Microsoft has your identity sync covered (AADSync)

With the release of Azure Active Directory Synchronization Services (AADSync) Microsoft has another tool for your tool bag to populate identity information in Azure Active Directory (Azure AD).

For those not familiar with Azure AD, it is Microsoft’s cloud identity provider; for an introduction please visit: https://msdn.microsoft.com/library/azure/jj673460.aspx

How is Azure Active Directory Sync different from DirSync?

DirSync is typically utilized to synchronize directory information from a single Active Directory forest. For more information, I dive deeper into DirSync in another post: https://blogs.technet.com/b/cbernier/archive/2014/09/02/identity-as-a-service-idaas.aspx

To learn more about the differences between the directory integration tools please visit: https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx

Azure Active Directory Synchronization Services

Some of the highlights of the Azure AD Sync tool are as follows:

  • Synchronize multi-forest Active Directory environments without needing the full blown features of Forefront Identity Manager 2010 R2.
  • Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes.
  • Configuring multiple on-premises Exchange organizations to map to a single AAD tenant.

Source: https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

Azure AD Sync Download: https://www.microsoft.com/en-us/download/details.aspx?id=44225

Let's get started

Download and install the AADSync tool on a machine that is not a domain controller. Once installed, launch the DirectorySyncTool. The icon will look like the following:

[Screenshot: DirectorySyncTool icon]

Once the DirectorySyncTool is launched, step through each screen and enter the requested information:

[Screenshots: DirectorySyncTool installation wizard screens, in order]

Once AADSync is installed, we see new apps on the start screen. Pin these to the taskbar and return to them once the installation is finished.

[Screenshot: Azure AD Sync apps on the start screen]

Azure AD Sync Key Management Wizard

This option allows you to export and back up the keys used to encrypt data in Azure AD Sync to a file. The file should be stored in a secure location.

[Screenshot: Azure AD Sync Key Management Wizard]

Synchronization Rules Editor

Launching the Synchronization Rules Editor, we see the different types of rules configured for the inbound and outbound directory connectors. Rules may be added, deleted, and customized to align with an organization’s requirements.

[Screenshot: Synchronization Rules Editor]

If you’re familiar with Forefront Identity Manager, the images below will look very familiar, only this time it is the Azure AD Sync tool.

Synchronization Service Manager

In AD I have two users I expect to be synchronized with Azure Active Directory:

[Screenshot: the two users in on-premises Active Directory]

Opening the Synchronization Service Manager, we see a number of operations that ran. Select the Delta Import and then Updates.

[Screenshot: Synchronization Service Manager operations list]

We then see some fairly cryptic information; these are the distinguished names of the objects.

[Screenshot: distinguished names of the updated objects]

Selecting each DN, I found the two users I was looking for, Bill and Stella.

[Screenshots: object details for Bill and for Stella]

Looking at the Connectors tab, we see a connector for my on-premises Active Directory server (which happens to be running on an Azure VM) and another for Azure Active Directory. We can also run these connectors manually if needed.

[Screenshot: Connectors tab]

Searching the Metaverse we see that Bill and Stella are included:

[Screenshot: Metaverse search results showing Bill and Stella]

Now that we’re confident the Azure AD Sync tool is working correctly, let’s look to see if Bill and Stella are populated in Azure AD.

Azure Active Directory

[Screenshot: Bill and Stella listed in Azure Active Directory]

Office 365 Admin Portal

Since Office 365 uses Azure AD as its identity provider, we see Bill and Stella in the list of users within the O365 admin portal as well:

[Screenshot: Bill and Stella listed in the Office 365 admin portal]
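The portal walkthrough above can also be done from PowerShell, which is handy once there are more than two users to check. The script below is an added example, not code from the original post or from the AADSync product. It assumes the RSAT ActiveDirectory module and the MSOnline module (Connect-MsolService, Get-MsolUser, Get-MsolCompanyInformation) are installed, that the default source anchor (objectGUID, stored in Azure AD as the Base64 ImmutableId) is in use, and that AADSync sits in its default install path; the OU name is a constructed sample.

```powershell
# Added example (not part of the original post): confirm that on-premises AD users
# actually landed in Azure AD by matching on the source anchor, not just by name.
# Assumptions: RSAT ActiveDirectory + MSOnline modules; default objectGUID anchor;
# default AADSync install path for DirectorySyncClientCmd.exe.

param(
    [string]$SearchBase = "OU=Users,DC=contoso,DC=local",                 # constructed sample OU
    [string]$SyncBin    = "C:\Program Files\Microsoft Azure AD Sync\Bin"  # assumed default path
)

Import-Module ActiveDirectory
Import-Module MSOnline

# Optionally run a delta sync now instead of waiting for the scheduled task.
# DirectorySyncClientCmd.exe is what the AADSync scheduler runs (path is an assumption).
$clientCmd = Join-Path $SyncBin "DirectorySyncClientCmd.exe"
if (Test-Path $clientCmd) {
    & $clientCmd delta | Out-Null
}

# Sign in to the tenant; prompts for the tenant admin credentials used during setup.
Connect-MsolService

# 1. Tenant-level sanity check: is directory sync enabled, and when did it last run?
$company = Get-MsolCompanyInformation
"DirSync enabled: {0}; last sync (UTC): {1}" -f `
    $company.DirectorySynchronizationEnabled, $company.LastDirSyncTime

# 2. On-premises users in scope (in the post these were Bill and Stella).
$onPrem = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
          -Properties objectGUID, userPrincipalName

# 3. Cloud users that came from sync. LastDirSyncTime is only set on synced objects,
#    so cloud-only accounts are excluded from the comparison.
$cloud = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null }
$cloudByAnchor = @{}
foreach ($u in $cloud) { $cloudByAnchor[$u.ImmutableId] = $u }

# 4. Compare by source anchor rather than by UPN. The UPN can legitimately change on
#    the way to the cloud (e.g. a non-routable .local suffix gets replaced), but the
#    anchor must match or the cloud object did not come from this AD user.
$report = foreach ($u in $onPrem) {
    $anchor = [Convert]::ToBase64String($u.objectGUID.ToByteArray())
    $match  = $cloudByAnchor[$anchor]
    [pscustomobject]@{
        OnPremUPN  = $u.UserPrincipalName
        Anchor     = $anchor
        InAzureAD  = [bool]$match
        CloudUPN   = if ($match) { $match.UserPrincipalName } else { $null }
        LastSynced = if ($match) { $match.LastDirSyncTime } else { $null }
    }
}

$report | Format-Table -AutoSize

# Anything still missing is worth checking in Synchronization Service Manager
# (connector space and Metaverse search) before concluding the service is healthy.
$missing = @($report | Where-Object { -not $_.InAzureAD })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} enabled AD user(s) not found in Azure AD" -f $missing.Count)
}
```

Matching on the anchor is the check that matters: two accounts can share a display name or even a UPN across the on-premises and cloud directories, but a cloud user whose ImmutableId does not equal the Base64 of the AD user's objectGUID was not produced by the sync of that AD object, which is exactly the situation the Metaverse search in the post is there to catch.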

Upgrading from DirSync or FIM to Azure AD Sync

Upgrading from DirSync is a simple process; in fact, I went through it while writing this post. For more information on the upgrade process please visit: https://msdn.microsoft.com/en-us/library/azure/dn783462.aspx

Next Steps

There are a lot of advantages to using Microsoft Azure Active Directory as an identity provider, as well as added benefits when synchronizing accounts from on-premises AD to Azure AD. The Azure AD Sync tool is feature rich and offers much more than what I walked through today.

Again, to learn more about the differences between the directory integration tools please visit: https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx