{"id":92345,"date":"2023-06-02T18:59:28","date_gmt":"2023-06-02T18:59:28","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4105578"},"modified":"2023-06-02T18:59:28","modified_gmt":"2023-06-02T18:59:28","slug":"should-you-migrate-from-azure-ad-connect-to-cloud-sync","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92345","title":{"rendered":"Should you migrate from Azure AD Connect to Cloud Sync?"},"content":{"rendered":"<figure id=\"attachment_4011885\" aria-describedby=\"caption-attachment-4011885\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4011885\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/should-you-migrate-from-azure-ad-connect-to-cloud-sync.jpg\" alt=\"Uploading and downloading data on the cloud through a phone.\" width=\"770\" height=\"578\"><figcaption id=\"caption-attachment-4011885\" class=\"wp-caption-text\">Image: Dilok\/Adobe Stock<\/figcaption><\/figure>\n<p>Even though a lot of the <a href=\"https:\/\/azure.microsoft.com\/en-gb\/products\/active-directory\/ds\/#layout-container-uid4619\" target=\"_blank\" rel=\"noopener noreferrer\">functionality of domain controllers can be moved to the cloud<\/a>, most organizations that use Active Directory need a hybrid infrastructure that gives users access to cloud resources (like OneDrive and Microsoft 365) through <a href=\"https:\/\/www.techrepublic.com\/article\/microsoft-azure-the-smart-persons-guide\/\">Azure<\/a> Active Directory as well as on-premises file shares, printers and applications that still need local credentials.<\/p>\n<p>Over the years, Microsoft has had multiple tools for managing hybrid identity and syncing cloud and on-premises users and groups.<\/p>\n<p><strong>SEE:<\/strong> Explore TechRepublic\u2019s <a href=\"https:\/\/www.techrepublic.com\/article\/hybrid-cloud-the-smart-persons-guide\/\">hybrid cloud cheat sheet<\/a>.<\/p>\n<p><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-identity-manager\/microsoft-identity-manager-2016\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Identity Manager<\/a>, which replaced Forefront Identity Manager, is supported until January 9, 2029, but its Azure AD Connector is deprecated. Azure AD Multi-Factor Authentication Server is also deprecated and will stop handling MFA requests after September 30, 2024. If you\u2019re still using these tools, you will need to move to a newer option.<\/p>\n<h2 id=\"azure\">Azure AD Connect and its limitations<\/h2>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/whatis-azure-ad-connect\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Connect<\/a> replaced the older DirSync and Azure AD Sync options for syncing users, groups and other directory objects to Azure AD. It supports:<\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/whatis-phs\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Password hash synchronization<\/strong><\/a><strong>:<\/strong> Syncing a hash of each user\u2019s AD password into Azure AD.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/how-to-connect-pta\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Pass-through authentication<\/strong><\/a><strong>:<\/strong> Sending users to Azure AD to sign in and then validating against AD, so they can use the same password in the cloud and for local resources without needing to set up federation.<\/li>\n<li><strong>Active Directory Federation Services<\/strong> use.<\/li>\n<\/ul>\n<p>But, Azure AD Connect requires setting up and maintaining a server on your network, and some of the<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/how-to-connect-install-prerequisites\" target=\"_blank\" rel=\"noopener noreferrer\"> requirements<\/a> for running it 
don\u2019t work for every organization, especially if you have multiple AD \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory-domain-services\/concepts-forest-trust\" target=\"_blank\" rel=\"noopener noreferrer\">forests<\/a>,\u201d which<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-azure-ad-blog\/seamless-application-access-and-lifecycle-management-for-multi\/ba-p\/3728752\" target=\"_blank\" rel=\"noopener noreferrer\"> makes working with Azure AD complicated<\/a>.<\/p>\n<p>\u201cTo use it, you need to be in a connected forest; you need to have installed a database,\u201d said Joseph Dadzie, a director in the Microsoft identity team. \u201cThat\u2019s expensive to manage and deploy.<\/p>\n<p>\u201cWe started getting feedback from a lot of customers around the cost of deploying AD Connect sync and of maintaining it, and some feature gaps around if you are in a disconnected forest or you are in an organization where you are trying to do an M&amp;A. So, we set out to look at ways to simplify it.\u201d<\/p>\n<h2 id=\"cloud\">Cloud sync aims to replace Azure AD Connect for cloud<\/h2>\n<p>The result is<a href=\"https:\/\/learn.microsoft.com\/en-gb\/azure\/active-directory\/cloud-sync\/what-is-cloud-sync\" target=\"_blank\" rel=\"noopener noreferrer\"> Azure AD Connect cloud sync<\/a>, which started out as a tool for<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-azure-ad-blog\/bring-identities-from-disconnected-ads-into-azure-ad-with-just-a\/ba-p\/827835\" target=\"_blank\" rel=\"noopener noreferrer\"> bringing identities from multiple disconnected AD forests<\/a> into a single Azure AD tenant.<\/p>\n<p>It still does that, but it\u2019s now a lightweight alternative to AD Connect that doesn\u2019t have quite as many features but is much faster to set up and requires fewer resources. 
This is because cloud sync moves much of the configuration into the cloud, needing only provisioning agents.<\/p>\n<p>\u201cWhen you look at AD Connect, almost all the configuration is done in the on-prem world, and it\u2019s stored in that local server,\u201d said Dadzie. \u201cFor cloud sync, the idea is to switch the configuration to be cloud based and have a very lightweight agent in the customer\u2019s environment so that it\u2019s easy to deploy.<\/p>\n<p>\u201cIt takes about 10 megabytes, so you can have multiple of these working together for high availability solutions; something that\u2019s more difficult to do if you have a full Connect sync capability.\u201d<\/p>\n<p>That high availability is particularly useful if you\u2019re using Microsoft\u2019s recommended password hash synchronization.<\/p>\n<h3>The future of cloud sync<\/h3>\n<p>Cloud sync can handle groups with up to 50,000 members, but it doesn\u2019t cover everything you can do with AD Connect sync yet, Dadzie told us.<\/p>\n<p>\u201cIf you\u2019ve done a lot of customizations on attributes in your AD and you still use Exchange on-prem, there\u2019s still some delta in the capabilities,\u201d said Dadzie. \u201cIn the longer term, we will want to have it be the full replacement; we are not there yet.\u201d<\/p>\n<p>Currently, it can\u2019t connect to LDAP directories and doesn\u2019t yet have support for device objects, just users, groups and contacts. There are advanced customization and filtering options that aren\u2019t available, and cloud sync can\u2019t handle Exchange hybrid writeback, so you can\u2019t use it for Exchange hybrid migrations.<\/p>\n<p>Federation is supported but not Azure AD Domain Services or Pass Through Authentication, at least for disconnected forests. 
That\u2019s something the AD Connect team is working on, Dadzie said, and writeback for security groups is also in development.<\/p>\n<p>\u201cOver the past year, we added the self-service password writeback scenarios,\u201d said Dadzie.<\/p>\n<p>Device writeback is also under development, because \u201calmost any deployment starts with getting some of the users from on-prem to the cloud,\u201d Dadzie notes. It\u2019s slightly confusing because both Azure AD and Windows Hello For Business have services named<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-hybrid-cloud-kerberos-trust?tabs=intune\" target=\"_blank\" rel=\"noopener noreferrer\"> Cloud Kerberos trust<\/a>, which do different things, but Microsoft tells us the naming and documentation should become clearer in future.<\/p>\n<p>The cloud sync team is also looking at alternatives to writeback.<\/p>\n<p>\u201cIf you have an on-prem app and you have a cloud user who needs access to it, how do you give that user access without having an account in the on-prem AD,\u201d said Dadzie. \u201cWe\u2019re looking at what we might do in that space: Is there a way to have some of the secrets go down so that you can have the user credentials, where the user gets access to on-prem without having to have the user object in there?\u201d<\/p>\n<p>That\u2019s still in the early stages, but there are regular updates to cloud sync functionality.<\/p>\n<p>\u201cEvery quarter to six months, we update and add new capabilities,\u201d said Dadzie. \u201cWe\u2019re on a mission to chip away at the reasons why someone might still want to use the full AD Connect sync. 
We\u2019re on a mission to keep adding to cloud sync to the point that we eventually replace AD Connect sync, but we are not there yet.\u201d<\/p>\n<h2 id=\"choosing\">Choosing between Azure AD Connect and cloud sync<\/h2>\n<p>There\u2019s no urgency about moving to cloud sync if you need an AD Connect sync feature, but there are some scenarios where cloud sync is already the better choice, as well as the less demanding one.<\/p>\n<p>\u201cIt works well for organizations that are not as complicated or don\u2019t have a lot of objects; if they have less than 150K objects in their directory, then it\u2019s easier to start off using cloud sync,\u201d said Dadzie.<\/p>\n<p>There\u2019s a<a href=\"https:\/\/aka.ms\/Syncwizard\" target=\"_blank\" rel=\"noopener noreferrer\"> wizard<\/a> in the Microsoft 365 admin center that walks you through choosing the right identity sync option as well as a step-by-step<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/cloud-sync\/migrate-azure-ad-connect-to-cloud-sync?source=recommendations\" target=\"_blank\" rel=\"noopener noreferrer\"> migration guide<\/a> if you want to move from Azure AD Connect sync to cloud sync.<\/p>\n<p>How complex that migration will be depends on how complex your AD environment is: \u201cThe more complex the environment is, then a more phased approach works,\u201d Dadzie said. 
But if your needs are less complex and you\u2019re starting out with hybrid identity, he suggests starting with cloud sync for simplicity (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4105580\" aria-describedby=\"caption-attachment-4105580\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4105580\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/should-you-migrate-from-azure-ad-connect-to-cloud-sync.png\" alt=\"This list of scenarios in the Azure AD sync wizard makes it straightforward to find out if cloud sync fits your needs.\" width=\"770\" height=\"465\"><figcaption id=\"caption-attachment-4105580\" class=\"wp-caption-text\">This list of scenarios in the Azure AD sync wizard makes it straightforward to find out if cloud sync fits your needs. Image: Mary Branscombe.<\/figcaption><\/figure>\n<p>In fact, a big part of the appeal of cloud sync is that it\u2019s designed to be much easier to get started with.<\/p>\n<p>\u201cIn Connect sync, you have to do all the Schema Mapping yourself, whereas in cloud sync we try to autodiscover them for you, so you don\u2019t have to hunt around and to make it easy for you to configure those,\u201d said Dadzie. 
\u201cThe main philosophy we are trying to get with cloud sync is to make it super, super easy, so customers don\u2019t have to think through these things.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image: Dilok\/Adobe Stock Even though a lot of the functionality of domain controllers can be moved to the cloud, most organizations that use Active Directory need a hybrid infrastructure that gives users access to cloud resources (like OneDrive and Microsoft 365) through Azure Active Directory as well as on-premises file shares, printers and applications that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92346,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,152,27],"tags":[],"class_list":["post-92345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-microsoft","category-software"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92345"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92346"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92345"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}