What is Azure AD Connect?
Azure AD Connect (now also referred to as Azure AD Connect “Classic”) is a Microsoft brand that is mostly about presenting on-premises Active Directory and Azure Active Directory as one seamless environment, in particular giving users the experience of single sign-on, or at least same sign-on. It includes a number of technologies:
- Azure AD Connect Sync
- Azure AD Connect Health
- ADFS (Active Directory Federation Services)
- The PHS/PTA/SSSO Provisioning Connector
The primary component (and what people often mean when they say “Azure AD Connect”) is Azure AD Connect Sync. This is a synchronization service intended to run between AD (Active Directory) and Azure AD (though it can in fact do much more). The interface looks the same as the FIM or MIM synchronization service manager (and that’s because it is based on FIM 2010), but with far fewer types of Management Agents (“connectors”) available.
A significant difference is that synchronization rules bear little correspondence to those in FIM or MIM, and are configured in a special interface, entirely through a UI (no coding).
Azure AD Connect is a sync engine, based on the tried and tested Microsoft Identity Manager (MIM) – and yet very different from it in many ways. It is easy to set up for a number of scenarios, but if you get under the covers it can do a lot more. Here is a quick summary:
- Azure AD Connect has some clever tricks, but it can’t do everything.
- Its primary use is to connect on-premises Active Directory (AD) to in-cloud Azure AD, synchronizing users – including their passwords – and (optionally) groups.
- You can use it in addition to MIM, but you do not have to have MIM.
- There are some simple scenarios where you can extend it to do a “MIM-like” job – a good example is the inclusion of an HR feed as an authoritative source of users to be provisioned into AD and AAD.
- Where it replaces MIM, there may be license savings, but don’t assume that overall implementation costs are significantly impacted (the solution still needs to be designed, implemented and tested).
- MIM is the serious workhorse that is still needed for any fancy password management beyond AD to AAD, for any “GALSync-like” scenario (e.g. where you are merging global address lists across AD forests), and for anything involving the MIM portal (such as SSPR or group management, white pages/enterprise directory, or the policy/set/workflow engine). However, some things done by the portal can be done in Azure AD instead (SSPR and group management).
- Put another way, MIM is good for complex scenarios, where seasoned MIM consultants/developers would find the AAD Connect UI to be very limiting.
- Azure AD Connect continues to develop, and if we extrapolate from its current direction we might one day see a cloud-based synchronization service that is more Azure AD Connect-like than MIM-like.
The whole thing is set up using a wizard, and while there is nothing to stop you manually editing all manner of configuration options, you should do any further configuration with care, as not all usage is supported. What is and is not supported is not something we can explore on this page – nor why! If you want to know about this, you need our 3-day Masterclass.
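As an added example (not part of the original page), the following PowerShell inventories a sync server's scheduler, connectors, tenant features and any hand-added synchronization rules, which is the configuration you would want to review before and after any manual change. It assumes it is run on the Azure AD Connect Sync server itself with the ADSync module installed.

```powershell
# Added example: inventory an Azure AD Connect Sync server's configuration so that
# manual changes made outside the wizard can be reviewed.
# Assumes it runs on the sync server with the ADSync PowerShell module present.
Import-Module ADSync

# Scheduler state: is the sync cycle running, at what interval, and is this server in staging mode?
$scheduler = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $scheduler.SyncCycleEnabled
    StagingModeEnabled = $scheduler.StagingModeEnabled
    Interval           = $scheduler.CurrentlyEffectiveSyncCycleInterval
    NextCycleType      = $scheduler.NextSyncCyclePolicyType
} | Format-List

# Connectors ("management agents"): normally one per AD forest plus one Azure AD connector.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# Tenant-level features enabled through the wizard (for example password hash sync).
Get-ADSyncAADCompanyFeature | Format-List

# Synchronization rules that are NOT part of the standard, wizard-generated set.
# Anything listed here was added by hand and is what to check for supportability
# and for unexpected attribute flows.
$custom = Get-ADSyncRule | Where-Object { -not $_.IsStandardRule }
if ($custom) {
    $custom | Select-Object Name, Direction, Precedence, Disabled |
        Sort-Object Direction, Precedence | Format-Table -AutoSize
} else {
    Write-Output 'No custom synchronization rules found.'
}
```

Run it once after the initial wizard configuration to capture a baseline, and compare later runs against it.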
Azure AD Connect Health, as the name implies, is a cloud-hosted service that gives you insights into the synchronizations performed by Azure AD Connect Sync and lets you know (for example) about any synchronization failures.
The Provisioning Connector is a multi-purpose component which enables password hash synchronization, pass-through authentication and seamless single sign-on, and can provision Workday users into Active Directory (Workday is a cloud HR system). Between this and the remaining components, Azure AD Connect can support a number of authentication methods, ranging from Same Sign-On (username and password are synchronized), to pass-through authentication, to federated single sign-on. See here for further details.