Azure AD Connect works wonders for hybrid IT environments. It's a Microsoft tool that comes at no extra cost with your Azure AD tenant and offers synchronization, federation integration and (with a premium license) health monitoring.
With this tool, organizations automatically synchronize identity data between their on-premises Active Directory and Azure AD.
That way, every user can use the same details for accessing cloud services and on-premises applications.
In this article, we discuss Azure AD Connect in detail, so let’s dive in.
What is Azure AD Connect, and What is it Used for?
Identity management becomes complex when your team has data and applications both in the cloud and on-premises.
Users who hold a separate account for each environment must sign in to both, and making cloud and on-premises software work together is hard.
That's where Microsoft steps in with Azure AD Connect. An employee gets one Azure Active Directory identity that works for cloud services such as Microsoft 365 and for on-premises resources.
Simply put, users get a single identity across their cloud and on-premises applications. Azure AD Connect also replaces the older tools Azure AD Sync and DirSync.
The best part? It has more capabilities than those earlier tools and comes at no extra cost.
Five Vital Features of Azure AD Connect
You can implement a hybrid identity with any of the following options provided by Azure AD Connect:
- Federation integration
- Synchronization services
- Password hash synchronization
- Pass-through authentication
- Health monitoring (premium)
Let’s discuss each feature in detail so you can learn more about Azure AD Connect and the capabilities of this versatile tool.
Federation Integration
Federation delegates authentication to a separate trusted system: Azure AD redirects the sign-in to an on-premises federation service such as Active Directory Federation Services (AD FS), which validates the credentials and returns a signed token. It's one of the most useful options for a hybrid identity.
Because the federation service performs the authentication itself, it can support whatever methods it offers, including hardware tokens, multi-factor authentication, and smart cards.
A federation service can also treat certain devices as trusted and not prompt their users for credentials or other proof of identity again.
The level of complexity depends entirely on the authentication system. Third-party federation providers work as long as Azure AD supports them.
A federated environment usually runs AD FS as a server farm behind Web Application Proxy servers rather than as a single server, so one faulty node won't lock users out. The farm depends on certificates: a TLS certificate for the service endpoint and a token-signing certificate that Azure AD trusts, both of which must be renewed before they expire. Protect the token-signing key carefully, because whoever holds it can mint valid tokens for any federated user.
Organizations that already run a reliable on-premises authentication service appreciate AD FS because it keeps authentication on-premises and saves them from changing it.
Synchronization Services
The sync engine of Azure AD Connect manages the synchronization between on-premises directories and Azure AD by creating and updating the corresponding Azure AD objects.
It creates user and group objects in Azure AD and keeps their attributes consistent with the on-premises identity data.
The synchronization services consist of two main parts:
- Azure AD Connect sync (the on-premises component, installed on a domain-joined server).
- Azure AD Connect sync service (the cloud component in Azure AD).
The sync engine can read identity information from several sources, including Active Directory and, through additional connectors, LDAP directories and SQL databases.
The engine keeps a local copy of what it imports in a staging area (the connector space and metaverse), so it can keep processing and exporting the objects it already holds even if a source is unreachable at that moment.
The synchronization services also carry password hash synchronization (discussed below) and other features such as writeback.
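As an added example (not code from the original article or from Microsoft), the following PowerShell script inspects the sync scheduler and the password hash sync setting on the Azure AD Connect server and then forces a delta sync cycle, which is also the remedy for the account-status lag mentioned under Password Hash Synchronization below. It uses the ADSync module that ships with Azure AD Connect; the connector name contoso.com is an assumption, and the script must run on the Azure AD Connect server as a member of the local ADSyncAdmins group.

```powershell
# Added example, not part of Azure AD Connect itself. Run on the Azure AD
# Connect server (ADSync module) as a member of the ADSyncAdmins group.
Import-Module ADSync

# Assumption: the on-premises AD connector is named after the forest root domain.
$domainConnector = 'contoso.com'

# 1. Scheduler state: the effective interval (30 minutes by default), whether
#    this server is in staging mode, and whether a cycle is running right now.
$scheduler = Get-ADSyncScheduler
$scheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCyclePolicyType,
                  NextSyncCycleStartTimeInUTC, SyncCycleInProgress |
    Format-List

if ($scheduler.StagingModeEnabled) {
    Write-Warning 'This server is in staging mode: it imports and syncs but never exports to Azure AD.'
}

# 2. The connectors this server synchronizes: on-premises AD (and any LDAP/SQL
#    sources) on one side, the Azure AD connector on the other.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# 3. Password hash synchronization is configured per source connector. If it is
#    off, on-premises password changes never reach Azure AD.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $domainConnector
if (-not $phs.Enabled) {
    Write-Warning "Password hash sync is disabled on connector '$domainConnector'."
}

# 4. Force a delta cycle (only changed objects), for example right after an
#    account has been disabled on-premises, so the disabled state reaches
#    Azure AD before the next scheduled cycle. Never queue a second cycle
#    while one is still running.
if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already in progress; not starting another one.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
    # 5. Wait until no connector reports a run in progress, then confirm.
    while (Get-ADSyncConnectorRunStatus) {
        Start-Sleep -Seconds 5
    }
    Write-Host "Delta sync cycle finished at $(Get-Date -Format u)."
}
```

A delta cycle moves object and attribute changes; it does not affect password hash sync, which runs on its own two-minute timer once the connector has it enabled.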
Password Hash Synchronization
Password hash synchronization makes work and life easier for users.
Having one password for all accounts means users practise the same password repeatedly, so they're less likely to forget it.
With Azure AD Connect, users sign in to Microsoft online services such as Microsoft 365 with the same password they use against on-premises Active Directory.
This doesn't expose the password. The sync agent never reads the cleartext password: it retrieves the password hash from Active Directory, re-hashes it with a per-user salt using PBKDF2-HMAC-SHA256, and sends only that result to Azure AD over TLS, so the synced value can't be replayed as a pass-the-hash credential against on-premises resources. Password hashes are synchronized every two minutes, independently of the regular sync cycle.
The password is never stored or sent in cleartext, which protects users' privacy.
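The re-hashing just described, reproduced as an added PowerShell example (my own code, not Microsoft's agent): it applies the transform Microsoft documents for password hash synchronization to a sample NT hash, so you can see that the value handed to Azure AD is a salted PBKDF2 output rather than the hash that on-premises authentication accepts. The NT hash is a constructed sample (the hash of the password "password"), the 10-byte salt is generated locally, and the script assumes PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7) for the SHA-256 variant of Rfc2898DeriveBytes.

```powershell
# Added example, not Microsoft's code: the documented transform the password
# hash sync agent applies to an NT hash before anything leaves the server.
function Protect-NtHashForSync {
    param(
        [Parameter(Mandatory)][string]$NtHashHex,   # 32 hex chars = 16-byte MD4 (NT) hash
        [byte[]]$Salt                               # 10 random bytes per user if omitted
    )
    if ($NtHashHex -notmatch '^[0-9a-fA-F]{32}$') {
        throw 'An NT hash is 16 bytes, i.e. 32 hexadecimal characters.'
    }
    if (-not $Salt) {
        $Salt = New-Object byte[] 10
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Salt)
    }
    # Step 1: the 16-byte hash is expanded to 64 bytes by UTF-16LE encoding its
    # lowercase hex string (documented behaviour of the agent).
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($NtHashHex.ToLowerInvariant())
    # Step 2: PBKDF2 with HMAC-SHA256, 1,000 iterations and a 32-byte output,
    # keyed by the expanded hash and salted with the per-user salt.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, 1000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $derived = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    # What actually travels to Azure AD: salt, iteration count and derived hash.
    [pscustomobject]@{
        Salt       = [System.BitConverter]::ToString($Salt).Replace('-', '')
        Iterations = 1000
        Hash       = [System.BitConverter]::ToString($derived).Replace('-', '')
    }
}

# Constructed sample input: the NT hash of the password "password".
$sampleNtHash = '8846f7eaee8fb117ad06bdd830b7586c'
$first  = Protect-NtHashForSync -NtHashHex $sampleNtHash
$second = Protect-NtHashForSync -NtHashHex $sampleNtHash
$first, $second | Format-Table Salt, Iterations, Hash -AutoSize
```

The two rows show the same NT hash producing two different synced values because each call draws a fresh salt. Azure AD stores the salt and iteration count beside the hash so it can repeat the computation at sign-in, while an attacker who obtains the stored value has neither the password nor the NT hash that on-premises Kerberos or NTLM authentication would accept.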
Hash synchronization is the simplest of the three sign-in methods (the others being pass-through authentication and federation) through which Azure AD Connect delivers hybrid identity and single sign-on.
You can still enforce multi-factor authentication with Azure AD Multi-Factor Authentication or Conditional Access custom controls.
Note that account status changes, such as disabling an account, travel with the regular sync cycle, which runs every 30 minutes by default, so there's a short lag. It's easy to shorten: administrators can start a delta synchronization cycle to push the change to Azure AD immediately.
Lastly, if you have a single-forest topology and use password hash synchronization, the express settings save time.
Pass-Through Authentication
You can also implement a hybrid identity with another great feature of Azure AD Connect: pass-through authentication.
This feature uses on-premises authentication agents. In simpler words, the cloud service holds no password data at all, not even hashes.
Azure AD receives the password at sign-in, encrypts it with the public key of an agent and places it on a queue; an agent retrieves it, validates it against a domain controller, and returns the result. Azure AD never persists the password.
Pass-through authentication is a great choice if your organization has strict rules against passwords, even hashed ones, leaving the premises.
The on-premises agents do all the validation and send the result back to Azure AD. Azure AD then enforces multi-factor authentication if it's configured that way.
Benefits of Pass-Through Authentication
Another benefit of pass-through authentication is that user-level Active Directory security policies, such as account and password expiration, sign-in hours and account lockout, are evaluated at sign-in time rather than at the next sync.
As you can see, the on-premises agents handle everything. Install multiple lightweight agents on different on-premises servers for redundancy; Microsoft recommends at least three, the first of which comes with Azure AD Connect itself.
Having agents on multiple servers maximizes the availability of the sign-in service and removes the need for a federated environment with its extra infrastructure. Because each agent decrypts user passwords and validates them against a domain controller, treat the servers that run agents with the same care as domain controllers.
Azure AD Connect Health
No matter which identity authentication feature is in question, you should get a safe, reliable, and highly available service.
Otherwise, a failure to update identity data could lock workers out or leave disabled accounts able to sign in, which isn't good news.
Moreover, administrators should know how the authentication system behaves so they can recognize and handle intrusion attempts and outages quickly.
That’s where Azure AD Connect Health kicks in and offers health monitoring of your on-premises identity infrastructure.
What Does Azure AD Connect Health Offer?
Azure AD Connect Health is a premium feature (it requires Azure AD Premium P1) with a portal where administrators see alerts, usage analytics and synchronization errors.
Every identity server you want monitored (the Azure AD Connect server, AD FS servers and domain controllers) needs a Health agent installed, but don't worry: installing the agents isn't hard, and auto-upgrade of the agents is on by default, which saves time.
Overall, the health data helps administrators keep the security level high, spot unusual sign-in activity such as failed logins from risky IP addresses against AD FS, and handle issues promptly.
What’s Azure AD Connect Cloud Sync?
Azure AD Connect Cloud Sync is a newer option Microsoft offers for meeting the different hybrid needs of companies.
This service synchronizes users, groups, and contacts to Azure AD by replacing the Azure AD Connect application with the lightweight Azure AD provisioning agent; the sync configuration itself lives in the cloud.
The best part? You can run Azure AD Connect Cloud Sync alongside Azure AD Connect and enjoy the benefits of both.
Although Azure AD Connect Cloud Sync shares crucial features with Azure AD Connect, it differs in many ways.
Cloud Sync's default sync interval is every 2 minutes versus 30 minutes for Azure AD Connect.
Let’s learn more about the differences between Azure AD Connect Cloud Sync and Azure AD Connect.
How’s Azure AD Connect Cloud Sync Different From Azure AD Connect?
Please note that you can have both at the same time, which is great for high availability of password hash sync to the cloud. Cloud Sync also suits merger and acquisition scenarios where some identities are needed in the cloud but live in a forest that isn't connected to the one your primary Azure AD Connect instance syncs (and you don't want to use Azure AD guest accounts).
When you use Azure AD Connect Cloud Sync, the Microsoft Online Services orchestrate the provisioning from AD to Azure AD.
You only deploy a lightweight agent in your company's on-premises or IaaS-hosted environment. The agent acts as a bridge between AD and Azure AD.
However, as mentioned, it's not the same as Azure AD Connect. Here's a list of what Azure AD Connect Cloud Sync lacks:
- It doesn’t support device objects.
- It doesn’t support Exchange hybrid writeback.
- It doesn’t support LDAPv3-compatible identity stores.
- Lacks support for Pass-Through Authentication (PTA).
- There's no support for customer-defined AD attributes (directory extensions).
- Lacks support for editing synchronization rules (advanced attribute-flow customization).
- It doesn’t support writeback for groups, devices, or passwords.
- Lacks support for cross-domain references.
- There's no support for Windows Hello for Business.
- There’s no hybrid Azure AD join.
As you can see, Azure AD Connect Cloud Sync lacks some vital features, but Microsoft says it plans to remove these limitations in future updates.
So, What is Azure AD Connect and Why Use it?
In a nutshell, Azure AD Connect makes work and life easier for organizations.
With this useful tool, you can quickly link your cloud environment and on-premises apps and services in several ways and ensure a smooth working environment, but most importantly a much safer one. Remember that the Azure AD Connect server holds credentials for both directories, so treat it as a Tier 0 asset and restrict administrative access to it as tightly as you do for domain controllers.
> Learn how to Monitor Azure AD emergency accounts with Microsoft Sentinel.
> Learn more about advanced Azure AD hunting with Microsoft Sentinel.
> Learn how to Monitor Azure AD Guest Users with Microsoft Sentinel.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.