Automate provisioning users from Azure AD into on-premises applications
With Cloud Sync you download an agent and install it in your environment.
Use a group Managed Service Account (gMSA) for the agent's Windows service so you don't have to manage its password yourself.
When the agent is installed you might expect to do the configuration locally … you actually don't; you do it in the cloud.
You can also enable Password Hash Sync (PHS) to sync the passwords: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
Then you configure the OUs to sync, add the attribute mappings and a notification email.
Finally, enable the sync. When you close the settings, you will see the status turn green and syncing starts.
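The gMSA recommendation above is the security-relevant part of the install: Active Directory generates and rotates the account's password itself, so there is no credential for an admin to store, type or leak. The snippet below is an added example (not from the original post and not the Cloud Sync installer's own logic) showing how a custom gMSA is created, restricted so that only the agent host can retrieve its password, and checked for least privilege with the ActiveDirectory module. The account name, host name and OU are assumptions.

```powershell
# Added example: create a gMSA for the Cloud Sync agent's Windows service.
# All names below are assumptions, not values from the original post.
Import-Module ActiveDirectory

$gmsaName  = 'gmsa-cloudsync'    # assumed gMSA name (SAM name must be <= 15 chars)
$agentHost = 'SRV-CLOUDSYNC01'   # assumed server where the agent is installed
$domainDns = (Get-ADDomain).DNSRoot

# A KDS root key must exist once per forest before any gMSA can be created.
# Backdating the effective time by 10 hours lets all DCs replicate it first;
# -EffectiveImmediately is only appropriate in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Create the gMSA. Only the agent host's computer account may retrieve the
# managed password, so a compromise of another server does not expose it.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword ($agentHost + '$') `
    -Enabled $true

# Run on the agent host: install the account locally and verify that the
# host can actually retrieve the managed password (returns $true on success).
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName

# Least-privilege check: the gMSA should only be a member of Domain Users.
# Write rights on the synced OUs are delegated separately; it must not sit in
# Domain Admins or other privileged groups.
Get-ADPrincipalGroupMembership -Identity ($gmsaName + '$') |
    Select-Object -ExpandProperty Name
```

Run the creation part from a machine with RSAT (or a domain controller) and the install/test part on the agent host itself; if Test-ADServiceAccount returns $false, the host is usually missing from PrincipalsAllowedToRetrieveManagedPassword or the KDS key has not replicated yet.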
In my tests 3 months ago it was really unstable and stopped syncing, while the service on the on-premises side was still working like it should. Then you just have to disable and enable the sync and it started again.
The three biggest upsides of Cloud Sync, in my opinion, are that it stores the config in the cloud, no longer inside SQL Express or SQL Server on the on-prem servers.
Secondly, it supports multiple offline forests, something you couldn't do with AAD Connect; it worked well but was limited in this kind of functionality.
Third is the ability to create user objects from the cloud to on-prem. I believe this is where the future is going; now you can use an external cloud-based SCIM (System for Cross-Domain Identity Management) to automate user provisioning.
It's nice to see how things evolve in the Microsoft Evergreen service layer. Every month something new is coming, some of it from UserVoice requests, some just from Microsoft themselves. I don't care who had the idea first, but there is still an insane amount of new stuff coming all the time. https://azure.microsoft.com/en-us/updates/archives/