Introduction
If you are looking for a way to synchronize your on-premises Active Directory (AD) with Azure Active Directory (Azure AD), you might be wondering which solution is best for you: Azure AD Connect or Azure AD Connect cloud sync.
In this blog post, I will compare these two options and help you decide which one suits your needs better.
Azure AD Connect : is the older and more mature solution that has been available since 2015. It is a Windows Server application that you install on your on-premises domain controller or a dedicated server. It allows you to synchronize your on-premises AD objects (such as users, groups, contacts, devices, etc.) with Azure AD using various methods, such as password hash synchronization, pass-through authentication, federation, or writeback. Azure AD Connect also supports advanced features, such as filtering, transformations, custom rules, and hybrid Azure AD join.
Azure AD Connect requires a dedicated server to run on and can handle up to 100,000 objects per sync cycle.
Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals across any environment. It is a lightweight agent that runs on any Windows server and can synchronize multiple AD forests and domains with Azure AD. It supports password hash synchronization and seamless single sign-on features. Azure AD Connect cloud sync can handle up to 50,000 objects per agent and can scale up by adding more agents.
How do you choose between Azure AD Connect and Azure AD Connect cloud sync?
Here are some factors to consider:
- Complexity: If you have a simple AD environment with one forest and domain, Azure AD Connect might be easier to set up and manage. However, if you have a complex or heterogeneous AD environment with multiple forests and domains, Azure AD Connect cloud sync might be more flexible and scalable.
- Features: If you need advanced features such as federation, pass-through authentication, or health monitoring, Azure AD Connect might be the better option. However, if you only need basic features such as password hash synchronization and seamless single sign-on, Azure AD Connect cloud sync might be sufficient.
- Performance: If you have a large number of objects to synchronize, Azure AD Connect might offer better performance and reliability. However, if you have a smaller number of objects or need faster synchronization cycles, Azure AD Connect cloud sync might be faster and more efficient.
- Cost: If you have a limited budget or want to reduce your infrastructure costs, Azure AD Connect cloud sync might be more cost-effective as it does not require a dedicated server. However, if you already have a server available or want to leverage your existing infrastructure, Azure AD Connect might be more economical.
Factors to consider before choosing between Azure AD Cloud Sync and Azure AD Connect
- If you need more than password hash synchronization, such as pass-through authentication, federation, or writeback, you should use Azure AD Connect.
- If you have a complex or customized on-premises AD environment, such as multiple domains or forests, custom attributes or schemas, or custom synchronization rules, you should use Azure AD Connect.
- If you want to minimize the impact on your on-premises infrastructure and reduce the administrative overhead of managing synchronization software, you should use Azure AD Cloud Sync.
- If you have a simple or standard on-premises AD environment, such as a single domain or forest, default attributes and schemas, or no custom synchronization rules, you can use either Azure AD Cloud Sync or Azure AD Connect.
Feature Comparison between Azure AD Connect and Azure AD Cloud sync
| Feature | Azure Active Directory Connect sync | Azure Active Directory Connect cloud sync |
|---|---|---|
| Connect to single on-premises AD forest | ● | ● |
| Connect to multiple on-premises AD forests | ● | ● |
| Connect to multiple disconnected on-premises AD forests | ● | |
| Lightweight agent installation model | ● | |
| Multiple active agents for high availability | ● | |
| Connect to LDAP directories | ● | |
| Support for user objects | ● | ● |
| Support for group objects | ● | ● |
| Support for contact objects | ● | ● |
| Support for device objects | ● | |
| Allow basic customization for attribute flows | ● | ● |
| Synchronize Exchange online attributes | ● | ● |
| Synchronize extension attributes 1-15 | ● | ● |
| Synchronize customer defined AD attributes (directory extensions) | ● | ● |
| Support for Password Hash Sync | ● | ● |
| Support for Pass-Through Authentication | ● | |
| Support for federation | ● | ● |
| Seamless Single Sign-on | ● | ● |
| Supports installation on a Domain Controller | ● | ● |
| Support for Windows Server 2016 | ● | ● |
| Filter on Domains/OUs/groups | ● | ● |
| Filter on objects’ attribute values | ● | |
| Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
| Allow removing attributes from flowing from AD to Azure AD | ● | ● |
| Allow advanced customization for attribute flows | ● | |
| Support for password writeback | ● | ● |
| Support for device writeback | ● | Customers should use Cloud Kerberos trust for this moving forward |
| Support for group writeback | ● | |
| Support for merging user attributes from multiple domains | ● | |
| Azure AD Domain Services support | ● | |
| Exchange hybrid writeback | ● | |
| Unlimited number of objects per AD domain | ● | |
| Support for up to 150,000 objects per AD domain | ● | ● |
| Groups with up to 50,000 members | ● | ● |
| Large groups with up to 250,000 members | ● | |
| Cross domain references | ● | ● |
| On-demand provisioning | ● | |
| Support for US Government | ● | ● |
Conclusion
In summary, both Azure AD Connect and Azure AD Connect cloud sync are viable solutions for synchronizing your on-premises AD with Azure AD. The best choice depends on your specific requirements and preferences. You can also use both solutions in parallel for different parts of your organization if needed.