ThirdSpace ThirdSpace
ThirdSpace Contact Us
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Page
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Service
  • Solutions
  • People
Load more
30 September 2020

Uniting disparate directories: What is Azure AD Connect cloud provisioning?

Profile shot of Simon Veale.
Written by Simon Veale

Achieving a single user instance across all your applications is key to a hybrid approach, but what if you’ve multiple Active Directories to sync into your Azure AD tenant?

At the 2019 ThirdSpace Identity and Security Summit, I asked the audience if any of them were NOT operating a hybrid IAM model at their organisation.

Only one out of two hundred delegates raised their hand.

All these organisations (except one, apparently) need their users to have a single identity that will grant them seamless access across their on-premises and cloud applications.

Azure AD Connect sync is the tool that synchronises users and other objects (contacts, groups, devices) in your on-premises Active Directories with your Azure AD tenant.

But what if your Azure AD Connect sync server can’t connect to all of your Active Directories?

What if your organisation just acquired or merged with another organisation and wants to bring new employees into your Azure AD tenant to provide them with the same access to corporate email, office and collaboration tools and SaaS business applications?

Well, that’s where Azure AD Connect cloud provisioning comes in.

How does Azure AD Connect cloud provisioning work?

Azure AD Connect sync is straightforward to install and configure via a wizard and sits at the centre of a hybrid organisation’s identity management infrastructure.

It ensures that new users are created in the Cloud, kept up to date as they move around the organisation, and then, when they are no longer part of the organisation, deleted.

Ideally, new users will be entered into the HR system and automated provisioning processes will take over – creating corresponding accounts in Active Directory, Azure AD and other non-Microsoft SaaS applications.

What Microsoft’s Azure AD Connect cloud provisioning service allows you to do is extend your IAM infrastructure to synchronise multiple disconnected Active Directories into your Azure AD tenant.

Unlike Azure AD Connect sync, which runs on an on-premises synchronisation server, Azure AD Connect cloud provisioning runs in the Cloud using light-weight provisioning agents.

These agents are either on-premises or in your IaaS-hosted environment and act as bridges between Active Directory and Azure AD.

All the configuration is stored in Azure AD and managed centrally in the Cloud. Multiple agents may be installed in an Active Directory forest for high availability.

It works happily in an Azure AD tenant that is already using Azure AD Connect sync but it is not currently a replacement for it.

What isn’t supported?

Noteworthy omissions, at the time of writing, include support for:

  • Device synchronisation
  • User-defined attributes
  • Pass-through authentication
  • Password write-back
  • Attribute-based filtering
  • Advanced attribute flows

Active Directories with more than 50,000 objects are also not supported. Neither is hybrid Exchange. A complete feature comparison can be viewed here.

These limitations notwithstanding, we can probably predict Microsoft’s direction of travel.

Everything is moving towards the Cloud, but currently, Azure AD Connect cloud provisioning is targeted at this very specific “disconnected Active Directory” scenario.

Some other things to bear in mind as you plan your deployment of Azure AD Connect cloud provisioning:

  • Users and groups must be uniquely identified across all forests.
  • Matching across forests does not occur with cloud provisioning.
  • A user or group must be represented only once across all forests.
  • The source anchor for objects is chosen automatically. It uses ms-DS-ConsistencyGuid if present, otherwise objectGUID is used.
  • You cannot change the attribute that is used for the source anchor.
Webinar: Azure AD – The only cloud identity provider you'll need

Webinar: Azure AD – The only cloud identity provider you'll need

Discover how Azure AD can secure your internal and external identities – and provide seamless access to all your applications and data. You'll learn how to:

  • Provide secure access with MFA, conditional access and more
  • Create a unified identity approach across your entire enterprise
Watch on-demand now

How to install and configure Azure AD Connect cloud provisioning

The Azure AD Connect provisioning agent is installed from the Azure portal.

A wizard then allows the connection to Active Directory to be configured.

Note that the provisioning agent will be updated automatically by Microsoft, which you may or may not see as a benefit. But there is no option to turn off auto-updating.

The Azure portal is then used to configure Azure AD Connect cloud provisioning.

If you have users in one or more disconnected Active Directories in your organisation, but you want to offer those users access to services from your Azure AD tenant, then this is the tool you’ve been waiting for.

Key takeaways

  • Azure AD Connect sync synchronises users and objects on-premises into your Azure AD tenant.
  • Azure AD Connect cloud provisioning allows you to connect multiple on-premises Active Directories to Azure AD.
  • Azure AD Connect sync is based on-premises whereas cloud provisioning sits in the Cloud and uses light-weight provisioning agents.
  • Some limitations apply, but it will help you to unite disparate network forests.
Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Submit your business email to join our mailing list and we'll send you 'A buyer’s guide to Microsoft Enterprise Security'.

Next steps

Profile shot of Simon Veale.

About Simon Veale

Senior Architect

A ThirdSpace veteran, Simon has a highly developed IAM skill set and the flexibility to adapt it to whatever the situation requires. Having been in 'identity management' forever, there’s probably not...


You may also like...


How the SolarWinds breach highlights the dangers of federated authentication – and what you can do to protect against it


What is Microsoft Identity Manager (MIM)? Everything you need to know


The definitive guide to Azure AD: Everything you need to know

Recent Blog Articles

View All
Related topics

Worth a watch: Azure AD webinar on-demand

Discover how you can secure your internal and external identities – it’s all you need!

Watch now

Need some help?

Send us your questions or feedback.

Friendly folks are standing by!

Contact Us
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.