Azure Active Directory Synchronization: An Introduction, Part 1
This post is a first in a series about Azure Active Directory Synchronization, covering part 1 of the introduction. Follow up posts will cover:
Why you want have synchronization
For those who don’t work regularly with Office 365 or other Microsoft cloud services (like Azure, Exchange Online Protection), it can be a complex myriad of information to work through in order to find out what you exactly need. In all cases you want or are required to synchronize your on-premises Active Directory objects (users, contacts and groups) to Microsoft cloud services; Azure Active Directory to be precise which all of those services use. For instance, for Same Sign On (also requires Password Sync) or Single-Sign On (requires Active Directory Federation Services, ADFS) scenarios in Office 365 and specific filtering options in Exchange Online Protection, synchronization is required.
Sync vs. AD FS
To be clear, the mentioned synchronization products (DirSync, AADSync and FIM) are different than Active Directory Federation Services (AD FS).
If you require synchronization, it does not require AD FS. However, if your organization requires AD FS for Single Sign On, or additional features like Azure Multi-Factor Authentication (MFA), you always require a synchronization tool; in these scenarios AD FS is used for authentication, so within the context of Office 365 the services knows which user has access to specific services. If that user connects to that online service, it will redirect the client or browser to your on-premises AD FS infrastructure and you will have to authenticate on your own servers. The browser or client will receive an authentication token that (if valid) will be accepted by Office 365.
How to Sync
There are multiple tools to achieve a synced directory. This post is an introduction to several solutions. There are several tools:
- DirSync or Azure Active Directory Sync Tool
- AADSync or Azure Active Directory Synchronization Services
- AAD Connect or Azure Active Directory Connect Tool
- FIM or ForeFront Identity Manager 2012 R2
Note that the names have a great similarity, a source of much confusion in my experience. Under the hood, of course, they are completely different.
The first tool, DirSync, is the current standard and a download location for this tool can be found in the Office 365 portal, when you walk through the wizard to setup Directory Synchronization. It’s a slimmed down version of ForeFront Identity Manager (FIM), specifically designed for use with Microsoft cloud services. It’s currently deprecated, which means no new features are to be expected. However, for a lot of scenarios this is the tool to go with. The successor to DirSync is or will be AADSync. For more information, click here.
If you require more advanced features, like synchronization from multiple Active Directory Forests, Password Write-back etc. you will have to use AADSync. Although this tool is already General Available (GA) for a while, not all scenario’s are currently supported, such as the scenario with multiple Active Directory forests, each with Microsoft Exchange (note: multiple AD forests with just one Exchange environment in one forest is supported). This is why for now you should use DirSync unless you require additional features that are currently explicitly supported. An in-place upgrade from DirSync to AADSync is (currently) not supported. You will require to fully uninstall DirSync, install AADSync and configure all settings again. However, that will change in the future. For more information, see AAD Connect.
AAD Connect is not a synchronization tool in itself, it’s a installation and configuration tool that helps you install prerequisites, DirSync/AADSync (installation files will be downloaded), configure AD FS (if necessary) and additional features and checks. It’s currently in Public Preview, so it’s not yet supported for production environments. It will be possible to in-place upgrade from DirSync to AADSync, with the help of this tool. In time this will be the only tool available.
ForeFront Identity Manager 2012 R2 is the big brother of DirSync/AADSync. Much of the logic is the same, some interfaces are very reminiscent of FIM. It is used to synchronize objects between different Active Directory Forests and other sources like SQL Servers. For instance, if you have a merger and require specific resources from other forests, it might be necessary to synchronize certain objects. But it can also be used to synchronize objects to Office 365. If you already have a FIM installation, you could use this instead of DirSync/AADSync in specific scenarios.
There are currently several tools available to synchronize objects from your on-premises Active Directory to Office 365/Azure Active Directory. DirSync is the first choice, in certain supported scenarios AADSync, and if already present FIM can be used in certain situations instead of either sync tools. DirSync and AADsync will be incorporated in (and in effect replaced by) the not yet Generally Available AAD Connect tool, which can install, help with configuration and test your implementation including AD FS.