Mar 26, 2015
If you have been following the Active Directory space over the last 12 months or so, particularly in the AD to Azure AD integration arena, there have been a lot of confusing changes and releases. We started off with the old DirSync tool, which has been around since Microsoft first started climbing into the cloud. DirSync was a great workhorse, but it had some limitations: it only synced one way, from on-premises AD up to Azure AD, and it could only handle a single forest.
Then last year Microsoft released Azure Active Directory Sync (AAD Sync – more info can be found here) which added the following capabilities:
- Active Directory and Exchange multi-forest environments can be extended now to the cloud
- Control over which attributes are synchronised based on desired cloud services
- Selection of accounts to be synchronised through domains, OUs, etc.
- Ability to set up the connection to AD with minimal Windows Server AD privileges
- Setup synchronisation rules by mapping attributes and controlling how the values flow to the cloud
- Preview of AAD Premium password change and reset writing back to on-premises AD
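One of the items above, connecting to AD with minimal privileges, is something worth verifying rather than taking on trust, because the rights a sync account needs depend on which features you turn on (password synchronisation in particular relies on the directory replication extended rights, the same rights a domain controller uses to replicate password data). The following PowerShell is an added example written for this post, not part of the original article or any Microsoft tool; it lists the access control entries the sync service account holds on the domain root. The account name and the use of the ActiveDirectory module's AD: drive are assumptions; substitute your own service account.

```powershell
# Added example (not from the original post): audit which rights a sync service
# account holds on the domain root, so "minimal AD privileges" is checked, not assumed.
# Assumptions: the RSAT ActiveDirectory module is installed, you are running as a
# domain user who can read the domain root ACL, and $SyncAccount is a placeholder.
Import-Module ActiveDirectory

$SyncAccount = 'CORP\svc-aadsync'                 # placeholder, replace with your account
$DomainDN    = (Get-ADDomain).DistinguishedName

# Fixed, well-known GUIDs for the replication extended rights in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-SyncAccountRights {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$DN
    )
    # The AD: PSDrive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path "AD:\$DN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            $extended = $ReplRights[$_.ObjectType.ToString()]
            [pscustomobject]@{
                Rights        = $_.ActiveDirectoryRights
                ExtendedRight = if ($extended) { $extended } else { '' }
                Type          = $_.AccessControlType
                Inherited     = $_.IsInherited
            }
        }
}

$rights = Get-SyncAccountRights -Account $SyncAccount -DN $DomainDN
$rights | Format-Table -AutoSize

# Replication rights are only justified if a feature that needs them (password sync)
# is actually enabled; flag them so the decision is a conscious one.
if ($rights | Where-Object { $_.ExtendedRight -ne '' }) {
    Write-Warning "$SyncAccount holds directory replication rights on $DomainDN; confirm the enabled sync features require them."
}
elseif (-not $rights) {
    Write-Output "$SyncAccount has no explicit ACEs on $DomainDN (rights may come via group membership; check those groups separately)."
}
```

Run it before and after configuring the sync tool and diff the two outputs; anything beyond read access plus the rights your chosen features need (for example, write access to the attributes you write back) is a candidate for removal.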
Then there is the more advanced directory integration tool FIM (Forefront Identity Manager), which was designed to manage users' digital identities, credentials and group memberships in enterprise scenarios. These are all good tools with some great features, but they are sometimes quite complex to configure properly (particularly FIM), and it is often confusing which tool to use in a given AD integration scenario.
Well it looks like Microsoft have been listening to all of our feedback, done a re-think and gone back to the drawing board so to speak (just to mix my cliches!), and have come up with their latest “one sync to rule them all” tool - Azure Active Directory Connect Wizard.
As Microsoft says, “Azure Active Directory Connect encompasses functionality that was previously released as DirSync and AAD Sync.” and “is now the one stop shop for sync, sign-on, and all other aspects of your on-premises to Azure AD integration.” In other words, the “new” Azure Active Directory Connect is intended to replace the earlier Azure AD Connect preview, DirSync and AAD Sync, and to cover the Azure AD integration scenarios that previously needed FIM. Note especially that Microsoft have said that once Azure Active Directory Connect is officially released, DirSync and AAD Sync will no longer be released as separate products.
Now despite the Microsoft marketing department’s messages (and the AD Integration tool names) all starting to sound the same, this is a huge step up for administrators trying to manage AD integration. Again, to quote Microsoft, (here) “Azure AD Connect has everything you need to connect your Windows Server AD(s) and Azure AD with only 4 clicks.” Now that has to be a good thing and it is – Microsoft has even published a chart comparing all the features of the previously mentioned tools and Azure AD Connect here. The chart still shows some of the features as “coming soon” (CS), but some of the features already implemented include:
- Supports installation on Domain Controllers
- Able to Connect to single and multiple on-premises AD forests
- Attribute writeback (for Exchange hybrid deployment) and writeback of passwords (from self-service password reset (SSPR) and password change)
- Password sync for single and multiple on-premises AD forests, or alternatively single sign-on (SSO) through federation (AD FS) configured from the same wizard
- Ability to filter on objects’ attribute values as well as Domains and Organisational Units
- Allow a minimal set of attributes to be synchronized (MinSync) and
- Allow different service templates to be applied for attribute flows
Microsoft have also promised to include all the features (at least all the DirSync and AAD Sync features) listed as CS before the product is available for general release – possibly sometime in March 2015. This will certainly be one powerful tool! It is currently in public preview release, which means you shouldn’t use it in your production environment as yet, but you can find out more info about the Azure Active Directory Connect Wizard here, and download a copy for testing here. One word of caution though, it looks like this wizard will have support for Windows Server 2012 and above only.
So strap yourself into your favourite comfy chair and hang on, because when this product finally hits official release (General Availability or GA in Microsoft speak), we are likely to see a lot of changes happening fast in the Active Directory Integration arena!