When organizations want to extend Active Directory to Azure Active Directory, AD Connect sync is the way to go. AD Connect sync is your go-to feature for all your hybrid workloads, such as identity, domain join, and Exchange.
But as we all know, AD Connect sync is running on a SQL (express) database and is not high-available. For bigger companies with complex requirements, AD Connect sync is the best solution. But there are also companies that don’t need AD Connect sync to take advantage of the hybrid identity and password hash sync. Meet Azure AD Connect Cloud Sync. Let’s take a look at what it can do, but more important: what it cannot do. Cloud Sync is not for everybody…..
What is Azure AD Connect Cloud sync
Azure AD Connect Cloud Sync is a new feature to sync attributes from Active Directory to Azure Active Directory without the need to install and maintain AD Connect on-premises. It is a lightweight solution that only needs an Azure AD cloud provisioning agent to build the bridge between both environments. High Availability can be easily done by installing more than one agent. This is very important when organizations rely on password hash synchronization as their primary authentication method. AD Connect will sync hashes every two minutes, so when AD Connect is down, passwords are not updated.
Next, Azure AD Cloud Sync can be used to connect more than one forest. So if you are already using AD Connect sync, you can also extend your installation with AD Connect Cloud Sync.
How to setup Cloud Sync from scratch?
In this scenario, we have a single forest, single domain setup with no AD Connect Sync in place. Let see how easy it is to install AD Connect Cloud Sync.
To get started, go to the Azure management portal and select Azure Active Directory. Next, select the Manage Azure AD cloud sync hyperlink.
Select Download agent, and agree with the term and conditions to download the installer for the Azure Cloud sync agent.
To install the agent you’ll need Windows 2016 or later. Start the installation by executing the installer file. Again, agree with the license term and conditions and click Install. You can also do a scripted installation with PowerShell.
In the first screen, click Next.
You will get prompted to enter your Azure AD credentials.
Next, enter your Active Directory credentials to create a Service Account. You can also use a custom group managed service account.
In the next screen, select the directory and domain that you want to connect.
Check the settings, and Confirm if everything looks right.
After the installation is done, select Exit to finish the wizard. In case you are wondering: By default, cloud sync uses ms-ds-consistency-GUID with a fallback to ObjectGUID as source anchor. There is no supported way to change the source anchor.
Now that the installation is done, go back to the Azure portal to see if the agent shows up. You can install multiple servers if you need to.
Now that we have one agent installed, we can go on and create a new configuration.
Select the Active Directory domain that we connected earlier and click Create. Notice that password hash sync is selected and enabled by default. I suggest you leave this enabled.
In the next screen, you can select the scope, similar to ADConnect sync, only a bit limited. You can enable the sync for all users, for selected groups, or for specific Organizational Units (OU’s).
In this example, we’ll pick the latter one. To get the right OU distinguishedName, we’ll use ADSI edit. Here, we only want to sync the objects in the CloudSyncObjects OU.
Paste the distinguishedName and click add. You can add multiple OU’s if needed.
If needed, you can adjust the mappings of your users, groups, and contacts. This is a similar experience as the Rule Editor in AD Connect Sync. For now, we leave everything to default.
Next, we are going to provision a single object to test the configuration.
Here, we do the same trick as we did with the OU’s. Just copy the distinguishedName of the object with ADSI edit and paste this in the field to
After the provisioning is complete, you can see the details in the right pane. Adjust your settings if needed.
In the last step, you are able to set up a notification and configure the threshold to prevent accidental deletion of objects. In step 5, select the Enable toggle and save the configuration.
In the overview page, the configuration will show up as healthy.
In the log files, you can check out the objects that are being provisioned by Azure AD Connect Cloud Sync.
Wrap things up
You might be noticed that we didn’t have to set up any SQL (Express) database, and the installation of the agent is just a few clicks and doesn’t require complex configuration settings. To sum up the benefits of Azure AD Connect Cloud Sync:
- Azure AD Connect Cloud Sync is a mouthful, so you might impress any client or fellow administrator during your daily standup 😉
- It does not require a SQL (Express) database on your server
- By installing multiple agents, you will create high availability without the need to configure inbound ports or load balancers
- The agents will get auto-updated, so no more painful AD Connect swing migrations over the weekends.
- It gives better insights into the sync-logs from the Azure portal
- You can easily force synchronization from the Azure portal (no more Start-ADSyncSyncCicle magic) And also good to know: Cloud provisioning is scheduled to run every 2 mins.
- It can sync up to 50.000 users in a single group
But wait Jan, what are the limitations? It can’t be all puppies and sunshine here. You are absolutely right. Let’s take a look a the limitations of AD Connect Cloud Sync. Keep in mind that some features may be added later, such as password write-back.
- Cloud Sync does not support Pass-Through Authentication
- Cloud Sync does not support Hybrid Exchange Deployment
- Cloud Sync is not suitable for device sync, so for hybrid join scenario’s
- Cloud sync does not support writeback (passwords, devices, groups)
A full comparison between AD Connect Sync and AD Connect Cloud sync can be found here.
To learn more about Azure AD Connect Cloud Sync, check out these Microsoft Docs sources:
Azure AD Connect cloud sync FAQ | Microsoft Docs
What is Azure AD Connect cloud sync. | Microsoft Docs
Azure AD Connect cloud sync deep dive – how it works | Microsoft Docs
Stay safe!
Pingback: Azure Active Directory Connect – Cloud Sync – JanBakker.tech – 365 admin service
Great post Jan.
I was curious about the limitations and differences between AD Connect and Sync while i was reading this article.
But at the end of the article i found the answers:)
Pingback: Azure AD Connect Cloud Sync – Georges Duck – Tech Blog
http://www.urlatlas.info
Your summary for what is not supported does not appear 100% accurate. The Microsoft link you’ve provided with the comparison matrix states that password write-back is supported (maybe this is a recent change).
Thanks for sharing, In this setup can we use both On-perm and cloud authentication at the same time ? for different groups.