AAD Connect and Beyond

First came DirSync, then came AADSync and now it’s and I’m sure you’ll agree with me that through each phase of Microsoft’s identity synchronisation platform, we’ve seen many changes for the greater good of mankind.

Hey folks! Pure Awesomeness here and I’m back again with a brand-new blog post about identity across the big wide world of Office 365 and Azure AD. You’re probably wondering what more I can talk about as a follow up to my last blog – Identity – The Boss of All Bosses? Well, there’s a new topic to talk about along the lines of identity synchronisation. You see, our good friends at Microsoft have been working on another way to synchronise identities to your Azure AD and although it’s in preview mode, you, my fellow apprentice, can go through the configuration and deploy in your lab for testing. Do not under any circumstances deploy this new method in a production environment. It’s exactly what the word “preview” means. There are limitations with the product at the moment, so the best thing to do is:

  • Deploy in a lab
  • Test said deployment in a lab
  • Try and break said deployment in a lab
  • Provide feedback to Microsoft
  • Sign up to Insentragram - oh you knew this was coming

You can read more about the differences between Azure AD Connect and Azure AD Connect Cloud Provisioning here

So, Pure Awesomeness, what is this new sync technology you keep talking about but haven’t mentioned what it’s called yet…?

Buckle up my apprentice. Here we go!

Azure AD Connect Cloud Provisioning – easy to remember right?

So, what is it and how is it different to the other three sync technologies we’ve been configuring over the years?

With the huge adoption rate of Microsoft cloud services across the globe, it’s only logical (admit it, you just read this out in Spock’s voice) Microsoft will modernise the way identities are synchronised to the cloud. How do they envision this to be done? By removing the need for any heavy lifting from on-premises infrastructure to the cloud and replacing it with light weight agents. These agents communicate with Azure AD using the Azure AD Application Proxy to trigger the required sync jobs. Currently, this job relies solely on a single Azure AD Connect server installed in your on-premises network.

What happens if this server were to go offline? If you had deployed another Azure AD Connect server in staging mode, excellent. You could leverage this bad boy to keep your identities in sync. If you had no staging server, uh oh (and yes, you just said this in the voice of the ICQ notification from way back in the day – shows my age!), you would have to implement a new Azure AD Connect server! And who has time for that???

What does Azure AD Connect Cloud Provisioning bring to your organisation I hear you ask? At a first glance, High Availability (HA)! Installing multiple agents across your infrastructure will give your organisation the HA it needs to keep identity synchronisation ticking along in the event of an agent outage.

Now, you purely awesome mad man, how do you go about deploying Azure AD Connect Cloud Provisioning? I thought you’d never ask.

The main thing to note is my lab contains a brand-new Active Directory forest and a brand-new Office 365 tenant. There are currently no identities being synchronised in any way, shape or form to the tenant.

First thing’s first; log into your Azure AD Admin Centre (aad.portal.azure.com) with your Global Administrator credentials and click on the Azure Active Directory blade from the list on the left-hand side and then navigate to the Azure AD Connect blade.

Next, click on Manage Provisioning (Preview)

Click on Download agent

Before you proceed with the installation of the agent(s), ensure the following pre-requisites are met within your lab environment:

  • Windows Server 2012 R2 or higher to install the agent on and yes, installing on a Domain Controller is supported
  • .Net Framework 4.7.1 or higher
  • Outbound TCP 80 and 443 access

Now the fun part – installing and configuring the agent.

When the agent has been installed, you’ll be presented with the configuration wizard, which has less options than the Azure AD Connect wizard. The reason for this is the bulk of the configuration is completed within Azure AD. #winning

To begin the wizard, enter in your Azure AD Global Admin credentials

Then, connect to your on-premises Active Directory environment

Confirm the details and sit back and wait for the installation to complete

Next on the list of tasks, review and make sure the agent has installed correctly and is reporting back with an active status. You can do this through the Review all agents tab.

Next, click on the New configuration tab to configure the newly installed agent

Configure the options provided

The scope can be changed to one of the following:

  • All users
  • Selected security groups
  • Selected organisational units

When the configuration has been saved, you can then review the synchronisation logs to ensure successful jobs have occurred. You can also confirm by navigating to the Users blade in Azure AD. There, you will see your set of users  whic have successfully synced across based on the scope you selected in the configuration options above.

But what about the HA functionality of the agents? Well, it’s pretty straight forward. Given you’ve already gone through and configured the sync settings for the first agent, all you need to do is download the agent on other servers within the domain and install it following the steps in this blog. Once the additional agents are installed successfully, they’ll report back to Azure AD. The beauty of the additional agents is they deploy in an active/active configuration. If one agent fails, the other takes over with the sync cycle!

 Here’s what you’ll see when and if an agent goes offline:

So, there you have it folks. Azure AD Connect Cloud Provisioning at a very high level. As it’s still in preview mode, you’re limited with what you can do with it for the time being but watch this space, as it matures, there will come a point where it could very well replace Azure AD Connect as a whole.

Until next time, Pure Awesomeness signing off!

 “If you want to live a happy life, tie it to a goal, not to people or things.” – Albert Einstein

 

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

[FastTrack]

How Does the Microsoft FastTrack Benefit Work for Clients?

By [Lauren Rutter]

Microsoft FastTrack is one of the most misunderstood services by both the reseller community and end customers alike.  The service is an ongoing free benefit for all qualified clients who have purchased over 150 seats of Microsoft 365 or Office 365 (exclusions apply).

[FastTrack]

Faster Deployment and Adoption of Microsoft Workloads? Your Clients will Thank you.

By [Ronnie Altit]

Microsoft FastTrack is one of the most misunderstood services by both the reseller community and end customers alike.  The service is an ongoing free benefit for all qualified clients who have purchased over 150 seats of Microsoft 365 or Office 365 (exclusions apply).

[FastTrack]

Insentra Insights - Unpacking FastTrack

By [Ronnie Altit]

Microsoft FastTrack is one of the most misunderstood services that Microsoft provides to their end-user customers...