Recently a new option for AD sync entered preview: Azure AD Connect cloud provisioning. It can run in a tenant that already uses Azure AD Connect sync, and it supports synchronizing to an Azure AD tenant from a multi-forest, disconnected Active Directory forest environment. This is currently not possible with AD Connect, and many organizations are struggling with it.
- Simplified installation with light-weight provisioning agents: the agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.
- Multiple provisioning agents can be used to simplify high availability deployments, which is particularly critical for organizations relying on password hash synchronization from AD to Azure AD.
The common scenarios include mergers and acquisitions, where the acquired company's AD forests are isolated from the parent company's AD forests, and companies that have historically had multiple AD forests.
Here I have a sample of the same three accounts in three different domains; now, with Azure Active Directory (Azure AD) Connect cloud provisioning, they are synced into a single Azure AD.
If there is a firewall between your servers and Azure AD, configure the following items:
Ensure that agents can make outbound requests to Azure AD over the following ports:
Port number and how it is used:
- Port 80: downloads the certificate revocation lists (CRLs) while validating the SSL certificate
- Port 443: handles all outbound communication with the service
- Port 8080 (optional): agents report their status every 10 minutes over port 8080 if port 443 is unavailable. This status is displayed in the Azure AD portal.
Also, the following URLs need to be unblocked (add a firewall or proxy exception for them):
- *.msappproxy.net
- *.servicebus.windows.net
- login.windows.net
- login.microsoftonline.com
- mscrl.microsoft.com
- crl.microsoft.com
- ocsp.msocsp.com
- http://www.microsoft.com
If you can't filter by URL, you need to allow the Azure IP address ranges instead (see https://www.microsoft.com/download/details.aspx?id=41653), but that can be a big list.
You can test access using the test portal https://aadap-portcheck.connectorporttest.msappproxy.net/
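As an added example (not from the original post), the following PowerShell script run on the server that will host the agent checks TCP reachability for the ports and hosts listed above. Wildcard entries such as *.msappproxy.net and *.servicebus.windows.net cannot be tested directly, so the port-check portal host from the text stands in for *.msappproxy.net, and whether that host also answers on the optional port 8080 is an assumption, so that result is only a warning.

```powershell
# Added example: verify the outbound connectivity the provisioning agent needs.
# Test-NetConnection only proves DNS resolution plus a TCP connect, which is
# exactly what a firewall exception check needs; it says nothing about service health.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443; Purpose = 'All service communication' }
    @{ Host = 'login.windows.net';         Port = 443; Purpose = 'All service communication' }
    @{ Host = 'aadap-portcheck.connectorporttest.msappproxy.net'; Port = 443; Purpose = 'Port-check portal (*.msappproxy.net)' }
    @{ Host = 'mscrl.microsoft.com';       Port = 80;  Purpose = 'CRL download' }
    @{ Host = 'crl.microsoft.com';         Port = 80;  Purpose = 'CRL download' }
    @{ Host = 'ocsp.msocsp.com';           Port = 80;  Purpose = 'OCSP revocation check' }
    @{ Host = 'www.microsoft.com';         Port = 80;  Purpose = 'Certificate validation' }
)

$Results = foreach ($e in $Endpoints) {
    $tnc = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $e.Host
        Port     = $e.Port
        Purpose  = $e.Purpose
        Resolved = [bool]$tnc.RemoteAddress   # DNS worked (proxy/firewall DNS filtering shows up here)
        TcpOpen  = $tnc.TcpTestSucceeded      # three-way handshake completed
    }
}
$Results | Format-Table -AutoSize

# Port 8080 is only the status-reporting fallback when 443 is blocked, so treat it as a warning.
# Assumption: the port-check portal host answers on 8080 as well.
$opt = Test-NetConnection -ComputerName 'aadap-portcheck.connectorporttest.msappproxy.net' -Port 8080 -WarningAction SilentlyContinue
if (-not $opt.TcpTestSucceeded) {
    Write-Warning 'Optional port 8080 is not reachable; agent status fallback will not work if 443 fails.'
}

$failed = $Results | Where-Object { -not $_.TcpOpen }
if ($failed) {
    $list = ($failed | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Blocked by firewall/proxy or DNS: $list"
    exit 1
}
'All required endpoints are reachable; the agent can be installed on this server.'
```

Run it as the account the agent service will use, since a proxy configured per user can make an interactive test pass while the service still fails.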
Now that I know that all the ports are open, we can start with the deployment.
Go to the Azure portal and open the Azure Active Directory blade:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect
When you click the Provisioning link, a new window opens with the Download Agent button in the ribbon.
Now that we have downloaded the agent we can start the installation. Keep in mind that if you don't have the latest .NET version installed, you need to install it first, and that requires a reboot.
The setup is quick, and our next step is the configuration.
Use a service account for the sync, and make sure your domain settings are correct; otherwise all the accounts get synced with the *.onmicrosoft.com suffix.
My local Active directory domain.
In this demo I use the Administrator account, but don't use this account in your production site. Create a proper account for this.
Now that the AD is connected we can kick off the sync and move on to the next steps.
The agent creates two services on the sync server.
In the Azure portal you can see the sync status. I had already done a couple of installs, so no panic if your layout is different.
Now we check whether the agent is running, using "Review all agents"; by default there is an extra step to take.
In previews you can always give feedback, so by the time the product is GA there is a good chance that the menus will have changed.
As you can see it is active. If it is not active, check the services on the on-premises server where you installed the agent.
You can also see your external public IP.
You can also check the state of the services:
- Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
- Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)
Our next step is configuring Azure AD Connect cloud provisioning: enable password hash synchronization and set up a notification email.
Now that the configuration is complete we are ready for production. We save this config and check the agent health status.
For testing you can use the cloud applications portal: https://myapps.microsoft.com
When logging in you will see the apps that are assigned to that user.
Configuration changes are synced every 2 minutes while the provisioning interval is every 40 minutes.
All agent activities are logged in Event Viewer under Applications and Services Logs\Microsoft\AzureADConnect\ProvisioningAgent\Admin.
Look at AgentUpdater for any agent update activities (you will see there whether there has been an update) or ProvisioningAgent for any provisioning activities.
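The services listed above and the event logs just mentioned are what you check first when the portal shows an agent as inactive. As an added example (not from the original post), this PowerShell script does both in one go on the agent server: it matches the two service display names with a wildcard, restarts any that are stopped, and then reads the last 24 hours of warnings and errors from the agent logs. The exact Event Viewer channel names are not stated on the page, so the script discovers them from the Microsoft\AzureADConnect path rather than hard-coding an assumed name.

```powershell
# Added example: health check for the Azure AD Connect provisioning agent.
# Service display names come from the post; the wildcard tolerates small
# naming differences between preview builds.
$services = Get-Service -DisplayName 'Microsoft Azure AD Connect*'
if (@($services).Count -lt 2) {
    Write-Warning "Expected 2 agent services (Updater and Provisioning Agent), found $(@($services).Count). Is the agent installed?"
}
$services | Select-Object DisplayName, Name, Status | Format-Table -AutoSize

# A stopped Provisioning Agent service is the usual reason the portal shows 'inactive'.
foreach ($s in ($services | Where-Object { $_.Status -ne 'Running' })) {
    Write-Warning "$($s.DisplayName) is $($s.Status); starting it."
    Start-Service -Name $s.Name
}

# Discover the Admin channels under Applications and Services Logs\Microsoft\AzureADConnect
# (channel names are an assumption, hence the wildcard lookup instead of a literal name).
$logs = Get-WinEvent -ListLog '*AzureADConnect*' -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -like '*Admin' }
if (-not $logs) { Write-Warning 'No AzureADConnect event logs found on this server.'; return }

foreach ($log in $logs) {
    "`n== $($log.LogName) (records: $($log.RecordCount)) =="
    # Level 1,2,3 = Critical, Error, Warning; restrict to the last 24 hours
    $filter = @{ LogName = $log.LogName; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-24) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    if (-not $events) { '  no warnings or errors in the last 24 hours'; continue }
    # Show only the first line of each message; agent messages can be several lines long
    $events | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
}
```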
- Follow me on Twitter: @ClusterMVP
- Follow my blog: https://robertsmit.wordpress.com
- LinkedIn: Robert Smit MVP profile
- Google: Robert Smit MVP profile