Ten things you should know about Azure AD Connect Cloud Sync


Roughly a year ago, I wrote a blogpost on the ten things you need to know about Azure AD Connect Cloud Provisioning. At that time, the agent was in public preview. Today, I want to talk about the renamed product: Azure AD Connect Cloud Sync, because I feel there are a couple of things you should know, now that Microsoft announced the feature at Microsoft Ignite 2021 Spring Edition.

About Azure AD Connect Cloud Sync

Azure AD Connect Cloud Sync, previously known as Azure AD Connect Cloud Provisioning, is a new Microsoft service for synchronization of users, groups and contacts to Azure AD.

In contrast to Azure AD Connect, the database, rules and engine are not placed on a Windows Server installation on-premises, but within the Azure Active Directory infrastructure. An on-premises agent setup offers a lightweight, fast to deploy and easy to manage solution to connect Active Directory to Azure AD.

Ten things you need to know

Azure AD Connect Cloud Sync sounds like a nice solution, but in reality, there are a couple of things you’ll want to know before deploying it to address your organization’s needs:

Azure AD Connect Cloud Sync is generally available

Azure AD Connect Cloud Sync is generally available. You can deploy it in production and Microsoft supports issues you might have with this new service.

There shouldn’t be anything in your organization’s way to pursue adoption of the Azure AD Connect Cloud Sync model.

Azure AD Connect Cloud Sync offers Domain Controller priority

Azure AD Connect, the on-premises synchronization engine, integrates with Active Directory sites and services and uses DCLocator to decide on Domain Controllers to use.

Azure AD Cloud Sync, on the other hand, offers domain controller priority. From the Azure AD Connect Cloud Sync interface, that is part of the Azure (AD) Portal, you can pick and prioritize Domain Controllers to use.

Azure AD Connect Cloud Sync offers true group filtering

Azure AD Connect, the on-premises synchronization engine, offers a feature to pilot the use of Azure AD through its Group Filtering feature. Objects that have a direct membership to the single group specified on the Group Filtering page of the Azure AD Connect configuration wizard are the only objects in scope for synchronization.

Azure AD Connect Cloud Sync offers true Group Filtering. From the Azure AD Connect Cloud Sync interface, that is part of the Azure (AD) Portal, you can specify the groups whose members you want to be in scope for synchronization.

Granted, by customizing synchronization rules in Azure AD Connect, you can achieve filtering based on other attributes, like the userPrincipalName suffix. Both methods leave room for flexibility in deciding the object scope.

Azure AD Connect Cloud Sync doesn’t support on-premises LDAP directories

Azure AD Connect, the on-premises synchronization engine, offers support for LDAPv3-compatible directories. Azure AD Cloud Sync does not.

Azure AD Connect Cloud Sync doesn’t support device objects

You cannot synchronize device objects using Azure AD Connect Cloud Sync. This also means that you cannot use the Hybrid Azure AD Join feature with Azure AD Connect Cloud Sync.

If you want to configure devices for Hybrid Azure AD Join, deploy Azure AD Connect as an on-premises synchronization solution.

Azure AD Connect Cloud Sync doesn’t support password, device or group writeback and doesn’t support Exchange Hybrid

Azure AD Connect, the on-premises synchronization engine, offers many writeback features. It supports writeback of passwords, devices and groups from Azure AD to Active Directory.

Azure AD Connect Cloud Sync does not. It also doesn’t support the mS-DS-ConsistencyGUID as the source anchor. Instead, it currently defaults to the objectGUID attribute to relate objects end-to-end.

Without any of the writeback features from Azure AD Connect, you might also suspect that Azure AD Connect Cloud Sync doesn’t support Exchange Hybrid scenarios. You’d be right.
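To make the source anchor point concrete, here is an added example (not code from the original post) that builds the Azure AD ImmutableId from a GUID and shows what happens to the anchor when an account is migrated to another forest, once with objectGUID as the anchor and once with mS-DS-ConsistencyGUID. The GUIDs are constructed sample values, and the final commented-out line assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post: why the source anchor choice matters when
# accounts move between forests. The GUIDs below are constructed sample values.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # Azure AD's ImmutableId is the Base64 form of the GUID's 16 bytes in Guid.ToByteArray() order
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# 1. The account as it exists in the source forest
$sourceObjectGuid = [guid]'2d0c5fd8-7d9e-4b1a-9c3e-0a1b2c3d4e5f'   # constructed value
$anchorBefore     = ConvertTo-ImmutableId $sourceObjectGuid

# 2. A cross-forest migration creates a new object, so it receives a fresh objectGUID
$targetObjectGuid = [guid]::NewGuid()

# Scenario A: objectGUID is the anchor (the Cloud Sync default). The anchor no longer matches
# the one Azure AD already holds, so the migrated account cannot be matched to its cloud object.
$anchorObjectGuid = ConvertTo-ImmutableId $targetObjectGuid

# Scenario B: mS-DS-ConsistencyGUID is the anchor (Azure AD Connect). The migration tooling
# stamps the old objectGUID into that attribute on the new object, so the anchor stays stable.
$consistencyGuid       = $sourceObjectGuid
$anchorConsistencyGuid = ConvertTo-ImmutableId $consistencyGuid

[pscustomobject]@{
    AnchorInAzureAD             = $anchorBefore
    ObjectGuidAnchorAfterMove   = $anchorObjectGuid
    ObjectGuidStillMatches      = ($anchorObjectGuid -eq $anchorBefore)
    ConsistencyGuidAnchor       = $anchorConsistencyGuid
    ConsistencyGuidStillMatches = ($anchorConsistencyGuid -eq $anchorBefore)
} | Format-List

# Round trip: the cloud-side ImmutableId decodes back to the on-premises GUID
ConvertFrom-ImmutableId $anchorBefore

# To read both candidate anchors from a live account (RSAT ActiveDirectory module):
# Get-ADUser -Identity jdoe -Properties objectGUID, 'mS-DS-ConsistencyGuid'
```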

Azure AD Connect Cloud Sync doesn’t support directory extensions

Azure AD Connect offers synchronization of attributes that originate in 3rd-party schema extensions. You can configure this feature by enabling the Directory extension attribute sync feature on the Optional Features page of Azure AD Connect’s configuration wizard.

Azure AD Connect Cloud Sync doesn’t support directory extensions.

Azure AD Connect Cloud Sync doesn’t support Azure AD Connect Health

Azure AD Connect Health is a service that reports on the availability and configuration of Azure AD Connect installations, AD FS servers, Web Application Proxies and Domain Controllers.

Alas, just like pass-through authentication (PTA) agents, Azure AD Connect Cloud Sync agents lack integration with Azure AD Connect Health. The Azure AD Portal will show you perfect green checks when the agent is able to communicate with the Azure AD infrastructure. However, the green check you see doesn’t mean the agent is able to communicate with Domain Controllers…
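Because the portal only tells you the agent can reach Azure AD, the check below is an added example (not from the original post or from Microsoft) that you can run on the agent host itself to verify it can also reach the Domain Controllers it is meant to use. It assumes the RSAT ActiveDirectory module on the host, that the agent runs as the Windows service 'AADConnectProvisioningAgent' (assumed name; confirm with Get-Service), and that LDAP 389 and Global Catalog 3268 are the ports to test.

```powershell
# Added example, not from the original post: a host-side check that the Cloud Sync agent host
# can reach its Domain Controllers, which the portal's green check does not show.
param(
    # The Domain Controllers you prioritized in the portal; empty means discover all DCs in the domain
    [string[]]$DomainControllers = @(),
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$AgentServiceName = 'AADConnectProvisioningAgent'   # assumed service name
)

$ports = [ordered]@{ LDAP = 389; GlobalCatalog = 3268 }   # assumed set of ports to test

# 1. Is the agent service even running on this host?
$svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$AgentServiceName' not found; check the service name with Get-Service"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$AgentServiceName' is $($svc.Status)"
}

# 2. Which DCs should we test? Prefer the ones you prioritized in the portal.
if ($DomainControllers.Count -eq 0) {
    $DomainControllers = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object -ExpandProperty HostName
}

# 3. TCP reachability per DC and port; one row per test so the output can be piped to Export-Csv
$results = foreach ($dc in $DomainControllers) {
    foreach ($entry in $ports.GetEnumerator()) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Service          = $entry.Key
            Port             = $entry.Value
            Reachable        = $tnc.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 4. Summarize: any DC the host cannot reach is one the agent cannot use, green check or not
$unreachable = @($results | Where-Object { -not $_.Reachable })
if ($unreachable.Count -gt 0) {
    Write-Warning ("{0} DC/port combinations unreachable from {1}" -f $unreachable.Count, $env:COMPUTERNAME)
} else {
    Write-Output "All configured Domain Controllers reachable on LDAP and Global Catalog"
}
```

Schedule it alongside your existing monitoring so the connectivity gap the portal hides shows up somewhere you actually look.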

Azure AD Connect Cloud Sync’s agent model offers high availability

Azure AD Connect, the on-premises synchronization engine, acts as a single point of failure for synchronization of objects. Staging Mode servers can alleviate some of the pain points, but ultimately, the Azure AD Connect model relies on a single synchronization engine for object and attribute integrity.

With Azure AD Connect Cloud Sync, the cloud-based engine takes care of all the object and attribute integrity issues, regardless of the number of Azure AD Connect Cloud Sync agents running or the number of locations where you run these agents from.

You can enjoy high availability without deploying load balancers or any other fancy technology.

Azure AD Connect Cloud Sync agents don’t have a database

Azure AD Connect, the on-premises synchronization engine, uses a Microsoft SQL Server database to store its metaverse and connector spaces in.

Azure AD Connect Cloud Sync’s agents don’t have a database. This means you don’t need to give hosts running these agents any special consideration from a backup point of view. A simple crash-consistent backup will do.

Concluding

For all organizations that have deployed Azure AD Connect using the Use express settings button in Azure AD Connect’s configuration wizard, Azure AD Connect Cloud Sync is a model that they might enjoy additional benefits from.

For organizations further along the Hybrid Identity path, such as those that have embraced Exchange Hybrid or Hybrid Azure AD Join, or that are collapsing Active Directory forests using mS-DS-ConsistencyGUID as their source anchor, this might not be the best time to convert to the Cloud Sync model, yet.
