AAD Connect compared to new Azure Cloud sync


“Automate provisioning users from Azure AD into on-premises applications

Azure AD now supports provisioning into on-premises applications, and we have a preview that we’re excited for you to deploy and share your feedback.

You must have an Azure AD Premium P1 or P2 tenant and an on-premises application that uses SQL as a data store or supports SCIM. You can request an invitation to the preview here. We plan to remove the invitation requirement in the coming months and add support for provisioning users into LDAP directories (excluding AD DS).”

Notes from the field (I like this term and still not corn) So, first it was Dirsync, then it was Azure AD Connect and the next generation is Cloud sync.

With Cloud Sync you will download an agent and install it in your environment.

Use group Managed Service Account (gMSA) service account for the Windows service so you don’t have to worry about passwords.


When the agent is installed you will make a configuration locally … you actually don’t, you do it in the cloud.

And You can also enable PHS to sync the passwords https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

Then you will configure the OU’s, add attribute mapping and notification email.

And finally enable the sync. When you close settings, you will see the status turn to green and it’s syncing.

In my tests 3 months ago it was really unstable and stopped syncing and still the service on on-premises side was working like it should. Then you just have disable and enable the sync and it started again.

Three biggest up-sides in my opinion with Cloud sync are that it will store the config in the cloud, not anymore inside SQL Express or SQL Server in the on-prem servers.

Secondly it will support multiple offline forests, that was something you couldn’t do with AAD Connect, it worked well but it was limited with this kind of functionality.

Third will be ability to create user object from the cloud to on-prem. I believe that this the future where it is going, now you can use external cloud-based SCIM (System for Cross-Domain Identity Management) to automate user provisioning.

It’s nice to see how things evolve in the Microsoft Evergreen service layer. Monthly there coming something new, some of them from User voice requests, some just from Microsoft them selves. Don’t care who gave the first idea, but still insane amount of new stuff coming all the time. https://azure.microsoft.com/en-us/updates/archives/

Keep tuned!


Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *