used by the agent. NOTE: Following the wizard will create a gMSA for you.
- In the Azure Portal, download the agent found at AADC > Cloud Sync > Agents.
- On a Windows server running 2016 or later, install the agent. NOTE: Installing on a domain controller is supported.
- After installation, the agent configuration wizard will be started. Follow the prompts and provide the required information.
- Verify the installation; you should see the agent running as a service on the local computer, and in the Azure AD portal you should see the agent is now registered.
- At this point you need to configure Cloud Sync in the Azure portal. This guide will walk you through the configuration.
- Finally, enable password writeback in the Azure portal and on the agent installed on the local server. This tutorial will walk you through enabling password writeback.
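A post-install verification for the steps above and for the three-agent layout recommended earlier, added here as an example rather than taken from the article: from an admin workstation it confirms on each agent server that the agent service is installed and running, that it runs under a gMSA rather than a user account, and that the server has its own HTTPS egress. The service name, the server names and the two endpoints are assumptions; confirm the service name in services.msc and the endpoints against Microsoft's current agent prerequisites.

```powershell
# Added verification script (not from the article). Requires WinRM access to the agent
# servers. Names below are assumptions to adjust for your environment.
$serviceName  = 'AADConnectProvisioningAgent'   # assumed service name; check services.msc
$agentServers = @('agent01.site-a.example', 'agent02.site-b.example', 'agent03.site-c.example')
$endpoints    = @('login.microsoftonline.com', 'login.msappproxy.net')  # assumed required egress

$report = foreach ($server in $agentServers) {
    # Service state and the account it runs as, read remotely via CIM.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $server `
              -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue

    # Egress must be tested from the agent server itself, not from this workstation,
    # because the article's HA guidance assumes direct internet egress per site.
    $egress = foreach ($ep in $endpoints) {
        $ok = Invoke-Command -ComputerName $server -ArgumentList $ep -ScriptBlock {
            param($hostName)
            (Test-NetConnection -ComputerName $hostName -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        '{0}:{1}' -f $ep, $(if ($ok) { 'ok' } else { 'BLOCKED' })
    }

    [pscustomobject]@{
        Server     = $server
        Installed  = [bool]$svc
        State      = $svc.State
        # A gMSA logon name ends in '$'; a plain user account here means the wizard's
        # gMSA step was skipped and a password-bearing account is doing the sync.
        RunsAsGmsa = [bool]($svc.StartName -match '\$$')
        Egress     = $egress -join ' '
    }
}

$report | Format-Table -AutoSize

# Cloud Sync keeps running while any one agent is healthy, but fewer than three running
# agents means the recommended high-availability layout is not actually in place.
$running = @($report | Where-Object { $_.State -eq 'Running' }).Count
if ($running -lt 3) { Write-Warning "Only $running of $($agentServers.Count) agents are running." }
```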
Best practices for optimizing synchronization performance and reliability include ensuring that the synchronization agent is running on multiple servers, configuring appropriate network settings, and monitoring synchronization status regularly. Cloud Sync’s agents don’t have a database. This means there are no special considerations regarding backup of the servers running the agent. A simple crash-consistent backup will do.
Once Cloud Sync is set up, it is important to monitor synchronization status and troubleshoot any errors that may arise. Microsoft provides a range of tools and resources for monitoring synchronization status, including the Azure portal, PowerShell commands, and log files. In the event of an error, troubleshooting steps may include checking network connectivity, verifying synchronization settings, and restarting the synchronization service.
Customizing synchronization rules and filters is another important aspect of managing Cloud Sync. This allows organizations to control which directory objects are synchronized between on-premises AD and Azure AD, as well as how they are synchronized. Upgrading and maintaining Cloud Sync is also important to ensure that the solution remains up-to-date and secure.
Choose a Tool That Benefits You
In conclusion, there are choices for which identity synchronization tool to use. The decision of which tool will depend on your organization’s requirements and what tool can fulfil those requirements. Cloud Sync is a powerful tool for simplifying identity management in organizations of all sizes. Selecting, setting up and managing Cloud Sync requires careful planning and attention to best practices, but the benefits of doing so are significant. By synchronizing on-premises AD with Azure AD, organizations can reduce administrative overhead, improve security, and simplify user access management.
All identity engineers should start working with and learning Cloud Sync in the lab to become familiar with it because “Cloud Sync is replacing AADC Sync, which will be retired after Cloud Sync has full functional parity with Connect Sync” referenced here.
To learn more about how Cloud Sync can benefit your organization, contact our team at Core BTS today.