Achieving a single user instance across all your applications is key to a hybrid approach, but what if you have multiple Active Directories to sync into your Azure AD tenant?
At the 2019 ThirdSpace Identity and Security Summit, I asked the audience if any of them were NOT operating a hybrid IAM model at their organisation.
Only one out of two hundred delegates raised their hand.
All these organisations (except one, apparently) need their users to have a single identity that will grant them seamless access across their on-premises and cloud applications.
Azure AD Connect sync is the tool that synchronises users and other objects (contacts, groups, devices) in your on-premises Active Directories with your Azure AD tenant.
But what if your Azure AD Connect sync server can’t connect to all of your Active Directories?
What if your organisation just acquired or merged with another organisation and wants to bring new employees into your Azure AD tenant to provide them with the same access to corporate email, office and collaboration tools and SaaS business applications?
Well, that’s where Azure AD Connect cloud provisioning comes in.
Azure AD Connect sync is straightforward to install and configure via a wizard and sits at the centre of a hybrid organisation’s identity management infrastructure.
It ensures that new users are created in the Cloud, kept up to date as they move around the organisation, and then, when they are no longer part of the organisation, deleted.
Ideally, new users will be entered into the HR system and automated provisioning processes will take over – creating corresponding accounts in Active Directory, Azure AD and other non-Microsoft SaaS applications.
What Microsoft’s Azure AD Connect cloud provisioning service allows you to do is extend your IAM infrastructure to synchronise multiple disconnected Active Directories into your Azure AD tenant.
Unlike Azure AD Connect sync, which runs on an on-premises synchronisation server, Azure AD Connect cloud provisioning runs in the Cloud using lightweight provisioning agents.
These agents are either on-premises or in your IaaS-hosted environment and act as bridges between Active Directory and Azure AD.
All the configuration is stored in Azure AD and managed centrally in the Cloud. Multiple agents may be installed in an Active Directory forest for high availability.
It works happily in an Azure AD tenant that is already using Azure AD Connect sync, but it is not currently a replacement for it.
Noteworthy omissions, at the time of writing, include support for:
Active Directories with more than 50,000 objects are also not supported. Neither is hybrid Exchange. A complete feature comparison can be viewed here.
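The 50,000-object limit is worth checking before an agent is planned for a disconnected forest. The following PowerShell script is an added example, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read every domain in the forest; counting user, contact, group and computer objects is an assumption based on the object types the post says are synchronised, so narrow the filters if your sync scope is smaller.

```powershell
# Added example (not from the original post or from Microsoft): count the
# directory objects per domain in a disconnected forest so the 50,000-object
# limit quoted above can be checked before a provisioning agent is deployed.
# Assumes the RSAT ActiveDirectory module is present and the caller can read
# every domain in the forest. The object classes counted are an assumption
# based on the object types the post says are synchronised.
Import-Module ActiveDirectory

$ObjectLimit = 50000   # limit stated in the post at the time of writing

# LDAP filters for each in-scope object type (constructed for this example).
# objectCategory=person with objectClass=user excludes computer accounts,
# which are a subclass of user and are counted separately below.
$Filters = [ordered]@{
    Users     = '(&(objectCategory=person)(objectClass=user))'
    Contacts  = '(objectClass=contact)'
    Groups    = '(objectCategory=group)'
    Computers = '(objectCategory=computer)'
}

$Report = foreach ($Domain in (Get-ADForest).Domains) {
    $Row   = [ordered]@{ Domain = $Domain }
    $Total = 0
    foreach ($Name in $Filters.Keys) {
        # -Server accepts a domain name and locates a DC for it; only the
        # default attributes are returned, so counting is cheap.
        $Count = @(Get-ADObject -Server $Domain -LDAPFilter $Filters[$Name]).Count
        $Row[$Name] = $Count
        $Total     += $Count
    }
    $Row['Total']       = $Total
    $Row['WithinLimit'] = ($Total -le $ObjectLimit)
    [pscustomobject]$Row
}

$Report | Format-Table -AutoSize

# Flag any domain that is over the limit and would still need Azure AD Connect sync.
$Report | Where-Object { -not $_.WithinLimit } | ForEach-Object {
    Write-Warning ("{0} has {1} in-scope objects, above the {2} limit for cloud provisioning." -f $_.Domain, $_.Total, $ObjectLimit)
}
```

Run it from a machine joined to, or with network reach into, the disconnected forest rather than from the existing Azure AD Connect sync server, since by definition that server cannot reach these domains.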
These limitations notwithstanding, we can probably predict Microsoft’s direction of travel.
Everything is moving towards the Cloud, but currently, Azure AD Connect cloud provisioning is targeted at this very specific “disconnected Active Directory” scenario.
Some other things to bear in mind as you plan your deployment of Azure AD Connect cloud provisioning:
The Azure AD Connect provisioning agent is installed from the Azure portal.
A wizard then allows the connection to Active Directory to be configured.
Note that the provisioning agent is updated automatically by Microsoft, which you may or may not see as a benefit; either way, there is no option to turn off auto-updating.
The Azure portal is then used to configure Azure AD Connect cloud provisioning.
If you have users in one or more disconnected Active Directories in your organisation, but you want to offer those users access to services from your Azure AD tenant, then this is the tool you’ve been waiting for.
A ThirdSpace veteran, Simon has a highly developed IAM skill set and the flexibility to adapt it to whatever the situation requires. Having been in 'identity management' forever, there’s probably not...