Microsoft Entra Connect

{{Short description|Software cloud service tool}}

Microsoft Entra Connect (formerly known as Azure AD Connect){{Cite web |title=New name for Azure Active Directory |url=https://learn.microsoft.com/en-us/entra/fundamentals/new-name |access-date=2024-11-25 |website=Microsoft}} is a tool for connecting on-premises identity infrastructure to Microsoft Entra ID. The wizard deploys and configures prerequisites and components required for the connection, including synchronization scheduling and authentication methods.[https://www.zdnet.com/article/microsoft-remakes-its-active-directory-tool-for-linking-windows-server-azure/#ftag=RSSbaffb68 Mary Jo Foley article on Azure AD Connect], ZDNet, 15 December 2014 Entra Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools are no longer being released individually, and all future improvements will be included in updates to Entra Connect.[http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx Active Directory Team Blog article on Azure AD Connect Preview], Microsoft, 15 December 2014[http://windowsitpro.com/azure/azure-ad-connect-public-preview-combines-dirsync-and-aad-sync-single-tool Windows IT Pro article on Azure AD Connect Preview], Microsoft, 15 December 2014

Microsoft Entra Connect synchronizes objects in on-premises Active Directory to the Microsoft Entra ID tenant that backs a Microsoft 365 subscription.{{Cite web |last= |date=14 September 2022 |title=What is Azure Active Directory? |url=https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}} Synchronized data includes user accounts, groups and group memberships, and, when password hash synchronization is enabled, a derived hash of each user's password hash rather than the password itself.{{Cite web |last= |date=23 August 2022 |title=How synchronization works in Azure AD Domain Services |url=https://learn.microsoft.com/en-us/azure/active-directory-domain-services/synchronization |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}} Synchronization is primarily one-way: a change to an object on-premises updates the corresponding object in Entra ID on the next sync cycle, and on-premises Active Directory remains the source of authority for synchronized objects. Selected attributes can also flow back from the cloud through optional writeback features (for example password, device and group writeback), which is what this article describes as two-way or bidirectional synchronization: a change made in Entra ID/Microsoft 365 is applied to the corresponding on-premises object.{{Cite web |last= |date=21 September 2022 |title=Azure AD Connect sync: Understand and customize synchronization |url=https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}}

Azure AD Connect (now Entra Connect) became generally available on 24 June 2015.[http://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connect-health-is-now-ga.aspx Active Directory Team Blog article on Azure AD Connect GA], Microsoft, 24 June 2015 As of 19 September 2022 the current version was 2.1.16.0.{{Cite web |last= |first= |date=19 September 2022 |title=Azure AD Connect: Version release history |url=https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}} All 1.x versions were retired on 31 August 2022, and versions 2.0.3.0 through 2.0.91.0 were scheduled for retirement on 15 March 2023; retired versions stop synchronizing, so servers must be kept on a supported release.

The current release offers the following high-level deployment options:[https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/ Microsoft Azure Documentation on Azure AD Connect], Microsoft, 6 August 2015

Dirsync upgrade

Organizations with an existing Dirsync deployment can upgrade in place (for directories with fewer than 50,000 objects) or otherwise migrate their Dirsync settings to a new Entra Connect installation.

Express settings

Express Settings is the default option. It deploys synchronization with password hash synchronization for a single-forest, single-domain on-premises Active Directory, so that users sign in to Azure and Microsoft 365 resources with their existing Active Directory passwords.

Custom settings

With custom settings, the administrator can connect one or more Active Directory domains and forests and choose between password hash synchronization, pass-through authentication, and Active Directory Federation Services (AD FS) as the sign-in method. Custom settings also let the administrator choose optional features such as password writeback and Exchange hybrid deployment, and select which organizational units and attributes are synchronized.

Key features

{| class="wikitable"
!Feature
!Description
|-
|Password writeback
|With password writeback enabled, a password changed or reset in Entra ID/Microsoft 365 (for example through self-service password reset) is written back to the corresponding on-premises Active Directory user. Writeback happens in near real time over the sync service's outbound connection and does not wait for the next synchronization cycle; it requires the AD DS connector account to hold reset-password rights on the target users.{{Cite web |last= |date=9 September 2022 |title=Enable Azure Active Directory password writeback |url=https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}}
|-
|Bidirectional synchronization
|Bidirectional synchronization configurations allow certain object changes made in the cloud to be applied to the corresponding on-premises object. With one-way synchronization, attributes of a synchronized object such as the display name (Full Name) and proxyAddresses cannot be edited in Entra ID/Microsoft 365; they must be changed on-premises, after which the next sync cycle pushes the change to the cloud.
|-
|Simplifying identity management
|Without Microsoft Entra Connect, user accounts and groups located on-premises are separate objects from those in the Entra ID/Microsoft 365 cloud, even if the cloud objects were configured identically. By synchronizing objects between on-premises Active Directory and the cloud, Microsoft Entra Connect lets administrators maintain fewer separate user identities. When used in combination with single sign-on, such as through Azure Enterprise Applications, user identities can be centralized further.{{Cite web |last= |date=20 September 2022 |title=What is application management? |url=https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}}
|}

What it does

When an administrator installs and runs the Microsoft Entra Connect wizard, it performs the following steps:

  1. Installs prerequisites such as the .NET Framework, the Azure Active Directory PowerShell module and the Microsoft Online Services Sign-In Assistant
  2. Installs and configures the sync component (formerly named AAD Sync) for one or more Active Directory forests, and enables synchronization in the Entra ID tenant
  3. Configures password hash synchronization, pass-through authentication, or AD FS with Web Application Proxy, depending on the sign-in method the administrator has chosen, including any required configuration on the Azure side

Use with PowerShell

The synchronization engine is managed with the ADSync PowerShell module, which is installed with Entra Connect on the sync server and gives administrators granular control over synchronization behaviour. The separate Azure AD PowerShell module manages the tenant side (users, groups, applications) rather than the sync engine, and has since been deprecated in favour of the Microsoft Graph PowerShell SDK.{{Cite web |last= |title=AzureAD Module |url=https://learn.microsoft.com/en-us/powershell/module/azuread/ |access-date=2022-09-28 |website=Microsoft Ignite |language=en-us}} The ADSync cmdlets must be run on the Entra Connect server by a member of the local ADSyncAdmins group. Because that server holds credentials able to read password hashes from Active Directory and to write to both directories, it should be protected to the same standard as a domain controller (a Tier 0 asset). To begin working with the module it must be imported:

Import-Module ADSync

To manually run a synchronization with the current configuration, specify Delta to synchronize only objects that have changed since the most recent cycle:

Start-ADSyncSyncCycle -PolicyType Delta

or Initial to re-process all objects (a full import and synchronization, which can take a long time on a large directory):

Start-ADSyncSyncCycle -PolicyType Initial

To retrieve the current synchronization schedule settings (AllowedSyncCycleInterval is the shortest interval the service permits, currently 30 minutes; StagingModeEnabled indicates a server that imports and synchronizes but never exports to Entra ID):

Get-ADSyncScheduler

<#
AllowedSyncCycleInterval            : hh:mm:ss
CurrentlyEffectiveSyncCycleInterval : hh:mm:ss
CustomizedSyncCycleInterval         : hh:mm:ss
NextSyncCyclePolicyType             : Delta/Initial
NextSyncCycleStartTimeInUTC         : MM/DD/YYYY hh:mm:ss AM/PM
PurgeRunHistoryInterval             : DD:hh:mm:ss
SyncCycleEnabled                    : True/False
MaintenanceEnabled                  : True/False
StagingModeEnabled                  : True/False
SchedulerSuspended                  : True/False
#>

To change a scheduler setting, pass it as a parameter of Set-ADSyncScheduler (Set-ADSyncScheduler -<Setting> <Value>); for example, to disable the automatic cycle during maintenance:

Set-ADSyncScheduler -SyncCycleEnabled $false
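The following script is an added example, not code from the original article or from Microsoft. It wraps the ADSync cmdlets described above in a small set of functions that do the checks an operator wants before touching the sync service: refuse to start a cycle while a connector run is in progress, warn when the server is in staging mode (a cycle there exports nothing), require confirmation for a full Initial cycle, and pause and resume the scheduler while validating a custom interval against the allowed minimum. It assumes it is run on the Entra Connect server by a member of the local ADSyncAdmins group; the function names Get-EntraConnectSyncState, Invoke-EntraConnectSync, Suspend-EntraConnectSync and Resume-EntraConnectSync are this example's own.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumes: an elevated session on the Entra Connect server, a member of the
# local ADSyncAdmins group, with the ADSync module installed by Entra Connect.
# Function names below are this example's own, not ADSync cmdlets.
Import-Module ADSync -ErrorAction Stop

function Get-EntraConnectSyncState {
    # Flatten the scheduler object into the fields checked before any change.
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        StagingMode       = $s.StagingModeEnabled      # staging servers import/sync but never export
        CycleEnabled      = $s.SyncCycleEnabled
        Suspended         = $s.SchedulerSuspended
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        MinimumInterval   = $s.AllowedSyncCycleInterval
        NextPolicyType    = $s.NextSyncCyclePolicyType
        NextRunUtc        = $s.NextSyncCycleStartTimeInUTC
    }
}

function Invoke-EntraConnectSync {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta'
    )
    # Start-ADSyncSyncCycle fails if a run is already active; check first.
    # Get-ADSyncConnectorRunStatus returns nothing when the engine is idle.
    $busy = Get-ADSyncConnectorRunStatus
    if ($busy) {
        $names = ($busy | ForEach-Object { $_.ConnectorName }) -join ', '
        throw "A sync run is already in progress on: $names"
    }
    $state = Get-EntraConnectSyncState
    if ($state.StagingMode) {
        Write-Warning 'This server is in staging mode: the cycle will import and sync but export nothing to Entra ID.'
    }
    # An Initial cycle re-evaluates every object and can run for hours on a
    # large forest, so it goes through ShouldProcess (-Confirm / -WhatIf).
    if ($PolicyType -eq 'Initial' -and
        -not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Run a full (Initial) sync cycle')) {
        return
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

function Suspend-EntraConnectSync {
    # Pause the automatic scheduler, e.g. before patching or editing sync rules.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    Get-EntraConnectSyncState
}

function Resume-EntraConnectSync {
    param([string]$CustomInterval)   # optional, 'hh:mm:ss' or 'd.hh:mm:ss'
    if ($CustomInterval) {
        # Values below AllowedSyncCycleInterval are accepted by the cmdlet but
        # the service keeps using the allowed minimum; warn so nobody is surprised.
        $min = (Get-ADSyncScheduler).AllowedSyncCycleInterval
        if ([TimeSpan]$CustomInterval -lt $min) {
            Write-Warning "Interval $CustomInterval is below the allowed minimum $min; the minimum will be used."
        }
        Set-ADSyncScheduler -CustomizedSyncCycleInterval $CustomInterval
    }
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Get-EntraConnectSyncState
}

# Usage (constructed): inspect, run a delta cycle, then a confirmed full cycle.
Get-EntraConnectSyncState | Format-List
Invoke-EntraConnectSync -PolicyType Delta
Invoke-EntraConnectSync -PolicyType Initial -Confirm
```

Suspend-EntraConnectSync only stops the scheduler; it does not stop a run that is already executing, which is why Invoke-EntraConnectSync checks Get-ADSyncConnectorRunStatus rather than the scheduler state. Resume-EntraConnectSync returns the scheduler state so the caller can verify that CycleEnabled is back to True and that EffectiveInterval is the value actually in force.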

References

{{reflist}}

{{Microsoft Azure Services Platform}}

Category:Microsoft cloud services