Azure AD Connect Cloud Provisioning Syncs Identities from Disconnected Forests

Most readers are likely familiar with Azure AD Connect, previously DirSync, Microsoft’s tool for synchronizing Active Directory (AD) accounts to Azure AD. Azure AD Connect can synchronize password hashes to the cloud, which is Microsoft’s recommended option, or alternatively use pass-through authentication (PTA). PTA keeps passwords on-premises and lets organizations enforce Windows Server AD security and password policies.

You can find out more about setting up PTA in Azure AD Connect on Petri here.

Cloud provisioning simplifies synchronizing on-premises identities to Azure AD during mergers and acquisitions

After an acquisition, it’s common that IT is required to synchronize identities from a new business group, which has its own AD domains and forests, to the cloud. But Azure AD Connect can’t synchronize identities from disconnected AD forests: each Azure AD Connect server works with only one Azure AD tenant, and it must have network connectivity to every AD forest it synchronizes.

Microsoft added ‘cloud provisioning’ to Azure AD Connect in 2019. Cloud provisioning simplifies synchronizing on-premises identities to Azure AD during mergers and acquisitions. Azure AD cloud provisioning is in preview, so it shouldn’t be used in production environments.

Azure AD cloud provisioning moves the workload from Windows Server AD to Azure AD. It uses lightweight on-premises agents to synchronize accounts from disconnected AD forests to Azure AD. All the synchronization configuration and processing happen in the cloud. High availability is also available by deploying multiple agents.

Azure AD cloud provisioning limitations

But in its current form, cloud provisioning has some limitations. For example, it doesn’t support synchronizing device objects, customer-defined AD attributes, pass-through authentication, or attribute value filters. Because of these restrictions, organizations using hybrid Azure AD join or hybrid Exchange deployments will run into problems with cloud provisioning.

For a full list of the limitations, see Microsoft’s website here.

Duplicate objects can pose an issue if the same user exists in more than one of the AD forests being synchronized to Azure AD. Cloud provisioning doesn’t match objects across disconnected forests, so you’ll need to make sure the objects being synchronized are unique. Duplicate users synchronized using cloud provisioning can result in errors in Azure AD.
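Because cloud provisioning won’t do the cross-forest matching for you, a pre-flight uniqueness check is worth running before the agents are switched on. The script below is an added example, not Microsoft’s or Petri’s code; it assumes you have exported each forest’s users (for instance with Get-ADUser) into lists of dictionaries with the attributes shown, and it flags any userPrincipalName or SMTP address (mail or proxyAddresses) that appears in more than one forest.

```python
"""Pre-flight check before Azure AD cloud provisioning: find identity values
that collide across disconnected AD forests, which the cloud provisioning
agent will not reconcile on its own."""
from collections import defaultdict

# Constructed sample exports from two disconnected forests after an acquisition.
# Attribute names follow on-premises AD; the forest names are placeholders.
SAMPLE_FORESTS = {
    "contoso.local": [
        {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@contoso.com",
         "mail": "jsmith@contoso.com", "proxyAddresses": ["SMTP:jsmith@contoso.com"]},
        {"sAMAccountName": "alee", "userPrincipalName": "alee@contoso.com",
         "mail": "alee@contoso.com", "proxyAddresses": ["SMTP:alee@contoso.com"]},
    ],
    "fabrikam.local": [
        {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@fabrikam.com",
         "mail": "jsmith@fabrikam.com",
         "proxyAddresses": ["SMTP:jsmith@fabrikam.com", "smtp:jsmith@contoso.com"]},
        {"sAMAccountName": "alee", "userPrincipalName": "alee@contoso.com",
         "mail": "a.lee@fabrikam.com", "proxyAddresses": ["SMTP:a.lee@fabrikam.com"]},
    ],
}


def collision_keys(user):
    """Values Azure AD requires to be unique tenant-wide: the UPN, and every
    SMTP address from mail and proxyAddresses (compared case-insensitively)."""
    keys = {("upn", user["userPrincipalName"].lower())}
    if user.get("mail"):
        keys.add(("smtp", user["mail"].lower()))
    for addr in user.get("proxyAddresses", []):
        # proxyAddresses entries carry a type prefix such as 'SMTP:'/'smtp:';
        # only the address part matters for uniqueness.
        keys.add(("smtp", addr.split(":", 1)[-1].lower()))
    return keys


def find_cross_forest_collisions(forests):
    """Return {(kind, value): [(forest, sAMAccountName), ...]} for each value
    held by accounts in two or more different forests."""
    holders = defaultdict(list)
    for forest_name, users in forests.items():
        for user in users:
            for key in collision_keys(user):
                holders[key].append((forest_name, user["sAMAccountName"]))
    return {k: v for k, v in holders.items() if len({f for f, _ in v}) > 1}


if __name__ == "__main__":
    for (kind, value), owners in find_cross_forest_collisions(SAMPLE_FORESTS).items():
        print(f"{kind} {value} is held in more than one forest: {owners}")
```

Any value the check reports must be renamed or retired in one of the forests before that forest’s agent is allowed to provision it into the tenant.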

Cloud provisioning doesn’t support Exchange hybrid deployments. Microsoft says: “The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect is synchronizing a specific set of attributes from Azure AD back into your on-premises directory. The cloud provisioning agent currently does not synchronize these attributes back into your on-premises directory and thus it is not supported as a replacement for Azure AD Connect.”

It’s not clear when cloud provisioning will hit general availability

It’s not clear when cloud provisioning will hit general availability, or whether the shortcomings I mentioned above will be addressed in the shipping version. Microsoft updated its FAQ on cloud provisioning in June 2020, but with no changes to the information about hybrid Exchange deployments.

Azure AD cloud provisioning will help synchronize identities to the cloud from disconnected AD forests for some organizations. But if Microsoft isn’t able to address the current limitations, many businesses will need to turn to third-party alternatives.