Last week I wrote about the strategic benefits of Microsoft Azure and included some market research on the other big cloud competitors. Continuing on that, in part 2 of this series I will talk about one of the most awaited multi-forest identity solutions: the Azure Active Directory Sync tool.
In April this year, Microsoft announced a set of new identity synchronization features in preview, including password write-back, Azure AD Sync (AAD Sync), and multi-forest support. For customers with multiple on-premises Active Directory forests and multiple on-premises Exchange organizations who want to migrate to Exchange Online using a hybrid deployment, the established answer has been Forefront Identity Manager (FIM), and implementing it is not trivial. FIM provides self-service identity management for users and a framework for enforcing security policies, but a FIM implementation is neither simple nor cost-effective for many Office 365 scenarios. As a result I saw customers with complex multi-forest environments turn their backs on Microsoft and go to other vendors.
Customers with a single forest typically relied on DirSync, which is really a downsized version of FIM. Although the setup is clean and easy, DirSync suffers from a number of limitations. The most painful one for large companies is that it only synchronizes identity data from one forest to Azure AD. The other drawbacks include creating an Office 365 account for every Active Directory user in the synchronized OUs (there is no per-object filtering) and offering minimal control over which attributes of the user object are synchronized.
Hence, on the path to bridging these gaps, and prompted by the need to replicate passwords reset in the cloud back to the on-premises AD (the directory their users log on to every day), Microsoft released "DirSync with password reset write-back". It is part of the Azure AD Premium offering and allows users to reset their Azure AD user account password via the "MyApps" web portal. Note that write-back only works because the synchronization service account is granted the right to reset passwords on the on-premises user objects; that right should be delegated only to the OUs being synchronized, not to the whole domain. Next came the need to address multi-forest synchronization and to give administrators greater control over the configuration. This led to the next big announcement from Microsoft: Azure Active Directory Sync (AAD Sync).
AAD Sync is built from components of Microsoft's Forefront Identity Manager (FIM) metadirectory service, so its architecture is similar to both DirSync and FIM. You connect each of your Active Directory forests to AAD Sync via a connector. As in FIM and other metadirectory services, these connectors feed into an aggregated store that contains a consolidated view of all the inbound identities, and it is this view that AAD Sync replicates to Azure AD. With Microsoft making progress through the AAD Sync preview versions, partners and customers are now anxiously waiting for a public release to help them address their multi-forest identity needs.
(Fig: AADSync account resource forest scenario-image source: Microsoft)
Just today Microsoft announced another version, AAD Sync Beta 3, with investments in hybrid Exchange and multi-forest configuration, adding multi-forest password write-back capabilities. Check out the installation guide for more details: http://social.technet.microsoft.com/wiki/contents/articles/24057.aadsync-installation-guide.aspx. AAD Sync will allow customers to:
- Onboard their multi-forest Active Directory deployment to Azure AD
- Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes
- Configure multiple on-premises Exchange organizations to map to a single Azure AD tenant
- Use selective synchronization, which lets you sync only the attributes required for the services you want to enable
- Reset on-premises AD passwords from the cloud across multiple forests
- Run an Exchange hybrid deployment in multi-forest environments, with mailboxes in Office 365 as well as in on-premises Exchange
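To make the connector-to-metaverse flow described above concrete, and to show what the filtering and selective-synchronization items in the list above mean in practice, here is a small Python model of the pipeline. It is an added example, not AAD Sync's code or anything from Microsoft; the attribute names are real Active Directory and Exchange schema names, but the join rule (resource-forest linked mailbox joins the account-forest user whose objectSID matches its msExchMasterAccountSid), the attribute precedence and the OU filter are deliberately simplified approximations, and all directory data is constructed for the example.

```python
# Added example: simplified model of AAD Sync's connector -> aggregated store
# (metaverse) -> Azure AD flow for an account/resource forest topology.
# Not Microsoft's code; join and precedence rules are approximations.

ACCOUNT_DISABLED = 0x0002  # ADS_UF_ACCOUNTDISABLE bit of userAccountControl

# Selective synchronization: the only attributes each connector may import.
# Anything not listed (e.g. homeDirectory, employeeID) never leaves the forest.
ACCOUNT_FOREST_ATTRS = {"objectSID", "userPrincipalName", "givenName", "sn",
                        "userAccountControl"}
RESOURCE_FOREST_ATTRS = {"objectSID", "mail", "proxyAddresses",
                         "msExchMasterAccountSid", "userAccountControl"}

# Constructed sample data. corp.example is the account forest (logon accounts),
# res.example is the Exchange resource forest (disabled linked-mailbox accounts).
ACCOUNT_FOREST = [
    {"objectSID": "S-1-5-21-100-1001", "userPrincipalName": "alice@corp.example",
     "givenName": "Alice", "sn": "Adams", "userAccountControl": 512,
     "employeeID": "E1001", "homeDirectory": r"\\fs1\alice",
     "distinguishedName": "CN=Alice,OU=Staff,DC=corp,DC=example"},
    {"objectSID": "S-1-5-21-100-1002", "userPrincipalName": "bob@corp.example",
     "givenName": "Bob", "sn": "Brown", "userAccountControl": 512,
     "distinguishedName": "CN=Bob,OU=Contractors,DC=corp,DC=example"},
    {"objectSID": "S-1-5-21-100-1003", "userPrincipalName": "carol@corp.example",
     "givenName": "Carol", "sn": "Chen", "userAccountControl": 514,
     "distinguishedName": "CN=Carol,OU=Staff,DC=corp,DC=example"},
]
RESOURCE_FOREST = [
    {"objectSID": "S-1-5-21-200-2001", "userPrincipalName": "alice@res.example",
     "mail": "alice@corp.example", "userAccountControl": 514,
     "msExchMasterAccountSid": "S-1-5-21-100-1001",
     "proxyAddresses": ["SMTP:alice@corp.example", "smtp:alice@res.example"],
     "distinguishedName": "CN=Alice,OU=Mailboxes,DC=res,DC=example"},
    {"objectSID": "S-1-5-21-200-2002", "userPrincipalName": "helpdesk@res.example",
     "mail": "helpdesk@corp.example", "userAccountControl": 514,
     "proxyAddresses": ["SMTP:helpdesk@corp.example"],
     "distinguishedName": "CN=Helpdesk,OU=Mailboxes,DC=res,DC=example"},
]


def import_objects(objects, ou_filter, allowed_attrs):
    """Connector import: keep objects under ou_filter, and only allowed attributes."""
    imported = []
    for obj in objects:
        if not obj["distinguishedName"].lower().endswith(ou_filter.lower()):
            continue  # OU filtering: object is out of scope for this connector
        imported.append({k: v for k, v in obj.items() if k in allowed_attrs})
    return imported


def build_metaverse(account_objs, resource_objs):
    """Aggregated store. Account-forest users project new entries; resource-forest
    objects join the entry whose objectSID equals their msExchMasterAccountSid."""
    metaverse = {obj["objectSID"]: {"_anchor": "account", **obj}
                 for obj in account_objs}
    unjoined = []
    for obj in resource_objs:
        entry = metaverse.get(obj.get("msExchMasterAccountSid"))
        if entry is None:
            unjoined.append(obj)  # needs its own join rule; do not silently create a user
            continue
        # Attribute flow with precedence: the resource forest contributes only
        # mailbox attributes; UPN, names and enabled state stay with the account forest.
        for attr in ("mail", "proxyAddresses"):
            if attr in obj:
                entry[attr] = obj[attr]
    return metaverse, unjoined


def export_to_aad(metaverse, exported_attrs):
    """Export: one Azure AD user per enabled account-forest identity, minimal attributes."""
    users = {}
    for entry in metaverse.values():
        if entry["_anchor"] != "account":
            continue
        if entry["userAccountControl"] & ACCOUNT_DISABLED:
            continue  # disabled on-premises account is not provisioned in the cloud
        users[entry["userPrincipalName"]] = {k: v for k, v in entry.items()
                                             if k in exported_attrs}
    return users


def run_sync(account_ou="OU=Staff,DC=corp,DC=example"):
    """Full cycle; returns (azure_ad_users, resource objects that failed to join)."""
    acct = import_objects(ACCOUNT_FOREST, account_ou, ACCOUNT_FOREST_ATTRS)
    res = import_objects(RESOURCE_FOREST, "DC=res,DC=example", RESOURCE_FOREST_ATTRS)
    metaverse, unjoined = build_metaverse(acct, res)
    users = export_to_aad(metaverse, {"userPrincipalName", "givenName", "sn",
                                      "mail", "proxyAddresses"})
    return users, unjoined


if __name__ == "__main__":
    users, unjoined = run_sync()
    for upn, attrs in users.items():
        print(upn, attrs)
    for obj in unjoined:
        print("unjoined:", obj["mail"])
```

With the default OU filter only Alice is provisioned: Bob sits outside the synchronized OU, Carol is disabled, Alice's resource-forest mailbox account is merged into her account-forest identity rather than becoming a second cloud user, and the shared "helpdesk" mailbox is reported as unjoined instead of being created as a stray user. Widening the filter to the domain root adds Bob. Attributes outside the allowed sets (homeDirectory, employeeID, userAccountControl) are never exported, which is the data-minimization point behind selective synchronization.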
An integrated on-premises/cloud identity directory is a key piece of Microsoft's Cloud OS vision, and this release goes to show their commitment to the "cloud first, mobile first" strategy.