Azure AD Connect is a Microsoft tool designed to help organizations with hybrid IT environments. It is included for free with your Azure subscription. It offers multiple features, including federation integration and health monitoring. However, today we'll focus on its best-known capability: synchronization.
Organizations use Azure AD Connect to automatically synchronize identity data between their on-premises Active Directory environment and Azure AD. That way, users can use the same credentials to access both on-premises applications and cloud services.
Azure AD Connect supports five main features:
- Password hash synchronization – Password hash synchronization is a sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
- Pass-through authentication – Azure Active Directory Pass-through Authentication allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
- Federation integration – Federation is optional in Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronization – Synchronization is responsible for creating users, groups, and other objects, and for making sure the identity information for your on-premises users and groups matches what is in the cloud. This synchronization also includes password hashes.
- Health Monitoring – Azure AD Connect Health provides monitoring and a central location in the Azure portal to view this activity.
How does it work?
You install the application on a domain-joined server in your on-premises data center. The default installation option is Express Settings, which is used for the most common scenario: synchronizing data between a single on-premises forest that has one or more domains and a single Azure AD tenant. If you have multiple forests or multiple Azure AD tenants, check out the other topologies that Microsoft supports.
By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD. That way, for instance, if a user changes their password using the Azure AD self-service password management function, the password will be updated in the on-premises AD.
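As an added example (not from the original article), a read-only PowerShell check you can run on the Azure AD Connect server to see which way the sync is actually configured: whether the scheduler is running, whether the server is in staging mode, and which writeback features are switched on. It assumes the ADSync module that ships with Azure AD Connect is installed on that server and that the Azure AD connector keeps the default name ending in "- AAD".

```powershell
# Added example: report the sync-direction settings of an Azure AD Connect server.
# Assumption: run on the Azure AD Connect server, where the ADSync module is installed.
Import-Module ADSync -ErrorAction Stop

# Scheduler state: is the automatic sync cycle enabled, how often does it run,
# and is this server in staging mode (imports from both directories, exports to neither)?
$scheduler = Get-ADSyncScheduler
[PSCustomObject]@{
    SyncCycleEnabled = $scheduler.SyncCycleEnabled
    EffectiveInterval = $scheduler.CurrentlyEffectiveSyncCycleInterval
    StagingModeEnabled = $scheduler.StagingModeEnabled
    NextSyncUtc = $scheduler.NextSyncCycleStartTimeInUTC
} | Format-List

# Tenant-level features: password hash sync plus the writeback options that make
# changes flow from Azure AD back to on-premises AD instead of one way only.
Get-ADSyncAADCompanyFeature | Format-List

# Password writeback is configured per Azure AD connector. The connector is located
# by its default name suffix; that naming is an assumption, so check Get-ADSyncConnector
# if nothing is found.
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1
if ($aadConnector) {
    Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name | Format-List
} else {
    Write-Warning 'No Azure AD connector matched the default "* - AAD" name pattern.'
}
```

Any writeback feature reported as enabled means the sync is no longer strictly one way, which is worth confirming against what the organization intended to deploy.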
Why use Azure AD Connect?
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations have some advantages:
- Users can use a single identity to access on-premises applications and cloud services.
- A single tool provides an easy deployment experience for synchronization and sign-in.
- It provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync.