Azure AD Connect for hybrid identity – a summary guide

We regularly run webinars on a variety of topics. A recent one, entitled How Azure AD Connect enables hybrid identity, garnered more interest than any I can remember (when measured by the number of attendees, the fact that nearly all of them stayed until the end, and the number of superb questions posed).

[Update March 2018: View the recording of our AAD Connect: Beyond the Wizard webinar during which an expert panel answered 30+ questions from attendees, and find out more about our new AAD Connect Masterclass.]

Azure AD Connect (AAD Connect) is a sync engine, based on the tried and tested Microsoft Identity Manager (MIM) – and yet very different from it in many ways. It is easy to set up for a number of scenarios, but if you get under the covers it can do a lot more. Here is a quick summary:

  • AAD Connect has some clever tricks, but it can’t do everything.
  • Its primary use is to connect on-premises Active Directory (AD) to in-cloud Azure AD, synchronizing users – including their passwords – and (optionally) groups.
  • You can use it in addition to MIM, but you do not have to have MIM.
  • There are some simple scenarios where you can extend it to do a “MIM-like” job – a good example is the inclusion of an HR feed as an authoritative source of users to be provisioned into AD and AAD.
  • Where it replaces MIM, there may be license savings, but don’t assume that overall implementation costs are significantly impacted (the solution still needs to be designed, implemented and tested).
  • MIM is the serious workhorse that is still needed for any fancy password management beyond AD to AAD, for any “GALSync-like” scenario (e.g. where you are merging global address lists across AD forests), and for anything involving the MIM portal (such as SSPR or group management, white pages/enterprise directory, and the policy/set/workflow engine). However, some things done by the portal can be done in Azure AD instead (SSPR and group management).
  • Put another way, MIM is good for complex scenarios, where seasoned MIM consultants/developers would find the AAD Connect UI to be very limiting.
  • We can expect AAD Connect to develop, and perhaps we might extrapolate the ideas and imagine, one day, a cloud-based synchronization service that is more AAD Connect-like than MIM-like.

If that's whetted your appetite and you want to find out more, you can view a recording of my webinar here; it includes lots of demos.

And in this blog, 'Azure AD Connect questions answered', I answer some of the questions posed by those who attended the webinar.

We have training courses! AAD Connect Masterclass and an Azure AD training course.