Welcome to Langenile

[email protected]
Contact Us

Category Archives: The Microsoft 365 admin center

  1. Home / 
  2. Archive by category "The Microsoft 365 admin center"
Jul 31, 2024
Managing and monitoring Microsoft 365 license allocations– Planning and Managing Azure AD Identities

If identity is the foundation for security in the Microsoft 365 platform, licensing is the entitlement engine that is used to grant identities access to the tools and applications.

Every Microsoft 365 service is tied to a license—whether that’s individual product licenses for Exchange Online or SharePoint Online or bundled offerings such as Microsoft 365 E3, which include multiple services.

In Microsoft terminology, there are a number of key terms to be aware of:

  • Licensing plans: In broad terms, a licensing plan is any purchased licensing item. For example, standalone Exchange Online P2 and Microsoft 365 E3 are both examples of licensing plans.
  • Services: Also known as service plans, these are the individual services that exist inside of a licensing plan. For example, Exchange Online P2 has a single Exchange Online P2 service plan, while Microsoft 365 E3 has an Exchange Online service plan, a Microsoft 365 Apps service plan, a SharePoint Online service plan, and so on.
  • Licenses: This is the actual number of individual license plans of a particular type that you have purchased. For example, If you have 5 subscriptions to Exchange Online P2 and 5 subscriptions to Microsoft 365 E3, you have 10 licenses (or 5 each of Exchange Online P2 and Microsoft 365 E3). Licenses are frequently mapped 1:1 with users or service principals, though some users may have more than one license plan associated with them.
  • SkuPartNumber: When reviewing licensing in PowerShell, the SkuPartNumber is the keyword that maps to a licensing plan. For example, Office 365 E3 is represented by the ENTERPRISEPACK SkuPartNumber.
  • AccountSkuId: The AccountSkuId is the combination of your tenant name (such as Contoso) and the SkuPartNumber or licensing plan. For example, the Office 365 E3 licensing plan belonging to the contoso.onmicrosoft.com tenant has an AccountSkuId of contoso:ENTERPRISEPACK.
  • ConsumedUnits: Consumed units represent the number of items in a licensing plan that you have assigned to users. For example, if you have assigned a Microsoft 365 E3 licensing plan to three users, you have three ConsumedUnits of the Microsoft 365 E3 licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Assigned.
  • ActiveUnits: Number of units that you have purchased for a particular licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Total.
  • WarningUnits: Number of units that you haven’t renewed purchasing for in a particular license plan. These units will be expired after the 30-day grace period. If reviewing licensing in the Azure AD portal, this field is also sometimes displayed as Expiring soon.

You can easily view purchased licensing plan details in the Microsoft 365 admin center under Billing | Licenses:

Figure 5.22 – License details in the Microsoft 365 admin center

You can assign licenses in many ways:

  • Through the Licenses page in the Microsoft 365 admin center (Microsoft 365 admin center | Billing | Licenses)
  • In the properties of a user on the Active users page in the Microsoft 365 admin center (Microsoft 365 admin center | Users | Active Users | User properties)
  • To users through the Licenses page in the Azure AD portal (Azure AD Portal | Azure AD | Licenses | Licensed users)
  • To users through the User properties page in the Azure AD portal (Azure AD Portal | Azure AD | Users | User properties)
  • To groups through group-based licensing (Azure AD Portal | Azure AD | Licenses | Licensed groups)
  • Through PowerShell cmdlets such as Set-MsolUserLicense

Each licensing method provides you with similar options for assigning license plans to users, including assigning multiple license plans or selectively enabling service plans inside an individual license plan.

For example, in the Microsoft 365 admin center, you can view and modify a user’s licenses on the Licenses and apps tab of their profile.

Figure 5.23 – User license management

As you can see in Figure 5.23, the user has the Office 365 E5 licensing plan enabled as well as individual services such as Common Data Service, Common Data Service for Teams, and Customer Lockbox, while the Azure Rights Management service plan for this licensing plan is disabled.

More Details
Feb 17, 2024
Creating and managing synchronized users– Planning and Managing Azure AD Identities

As you saw in Chapter 3 and Chapter 4, the process of identity synchronization replicates your on-premises identity in Azure AD. Whether you are using Azure AD Connect sync, Azure AD Connect Cloud sync, or a third-party product, the process is largely the same: an on-premises agent or service connects to both Active Directory and Azure Active Directory, reads the objects from Active Directory and recreates a corresponding object in Azure AD.

During this provisioning process, the on-premises and cloud objects are linked through a unique, immutable attribute, which stays the same throughout the life cycle of the object.

Exam tip

Originally, an on-premises object was linked to its corresponding cloud object by converting the on-premise object’s objectGUID attribute value into a base64 string, and stored in the cloud object’s ImmutableID attribute. Modern versions of Azure AD Connect use the ms-DS-ConsistencyGuid attribute instead. The ms-DS-ConsistencyGuid value is blank by default; after Azure AD Connect is configured to use ms-DS-ConsistencyGuid as the source anchor during setup, an object’s objectGUID value is copied to the ms-DS-ConsistencyGuid attribute. Since a new objectGUID attribute is generated every time an object is created, a static value such as ms-DS-ConsistencyGuid helps organizations maintain the relationship between identities through the Active Directory domain migrations that happen as part of business mergers, acquisitions, and divestitures.

After Azure AD Connect has been deployed, you can create a new synchronized identity by creating a new user in the on-premises Active Directory. See Figure 5.5.

Figure 5.5 – Creating a new user through Active Directory Users and Computers

After synchronization completes, the new user account is ready to sign into the service. From the Microsoft 365 admin center, it’s simple to visually distinguish between cloud and synchronized accounts. Figure 5.6 shows both a cloud user and a synchronized user.

Figure 5.6 – Displaying cloud and synchronized users

Under the Sync status column, a cloud user is represented by a cloud icon, while a synchronized user is represented by a notebook icon.

Creating and managing guest users

Guest users are special accounts that have limited rights in the Azure AD environment. In most contexts, guest users are synonymous with Azure Business-to-Business (B2B) identities, so that’s the reference point that we’ll use to discuss them.

Azure B2B guest accounts are generally created through an invitation process, such as inviting someone from an external organization to participate in a Microsoft SharePoint site, collaborate on a document in OneDrive, or access files in a Teams channel. When an invitation is sent, an Azure identity object is created in the inviting organization’s tenant and an invitation email is sent to the external recipient. After the recipient clicks on the link in the invitation email, the recipient is directed to an Azure sign-in flow, which prompts them to enter credentials corresponding to their own identity source (whether that’s another Azure AD or Microsoft 365 tenant, a consumer account (such as Microsoft, Google, or Facebook), or another third-party issuer that uses a SAML/WS-Fed-based identity provider. The process of the recipient accepting the invitation is called redemption.

More Details
Oct 8, 2023
Configuring the provisioning service– Implementing and Managing Identity Synchronization with Azure AD

In order to complete the Azure AD Connect cloud sync deployment, you’ll need to set up a new configuration in the Azure portal:

  1. Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.
  2. Select Cloud sync from the navigation menu and then, on the Configurations tab, select New configuration.
  3. On the New cloud sync configuration page, select which domains you would like to synchronize to Azure AD. If desired, select the Enable password hash sync checkbox. The password hash sync checkbox on this page only enables the feature; it does not configure password hash sync as a sign-in method (see Figure 4.30).
    EXAM TIP
    Azure AD Connect cloud sync does not support using password hash sync for InetOrgPerson objects.

Figure 4.30 – Creating a new Azure AD Connect cloud sync configuration

  1. Scroll to the bottom of the page and click Create to complete the basic configuration.
    The Azure AD Connect cloud sync configuration has been completed, but it is not yet enabled and ready to start provisioning users. In the next series of steps, you can customize the service before fully enabling it.
    Customizing the provisioning service
    Like the on-premises Azure AD Connect service, Azure AD Connect cloud sync features the ability to perform scoping (including or excluding objects from synchronization) as well as attribute mapping.
    After creating a new configuration, you should be redirected to the properties of the configuration, as shown in Figure 4.31:

Figure 4.31 – The provisioning agent overview page
From this page, you can set up the scoping filters and attribute mappings to customize your environment. By default, Azure AD Connect cloud sync will include all objects in the connected forest and domains for synchronization.
Scoping filters
By selecting Scoping filters under Manage, you can configure what objects should be included for synchronization to Azure AD. You can specify a list of security groups or select organizational units, but not both (see Figure 4.32).

Figure 4.32 – Azure AD Connect cloud sync scoping filters
There are a few important caveats when using scoping filters with Azure AD Connect cloud sync:
• When using group-based scoping, nested objects beyond the first level will not be included in scope
• You can only include 59 separate OUs or security groups as scoping filters
It’s also important to note that using security groups to perform scoping is only recommended for piloting scenarios.

More Details
Jul 24, 2023
Password hash synchronization– Planning Identity Synchronization

Password hash synchronization (commonly referred to as PHS) is the Microsoft-recommended identity solution. In addition to synchronizing the core identity object data, PHS also synchronizes password hash values to the account objects in Azure AD. This ensures that users can use the same password to access local Active Directory resources, as well as Azure AD services.

Further reading

The security behind Azure AD Password Hash Synchronization is complex, involving multiple hashing algorithms. For a deeper understanding of how Password Hash Synchronization protects user data, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization.

When a user logs in to a tenant that has PHS configured, every part of the authentication takes place in Azure AD. This is advantageous because the organization has no reliance on the availability of any on-premises infrastructure for ongoing authentication. Once an identity and its password hash have been synchronized, the on-premises directory isn’t needed until the on-premises object is updated again (such as an additional email address, a change in the display name, or a new password).

In addition, PHS enables an advanced Azure AD Premium P2 security feature: leaked credential detection. With this feature, Microsoft continuously checks various dark websites for organizational identity data that may have been compromised.

As mentioned in the Accounts and security section, password hash synchronization requires the service account to have the Replicating Directory Changes and Replicating Directory Changes All rights in the on-premises directory.

Password hash synchronization is a cloud authentication solution.

Pass-through authentication

Similar to password hash synchronization, pass-through authentication (PTA) relies on synchronizing objects to Azure AD. Unlike PHS, however, the actual password validation happens on-premises. PTA relies upon an agent installed on-premises, which periodically checks Azure for an authentication request.

When Azure AD Connect is configured with PTA, a secure channel is established between the Azure Service Bus and the lightweight PTA agent. For redundancy, you can deploy multiple PTA agents in your environment.

Note

From a networking perspective, Azure AD Connect’s communication is outbound only to the Azure Service Bus. Unlike federation, PTA does not require inbound connectivity.

When a user requests access to an Azure AD resource, the logon request is stored on the Azure Service Bus. This request is encrypted with the public key of each of the PTA agents. The agents check the Service Bus for a request, bring the request back on-premises, decrypt it with the agent’s private key, and then process the request against an on-premises domain controller. The result of the validation (either success or failure) is then sent back to the Azure Service Bus, where Azure AD retrieves the response and then either grants or denies the logon request.

PTA is a potential solution for organizations that want as much benefit from cloud authentication as possible but may have organizational requirements for on-premises credential validation or the enforcement of Active Directory logon hours.

Due to its on-premises password validation component, if none of the on-premises authentication agents can connect to both the Azure Service Bus and local Active Directory, users will be unable to log in.

Microsoft categorized PTA as a cloud authentication solution.

More Details
Jun 4, 2023
Federation– Planning Identity Synchronization

With federated identity solutions, Azure AD is configured to refer authentication requests to an on-premises service to validate login data. When a federated user attempts to log on to an Azure AD resource, Azure AD redirects the login session to an organization-managed web service. Users then enter their credentials in this organization-managed application, which, in turn, validates the logon details against the on-premises directory.

Some organizations may require federated identity due to specific regulations, the need to use smartcard-based login, or third-party multi-factor authentication products. Due to its on-premises password validation component, if on-premises services (such as federation farm servers, load balancers, web application proxy servers, or domain controllers) are unavailable, users will be unable to log in to Azure AD.

You can use the following flowchart to understand which solution is appropriate for you:

`

Figure 3.6 – Authentication selection decision flowchart

Once you have selected an identity and authentication mechanism for your tenant, you can begin preparing your environment for hybrid authentication. Regardless of the method selected for authenticating hybrid identity, Azure AD Connect can be used to configure it.

Summary

In this chapter, you learned how to plan for a hybrid identity deployment, including choosing an authentication method (such as password hash sync, pass-through authentication, or federation) and understanding the various requirements and capabilities of identity synchronization tools. You also learned the basic terminology associated with the Azure AD Connect synchronization engine.

In the next chapter, we will begin configuring Azure AD Connect.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

Answer the following questions:

  1. Which two authentication or sign-in methods validate user passwords on-premises?
    • Password hash synchronization
    • Pass-through authentication
    • Federation
    • Hybrid identity
  1. Which two rights are necessary for password hash synchronization?
    • Replicating Directory Changes
    • Replicating Directory Changes Password
    • Replicating Directory Changes All
    • Replicating Directory Changes Advanced
  2. Which feature, service, or component is a consolidated view of all objects from the connected systems?
    • Connector space
    • sourceAnchor
    • Connected system
    • Metaverse
  3. You have 75,000 objects in your Active Directory environment and need to recommend a solution for Azure AD Connect. You should recommend the simplest option that supports your environment.
    • An Azure AD Connect server with local SQL Server Express
    • An Azure AD Connect server with local or remote SQL Server Analysis Services
    • Azure AD Connect with database stored in a local or remote standalone SQL server
    • Azure AD Connect configured with WID database
  4. Azure AD Connect setup can configure which two federation services?
    • Azure Active Directory Federation Services
    • Active Directory Federation Services
    • OKTA Federation Services
    • PingFederate

Answers

The following are the answers to this chapter’s questions:

  1. B: Pass-through authentication; C: Federation
  2. A: Replicating Directory Changes; C: Replicating Directory Changes All
  3. D: Metaverse
  4. A: Azure AD Connect with local SQL Server Express
  5. B: Active Directory Federation Services; D: PingFederate
More Details
May 22, 2023
Preparing for identity synchronization by using IdFix– Implementing and Managing Identity Synchronization with Azure AD

IdFix is Microsoft’s tool for detecting common issues with on-premises AD identity data. While it doesn’t fix all errors, it is able to identify and remediate data formatting errors so that objects have valid data to synchronize.
IdFix supports the following features:
• Transaction rollback
• Verbose logging
• Exporting data to the CSV and LDF formats for offline review and editing
To get started with the tool, follow these steps:

  1. Navigate to https://aka.ms/idfix.
  2. Scroll to the bottom of the page and click Next.
  3. Review the prerequisites for the tool. Scroll to the bottom of the page and click Next.
  4. Click setup.exe to download the file and start the installation.
  5. After the installation wizard starts, click Install.
  6. Acknowledge the IdFix privacy statement by clicking OK.
  7. IdFix, by default, targets the entire directory. You can select Settings (the gear icon) to change the options for IdFix. You can edit the filter to scope to certain object types. You can also select the search base to specify a starting point for IdFix to begin its query. After modifying any settings, click OK.

Figure 4.1 – The IdFix settings

  1. Click Query to connect to AD and begin the analysis.
    SCHEMA WARNING
    If you receive a schema warning, such as the one in Figure 4.2, you can click Yes to proceed or click No to return to the IdFix tool. The schema warning is generally presented when attributes are present in the AD schema but have not been marked for replication (usually because Exchange Server has not been installed or replication hasn’t completed successfully in your organization for an extended period of time). If you receive this error, you should check to ensure that you have at least run the Exchange Server setup with the /PrepareSchema and /PrepareAD switches and have validated that AD replication is working correctly.

Figure 4.2 – The IdFix schema warning
After IdFix has analyzed the environment, results are returned to the data grid, shown in Figure 4.3. The DISTINGUISHEDNAME column shows the full path to the object in question, while the ATTRIBUTE column shows the attribute or property impacted. The ERROR column shows what type of error was encountered (such as an invalid character or duplicate object value). The VALUE column shows the existing value and the UPDATE column shows any suggested value.

Figure 4.3 – The IdFix data grid
After you have investigated an object, you can choose to accept the suggested value in the UPDATE column (if one exists). You can also choose to either enter or edit a new value in the UPDATE column.
Once you’re done investigating or updating an object, you can use the dropdown in the ACTION column to mark an object:
• Selecting EDIT indicates that you want to configure the object attribute with the value in the UPDATE column
• Selecting COMPLETE indicates that you want to leave the object as is
• Selecting REMOVE instructs IdFix to clear the offending attribute
In addition, you can select Accept to accept any suggested values in the UPDATE column. Choosing this option will configure all objects with a value in the UPDATE column to EDIT, indicating that the changes are ready to be processed.
Once you have configured an action for each object, select Apply to instruct IdFix to make the changes.

  1. IdFix will process the changes. Transactions are written to a log that can be imported and used to roll back any mistakes.
  2. Once you have ensured that your on-premises directory data is ready to synchronize to Azure AD, you can deploy and configure one of the Azure AD Connect synchronization products.
More Details
Apr 9, 2023
Configuring and managing directory synchronization by using Azure AD Connect– Implementing and Managing Identity Synchronization with Azure AD

Azure AD Connect has a long history, originally starting as DirSync to support the deployment of Microsoft Business Productivity Online Suite (BPOS) in 2007.
If you are familiar with Microsoft Identity Manager (MIM), you’ll notice a lot of similarities between that and the current Azure AD Connect platform. As you learned in Chapter 3, Azure AD Connect allows you to connect to multiple directory sources and provision those objects to Azure AD.


Installing the synchronization service
The first step to deploying Azure AD Connect is gathering the requirements of your environment, as outlined in Chapter 3. These requirements can impact the prerequisites for deployment (such as additional memory or a standalone SQL Server environment). As part of the planning process, you’ll also want to identify which sign-in method will be employed (password hash synchronization, pass-through authentication, or federation).


EXAM TIP
To perform the express installation, you’ll need an Enterprise Administrator credential to the on-premises Active Directory forest so that the installer can create a service account and delegate the correct permissions. By default, the on-premises service account is created in the CN=Users container and named MSOL_.
You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD, which Azure AD Connect will use to create a cloud synchronization service account. By default, the cloud service account is named Sync_.
With that information in hand, it’s time to start deploying Azure AD Connect:

  1. On the server where Azure AD Connect will be deployed, download the latest version of the Azure AD Connect setup files (https://aka.ms/aad-connect) and launch the installer.
  2. Agree to the installation terms and select Continue.

Figure 4.4 – The Azure AD Connect welcome page

  1. Review the Express Settings page. You can choose Customize if you want to configure Azure AD Connect to use the pass-through or federated authentication methods, group-based filtering, or a custom SQL Server installation. While the sign-in methods and other features can be changed after installation, it is not possible to enable group-based filtering or change the SQL Server location after setup.

Figure 4.5 – The Azure AD Connect Express Settings page
INSTALLATION NOTES
If you have other domains in your AD forest, they must all be reachable from the Azure AD Connect server or installation will fail. You can perform a custom installation to specify which domains to include in synchronization.

  1. On the Connect to Azure AD page, enter a credential that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD. Click Next.
  2. On the Connect to AD DS page, enter an Enterprise Administrator credential and click Next.
  3. Verify the configuration settings. By default, the Exchange hybrid scenario is not enabled. If you have an on-premises Exchange environment that you will migrate to Microsoft 365, select the Exchange hybrid deployment option to include the Exchange-specific attributes. If you want to perform additional configuration tasks before synchronizing users, clear the Start the synchronization process when configuration completes. checkbox.

Figure 4.6 – The Azure AD Connect Ready to configure page

  1. Click Install.
  2. Review the Configuration complete page and click Exit.

Figure 4.7 – The Azure AD Connect Configuration complete page
If you selected the Start the synchronization process when configuration completes. checkbox, you can review the Azure AD portal to verify that users have been synchronized.

More Details
Mar 15, 2023
Configuring Azure AD Connect filters– Implementing and Managing Identity Synchronization with Azure AD

If you need to exclude objects from Azure AD Connect’s synchronization scope, you can do so through a number of different methods:
• Domain and organizational unit-based filtering
• Group-based filtering
• Attribute-based filtering
Let’s quickly examine these.


Domain and organizational unit-based filtering
With this method, you can deselect large portions of your directory by modifying the list of domains or organizational units that are selected for synchronization. While there are several ways to do this, the easiest way is through the Azure AD Connect setup and configuration tool:

  1. To launch the Azure AD Connect configuration tool, double-click the Azure AD Connect icon on the desktop of the server where Azure AD Connect is installed. After it launches, click Configure.
  2. On the Additional tasks page, select Customize synchronization options and then click Next.

Figure 4.8 – The Additional tasks page

  1. On the Connect to Azure AD page, enter a credential with either the Global Administrator or Hybrid Identity Administrator role and click Next.
  2. On the Connect your directories page, click Next.
  3. On the Domain and OU filtering page, select the Sync selected domains and OUs radio button, and then select or clear objects to include or exclude from synchronization.

Figure 4.9 – The Azure AD Connect Domain and OU filtering page

  1. Click Next.
  2. On the Optional features page, click Next.
  3. On the Ready to configure page, click Configure.
    After synchronization completes, verify that only objects from in-scope organizational units or domains are present in Azure AD.
    Group-based filtering
    Azure AD Connect only supports the configuration of group-based filtering if you choose to customize the Azure AD Connect setup. It is not available if you perform an express installation.
    That being said, if you’ve chosen a custom installation, you can choose to limit the synchronization scope to a single group. On the Filter users and devices page of the configuration wizard, select the Synchronize selected radio button and then enter the name or distinguished name (DN) of a group that contains the users and devices to be synchronized.

Figure 4.10 – The Filter users and devices page
With group-based filtering, only direct members of the group are synchronized. Users, groups, contacts, or devices nested inside other groups are not resolved or synchronized.
Microsoft recommends group-based filtering for piloting purposes only.

More Details
Jan 4, 2023
Azure AD Connect Health– Implementing and Managing Identity Synchronization with Azure AD

You can see the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16.

Figure 4.16 – Azure AD Connect Health
While the Azure AD Connect Health agent for sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:
• Azure AD Connect Health Agent for DS: https://go.microsoft.com/fwlink/?LinkID=820540
• Azure AD Connect Health Agent for AD FS: https://go.microsoft.com/fwlink/?LinkID=518973
If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.
Azure AD Connect Health for sync
The core health product, Azure AD Connect Health for sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.
You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) on the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth).

Figure 4.17 – Azure AD Connect Health sync errors
Selecting an error type will allow you to drill down into individual errors. In the example in Figure 4.18, Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details
You can use this information to identify and troubleshoot on-premises objects.
Azure AD Connect Health for Directory Services
Microsoft recommends deploying Azure AD Connect Health for Directory Services agents on all domain controllers you want to monitor, or at least one for each domain.
The Azure AD Connect Health agent deployment is relatively straightforward, asking only for a credential to complete the installation. Once the installation has completed, you can review details about your domain controller health in the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth.
On the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view the details.

Figure 4.19 – Azure AD Connect Health AD DS services
The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations.

Figure 4.20 – The Azure AD Connect Health for AD Directory Services details page
Errors that are detected here should be resolved in your on-premises Active Directory environment.

More Details
Nov 16, 2022
Choosing between Azure AD Connect and Azure AD Connect Cloud Sync– Planning Identity Synchronization

Azure AD Cloud Sync is the next evolution of the directory synchronization product. While it does not yet have full parity with Azure AD Connect features, Azure AD Connect Cloud Sync (sometimes referred to as Cloud Sync) can provide additional features and benefits that Azure AD Connect cannot:

  • While Azure AD Connect requires on-premises connectivity between the Azure AD Connect server and all connected forests, Azure AD Connect Cloud Sync can import identities from forests that do not have site-to-site connectivity. This makes Cloud Sync advantageous when dealing with mergers and acquisitions as well as organizations that have multiple, disconnected business units.
  • Lightweight on-premises provisioning agents with cloud-managed sync configuration. Multiple sync agents can be installed to provide fault tolerance and redundancy for password hash synchronization customers.

However, Cloud Sync provides fewer overall features. The following list identifies the core feature gaps:

  • Cloud Sync does not support on-premises LDAP directories.
  • Cloud Sync does not support device objects.
  • Pass-through authentication is unavailable with Cloud Sync.
  • Advanced filtering and scoping (such as by using object attributes) are not supported with Cloud Sync, nor are advanced configurations of custom synchronization rules.
  • Azure AD Connect Cloud Sync does not support more than 150,000 objects per AD domain, nor does it support Azure AD Domain Services (Azure AD DS). Since Cloud Sync is limited to 150,000 objects, it does not support large groups (up to 250,000 members).
  • Cloud Sync does not support Exchange hybrid writeback or group writeback.
  • Cloud Sync cannot merge object attributes from multiple source domains.

A full comparison of features is available at https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync. As you can see from the previous lists, Azure AD Connect Cloud Sync is potentially a good option for organizations that don’t have more than 150,000 objects in any single domain, don’t require object or property writeback, and don’t need to heavily customize synchronization rules.

Planning user sign-in

The final step in planning your hybrid identity solution is around what type of sign-in experience you want to deploy for your users. As discussed briefly in the Designing synchronization solutions section, there are three core methods for managing user sign-in:

  • Password hash synchronization
  • Pass-through authentication
  • Federation

While all three of these solutions utilize some sort of identity synchronization technology, knowing the features and capabilities of each will help you choose the option that’s right for your organization.

Let’s explore each of these options in a little more detail.

More Details