Azure Active Directory Cloud Sync is software that synchronizes objects from Active Directory to Azure Active Directory.
Azure AD Connect cloud sync orchestrates the provisioning of AD objects to Azure AD in Microsoft Online Services. On-premises, only a lightweight agent is needed.
The entire synchronization configuration is set up in the Azure Portal (https://portal.azure.com). Azure AD Cloud Sync supports high availability by installing the agent on multiple servers.
This tutorial describes how to install and configure Azure AD Cloud Sync.
Prerequisites and Licensing
No license is required for the Azure AD Cloud Sync feature.
- Windows Server 2016 or higher
- Outgoing port 80 (CRL, Certificate Revocation Lists)
- Outgoing port 443 (outgoing communication to the Microsoft Online Service)
- Access to the following URLs
– *.msappproxy.net
– *.servicebus.windows.net
– login.windows.net
– login.microsoftonline.com
– mscrl.microsoft.com
– crl.microsoft.com
– ocsp.msocsp.com
– www.microsoft.com
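The outbound prerequisites above are the usual reason an agent shows up as unhealthy after installation, so it is worth testing them from the server that will host the agent before running the installer. The following script is an added example, not part of the original post: it checks TCP reachability of the listed endpoints on the ports the post names (443 for the service endpoints, 80 for the CRL/OCSP hosts). The two wildcard domains (*.msappproxy.net, *.servicebus.windows.net) cannot be tested with a single hostname and are only noted in the output; whether your environment needs a proxy is an assumption you have to verify separately, because Test-NetConnection does not honour proxy settings.

```powershell
# Added example (not from the original post): test the outbound prerequisites
# for the Azure AD Cloud Sync agent from the server that will host it.
# Endpoints and ports come from the prerequisite list above.

$checks = @(
    @{ Host = 'login.windows.net';         Port = 443 },
    @{ Host = 'login.microsoftonline.com'; Port = 443 },
    @{ Host = 'www.microsoft.com';         Port = 443 },
    @{ Host = 'mscrl.microsoft.com';       Port = 80 },   # CRL distribution point
    @{ Host = 'crl.microsoft.com';         Port = 80 },   # CRL distribution point
    @{ Host = 'ocsp.msocsp.com';           Port = 80 }    # OCSP responder
)

$results = foreach ($c in $checks) {
    # Test-NetConnection does a direct TCP connect; it ignores any proxy configuration.
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $c.Host
        Port      = $c.Port
        Reachable = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning ("Not reachable from this server: " + (($failed | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
} else {
    Write-Host 'All listed endpoints are reachable.'
}

# The wildcard domains cannot be tested generically; they must be allowed on the
# firewall/proxy as patterns. The hostnames actually used are assigned per tenant.
Write-Host 'Remember to allow *.msappproxy.net and *.servicebus.windows.net on port 443.'
```

Run the script in an elevated PowerShell session on the prospective agent server. A port 80 failure for the CRL hosts is easy to overlook because the agent can still sign in, but it prevents certificate revocation checks and typically shows up later as intermittent agent errors.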
Azure AD Cloud Sync does not yet have all the features known from Azure AD Connect. The comparison table at the following URL shows which features are supported: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync
Azure AD Cloud Sync Agent
Install agent
The agent is available for download from the Azure Portal (https://portal.azure.com) under “Azure Active Directory” > “Azure AD Connect” > “Cloud Sync” > “Agents” > “Download on-premises agent”.
Accept terms and download agent
Start installation by double-clicking the downloaded file “AADConnectProvisioningAgentSetup.exe”.
Configure agent
After successful installation, the “AAD Connect Provisioning Agent Wizard” is started.
Select “HR-driven provisioning”
Connect to Azure AD with a global administrator
The service requires a group managed service account (gMSA).
Either a new service account can be created or an existing one can be used.
The credentials entered here are used only to create the group managed service account; they are not stored permanently.
Connect to the local Active Directory
Check and confirm the agent configuration
A few minutes later, the agent is installed.
To achieve high availability, the agent can be installed on additional servers in the same way.
Check agent status
Azure Portal
In the Azure Portal (https://portal.azure.com) under “Azure Active Directory” > “Azure AD Connect” > “Cloud Sync” > “Agents”, all agents are listed with their current status.
Local server (services)
On the server with the installed agent, start “services.msc” and check that the following services are visible and running:
- Microsoft Azure AD Connect Agent Updater
- Microsoft Azure AD Connect Provisioning Agent
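The same check can be scripted, which is useful when the agent is installed on several servers for high availability. The script below is an added example and not part of the original post: it looks up the two services by the display names listed above, reports status and start type, and also shows the logon account of each service, so you can confirm that the Provisioning Agent runs under the gMSA created by the wizard rather than under a personal or highly privileged account. The expectation that the Provisioning Agent's logon name ends with “$” (the convention for gMSA accounts) is an assumption of this example.

```powershell
# Added example (not from the original post): verify the Cloud Sync agent
# services on the local server and show which account each one runs under.

$expected = @(
    'Microsoft Azure AD Connect Agent Updater',
    'Microsoft Azure AD Connect Provisioning Agent'
)

$report = foreach ($displayName in $expected) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$displayName' not found; the agent installation may be incomplete."
        continue
    }

    # Get-Service does not expose the logon account; Win32_Service does (StartName).
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"

    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$displayName' is $($svc.Status); expected Running."
    }
    if ($svc.StartType -ne 'Automatic') {
        Write-Warning "Service '$displayName' start type is $($svc.StartType); expected Automatic."
    }

    # Assumption: the Provisioning Agent should run as the gMSA created by the
    # wizard. gMSA logon names end with '$' (DOMAIN\name$), so anything else is
    # worth a second look (e.g. a user account entered by hand).
    if ($displayName -like '*Provisioning Agent' -and $cim.StartName -notlike '*$') {
        Write-Warning "Service '$displayName' runs as '$($cim.StartName)', which does not look like a gMSA."
    }

    [pscustomobject]@{
        DisplayName = $svc.DisplayName
        ServiceName = $svc.Name
        Status      = $svc.Status
        StartType   = $svc.StartType
        LogonAs     = $cim.StartName
    }
}

$report | Format-Table -AutoSize
```

Run it on each agent server; the Updater service keeps the agent current automatically, so a stopped Updater is a finding in its own right even if synchronization currently works.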
Deployment options
Configuration
For the deployment, a new configuration is created in the Azure Portal (https://portal.azure.com) under “Azure Active Directory” > “Azure AD Connect” > “Cloud Sync” > ”New configuration”.
The next step is to select the Active Directory domain (1).
It is recommended to enable Password Hash Sync (2) to get benefits like
- Authenticate fully in Azure (no dependency on on-premises infrastructure for sign-in)
- Detect leaked passwords and receive the corresponding warnings
- Seamless SSO (Single Sign On)
In the next step, all settings are shown and can be adjusted to your own needs.
It is recommended to check the following:
“Overview” > “Properties”
- Check settings for “Password Hash Sync”
- Set email address for quarantine notification
“Scoping filters” is used to specify which objects are synchronized from Active Directory.
If all settings are correct, the configuration can be enabled under “Overview” > “Review and enable”.
After a few minutes, the status of the deployment is displayed in the Cloud Sync overview.
Check deployment
The logs under “Azure Active Directory” > “Azure AD Connect” > “Cloud sync” > “Provisioning logs” list in detail which synchronizations are performed.
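For ongoing monitoring, the provisioning log can also be retrieved through Microsoft Graph instead of browsing it in the portal, which makes it possible to alert on failed synchronizations. The script below is an added example and not part of the original post. It assumes that the Microsoft.Graph.Authentication PowerShell module is installed, that the signed-in account has the AuditLog.Read.All permission, and that the Graph v1.0 endpoint /auditLogs/provisioning returns events whose property names (provisioningAction, provisioningStatusInfo, sourceIdentity, targetIdentity) match the provisioningObjectSummary schema; the page cap is an arbitrary safety limit chosen for this example.

```powershell
# Added example (not from the original post): read recent provisioning events
# via Microsoft Graph and summarise failures by error detail.

# Assumption: Microsoft.Graph.Authentication is installed and the account has AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All' | Out-Null

# Single quotes keep '$top' literal. Assumption: Graph v1.0 provisioning log endpoint.
$uri      = 'https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=200'
$maxPages = 10          # safety cap for this example
$events   = @()
$pages    = 0

do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri    # returns a hashtable by default
    $events += $page.value
    $uri = $page.'@odata.nextLink'
    $pages++
} while ($uri -and $pages -lt $maxPages)

$summary = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.activityDateTime
        Action = $e.provisioningAction
        Status = $e.provisioningStatusInfo.status          # success / failure / skipped / warning
        Source = $e.sourceIdentity.displayName
        Target = $e.targetIdentity.displayName
        Error  = $e.provisioningStatusInfo.errorInformation.errorDetail
    }
}

$failures = @($summary | Where-Object { $_.Status -eq 'failure' })
Write-Host ("{0} provisioning events read, {1} failures" -f @($summary).Count, $failures.Count)

# Group failures by error text so recurring problems (e.g. a blocked attribute
# or a duplicate proxyAddress) stand out from one-off noise.
$failures | Group-Object Error | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'ErrorDetail'; Expression = { $_.Name } } |
    Format-Table -AutoSize -Wrap

# Most recent failures with the affected objects
$failures | Sort-Object Time -Descending | Select-Object -First 10 Time, Action, Source, Target |
    Format-Table -AutoSize
```

Scheduling this and forwarding the failure count to your monitoring system gives an early warning when the agent loses connectivity or an object is quarantined, which the quarantine notification address configured under “Properties” only covers for some cases.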