On-premises to Azure AD synchronization tips for success

There are benefits to synchronizing on-premises AD users to Azure AD, but to do so effectively, you need to fully understand the process and the restrictions associated with it.

Azure AD synchronization, sometimes referred to as DirSync or Azure AD Connect sync, is a tool available to synchronize users from on-premises AD -- running in a VM -- to Azure AD. To synchronize on-premises AD users to Azure AD and implement a synchronized identity topology, you're required to deploy the on-premises Azure AD Connect server. In a synchronized identity topology, the sync is one-way: users sync from on-premises AD to Azure AD but not from Azure AD to on-premises AD. However, you do have the option to deploy the password writeback function, which allows you to synchronize passwords for synchronized identities from Office 365 back to on-premises AD. You'll be better equipped to take advantage of these features after learning a little more about the process.

What is the benefit of synchronizing on-premises users to Azure cloud?

The major benefit of Azure Active Directory synchronization is that it allows users to have one set of credentials for access to both on-premises and cloud resources. However, just synchronizing the on-premises users to Azure cloud doesn't help with implementing single sign-on (SSO). You'll need to deploy AD Federation Services (AD FS) servers to achieve SSO. Remember that you're synchronizing users from on-premises AD to Azure cloud so users don't need to remember two passwords -- one for on premises and another one for Office 365.

What is the password policy for synchronized users?

Once you synchronize users from on-premises AD to Azure cloud, password policies, like minimum password age and complexity requirements, will be governed by AD domain controllers. Office 365 password policies will be ignored. However, for user accounts created in the cloud, the password policies configured in Office 365 will be applicable.

How does authentication work for SSO?

If you've completed Azure AD synchronization and implemented AD FS servers to achieve SSO, the Office 365 authentication subsystem will no longer act as an authentication provider. The authentication will happen directly at the AD FS servers. Any authentication traffic either from Office 365 or on-premises AD will be rerouted to the AD FS Web Application Proxy server if authentication traffic is external or the AD FS server if the traffic is internal.

Does Azure AD Connect server allow filtering?

You might not want to sync all users to Azure cloud. For example, you always want to exclude service accounts used by applications and any other user accounts that you don't need to synchronize. Azure AD Connect server allows group-based filtering, in which only users who are members of a chosen security group are synced to Azure cloud. However, you must still select the organizational units in which those users reside, because the OU filter applies as well.
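Because the group filter and the OU filter are applied together, a pilot group is easy to get wrong. The following is an added example, written for this article rather than taken from it, that audits a pilot sync group before the sync is switched on; the group name, the OU list and the service-account heuristics are assumptions to adjust for your directory.

```powershell
# Added example (not from the article). Audits a pilot sync group before
# group-based filtering is enabled. Assumes the RSAT ActiveDirectory module and
# that the group name and OU list below match the Azure AD Connect wizard selection.
Import-Module ActiveDirectory

$SyncGroup = 'AAD-Sync-Pilot'                                   # assumed group name
$SyncedOUs = @('OU=Users,OU=Corp,DC=example,DC=com',            # assumed OU selection
               'OU=Contractors,DC=example,DC=com')

$members = Get-ADGroupMember -Identity $SyncGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties ServicePrincipalNames, PasswordNeverExpires, mail

    # Group filtering and OU filtering are both applied, so a member whose DN
    # sits outside every selected OU is silently left out of the sync.
    $inScope = $SyncedOUs | Where-Object { $u.DistinguishedName -like "*,$_" }

    # Heuristics for the service accounts the article says to keep out of Azure AD:
    # an SPN registered on the account, or a password that never expires.
    $serviceLike = ($u.ServicePrincipalNames.Count -gt 0) -or $u.PasswordNeverExpires

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        InSelectedOU   = [bool]$inScope
        ServiceAccount = $serviceLike
        HasMail        = [bool]$u.mail
    }
}

# Members not in a selected OU, or flagged as service accounts, come first for review.
$report |
    Sort-Object InSelectedOU, @{ Expression = 'ServiceAccount'; Descending = $true } |
    Format-Table -AutoSize
```

Anything reported with InSelectedOU false will not sync even though it is in the group; anything with ServiceAccount true should be removed from the group before the first sync.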

Do I see downtime if Azure AD Connect sync is enabled?

When you enable Azure AD Connect sync, the ability to change passwords from the Office 365 portal is disabled, and if you already have a large number of cloud-only users created in Azure, these users won't be able to change their passwords, resulting in several calls to the service desk. So, if you have cloud-only users, either make sure they've been informed of the change, or plan to convert these users to synchronized identities.

Can I have both cloud and synchronized identities?

Some organizations would like to keep both synchronized and cloud identities. For example, third parties and contractors might just want to access Office 365 email. You can have both cloud and synchronized identities in Azure, but if you've implemented AD FS SSO, the authentication for each identity will work differently. Synchronized identities will always rely on the AD FS server for authentication, and cloud-only users will always use the Office 365 authentication subsystem.

Should I consider synchronizing all users?

In a production environment, it's necessary to assess which users to synchronize. For example, if a group of users is just using the Office 365 mailbox service and doesn't remember their AD passwords, you might see disruption in the service. That's because, when you synchronize these users from on-premises AD with password sync enabled on the Azure AD Connect server, the Azure AD Connect server will overwrite these users' Office 365 passwords with their AD passwords. Since these users don't know their AD passwords and their passwords have already been overwritten as part of the synchronization, they will fail to log in to the Office 365 portal. In such cases, you might want to implement the Azure self-service password portal -- a service available in Azure AD Premium -- to allow users to change passwords from the Office 365 portal.

Can synchronized identities be converted to cloud identities?

The short answer is yes, but in a production environment, you might not want to, because it disrupts user services in the cloud. Converting synchronized identities to cloud-only identities requires disabling Azure AD Connect in Office 365, moving the users out of the synchronized organizational units and then forcing a complete Azure AD synchronization. When a complete Azure AD synchronization is forced, users that are no longer selected for synchronization will be deleted from Office 365, and you'll then need to restore these users and set passwords to convert them to cloud-only users.
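Added example, not from the article, of the forced full synchronization described above with the export deletion threshold checked first, so that an export that would remove far more users than the ones you moved is stopped rather than completed. It assumes the ADSync PowerShell module on the Azure AD Connect server, and the threshold value of 50 is an assumed tenant-specific choice.

```powershell
# Added example (not from the article): force the full sync the article describes,
# but only after confirming the export deletion threshold will stop an export that
# would remove more users than expected. Assumes the ADSync module on the
# Azure AD Connect server; the threshold of 50 is an assumed tenant-specific value.
Import-Module ADSync

# Do not start a full cycle while a scheduled cycle is still running.
$sched = Get-ADSyncScheduler
if ($sched.SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; retry when it has finished.'
}

# Users moved out of the selected OUs are deleted from Azure AD on the next full
# export, so check the guard rail that caps how many deletions one export may do.
$guard = Get-ADSyncExportDeletionThreshold     # prompts for Azure AD admin credentials
if (-not $guard.DeletionThresholdEnabled) {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 50
}

# Full import + full sync + export, as opposed to the usual delta cycle.
Start-ADSyncSyncCycle -PolicyType Initial

# Wait until no connector reports a run in progress.
do { Start-Sleep -Seconds 30 } while (Get-ADSyncConnectorRunStatus)

# Confirm the scheduler is still enabled so normal delta cycles resume afterwards.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

If the export stops with stopped-deletion-threshold-exceeded, review the pending deletions in Synchronization Service Manager; only when they are exactly the users you moved should you run Disable-ADSyncExportDeletionThreshold, rerun the cycle, and re-enable the threshold.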
