Azure AD Connect Cloud Provisioning. The new feature that may come in handy!

Microsoft have finally answered the prayers of the IT admins! Long story short, gone of the days where the IT admins had to make sure 2 AD forests can see each other and the ports are opened, before it adds to the Azure AD Sync tool as another directory, so the users from that directory will be synced to the portal.
Once I saw this in Microsoft’s roadmap, I thought I’d read more and play with it and see how it can be helpful for anyone who is curious about it.

This is still in the Public Preview mode and set to be released in Q4 2020 according to Microsoft Roadmap. By looking at the tool, it looks like it needs more improvements. Hopefully it will be feature-full when its generally available.

This lightweight tool is specially designed for the purpose of syncing objects of disconnected AD forests.

Usually this happens after a merger or an acquisition where the management is required to add the new set of users to the cloud and authenticate to resources. Ideally, this will happen after the networks between the 2 AD forests can see each other and with some DNS config changes.

Limitations

Because this is in the Preview mode and also this being a lightweight tool compared to the Azure AD Connect Sync tool, some capabilities have not been added. This is according to this Microsoft Article

FeatureAzure Active Directory Connect syncAzure Active Directory Connect cloud provisioning
Connect to single on-premises AD forest
Connect to multiple on-premises AD forests
Connect to multiple disconnected on-premises AD forests 
Lightweight agent installation model 
Multiple active agents for high availability 
Connect to LDAP directories 
Support for user objects
Support for group objects
Support for contact objects
Support for device objects 
Allow basic customization for attribute flows
Synchronize Exchange online attributes
Synchronize extension attributes 1-15
Synchronize customer defined AD attributes (directory extensions) 
Support for Password Hash Sync
Support for Pass-Through Authentication 
Support for federation
Seamless Single Sign-on
Supports installation on a Domain Controller
Support for Windows Server 2012 and Windows Server 2012 R2
Filter on Domains/OUs/groups
Filter on objects’ attribute values 
Allow minimal set of attributes to be synchronized (MinSync)
Allow removing attributes from flowing from AD to Azure AD
Allow advanced customization for attribute flows 
Support for writeback (passwords, devices, groups) 
Azure AD Domain Services support 
Exchange hybrid writeback 
Support for more than 50,000 objects per AD domain 

Few notable features that could have been added to the Public Preview

No PowerShell features
The on-demand sync command Start-ADSyncSyncCycle is not available unfortunately and have to rely on the standard sync cycles.

No Password Writeback – Imagine your newly added AD forest need to be setup with PWB option. This will not support that feature.

No Pass-Through Authentication enabled – Only Password Hash Sync is enabled at the moment. If you looking not to bring the password hashes to the cloud, well either go with the AAD Sync Connect tool or probably wait for a more mature version of this tool.

Azure AD Domain Services support – If you planning to configure the newly added users to access Azure Files for an example, you’ll not be able to grant permissions as this the AAD Cloud Provisioning tool is not compatible with the AAD Domain Services feature.

Prerequisites

In-Cloud Identity Administrator Account
This is a user that is not synced, but created in the cloud with Global Admin access. Why in-cloud? It’s because if you lose the access to the on-premises servers, you still can manage the account because its created in cloud.

Server to run the agent
Windows Server 2012R2 or later

Security
TLS 1.2 must be activated in the server that the agent is getting installed

How to configure and use the AAD Cloud Provisioning Tool?

Scenario – My test AAD Tenant name is – eclipsetest.onmicrosoft.com
On premises AD Forest Name: eclipse.local
My on-premises domain is a non-routable domain. Meaning I have to change the UPN after synced to the cloud.

  1. Open Azure AD Portal and navigate to Azure Active Directory > Azure AD Connect
  2. Navigate to Manage Provisioning link under “Provision From Active Directory”
  3. Download the agent on to the desired server in the AD forest
  4. Provide the in-cloud administrator credentials to connect the tool to the tenant
  5. Enter the On-Premises Domain name > select Add Directory > Provide On-prem admin credentials and complete the installation.



    Once you go back the AAD portal, you will see below
    Status of the added domain will be shown as below

    Configure the domain for the sync

    This will create the config profile for the installed agent for that on-premises AD domain. And finally the config needs to be enabled and it will start provisioning the objects.

  6. Select New Config


  7. Set the sync scope. This is the same as AAD Sync Connect tool where you specify what OUs to be synced.
    However this has the option to select the security groups as well
  8. Provide the notification email address to alert regarding sync errors under Settings.
    Enable the config and Save once you done.


    Event Viewer logs on that on-premises server to verify the agent is now running


    Make sure the below 2 services are running
    * Microsoft Azure AD Connect Agent Updater
    * Microsoft Azure AD Connect Provisioning Agent


    Provisioning logs from Azure AD Portal to check the status

Final Words

Because this needs more improvements, you still need to have the standard Azure AD Sync Connect tool installed so the other domains can get the full benefit of the Azure AD features in a hybrid environment.

However, in a generally available/ more mature AAD Cloud Provisioning Tool will be more feature rich and maybe will be able to replace the Azure AD Sync Connect tool that can give admins more portability and manageability with less hassle.

 

 

Feature image from: https://www.businessnewsdaily.com/10748-top-5-cloud-certifications.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.