Microsoft Releases Azure Active Directory Sync Services Tool
Microsoft released its Azure Active Directory Sync Services tool on Monday, with little fanfare.
The tool can now be downloaded from this page. It was last available as a second preview version about a month ago. Azure AD Sync Services is notable for being Microsoft's intended replacement tool for the Directory Synchronization (DirSync) tool. Both tools are used to synchronize (or copy) user identities managed through Active Directory in organizations.
In addition, Microsoft has another way of synchronizing AD identities via its Forefront Identity Manager 2010 R2 Service Pack 1 product. The next version of this product, to be called "Microsoft Identity Manager," will be designed specifically to support hybrid cloud and premises-based deployments with support for Azure AD and multifactor authentication, Microsoft indicated back in April. At TechEd in May, Adam Hall, product manager for hybrid identity solutions, suggested in a presentation that this next product release would simply drop the Forefront brand. Ease of deployment will be another big focus of this next Identity Manager product.
Microsoft plans to release Identity Manager sometime next year. It will coexist with Azure AD Sync, according to an explanation from a Microsoft spokesperson:
Microsoft Identity Manager is targeted to complex organizations which have significant requirements for synchronization and provisioning between on-premises applications. Azure AD Sync is optimized for all organizations to easily on-board to Azure and take advantage of both Microsoft online services such as O365 and a world of connected SaaS applications.
Azure AD Sync Services
Microsoft has made it clear that the newly released Azure AD Sync Services tool will be replacing DirSync in the near future, perhaps by the end of this year. Azure AD Sync Services is slated to get a number of new capabilities that DirSync and Forefront Identity Manager 2010 R2 won't get. It's not clear when those new capabilities will arrive, but Microsoft has published a table comparing the current and future capabilities of DirSync, Azure AD Sync and Forefront Identity Manager 2010 R2 at this page. Update 5/1/15: Microsoft has removed this helpful MSDN resource, apparently without a replacement -- KM.
Azure AD Sync Services can do some things that DirSync can't. It can synchronize multiforest AD environments. It can be configured to sync only a small set of user attributes. It can also map multiple Exchange deployments to a single Azure AD tenant. However, Azure AD Sync Services currently lacks a few of DirSync's capabilities. For instance, password hash synchronization is currently not supported in Azure AD Sync Services, although Microsoft plans to add support for it in a future release, according to a Microsoft FAQ.
Microsoft's proliferation of various AD tool options has been confusing to Microsoft's customers, as well as internally, according to a blog post by Ryan Sizemore of Microsoft. He explained that DirSync is based on the Forefront Identity Manager product but DirSync was designed to streamline the setup process for organizations. It apparently has been difficult to use Forefront Identity Manager to synchronize a premises-based AD with the cloud-based Azure AD.
Azure AD Sync Services, which will succeed DirSync as the next-generation sync tool, also features "a simplified deployment experience," according to Sizemore. It's also considered by Microsoft to be a "next generation synchronization server (to supersede FIM [Forefront Identity Manager])," he explained. However, moving from DirSync or Forefront Identity Manager to Azure AD Sync Services apparently is a manual process. That process is described in this Microsoft Azure library article.
Azure AD Connect
Microsoft also has an Azure AD Connect (AADConnect) solution that acts as a sort of wizard for all of Microsoft's Active Directory products, connecting premises-based AD with cloud-based Azure AD. The Azure AD Connect solution seems to have evolved from a connector tool designed to facilitate Forefront Identity Manager 2010 R2 synchronization.
Sizemore described Azure AD Connect as a more general-purpose deployment tool that works across all AD technologies.
"AADConnect isn't a synchronization engine like FIM or AADSync -- simply installing AADConnect won't cause identities to magically begin synchronizing with AAD," Sizemore explained. "What [it] does do however is provide an easy-to-understand experience for deploying whatever technologies are required, based on your needed [sic]."
Azure AD Connect was at the preview stage back in August. It downloads all of the software needed to connect premises-based AD to Azure AD. It installs DirSync and Azure AD Sync Services and sets up password syncing for organizations using Azure AD Federation Services. Microsoft claims that Azure AD Connect can "configure directory integration in just 3 clicks."
The Azure AD Connect wizard is currently available through the Microsoft Connect test portal page here.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.