It’s 2023. Let’s Talk About Azure AD Connect Cloud Sync

The first post for 2023, and I want to focus on something that will (probably) take over the main stage soon: Azure AD Connect Cloud Sync. It has been around for a while, and some of its capabilities are proven to reduce admin overhead. If you have dealt with the Azure AD Connect Sync tool, you know what I’m talking about. Yes, we have all been there. My approach in this article is to introduce you to the Azure AD Connect Cloud Sync tool, its capabilities, how to migrate to it, and my thoughts about it.

What I will be Covering 👇🏽

Why Is It Important To Talk About This?

Since its first public preview release there have been a lot of developments and feature additions to the AAD Connect Cloud Sync tool. It is capable of looking after your identity provisioning tasks and maintaining the sync between on-premises AD and Azure AD. Minimizing the on-premises footprint is a highly trending topic, and now more than ever new tools are emerging to make that easier. Best of all, a migration process from AAD Connect Sync has been introduced as well.

Challenges of Managing the Azure AD Connect Sync

While Azure AD Connect Sync is the very heart and soul of the hybrid setup and the main tool responsible for syncing objects from the on-premises AD environment to Azure AD, managing an instance can range from easy to a herculean task depending on the size of the environment. Especially for the tasks below, proper planning and skills are essential.

  • Version Upgrades
  • Setting sync rules
  • Resolving sync issues
  • Connecting another AD domain while making sure the required network connectivity is in place

Why not go full cloud? “That Depends”

One can argue: why hybrid? Why not cloud-only users? Well, the straightforward answer is “it depends”. Simply put, a lot of organizations still maintain AD domains, and those domains are connected to a wide array of applications. Migrating a user from synced to cloud-only is not an overnight procedure. There can be dependencies that need to be considered, which is why Microsoft keeps implementing new and easier ways to take the admin overhead out of managing the hybrid sync.

Why Is Azure AD Connect Cloud Sync Important?

With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service. (Microsoft Learn)

The above explanation answers a lot of questions. It addresses, for example:

  • Mergers and acquisition scenarios where you need to provide quick access to the parent Azure AD tenant without having to configure the network so that AAD Connect Sync can reach the other domain controllers and the required ports are open
  • The trouble of upgrading the software every now and then
  • The trouble of managing a staging instance

Check the comparison below. You will see a few features that are not yet available in AAD Cloud Sync. My view is that this tool is becoming something big soon, so the feature gap will close before long.

🔗Comparison

No Device Sync, No problem

On the other hand, no device sync? Why do you need device sync? What I mean is that you don’t necessarily need the device to be Hybrid Azure AD joined at all; it can be Azure AD joined instead. A few things you need to weigh before relying on device sync:

Autopilot devices – Make sure the device has line-of-sight access to AD. You may have to set up an Always On VPN to achieve this if you are planning to give the users the OOBE (Out Of the Box Experience).

Hybrid AD Join issues – I have seen plenty of Hybrid AAD Join issues that happen for many different reasons, and troubleshooting them is definitely wasted time.

Intune provides the same and even more features than GPOs – Use Intune’s Group Policy analytics and Administrative Templates to create the same policies, and you never need to worry about GPOs again.

Multiple active provisioning agents for high availability

This is great news indeed. In an environment where you need seamless sync and can’t afford sync delays, install the agent on more than one server and it will cover your HA requirements. Unlike AAD Connect Sync, no staging instances are required, and that definitely offloads heavy admin work.

Nitty Gritty of Azure AD Connect Cloud Sync

Because you only have to install an agent on-premises, the configuration part is managed in Azure AD.

  1. Installing the Provisioning Agent and authenticating with the tenant details

Go to Entra Portal > Azure AD > Hybrid Management > Azure AD Connect > Manage Azure AD cloud sync > Download Agent

🔗Installation steps

  1. Go to Entra Portal > Azure AD > Hybrid Management > Azure AD Connect
  2. Click on New Configuration to create the sync config

Click Create

Configure as below. It is easy to set up and manage.

  1. You will see the on-premises domain details
  2. Click on Review all provisioning agents to see the agent instance details
  3. Open Provisioning Logs to understand the sync activities
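The same verification can be done from the agent server itself. The script below is an added example, not code from the original post or from Microsoft; it assumes the agent was installed in its default folder (which ships the AADCloudSyncTools module), that the cmdlet names are the module's as I know them (confirm with `Get-Command -Module AADCloudSyncTools`), and that `AADConnectProvisioningAgent` is the agent's Windows service name.

```powershell
# Added example (not from the original post): check a newly created cloud sync
# configuration from the server that hosts the provisioning agent.
# Assumptions: default install path, AADCloudSyncTools cmdlet names as recalled,
# and AADConnectProvisioningAgent as the service name.
$modulePath = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools'
Import-Module $modulePath -ErrorAction Stop

# 1. Local agent health. This is the instance the portal lists under
#    "Review all provisioning agents"; if it is stopped, nothing else matters.
$svc = Get-Service -Name 'AADConnectProvisioningAgent' -ErrorAction Stop
'Agent service "{0}" is {1}' -f $svc.DisplayName, $svc.Status
if ($svc.Status -ne 'Running') {
    throw 'Provisioning agent is not running; fix this before checking jobs.'
}

# 2. Sign in to the tenant (interactive prompt) and list the provisioning jobs.
#    One job exists per configuration created with "New configuration" in the portal.
Connect-AADCloudSyncTools
$jobs = @(Get-AADCloudSyncToolsJob)
'Found {0} cloud sync job(s)' -f $jobs.Count
$jobs | Format-List

# 3. Job status. A quarantined job or a stale last cycle here is the same
#    information the portal's Provisioning Logs surface, without the clicking.
Get-AADCloudSyncToolsJobStatus | Format-List
```

Run it in an elevated Windows PowerShell session on each server that hosts an agent; with multiple active agents (the HA setup described above) you want every one of them reporting `Running`.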

Where to Start?

Now you might be wondering where to start the Azure AD Connect Cloud Sync journey.

🔗Supported Topologies and Scenarios

Migrate from AAD Connect Sync to AAD Connect Cloud Sync

If you understand the comparison between the two, and you know you are not using any of the current features that are not available in the Cloud Sync tool, you can start migrating from AAD Connect Sync to AAD Connect Cloud Sync. However, it is advisable to first perform a pilot so you can get familiar with the steps, as this can be a big change in your environment.

Approach – Remove the synced OU from AAD Connect Sync scope while making sure the new link from AAD Connect Cloud Sync is in place, so the objects in the removed OU do not get deleted and the sync of that OU is taken over by AAD Connect Cloud Sync.

Prerequisites

  • A test environment with Azure AD Connect sync version 1.4.32.0 or later
  • An OU or group that is in scope of sync and can be used for the pilot. We recommend starting with a small set of objects.
  • A server running Windows Server 2012 R2 or later that will host the provisioning agent.
  • The source anchor for Azure AD Connect sync should be either objectGUID or ms-ds-consistencyGUID

🔗Check the Microsoft Learn Link to see the step by step guide to get to know the process
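Before touching the pilot OU, I like to confirm the prerequisites above from the existing AAD Connect Sync server rather than by eye. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs elevated on the AAD Connect Sync server with the ADSync and ActiveDirectory modules available, that `Microsoft.SynchronizationOption.AnchorAttribute` is the global-settings parameter holding the source anchor, that `AADConnectProvisioningAgent` is the agent's service name, and that the OU, host names and size limit are placeholders to replace.

```powershell
# Added example (not from the original post): pre-pilot checks on the existing
# Azure AD Connect Sync server before an OU is moved to Cloud Sync.
# Assumptions: elevated session on the AAD Connect Sync server; ADSync and
# ActiveDirectory modules present; placeholders below replaced with real values.
param(
    [string]$PilotOU = 'OU=CloudSyncPilot,DC=contoso,DC=local',  # placeholder OU
    [string[]]$AgentServers = @('AGENT01', 'AGENT02'),           # placeholder hosts
    [int]$MaxPilotObjects = 50,                                  # "small set" threshold
    [version]$MinimumVersion = '1.4.32.0'                        # from the prerequisites
)

Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
$results = [ordered]@{}

# 1. Installed AAD Connect Sync version, read from the Uninstall registry key.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$aadc = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object DisplayName -eq 'Microsoft Azure AD Connect'
$installed = if ($aadc) { [version]$aadc.DisplayVersion } else { $null }
$results["Version $installed >= $MinimumVersion"] = ($null -ne $installed -and $installed -ge $MinimumVersion)

# 2. Source anchor must be objectGUID or mS-DS-ConsistencyGuid.
#    Assumption: the anchor is exposed under this global-settings parameter name.
$anchor = ((Get-ADSyncGlobalSettings).Parameters |
    Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute').Value
$results["Source anchor ($anchor)"] = ($anchor -in @('objectGUID', 'mS-DS-ConsistencyGuid'))

# 3. Pilot OU: exists, is small, and every user already has mS-DS-ConsistencyGuid set,
#    so the new tool matches the same cloud object instead of creating a duplicate.
$users = @(Get-ADUser -SearchBase $PilotOU -Filter * -Properties 'mS-DS-ConsistencyGuid')
$missing = @($users | Where-Object { -not $_.'mS-DS-ConsistencyGuid' })
$results["Pilot OU has $($users.Count) users (1..$MaxPilotObjects)"] = ($users.Count -ge 1 -and $users.Count -le $MaxPilotObjects)
$results["ConsistencyGuid populated (missing: $($missing.Count))"] = ($missing.Count -eq 0)

# 4. Provisioning agent service running on each HA host (Windows PowerShell 5.1 remoting).
foreach ($server in $AgentServers) {
    $svc = Get-Service -ComputerName $server -Name 'AADConnectProvisioningAgent' -ErrorAction SilentlyContinue
    $results["Agent running on $server"] = ($null -ne $svc -and $svc.Status -eq 'Running')
}

# 5. The AAD Connect Sync scheduler should be paused while the OU changes hands,
#    so a scheduled export cannot delete the objects before Cloud Sync owns them.
$results['Sync cycle paused'] = (-not (Get-ADSyncScheduler).SyncCycleEnabled)

# Report: one PASS/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Any FAIL line is a reason to stop and read the Microsoft Learn guide linked above before proceeding; the scheduler check in particular is there because the approach described earlier depends on the old tool not exporting a deletion while the OU is between the two tools.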

Closing Notes – If this needs to be appreciated by everyone

It is truly great to see this functionality managed by the cloud: you just need to install the provisioning agent and take care of the configuration. However, at this stage there can be features that you currently use in AAD Connect Sync which are not available in AAD Connect Cloud Sync. Password Hash Sync was introduced recently, and more features are likely on the way if this tool is to be appreciated by everyone and become the sync tool of choice. I believe this article gave you some understanding of what this tool is capable of and helps you stay up to date with what’s new.


4 thoughts on “It’s 2023. Let’s Talk About Azure AD Connect Cloud Sync”

  1. Hello, thanks for this article. I am very curious about your comment “I mean you don’t need device sync to make the device Hybrid AAD Joined.” I do not see a way to do this documented anywhere. Do you have a reference? We are trying to test Hybrid AAD Join and I only have Azure Cloud Sync, so no device sync. I have created the necessary client-side registry setting for SCP for test machines, but they still do not join due to error “error_missing_device”. I have been looking everywhere for a workaround so that I do not have to install AAD Connect Sync and can just stick with Cloud Sync.


    1. Hi Doug, what I meant by that was you don’t necessarily have to do HAADJ, as there is the option to make them AADJ. However, to make them AADJ, you have to make sure you don’t need on-prem file servers and GPOs, as the device will not be joined to the on-prem AD.

      For your issue, since you are planning to go with HAADJ, you have to configure AAD Connect Sync accordingly or set the SCP as you’ve done, and make sure that the device OU is syncing with Azure AD. Use the https://learn.microsoft.com/en-us/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/ and https://learn.microsoft.com/en-us/samples/azure-samples/dsregtool/dsregtool/ tools to troubleshoot if needed. Hope this helps.


      1. Gotcha, thanks for the clarification. I was hoping there was an alternative so I could stick with just Cloud Sync. Hopefully sometime soon that will be a feature.
