Posted on February 3, 2015 by Wes Kroesbergen
Back in 2011, Microsoft released the Business Productivity Suite, a hosted suite of communications services that would later mature into the suite of services now known as Office 365. However, there was a fundamental issue to solve: how does Microsoft associate enterprise Active Directory user identities with the cloud services for which they are licensed?
Microsoft solved this problem through the use of a tool called Directory Synchronization, also known as DirSync. This tool synchronized user identities from on-premises Active Directory up to Microsoft’s cloud services, allowing the cloud services to be associated with the correct identities. The tool has matured a fair bit, and as it matured, so has Microsoft’s approach to associating identities with cloud services. Unfortunately, as the approach to identity matured, the implementation approach and documentation have started to sprawl, causing some confusion. This post aims to clear up those murky waters, particularly because the choice of utility is very important when implementing the Enterprise Mobility Suite, a licensed suite of products including Azure Active Directory Premium and Azure Rights Management. As organizations look toward Azure AD Premium and Azure RMS to layer alongside their existing Office 365 environments, there are some important differentiators that come into play.
There are essentially 3 different tools now available. Let’s take a closer look at the two utilities causing confusion, and the differences between them.
| Tool | Description |
|---|---|
| Azure Active Directory Sync Tool (DirSync) | This is the traditional tool originally known as DirSync until it was rebranded in 2014. It is typically used to synchronize identities to Office 365. |
| Azure Active Directory Sync Services (AADSync) | This is a new utility, released late September 2014. This utility has a fairly robust feature set, and is very different from DirSync. It is required for some Azure AD Premium features. |
| Forefront Identity Manager 2010 R2 (FIM) | This tool has been around for quite some time. It comes at a fairly expensive price, and is traditionally used for more complex identity integration scenarios with multiple on-premises identity repositories. |
The Azure Active Directory Sync Tool was originally shipped under the brand DirSync. In fact, the downloaded executable is still named DirSync.exe! Unfortunately, after the rebrand in 2014, it can colloquially be called AAD Sync. This is unfortunate, as the real AADSync is a very different animal!
Azure AD Sync Tool supports synchronization of a single forest to Azure Active Directory (which is used by Office 365 in the backend as the identity repository). It is essentially a stripped down, modified version of FIM. It also supports Exchange Hybrid integration, which enables co-existence of Exchange on-premises resources as well as Office 365 resources.
Azure AD Sync Tool supports Password Sync, a synchronization of on-premises password hashes to Azure AD, enabling Azure AD to handle the authentication instead of requiring a complex Active Directory Federation Services (ADFS) environment to be deployed. However, there is an important caveat: Azure AD Sync Tool only supports password synchronization from on-premises to Azure. It is not bi-directional, meaning that passwords cannot be changed in Azure and synced back to on-premises. This has implications for Azure AD Premium and Enterprise Mobility Suite deployments, which we’ll see shortly.
Azure Active Directory Sync Services (AADSync) was made generally available in September 2014. This utility is also colloquially named AAD Sync! However, there are some important new capabilities in Azure AD Sync Services to be aware of.
Azure AD Sync Services supports the synchronization of user identities from multiple forests to Azure AD, in addition to Exchange Hybrid integration.
Azure AD Sync Services also supports Password Sync, pushing passwords from on-premises to Azure for matching at authentication time. However, it also supports Password Write-Back, a key feature of Azure AD Premium and Enterprise Mobility Suite deployments. This feature enables organizations to leverage self-service password reset for their users via Azure, and have the new password pushed back to on-premises Active Directory. This feature helps to mitigate large volumes of helpdesk calls.
Azure AD Sync Services also has a number of features coming soon. Notably, it will soon be able to support synchronization of user identities created in Office 365 / Azure AD back to on-premises. It will also be able to plug into other identity repositories such as MySQL, LDAP, Oracle, and others, and have those user identities synchronized to the cloud to enable those users to use other Software as a Service (SaaS) applications such as Dropbox, Box, or Office 365.
As we can see, the old DirSync used in most of today’s Office 365 implementations is a product of a bygone era. Most immediately, and perhaps most importantly, the new Azure AD Sync Services is a requirement for utilizing advanced features in Azure AD Premium / Enterprise Mobility Suite. For many organizations that have implemented Office 365 and are now looking to utilize new capabilities such as Azure Rights Management and Azure AD self-service password reset, an upgrade to their identity synchronization utility is in order. And as hybrid cloud marches forward, and identity becomes ever more important for licensing and management, the Azure AD Sync Services utility is stepping in to fill the gap.
Reach out to your Softchoice representative, and ask how you can leverage Azure AD Sync Services for scenarios like self-service password reset to streamline your operations.
A version of this post also appeared on Wes’ personal blog.