Table of Contents
What is AAD Cloud sync?
Azure AD Connect Cloud sync is a light-weight agent that is commanded from the cloud, so there is no database with the agent, unlike with the old Azure AD Connect. I wrote a post about the differences between the two.
How is cloud sync different from AAD sync?
With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service.
Comparison between the two
| Feature | Azure Active Directory Connect sync | Azure Active Directory Connect cloud sync |
| --- | --- | --- |
| Connect to single on-premises AD forest | ● | ● |
| Connect to multiple on-premises AD forests | ● | ● |
| Connect to multiple disconnected on-premises AD forests | | ● |
| Lightweight agent installation model | | ● |
| Multiple active agents for high availability | | ● |
| Connect to LDAP directories | ● | |
| Support for user objects | ● | ● |
| Support for group objects | ● | ● |
| Support for contact objects | ● | ● |
| Support for device objects | ● | |
| Allow basic customization for attribute flows | ● | ● |
| Synchronize Exchange online attributes | ● | ● |
| Synchronize extension attributes 1-15 | ● | ● |
| Synchronize customer defined AD attributes (directory extensions) | ● | |
| Support for Password Hash Sync | ● | ● |
| Support for Pass-Through Authentication | ● | |
| Support for federation | ● | ● |
| Seamless Single Sign-on | ● | ● |
| Supports installation on a Domain Controller | ● | ● |
| Support for Windows Server 2016 | ● | ● |
| Filter on Domains/OUs/groups | ● | ● |
| Filter on objects' attribute values | ● | |
| Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
| Allow removing attributes from flowing from AD to Azure AD | ● | ● |
| Allow advanced customization for attribute flows | ● | |
| Support for password writeback | ● | ● |
| Support for device writeback | ● | |
| Support for group writeback | ● | |
| Azure AD Domain Services support | ● | |
| Exchange hybrid writeback | ● | |
| Unlimited number of objects per AD domain | ● | |
| Support for up to 150,000 objects per AD domain | ● | ● |
| Groups with up to 50,000 members | ● | ● |
| Large groups with up to 250,000 members | ● | |
| Cross domain references | ● | |
| Support for US Government | ● | ● |
- An Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled. If needed, create one for free.
- An account with either:
- Azure AD configured for self-service password reset. If needed, complete this tutorial to enable Azure AD SSPR.
- An on-premises AD DS environment configured with Azure AD Connect cloud sync version 1.1.587 or later. If needed, configure Azure AD Connect cloud sync using this tutorial.
- Enabling password writeback in Azure AD Connect cloud sync requires executing signed PowerShell scripts.
- Ensure that the PowerShell execution policy will allow running of scripts.
- The recommended execution policy during installation is “RemoteSigned”.
Configure Azure AD Connect cloud sync service account permissions
Permissions for cloud sync are configured by default. If permissions need to be reset, see Troubleshooting for more details about the specific permissions required for password writeback and how to set them by using PowerShell.
For public preview, you need to enable password writeback in Azure AD Connect cloud sync by using the Set-AADCloudSyncPasswordWritebackConfiguration cmdlet and the tenant's global administrator credentials:

```powershell
# Load the cloud sync PowerShell module shipped with the provisioning agent
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
# Turn on password writeback; prompts for global administrator credentials
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
```
With password writeback enabled in Azure AD Connect cloud sync, now verify and configure Azure AD self-service password reset (SSPR) for password writeback. When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.
To verify and enable password writeback in SSPR, complete the following steps:
- Sign into the Azure portal using a global administrator account.
- Navigate to Azure Active Directory, select Password reset, then choose On-premises integration.
- Verify the Azure AD Connect cloud sync agent set up is complete.
- Set Write back passwords to your on-premises directory? to Yes.
- Set Allow users to unlock accounts without resetting their password? to Yes.
- When ready, select Save.
Passwords are written back in the following situations for end users and administrators.

End users:
- Any end-user self-service voluntary change password operation.
- Any end-user self-service force change password operation, for example, password expiration.
- Any end-user self-service password reset that originates from the password reset portal.

Administrators:
- Any administrator self-service voluntary change password operation.
- Any administrator self-service force change password operation, for example, password expiration.
- Any administrator self-service password reset that originates from the password reset portal.
- Any administrator-initiated end-user password reset from the Azure portal.
- Any administrator-initiated end-user password reset from the Microsoft Graph API.
Passwords aren't written back in the following situations.

End users:
- Any end user resetting their own password by using PowerShell cmdlets or the Microsoft Graph API.

Administrators:
- Any administrator-initiated end-user password reset by using PowerShell cmdlets.
- Any administrator-initiated end-user password reset from the Microsoft 365 admin center.
- An administrator cannot use the password reset tool to reset their own password, or the password of any other administrator in Azure AD, for password writeback.
The Azure AD Connect cloud sync group Managed Service Account should have the following permissions set by default in order to write passwords back:
- Reset password
- Write permissions on lockoutTime
- Write permissions on pwdLastSet
- Extended rights for “Unexpire Password” on the root object of each domain in that forest, if not already set.
If these permissions are not set, you can set the PasswordWriteBack permission on the service account by using the Set-AADCloudSyncPermissions cmdlet and on-premises enterprise administrator credentials:
```powershell
# Load the cloud sync PowerShell module shipped with the provisioning agent
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
# Grant the writeback permissions; prompts for on-premises enterprise administrator credentials
Set-AADCloudSyncPermissions -PermissionType PasswordWriteBack -EACredential $(Get-Credential)
```
After you have updated the permissions, it may take up to an hour or more for these permissions to replicate to all the objects in your directory.
If you don’t assign these permissions, writeback may appear to be configured correctly, but users may encounter errors when they update their on-premises passwords from the cloud. Permissions must be applied to “This object and all descendant objects” for “Unexpire Password” to appear.
If passwords for some user accounts aren’t written back to the on-premises directory, make sure that inheritance isn’t disabled for the account in the on-prem AD DS environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly.
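Because writeback can look configured while the ACEs are missing or stop at the domain root, it helps to check the four permissions above directly on the domain ACL. The script below is an added example, not code from the original post or from Microsoft: it reads the domain root's security descriptor, looks up the GUIDs for the "Reset Password" and "Unexpire Password" extended rights and the lockoutTime and pwdLastSet attributes from this forest's configuration and schema partitions, and reports whether each ACE is granted to the agent gMSA and applied to descendant objects. It assumes the ActiveDirectory module is available, that the caller can read the domain ACL, and that the gMSA is named provAgentgMSA$ (an assumed default; pass your own name with -ServiceAccount).

```powershell
# Added example (not from the original post or from Microsoft): verify that the cloud sync
# gMSA holds the password-writeback ACEs on the domain root and that they are inherited.
# Assumes the ActiveDirectory module is installed; the gMSA name below is an assumption.
param(
    [string]$ServiceAccount = 'provAgentgMSA$',
    [string]$DomainDN
)

Import-Module ActiveDirectory
if (-not $DomainDN) { $DomainDN = (Get-ADDomain).DistinguishedName }

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve the rights and attribute GUIDs from this forest instead of hardcoding them.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$right.rightsGuid
}
function Get-AttributeSchemaGuid {
    param([string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

# The four permissions the post lists for password writeback.
$required = @(
    @{ Name = 'Reset password';    Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Reset Password' }
    @{ Name = 'Unexpire Password'; Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Unexpire Password' }
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Guid = Get-AttributeSchemaGuid 'lockoutTime' }
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Guid = Get-AttributeSchemaGuid 'pwdLastSet' }
)

$sid = (Get-ADServiceAccount -Identity $ServiceAccount).SID
$acl = Get-Acl -Path "AD:\$DomainDN"

# Only ACEs granted directly to the gMSA; group memberships are not expanded here.
$agentAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

$results = foreach ($req in $required) {
    $want  = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
    $match = $agentAces | Where-Object {
        $_.ObjectType -eq $req.Guid -and
        (($_.ActiveDirectoryRights -band $want) -eq $want) -and
        $_.InheritanceType -in @('All', 'Descendents')   # must reach descendant objects
    }
    [pscustomobject]@{
        Permission = $req.Name
        Granted    = [bool]$match
        Inherited  = if ($match) { ($match | Select-Object -First 1).InheritanceType } else { $null }
    }
}

$results | Format-Table -AutoSize
if ($results.Granted -contains $false) {
    Write-Warning "Writeback permissions are incomplete on $DomainDN; re-run Set-AADCloudSyncPermissions -PermissionType PasswordWriteBack with enterprise administrator credentials."
}
```

Run it once per domain in the forest after Set-AADCloudSyncPermissions, and again after the replication window mentioned above. A permission that shows Granted but with an inheritance type other than All or Descendents is the "configured but not working" case the post describes, since the ACE never reaches the user objects.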
Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. If you are testing this feature and want to reset passwords for users more than once per day, the group policy for Minimum password age must be set to 0. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpmc.msc.
If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.
For passwords to be changed immediately, Minimum password age must be set to 0. However, if users adhere to the on-premises policies, and the Minimum password age is set to a value greater than zero, password writeback will not work after the on-premises policies are evaluated.
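To see which accounts the minimum-age rule currently applies to, the script below (an added example, not code from the original post) compares each user's time since pwdLastSet with the Minimum password age that actually governs that user. It uses the domain default policy and, where one applies, the user's resultant fine-grained password policy, so a PSO with a non-zero minimum age is caught as well. It assumes the ActiveDirectory module is available; the sample account names are constructed and should be replaced with real ones.

```powershell
# Added example (not from the original post): report whether the effective Minimum password
# age would currently block a writeback-driven password change for each listed user.
# Assumes the ActiveDirectory module is installed. Sample account names are constructed.
param([string[]]$SamAccountName = @('alice', 'bob'))

Import-Module ActiveDirectory
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

foreach ($sam in $SamAccountName) {
    $user = Get-ADUser -Identity $sam -Properties pwdLastSet

    # A fine-grained password policy (PSO) overrides the domain default when one applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    $source = if ($policy) { "PSO: $($policy.Name)" } else { 'Default Domain Policy' }
    if (-not $policy) { $policy = $domainPolicy }

    # pwdLastSet of 0 means "must change at next logon"; it maps to 1601 and so never blocks.
    $lastSet = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
    $age     = (Get-Date).ToUniversalTime() - $lastSet

    [pscustomobject]@{
        User             = $sam
        PolicySource     = $source
        MinPasswordAge   = $policy.MinPasswordAge
        PasswordAge      = $age
        WritebackBlocked = ($policy.MinPasswordAge -gt [TimeSpan]::Zero) -and ($age -lt $policy.MinPasswordAge)
    }
}
```

A WritebackBlocked value of True for a test account explains a writeback failure that happens only on the second reset of the day; setting Minimum password age to 0 in the governing policy (or waiting out the interval) clears it.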