Azure AD Connect is the Microsoft tool for meeting your hybrid identity goals. It offers components such as synchronization and health monitoring. Through this tool you integrate your on-premises directories with Azure Active Directory, giving users a single, secure identity for any service that relies on Azure AD, for instance Office 365, Microsoft Intune, and SaaS applications.
Azure AD Connect provides features such as:
- Password hash synchronization: A sign-in method that synchronizes a hash of each on-premises AD user's password hash with Azure AD, so the cleartext password never leaves the on-premises directory.
- Pass-through authentication: A method that allows your users to sign in to both on-premises and cloud-based applications using the same password, with the password validated against on-premises AD.
- Federation integration: Enables configuration of federation with AD FS (Active Directory Federation Services) or a third-party identity provider.
- Synchronization: Ensures your users' identity information is kept up to date in Azure AD.
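The features above are only useful if the sync server is actually exporting, password hash synchronization is on for every forest, and writeback features are enabled deliberately rather than by accident. The following read-only posture check is an added example written for this article; it is not code from Microsoft or from the original page. It relies on the ADSync module that ships with Azure AD Connect (Get-ADSyncScheduler, Get-ADSyncConnector, Get-ADSyncAADPasswordSyncConfiguration, Get-ADSyncAADCompanyFeature); the function name and the overdue threshold are choices made here, and the property names used are the ones those cmdlets report.

```powershell
# Added example, not code from the original article. A read-only posture check for an
# Azure AD Connect sync server. Run in an elevated PowerShell session on the sync server
# itself; the ADSync module is installed with Azure AD Connect. The threshold is an
# assumption for illustration, not a value from the article.
Import-Module ADSync

function Get-AadConnectSyncPosture {
    [CmdletBinding()]
    param (
        # Assumed threshold: warn if the scheduler's next cycle is this far overdue.
        [int]$MaxOverdueMinutes = 60
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Scheduler state: the cycle must be enabled and not suspended or left in staging
    #    mode, otherwise on-premises changes (including password hashes) never reach Azure AD.
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) {
        $findings.Add('Sync cycle is disabled; directory changes are not being exported to Azure AD.')
    }
    if ($scheduler.SchedulerSuspended) {
        $findings.Add('Scheduler is suspended (often left over from an upgrade or maintenance window).')
    }
    if ($scheduler.StagingModeEnabled) {
        $findings.Add('Server is in staging mode: it imports and syncs but exports nothing to Azure AD.')
    }
    $overdue = (Get-Date).ToUniversalTime() - $scheduler.NextSyncCycleStartTimeInUTC
    if ($scheduler.SyncCycleEnabled -and $overdue.TotalMinutes -gt $MaxOverdueMinutes) {
        $findings.Add("Next sync cycle was due $([int]$overdue.TotalMinutes) minutes ago; check that the ADSync service is running.")
    }

    # 2. Password hash synchronization is configured per on-premises AD connector
    #    (one connector per forest), so check each one rather than the tenant flag alone.
    $adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    foreach ($connector in $adConnectors) {
        $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
        if (-not $phs.Enabled) {
            $findings.Add("Password hash synchronization is disabled for connector '$($connector.Name)'.")
        }
    }

    # 3. Tenant-level feature flags. Writeback features let the sync server modify
    #    on-premises AD, so they should reflect a deliberate decision.
    $features = Get-ADSyncAADCompanyFeature
    if ($features.DeviceWriteback) {
        $findings.Add('Device writeback is enabled: Azure AD devices are written back into on-premises AD.')
    }
    if ($features.UnifiedGroupWriteback) {
        $findings.Add('Group writeback is enabled: Microsoft 365 groups are written back into on-premises AD.')
    }

    [pscustomobject]@{
        SyncCycleEnabled  = $scheduler.SyncCycleEnabled
        StagingMode       = $scheduler.StagingModeEnabled
        EffectiveInterval = $scheduler.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc      = $scheduler.NextSyncCycleStartTimeInUTC
        AdConnectors      = @($adConnectors | ForEach-Object { $_.Name })
        PasswordHashSync  = $features.PasswordHashSync
        Findings          = $findings.ToArray()
    }
}

# Usage: print the summary, then each finding as a warning.
$posture = Get-AadConnectSyncPosture
$posture | Format-List
$posture.Findings | ForEach-Object { Write-Warning $_ }
```

The check changes nothing; it only reads scheduler, connector and tenant-feature state. An empty Findings array with PasswordHashSync set to True is the expected healthy result for a single-forest deployment that uses password hash synchronization as its sign-in method.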
Understanding Azure AD Connect cloud sync
Azure AD Connect cloud sync, previously known as Azure AD Connect cloud provisioning, is a lightweight on-premises agent that allows you to sync your on-premises users to Azure AD. It can sync disconnected on-premises AD forests and can also work in conjunction with an existing AD Connect Sync deployment, extending the reach to directories that were previously unsynchronized.
Azure AD Connect cloud sync provides features such as:
- Multi-forest and disconnected-namespace scenarios: Where the on-premises environment may have multiple AD forests.
- Flexible scheduler: This allows setting up sync time and intervals according to one’s business needs.
- Azure-based UI: Allows managing provisioning configurations and viewing sync errors.
- Automatic upgrades: The cloud sync agent updates automatically, minimizing management overhead.
Choosing Between Azure AD Connect and Azure AD Connect Cloud Sync
When choosing between Azure AD Connect and Azure AD Connect cloud sync, you need to understand the specific requirements of your environment and pick the tool whose capabilities fit them best.
Factor | Azure AD Connect | Azure AD Connect cloud sync
---|---|---
Hybrid Identity needs | Complete | Basic |
Environment | Single/Multi-forest | Multi-forest with disconnected namespaces |
High Availability | Manual | Built-in |
Schema and sync rule customization | Yes | No |
Password hash synchronization | Yes | Yes |
Pass-through authentication | Yes | No |
Federation with AD FS | Yes | No |
Seamless SSO | Yes | No |
Device writeback | Yes | No |
Group writeback | Yes | No |
From the table above, Azure AD Connect is suitable when there is a need for a complete hybrid identity with single or multiple forests, and customization of schema and sync rules is necessary. On the other hand, Azure AD Connect cloud sync is more favorable for environments with multi-forest scenarios with disconnected namespaces and when built-in high availability, simple set-up, and automatic agent upgrades are key considerations.
In sum, the choice between Azure AD Connect and Azure AD Connect Cloud Sync largely depends on the specific needs of your organization. Evaluating these needs and environmental factors will help you choose the most suitable option. Understanding these concepts is also beneficial for preparation towards the “MS-100 Microsoft 365 Identity and Services” exam.
Practice Test
True or False: Azure AD Connect supports password hash synchronization as a sign-in method.
- True
Answer: True
Explanation: Azure AD Connect supports password hash synchronization, pass-through authentication and federation.
Azure AD Connect cloud sync and Azure AD Connect can provide the same level of synchronization.
- False
Answer: False
Explanation: Unlike Azure AD Connect, Azure AD Connect cloud sync does not offer all of the same capabilities, such as schema and directory extensions.
True or False: Azure AD Connect cloud sync supports the use of filtering.
- True
Answer: True
Explanation: Cloud sync supports filtering and allows you to choose which Organizational Units (OU) are to be synchronized.
Which of the following methods are supported by both Azure AD Connect and Azure AD Connect cloud sync? (Choose 2)
- A) Password hash synchronization
- B) Pass-through authentication
- C) Federation
- D) Seamless Single Sign-On
Answer: A) Password hash synchronization, D) Seamless Single Sign-On
Explanation: Both Azure AD Connect and Azure AD Connect cloud sync support Password hash synchronization and Seamless Single Sign-On.
True or False: Azure AD Connect cloud sync requires an on-premises server.
- True
Answer: True
Explanation: A small footprint agent needs to be installed on on-premises servers to synchronize identity data to the cloud.
Which synchronization solution provides higher availability: Azure AD Connect or Azure AD Connect cloud sync?
- Azure AD Connect cloud sync
Answer: Azure AD Connect cloud sync
Explanation: Azure AD Connect cloud sync has a distributed and fault-tolerant architecture which provides better availability.
True or False: Azure AD Connect supports multi-forest environments.
- True
Answer: True
Explanation: Azure AD Connect supports complex on-premises environments including multi-forest environments.
Azure AD Connect can synchronize more entities than Azure AD Connect cloud sync.
- True
Answer: True
Explanation: Azure AD Connect can sync up to 500,000 objects, which is more than cloud sync can handle.
Which of the following authentication capabilities is provided by Azure AD Connect but not by Azure AD Connect cloud sync?
- A) Federation
- B) Pass-through authentication
- C) Password hash synchronization
- D) None of the above
Answer: A) Federation
Explanation: Federation is a supported sign-in method in Azure AD Connect but not in Azure AD Connect cloud sync.
True or False: Azure AD Connect cloud sync has an automatic upgrade feature.
- True
Answer: True
Explanation: Azure AD Connect cloud sync automatically upgrades, which reduces the need for manual maintenance.
Only Azure AD Connect supports writeback capabilities such as user writeback, group writeback, and password writeback.
- True
Answer: True
Explanation: Writeback capabilities are only supported in Azure AD Connect and not in Azure AD Connect cloud sync.
Azure AD Connect cloud sync requires a SQL Server license.
- False
Answer: False
Explanation: Azure AD Connect may require a SQL Server license for larger directories, while the Azure AD Connect cloud sync does not.
Which of the following is true about Azure AD Connect cloud sync?
- A) It supports schema and directory extensions.
- B) It does not support multi-forest environments.
- C) It offers the same sync capabilities as Azure AD Connect.
- D) It does not require an on-premises server.
Answer: B) It does not support multi-forest environments.
Explanation: Azure AD Connect cloud sync currently does not support multi-forest or non-AD directory environments.
Both Azure AD Connect and Azure AD Connect cloud sync support device writeback.
- False
Answer: False
Explanation: Only Azure AD Connect supports device writeback.
True or False: Only Azure AD Connect supports pass-through authentication.
- False
Answer: False
Explanation: Both Azure AD Connect and Azure AD Connect cloud sync support pass-through authentication.
Interview Questions
What is Azure AD Connect?
Azure AD Connect is Microsoft’s tool for connecting on-premises directories and identity systems with Azure Active Directory.
What are the two primary functions of Azure AD Connect?
Syncing directories and setting up federation (SSO).
How is Azure AD Connect cloud sync different from Azure AD Connect?
Azure AD Connect cloud sync, or simply "cloud sync", is a lighter-weight alternative to Azure AD Connect; it provides the same basic capabilities but with more flexibility in terms of topology and implementation prerequisites.
When should I choose Azure AD Connect over Azure AD Connect cloud sync?
Azure AD Connect is a good choice when you need more advanced options such as federation for single sign-on, or have specific requirements like syncing many attributes or supporting multiple forests.
When should I choose Azure AD Connect cloud sync over Azure AD Connect?
Azure AD Connect cloud sync is a good choice when you have a simpler setup or need to stage migration of identities to the cloud on a per-forest basis.
Can Azure AD Connect and Azure AD Connect cloud sync coexist in the same environment?
Yes, both tools can coexist in the same environment, but they must be configured to manage different sets of users.
Does Azure AD Connect cloud sync support password hash synchronization?
Yes, Azure AD Connect cloud sync supports password hash synchronization, which lets users sign in to Azure AD services with the same password they use on-premises.
Is it possible to transition from Azure AD Connect to Azure AD Connect cloud sync?
Yes, Microsoft provides guidance on how to transition from Azure AD Connect to Azure AD Connect cloud sync.
Can Azure AD Connect cloud sync be used with Active Directory Federation Services (ADFS)?
No, Azure AD Connect cloud sync does not support federation with AD FS. That is a scenario where Azure AD Connect should be used.
Does Azure AD Connect support multi-forest environments?
Yes, Azure AD Connect does support multi-forest environments.