Identity synchronization has developed over the last couple of decades. It promised simplified administration, a better user experience, enhanced security, and easier compliance processes. It has delivered on its promises, and it continues to do so.
There are three stand-out areas where identity synchronization matters in the Microsoft stack: Microsoft Identity Manager (MIM), Azure AD Connect, and synchronization within the Microsoft cloud itself – for simplicity I will call this last one “AAD Sync”. It is not a brand, but it is a real capability – and, as so many organizations use all three of these (whether they know it or not), it is well worth saying a few things about how they work, and how they work together.
MIM has been the identity sync workhorse for over a decade – although it has been through many name changes. It is an on-premises solution, but it can reach out to cloud services when necessary. It will continue to be supported by Microsoft for about 8 years, and although it may come out of mainstream support in about 3 years, you should be able to count on your Microsoft partner to support your use of MIM beyond that.
Azure AD Connect is a group of tools that help you synchronize your on-premises users, groups and devices with cloud users, groups and devices. At its heart is Azure AD Connect Sync – a synchronization tool based on MIM, one of the subjects in our new Azure AD Connect Masterclass. This sync tool will presumably outlive MIM.
AAD Sync (as I am calling it) is Microsoft’s synchronization capability in the cloud. At a detailed level there are probably all sorts of things going on, but the key thing is that you connect it up to all manner of SaaS apps to enable SSO and/or to provision them with user objects, flowing various Azure AD attributes to the target system’s attributes. And now you can draw authoritative user information from Workday (a cloud HCM system).
Hybrid and synchronization
Many, many organizations now live in a hybrid world, with cloud users in Azure AD benefitting from Office 365 and other cloud apps and services, but also with on-premises users in AD to support legacy systems. We have sync in the cloud, sync on-premises, and Azure AD Connect keeping those two areas synchronized.
So far, so good – but where is it all going?
If you have Azure AD and AD, you probably already have Azure AD Connect – if not, it certainly makes sense, because it is free and it does its job well. You will need this as long as you still have a need for an on-premises Active Directory estate.
If you roll out a SaaS app that requires user provisioning, it probably makes sense to provision it using a cloud connector: if the app isn’t already in the Azure AD application gallery, it probably soon will be, and if it never is, a Microsoft partner can create a “SCIM” connector to provision it.
For everything else there is MIM, but the space it occupies is gradually being squeezed as the “AAD Sync” capabilities mature. However, even though you may feel it is a technology with a limited life, it does its job well, and the work you do to clean data and streamline your processes will make transition easy when the time comes.
What we are talking about here is mostly Identity Lifecycle Management (with a bit of entitlement management thrown in). It’s not new, and it’s not sexy – but it is as important as it has ever been. Without it you can’t do Identity Governance properly, and identity-driven security is working with one arm tied behind its back. MIM, Azure AD Connect and AAD Sync working together are an effective future-proof solution.