With the release of Azure Active Directory Synchronization Services (AADSync) Microsoft has another tool for your tool bag to populate identity information in Azure Active Directory (Azure AD).
For those not familiar with Azure AD, it is Microsoft's cloud identity provider; see: http://msdn.microsoft.com/library/azure/jj673460.aspx
How is Azure Active Directory Sync different from the DirSync?
DirSync is typically utilized to synchronize directory information from a single Active Directory forest. For more information, I dive deeper into DirSync in another post: http://blogs.technet.com/b/cbernier/archive/2014/09/02/identity-as-a-service-idaas.aspx
To learn more about the differences between the directory integration tools please visit: http://msdn.microsoft.com/en-us/library/azure/dn757582.aspx
Azure Active Directory Synchronization Services
Some of the highlights of the Azure AD Sync tool are as follows:
- Synchronize multi-forest Active Directory environments without needing the full-blown feature set of Forefront Identity Manager 2010 R2.
- Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes.
- Configuring multiple on-premises Exchange organizations to map to a single AAD tenant.
Azure AD Sync Download: http://www.microsoft.com/en-us/download/details.aspx?id=44225
Let's get started
Download and install the AADSync tool on a machine that is not a domain controller. Once installed, launch the DirectorySyncTool; its icon looks like the following:
Once the DirectorySyncTool is launched, step through each screen and add the requested information:
Once AADSync is installed we also see new apps on the Start screen. Pin these to the taskbar; they are used once the configuration wizard has finished.
Azure AD Sync Key Management Wizard
This option exports (backs up) to a file the keys used to encrypt sensitive data in the Azure AD Sync database, for example the credentials the connectors use. Anyone holding that file together with a copy of the database can recover that data, so treat the export like a credential: store it in a secure location with restricted access, and do not leave it on the sync server itself.
Synchronization Rules Editor
Launching the Synchronization Rules Editor we see the different types of rules set for inbound and outbound directory connections. Rules may be added, deleted, and customized to align with an organization's requirements.
If you're familiar with Forefront Identity Manager, the images below will look very familiar, only here it's the Azure AD Sync tool.
Synchronization Service Manager
In AD I have two users I expect to be synchronized with Azure Active Directory:
Opening the Sync Manager we see a number of operations that ran. Select the Delta Import and then Updates.
We then see some fairly cryptic information; these are the distinguished names of the objects that were imported.
Selecting each DN I found the two users I was looking for, Bill and Stella.
Looking at the Connectors tab, we see a connector for my on-premises Active Directory server (which happens to be running on an Azure VM) and another for Azure Active Directory. We can also run these connectors manually if needed.
Searching the Metaverse we see that Bill and Stella are included:
Now that we’re confident the Azure AD Sync tool is working correctly, let’s look to see if Bill and Stella are populated in Azure AD.
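As an added example (not part of the original post), the following PowerShell script automates that check from the sync server: it runs a delta sync cycle with DirectorySyncClientCmd.exe, which is what the AADSync scheduled task calls, then compares every enabled user in an on-premises OU with the directory-synchronized users in Azure AD. It matches on the default sourceAnchor, the base64-encoded objectGUID that Azure AD exposes as ImmutableId, rather than on the UPN alone, so a cloud account that was created by hand with the same UPN shows up as a mismatch instead of a false pass. The OU name, the default install path and the ActiveDirectory/MSOnline modules being present are assumptions; Connect-MsolService prompts for a tenant administrator credential.

```powershell
# Added example, not from the original post: verify that the users AADSync
# should have exported really exist in Azure AD, matching on the default
# sourceAnchor (base64 of objectGUID, visible in the cloud as ImmutableId).
#
# Assumptions (not stated in the post): ActiveDirectory and MSOnline modules
# are installed, $ScopeOu is the OU in scope for sync, and AADSync is
# installed in its default path.

Import-Module ActiveDirectory
Import-Module MSOnline

$ScopeOu    = 'OU=SyncedUsers,DC=contoso,DC=local'   # assumption: OU in sync scope
$AadSyncExe = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'

# Default sourceAnchor: base64 of the objectGUID bytes in the order that
# Guid.ToByteArray() returns (the mixed-endian order AD stores on the wire).
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Run a delta sync cycle the same way the built-in scheduled task does,
# so the comparison below reflects the current state of AD.
function Invoke-DeltaSync {
    if (-not (Test-Path $AadSyncExe)) { throw "AADSync not found at $AadSyncExe" }
    Start-Process -FilePath $AadSyncExe -ArgumentList 'delta' -Wait -NoNewWindow
}

# Compare on-premises users in scope with synchronized users in Azure AD.
# Returns one object per on-prem user with Status = Matched, Missing
# (not in the cloud yet, filtered out, or UPN suffix not verified),
# Mismatch (cloud object has the UPN but a different anchor, typically a
# hand-created cloud account), or NoUpn (cannot be matched at all).
function Compare-SyncedUsers {
    param([string]$SearchBase = $ScopeOu)

    $onPrem = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase

    # Index cloud users by UPN; only directory-synced users carry an ImmutableId.
    $cloud = @{}
    Get-MsolUser -All | Where-Object { $_.ImmutableId } | ForEach-Object {
        $cloud[$_.UserPrincipalName.ToLowerInvariant()] = $_
    }

    foreach ($u in $onPrem) {
        $expected = Get-ExpectedImmutableId -ObjectGuid $u.ObjectGUID
        $match    = $null
        $status   = 'NoUpn'

        if ($u.UserPrincipalName) {
            $match = $cloud[$u.UserPrincipalName.ToLowerInvariant()]
            if (-not $match)                               { $status = 'Missing' }
            elseif ($match.ImmutableId -ne $expected)      { $status = 'Mismatch' }
            else                                           { $status = 'Matched' }
        }

        $cloudAnchor = $null
        $lastSync    = $null
        if ($match) {
            $cloudAnchor = $match.ImmutableId
            $lastSync    = $match.LastDirSyncTime
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Status            = $status
            ExpectedAnchor    = $expected
            CloudAnchor       = $cloudAnchor
            LastDirSyncTime   = $lastSync
        }
    }
}

Connect-MsolService          # prompts for a tenant administrator credential
Invoke-DeltaSync
Compare-SyncedUsers | Sort-Object Status | Format-Table -AutoSize
```

Anything reported as Missing after a delta cycle is worth investigating in the Synchronization Service Manager: look at the Export step of the Azure AD connector for an error on that object, or at the inbound rules and OU filtering if the object never reached the metaverse.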
Azure Active Directory
Office 365 Admin Portal
Since Office 365 uses Azure AD as its identity provider we see Bill and Stella in the list of users within the O365 admin portal as well:
Upgrading from DirSync or FIM to Azure AD Sync
Upgrading from DirSync is a simple process, in fact I went through it when writing this post. For more information on the upgrade process please visit: http://msdn.microsoft.com/en-us/library/azure/dn783462.aspx
There are a lot of advantages to using Microsoft Azure Active Directory as an identity provider, as well as added benefits when synchronizing accounts from on-premises AD to Azure AD. The Azure AD Sync tool is feature rich and offers much more than what I walked through today.
Again, to learn more about the differences between the directory integration tools please visit: https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx