Azure AD Connect Custom Settings vs Express Settings

Azure AD Connect

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAPv3-based identity platforms to Azure Active Directory.

During installation, Azure AD Connect offers a choice. It is the first choice in the wizard and also the most fundamental one, because it determines which settings can still be changed afterwards:

[Screenshot: Microsoft Azure Active Directory Connect - Express Settings page of the installation wizard]

  • You can Use express settings
  • You may Customize the installation

Many customers have opted to install Azure AD Connect with Express Settings. This four-click setup has a couple of advantages over the more elaborate Custom Settings installation options, but it also fixes several choices for the lifetime of the installation.

The table below offers an overview of the differences between using express settings and customizing Azure AD Connect, based on Azure AD Connect version 1.1.654.0, released on December 12, 2017:

[Table: Azure AD Connect Express Settings vs. Custom Settings. Rows cover the sign-in methods (Password Hash Sync, Active Directory Federation Services, Pass-through Authentication and Seamless Single Sign-On), installation options (choosing a SQL Server, the service account and alternative local group names), Multi-Factor Authentication, Privileged Identity Management, filtering options (domain-, OU- and group-based filtering and Minsync), and optional features (Hybrid Exchange, Public Folders, Self-Service Password Reset, write-back for Office Groups and devices, and synchronization of your own Active Directory schema extensions). Columns: setting, Express Settings, Custom Settings, changeable after installation.]

The fourth column shows whether you can change the setting after the initial installation through subsequent configuration runs of the wizard. Your mileage may vary on the outcome, though.

By default, Azure AD Connect configures Password Hash Sync (PHS) as the sign-in method. This option synchronizes a hash of the on-premises NT password hash from Active Directory Domain Services (AD DS) to Azure AD for all user and inetOrgPerson objects in scope; to read those hashes, the AD DS Connector account needs the Replicating Directory Changes and Replicating Directory Changes All permissions, which makes the Azure AD Connect server and its accounts as sensitive as a domain controller. PHS is a Same Sign-on (SSO) method: users have the same password in both directories, but sign in to each separately. When you later migrate to one of the Single Sign-On (SSO) options, like Active Directory Federation Services (AD FS) or Pass-through Authentication (PTA), the hashes already synchronized to Azure AD won't magically disappear.

As you can see, the Custom Settings installation option allows you to optionally (re)use a (group) managed service account (gMSA) as the service account for the synchronization service. This option was added in Azure AD Connect version 1.1.443.0, back in March 2017. It's described here.

As shown, when you Use express settings,

  • You can’t later on change the installation path.
  • You can’t switch to using Microsoft SQL Server instead of the default SQL Server Express installation to host the database for Azure AD Connect.
  • You can’t switch the service account that runs the Azure AD Connect synchronization service and connects to the SQL Server back-end through the Azure AD Connect wizard. You can, however, change the credentials used to communicate with Active Directory Domain Services (AD DS) and with Azure AD in the Synchronization Service Manager.
  • You can’t change the names of the four local groups that will be created on the Windows Server installation running Azure AD Connect.

If you want to make these changes, you will need to uninstall and reinstall Azure AD Connect, or set up a new Azure AD Connect installation in Staging Mode with the desired settings and then switch it to the active installation.
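Before deciding whether a reinstall is needed, it helps to know which of the fixed settings an existing server actually uses. The following PowerShell script is an added example (not part of the original post and not Microsoft's own tooling) that inventories the installation path, SQL back-end, service account and local groups of an Azure AD Connect server. It assumes the synchronization service is named ADSync, that its SQL settings are stored as the Server, SQLInstance and DBName values under HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters, and that the local groups still carry their default ADSync* names (a Custom Settings install may have renamed them).

```powershell
# Added example: inventory the Azure AD Connect settings that cannot be changed through the wizard.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumptions: service name 'ADSync'; SQL settings in the ADSync\Parameters registry key;
# local groups keep the default ADSync* names; the ADSync module is available for Get-ADSyncScheduler.

function Get-AADConnectFixedSettings {
    [CmdletBinding()]
    param()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if (-not $svc) {
        throw "Service 'ADSync' not found. Is Azure AD Connect installed on this host?"
    }

    # PathName holds the (quoted) path to miiserver.exe; its folder is the installation path.
    $exePath     = $svc.PathName.Trim('"')
    $installPath = Split-Path -Path $exePath -Parent

    # SQL back-end (assumed registry layout). An Express install uses SQL Server Express LocalDB,
    # which shows up as a (localdb) server; a remote host name points at a full SQL Server.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
    $params  = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $sqlServer   = if ($params) { $params.Server }      else { '<not found>' }
    $sqlInstance = if ($params) { $params.SQLInstance } else { '<not found>' }
    $dbName      = if ($params) { $params.DBName }      else { '<not found>' }
    $usesLocalDb = $sqlServer -like '(localdb)*'

    # Service account. Names ending in '$' are (group) managed service accounts,
    # 'NT SERVICE\ADSync' is a virtual service account, and AAD_<hex> is the classic
    # account the wizard creates (local or domain).
    $account     = $svc.StartName
    $accountType = switch -Regex ($account) {
        '\$$'                    { 'Managed service account (gMSA/sMSA)'; break }
        '^NT SERVICE\\'          { 'Virtual service account'; break }
        '\\AAD_[0-9A-Fa-f]+$'    { 'Wizard-created AAD_ account'; break }
        default                  { 'Other user account' }
    }

    # Local groups created at install time; only default names are matched here.
    $groups = Get-CimInstance -ClassName Win32_Group -Filter "LocalAccount=TRUE AND Name LIKE 'ADSync%'" |
              Select-Object -ExpandProperty Name

    # Staging mode tells you whether this is the active server or a standby for a switch-over.
    Import-Module ADSync -ErrorAction SilentlyContinue
    $staging = $null
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        $staging = (Get-ADSyncScheduler).StagingModeEnabled
    }

    [pscustomobject]@{
        InstallPath        = $installPath
        SqlServer          = $sqlServer
        SqlInstance        = $sqlInstance
        Database           = $dbName
        UsesLocalDb        = $usesLocalDb
        ServiceAccount     = $account
        ServiceAccountType = $accountType
        LocalGroups        = ($groups -join ', ')
        StagingModeEnabled = $staging
    }
}

Get-AADConnectFixedSettings | Format-List
```

A server reporting UsesLocalDb = True, a wizard-created AAD_ account and the four default ADSync* groups is the typical Express Settings footprint; moving any of those to SQL Server, a gMSA or differently named groups is exactly the work the list above says requires a reinstall or a staging-mode switch-over. The service account and the AD DS Connector credentials this server holds warrant the same protection as domain controller credentials.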


Concluding

Haste trips over its own heels.

Getting Office 365 and Azure Active Directory to work together in a mere four clicks sounds fantastic, but when you want to change the installation path, SQL back-end, service account or group names later on, you might find yourself doing the work twice.
