Azure AD Connect – You can now provision cloud identity from disconnected Active Directory

As you already know Azure Active Directory Connect (AAD Connect) is the easiest and quickest way to provision identities in Azure AD, especially for large organization, while providing simple authentication method to cloud services (password hash sync, Seamless SSO…).

That being said, you may find yourself in position you have to quickly provide cloud identities for other ‘independent’ entities (due to merger or historical disconnected environment) in your organization while you do not have the ability or the time to setup trust relationship.

This challenge now has a response with a new cloud provisioning feature of Azure AD Connect, providing a lightweight synchronization solution to onboard disconnected Active Directory.

Another advantage of this capability is you can deploy multiple agents, providing high availability for the service (opposite to the ‘full’ Azure AD Connect which does not provide such capability, unless you deploy a standby instance).

Before starting digging into this new feature (in preview), you need to ensure the following prerequisites are matched:

  • you have a global administrator account on your Azure AD tenant
  • at least one Windows Server 2012 R2 or later domain joined (to the disconnected domain) is available to run the provisioning agent
    • with the .Net Framework 4.7.1
    • TLS 1.2 enabled
    • NOTE I have tested installing the agent on the domain controller itself and while this is not clearly documented, it works; the agent can be installed, configured and syncing with Azure AD successfully
  • the firewall allows outbound traffic from this/these server(s) on port 80, 443 and 8080 (optional and being used if 443 can not be used)
  • firewall/proxy exception for:
    • *.msappproxy.net
    • *.servicebus.windows.net
    • login.windows.net
    • login.microsoftonline.com
    • mscrl.microsoft.com
    • crl.microsoft.com
    • ocsp.msocsp.com
    • www.microsoft.com
    • or if you can;t manage URL you need to allow the Azure IP address (see https://www.microsoft.com/download/details.aspx?id=41653)

You can test access using the test portal  https://aadap-portcheck.connectorporttest.msappproxy.net/

image_thumb

Once all of these prereqes are matched, you can start using the Cloud Identity provisioning for disconnected AD features by connecting to your Azure portal (https://portal.azure.com/) or Azure AD portal (https://aad.portal.azure.com/) to reach the Azure Active Directory\Azure AD Connect blade

image_thumb[2]  image_thumb[1]

There you will see the new feature Manage provisioning (preview) to download he lightweight and manage the agent

image_thumb[3]  image_thumb[4]

Once the agent is downloaded, the installation steps are pretty simple and straightforward: accept the license terms (as always Smile) and that’s it

image_thumb[5]  image_thumb[6]

Then the configuration wizard will popup (if not a shortcut is available on the Desktop) and will ask you to connect to your Azure AD tenant

image_thumb[7]

Then (as for the ‘classic’ Azure AD Connect), you will have to connect to the disconnected domain

image_thumb[8]

You can even select the order domain controllers to connect to using the Select domain controller priority option

image_thumb[9]

That’s is for the configuration; you do not have to configure the synchronization or authentication options. All the management capability is available only through the Azure AD/Azure portal

image_thumb[10]  image_thumb[11]  image_thumb[12]

Once the agent(s) is/are registered, when you refresh the Azure AD Provisioning blade, you can confirm the

agent(s) is/are up and running and successfully connected using the Review all agents

image_thumb[16]  image_thumb[15]

You can also check the services state:

  • Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
  • Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)

image_thumb[22]

Then New Configuration option becoming available; use this option to configure the agent and define the various synchronization options

image_thumb[13]  image_thumb[17]

Same as with Azure AD Connect, you can select if you are syncing the full directory, or just members of a security group or a selected OU’s (you can add multiple OU’s)

If you want to sync selected OU’s, you have to enter the OU path using the Distinguished Name (you can not browse)

image_thumb[18]

It is recommended to keep the password hash sync option enabled, even if your are not planning to use it

An email address is then required to get notified if the agent(s) is/are getting unhealthy

image_thumb[19]

When you go back to the main Azure AD Provisioning blade, the disconnected domain is now showing up with his status and associated agents

image_thumb[20]  image_thumb[21]  image_thumb[24]

Configuration changes are synced every 2 minutes while the provisioning interval is every 40 minutes

All agent activities are logged into the Applications and Services Logs\AzureADConnect log

  • either AgentUpdater for any agent updated activities (you will see there if there has been an update)
  • or ProvisioningAgent for any provisioning activities

image_thumb[23]

Important events for the ProvisioningAgent will be:

  • Event 14000 when the agent has been starting
  • Event 14003 when a synchronization configuration has been applied/updated

You can access the provisioning logs and other settings for the domain by accessing the Enterprise Applications\All Applications blade and then searching for the synced domain using the All Applications type filter

image_thumb[25]

Then go to the Provisioning blade for the application

image_thumb[26]

This application will be automatically deleted when you delete the configuration you have created above

Users and groups from the disconnected AD should now show up in your Azure AD

image_thumb[27]  image_thumb[28]

In addition an new synchronization account (ADToAADSyncServiceAccount) should also show up in your Azure AD

image_thumb[29]

You can provide feedbacks using the ULR https://go.microsoft.com/fwlink/?linkid=2033943

Benoit Hamet
Benoit Hamet
Benoit is working on Microsoft collaborative technologies He has been awarded as MVP for more than 12 years Currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007) Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) or online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies