Azure AD Connect cloud sync

Andres Bohren

2023-09-07

Hi All,

I am using Azure AD Connect since it was named DirSync.

As i am setting up my new Exchange Hybrid Lab - i had the opportunity to try “Azure AD cloud sync”.

MS Learn What is Azure AD Connect cloud sync?

In the Link abvoe you can find a Table of Features that Azure AD cloud sync is not capable of.

Connect to LDAP directories
Support for device objects
Support for Pass-Through Authentication
Filter on objects’ attribute values
Allow advanced customization for attribute flows
Support for device writeback > Customers should use Cloud Kerberos trust for this moving forward
Support for group writeback
Support for merging user attributes from multiple domains
Azure AD Domain Services support
Unlimited number of objects per AD domain
Large groups with up to 250,000 members

Exchange hybrid writeback

Long time, one of the biggest issue was that Azure AD cloud sync did not support the “Exchange hybrid writeback”. A functionality where the LegacyExchangeDN from Exchange Online is written back as a X500 Address in the “proxyAddresses” Attribute in the OnPrem Active Directory.

Since December 16, 2022 with the release of the Verson 1.1.1107.0 of the provisioning agent it is now possible

Before deploying Exchange Hybrid with cloud sync you must meet the following prerequisites.

The provisioning agent must be version 1.1.1107.0 or later.
Your on-premises Active Directory must be extended to contain the Exchange schema

Set up Azure AD cloud sync

Time to set it up in Microsoft Entra Admin Center https://entra.microsoft.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted

First we need to install the Agent

Under “Agent” you can download the Agent

Installation of the Agent

First i was unsure what option to pick. But the first one with “Azure AD Connect Cloud Sync” seemed the right one

Now you need to log in with a user with the “Global Administrator” Role

Let the Setup create a Managed Service Account

Review Screen

Agent is registering in Azure Active Directory (Entra ID)

Then the Agent is restarting

The Agent is sucessfully installed

We can see the Agent now in the Entra Admin Center under Agents

Under Configuration let’s create a new Configuration

Select the Domain from the Dropdown

By default Exchange hybrid writeback is disabled

But you can change that in Properties. I’ve also set the value for “Accidental Deletion Prevention” to 500

Now we can select what will be syncronized. We have the options:

All Users
Member of a Group
Organizational Units (by Distinguished Name)

Attribute Mapping - didn’t change anything here

Expression Generator - didn’t change anything here

Activate Azure AD Cloud Sync

Let’s start the Sync by clicking on “Review and activate”

Review and select start

You can see the Log under Deployment Protocols

With Sync on Request you can sync a single Object.

For me it was a little bit odd, that they need the Distinguished Name (DN). An Attribute where you need to go to the Attribute Editor. Probably the better Option is to use the ActiveDirectory PowerShell Module where the DistinguishedName is displayed by default.

Details of the Synced user

It has sucessfully synced the user

Let’s check the Properties of the User in Entra ID

Before i did setup the Azure AD Cloud Sync i checked the Microsoft Graph for onPremisesSynchronization

https://graph.microsoft.com/beta/directory/onPremisesSynchronization

Required Permissions:

OnPremDirectorySynchronization.Read.All
OnPremDirectorySynchronization.ReadWrite.All

The Attribute synchronizationClientVersion still shows the last Azure AD Connect Version before i decommissioned Exchange Hybrid and moved to Cloud Only. Documented in the Blog Articles below

In the Microsoft 365 Admin Center > Directory sync status the synchronizationClientVersion still shows that old Version. That’s a little bit odd and i would rather see the sychronization Agent Version here.

Regards
Andres Bohren