Microsoft has finally answered the prayers of IT admins! Long story short, gone are the days when admins had to make sure two AD forests could see each other and the required ports were open before adding the second forest to the Azure AD Connect sync tool as another directory, so that the users from that directory could be synced to Azure AD.
Once I saw this in Microsoft’s roadmap, I thought I’d read more and play with it and see how it can be helpful for anyone who is curious about it.
This is still in Public Preview and is set to be released in Q4 2020 according to the Microsoft roadmap. Looking at the tool, it still needs some improvements; hopefully it will be fully featured when it is generally available.
This lightweight tool is specifically designed for syncing objects from disconnected AD forests.
This is usually needed after a merger or an acquisition, where management requires the new set of users to be added to the cloud and to authenticate to resources. Previously, that could only happen once the networks of the two AD forests could see each other, along with some DNS configuration changes.
Because this is in preview, and also because it is a lightweight tool compared to the Azure AD Connect sync tool, some capabilities have not been added yet. The comparison below is from this Microsoft article:
| Feature | Azure Active Directory Connect sync | Azure Active Directory Connect cloud provisioning |
|---|---|---|
| Connect to single on-premises AD forest | ● | ● |
| Connect to multiple on-premises AD forests | ● | ● |
| Connect to multiple disconnected on-premises AD forests | | ● |
| Lightweight agent installation model | | ● |
| Multiple active agents for high availability | | ● |
| Connect to LDAP directories | ● | |
| Support for user objects | ● | ● |
| Support for group objects | ● | ● |
| Support for contact objects | ● | ● |
| Support for device objects | ● | |
| Allow basic customization for attribute flows | ● | ● |
| Synchronize Exchange online attributes | ● | ● |
| Synchronize extension attributes 1-15 | ● | ● |
| Synchronize customer defined AD attributes (directory extensions) | ● | |
| Support for Password Hash Sync | ● | ● |
| Support for Pass-Through Authentication | ● | |
| Support for federation | ● | ● |
| Seamless Single Sign-on | ● | ● |
| Supports installation on a Domain Controller | ● | ● |
| Support for Windows Server 2012 and Windows Server 2012 R2 | ● | ● |
| Filter on Domains/OUs/groups | ● | ● |
| Filter on objects' attribute values | ● | |
| Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
| Allow removing attributes from flowing from AD to Azure AD | ● | ● |
| Allow advanced customization for attribute flows | ● | |
| Support for writeback (passwords, devices, groups) | ● | |
| Azure AD Domain Services support | ● | |
| Exchange hybrid writeback | ● | |
| Support for more than 50,000 objects per AD domain | ● | |
A few notable features that could have been included in the Public Preview:
No PowerShell features – The on-demand sync command Start-ADSyncSyncCycle is unfortunately not available, so you have to rely on the standard sync cycles.
No Password Writeback – If your newly added AD forest needs to be set up with the password writeback (PWB) option, this tool will not support that feature.
No Pass-Through Authentication – Only Password Hash Sync is enabled at the moment. If you do not want to bring the password hashes to the cloud, either go with the Azure AD Connect sync tool or wait for a more mature version of this tool.
No Azure AD Domain Services support – If you are planning to let the newly added users access Azure Files, for example, you will not be able to grant those permissions, as the AAD cloud provisioning tool is not compatible with the Azure AD Domain Services feature.
In-Cloud Identity Administrator Account
This is a user that is not synced from on-premises but created directly in the cloud with Global Administrator access. Why in-cloud? If you lose access to the on-premises servers, you can still manage the tenant because this account was created in the cloud. Since it is a cloud-only Global Administrator, treat it like any other break-glass account and protect it with MFA.
Server to run the agent
Windows Server 2012 R2 or later
TLS 1.2 must be enabled on the server where the agent is being installed
How to configure and use the AAD Cloud Provisioning Tool?
Scenario – My test Azure AD tenant name is eclipsetest.onmicrosoft.com
On-premises AD forest name: eclipse.local
My on-premises domain is a non-routable domain, meaning I have to change the UPN after the users are synced to the cloud.
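Because eclipse.local is non-routable, every synced user ends up needing a UPN change. The script below is an added example (not from the original post, and not Microsoft's own tooling) showing one way to handle that on the AD side before the objects are provisioned, so you do not have to edit each synced user in the cloud. The OU path and the routable suffix are placeholders; the suffix must be a domain verified in the Azure AD tenant. It runs with `-WhatIf` so it only reports what it would change.

```powershell
# Added example (not part of the original post): rewrite the UPN suffix of users in
# the sync scope from the non-routable eclipse.local to a routable suffix.
# Requires the ActiveDirectory RSAT module on a domain-joined admin workstation.
# Assumptions (labelled): $NewSuffix and $ScopeOU are placeholders; adjust them.
Import-Module ActiveDirectory

$OldSuffix = 'eclipse.local'                         # from the post's scenario
$NewSuffix = 'eclipsetest.onmicrosoft.com'           # placeholder; use a verified custom domain in production
$ScopeOU   = 'OU=Synced Users,DC=eclipse,DC=local'   # placeholder OU inside the sync scope

# Step 1: the suffix must be registered on the forest, otherwise Set-ADUser rejects it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# Step 2: find only the users that still carry the non-routable suffix.
$users = Get-ADUser -SearchBase $ScopeOU `
                    -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName

# Step 3: keep the prefix, swap the suffix. Remove -WhatIf once the report looks right.
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    '{0,-35} -> {1}' -f $u.UserPrincipalName, $newUpn
}
```

Run it before enabling the sync configuration; if users were already provisioned with the old suffix, the next sync cycle picks up the new UPN from AD.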
- Open the Azure AD portal and navigate to Azure Active Directory > Azure AD Connect
- Navigate to the Manage Provisioning link under “Provision From Active Directory”
- Download the agent onto the desired server in the AD forest
- Provide the in-cloud administrator credentials to connect the tool to the tenant
- Enter the on-premises domain name > select Add Directory > provide the on-prem admin credentials and complete the installation.
Once you go back to the AAD portal, you will see the screen below.
The status of the added domain will be shown as below.
Configure the domain for the sync
This will create the configuration profile for the installed agent for that on-premises AD domain. Finally, the config needs to be enabled, and it will start provisioning the objects.
- Select New Config
- Set the sync scope. This is the same as in the Azure AD Connect sync tool, where you specify which OUs are to be synced.
However, this tool also has the option to select security groups as the scope.
- Provide the notification email address to be alerted about sync errors, under Settings.
Enable the config and save once you are done.
Check the Event Viewer logs on that on-premises server to verify the agent is now running.
Make sure the below two services are running:
* Microsoft Azure AD Connect Agent Updater
* Microsoft Azure AD Connect Provisioning Agent
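Checking the TLS 1.2 prerequisite and the two services by hand works, but it is easy to miss one of the registry values. The script below is an added example (not from the original post, and not part of the agent) that automates the post-install check on the on-premises server: it verifies the TLS 1.2 SCHANNEL and .NET strong-crypto registry values, confirms both services are running, and pulls the agent's recent Application log events. The service display names come from the post; the registry locations are the standard ones for TLS 1.2 on Windows; the event provider filter is an assumption and is deliberately loose.

```powershell
# Added example (not part of the original post): post-install health check for the
# Azure AD Connect cloud provisioning agent. Run in an elevated PowerShell session
# on the server where the agent was installed.

function Test-Tls12Enabled {
    # TLS 1.2 must be enabled for both the Client and Server roles, and .NET must be
    # told to use strong crypto; otherwise the agent cannot talk to Azure AD.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $ok = $true
    foreach ($role in 'Client', 'Server') {
        $key      = Join-Path $base $role
        $enabled  = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $disabled = (Get-ItemProperty -Path $key -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault
        if ($enabled -ne 1 -or $disabled -ne 0) {
            Write-Warning "TLS 1.2 $role is not enabled under $key"
            $ok = $false
        }
    }
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $strong = (Get-ItemProperty -Path $net -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($strong -ne 1) {
            Write-Warning "SchUseStrongCrypto is not set to 1 under $net"
            $ok = $false
        }
    }
    return $ok
}

function Test-ProvisioningAgentServices {
    # Display names are the two the post says must be running.
    $names = 'Microsoft Azure AD Connect Agent Updater',
             'Microsoft Azure AD Connect Provisioning Agent'
    $ok = $true
    foreach ($name in $names) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$name' is not installed"
            $ok = $false
            continue
        }
        if ($svc.Status -ne 'Running') {
            Write-Warning "Service '$name' is $($svc.Status)"
            $ok = $false
        }
    }
    return $ok
}

function Get-ProvisioningAgentEvents {
    param([int]$Hours = 24)
    # Assumption: the agent logs to the Application log under a provider whose name
    # contains "Provisioning Agent"; widen the match if your events show a different name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Provisioning Agent*' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message -First 20
}

$tls = Test-Tls12Enabled
$svc = Test-ProvisioningAgentServices
"TLS 1.2 ready : $tls"
"Services OK   : $svc"
Get-ProvisioningAgentEvents | Format-Table -AutoSize -Wrap
```

If either check returns False, fix the cause and restart the two services before looking at the provisioning logs in the portal; warnings or errors from the agent in the Application log usually explain a stalled sync cycle faster than the portal does.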
Use the provisioning logs in the Azure AD portal to check the sync status.
Because this tool still needs more improvements, you still need to have the standard Azure AD Connect sync tool installed so the other domains can get the full benefit of the Azure AD features in a hybrid environment.
However, a generally available, more mature AAD cloud provisioning tool will be more feature-rich and may be able to replace the Azure AD Connect sync tool, giving admins more portability and manageability with less hassle.