Microsoft’s new Azure Active Directory Synchronization Services tool (AADSync) was released to General Availability last month on the 16th of September. Microsoft calls it the new “one sync service to rule them all”, enabling support for Multi-Forest synchronizations and AD attribute filtering, amongst other features that were previously only possible with a licensed version of Forefront Identity Manager (FIM).
With the latest release, I found this to be a perfect time to reflect on how DirSync has developed over the last few years, to look at what’s possible with the new tool and what we can expect in AADSync vNext. Finally, as we now have 3 Directory Synchronization options for Office 365 and Azure AD (DirSync, AADSync, FIM), we will help you decide which Directory Synchronization option is right for you.
DirSync was first introduced in 2009 to synchronize AD accounts between on-premises AD and the predecessor to Office 365, Microsoft BPOS (Business Productivity Online Suite). Back in those days, DirSync was based on FIM’s predecessor, Microsoft Identity Lifecycle Manager (ILM). DirSync v1 was only available as a 32-bit version and it didn’t offer much more than the synchronisation of all user, group and contact objects from a single Active Directory to the Microsoft Online Identity Directory for BPOS.
When BPOS was rebranded to Office 365 in 2010, not only did MS change the underlying versions of Exchange Online, SharePoint Online and Lync Online, but DirSync became an essential requirement for the new Exchange Hybrid as well as Single Sign-On with Office 365. Support for filtering objects such OUs, accounts and groups was also introduced.
The next major release of DirSync came to us around the end of 2011. The underlying synchronization engine was updated to FIM, providing a 64-bit version of the tool.
In 2012, Microsoft made some bigger changes around DirSync to support synchronisation with Azure AD and it was rebranded to the Windows Azure Active Directory Synchronisation tool (WAAD Sync). The tool was now able to synchronized users and groups into an Azure AD tenant that wasn’t linked to an Office 365 subscription. Furthermore, MS included support for Exchange 2013 Hybrid scenarios, enabled the synchronisation of passwords via the Password Hash sync feature (May 2013), enabled WAAD Sync to be installed on Domain Controllers (Nov 2013) and most recently, enabled password write back in Azure AD premium scenarios (May 2014).
Azure AD Sync Service Tool
Last month (16th of September), Microsoft released a new identity synchronization tool. The new “sync service to rule them all” is called Microsoft Azure AD Sync Services (AADSync) tool. This tool is intended to provide a single synchronization engine to support both Azure Active Directory and Office 365 and includes the following feature additions:
- AADSync will use the new Microsoft Identity Manger (MIM) synchronization, built on a SQL 2012 R2 express database.
- The AADSync tool gives us support for simple multi-forest scenarios.
- After adding our forests, we can specify how our users will be represented in Azure AD. Considering a user might be represented in multiple forests, the first option allows us to choose a unique attribute across all forests.
- The second option allows us to choose the attribute that will be used for the identity federation.
- Exchange Hybrid and Password write-back options are still available.
- Azure AD app and attribute filtering allows us to reduce the set of attributes synced to Azure AD. This will be helpful for customers that, for compliance reason, do not want to have all AD attributes synced to Azure AD.
- AADSync allows you to filter the AD attributes via online service (i.e. Exchange / SharePoint…)… and if that doesn’t suffice, you can filter per attribute!
Coming soon …
As you might have noticed, there is currently no option to synchronize password hashes to Azure AD with the AADSync tool. MS is working on this and says this will be part of the next release.
Additionally MS is also working on integrating the following features into the AADSync tool:
- Support for attribute mapping rules via a simple UX menu.
(This is already available in the current beta version)
- Non-AD directory sources with support for single and multiple directories synchronization. This will allow us to synchronize user database from i.e. LDAP, Oracle, SQL or even MySQL.
- Synchronization of custom AD attributes.
Which tool should I use?
With both tools currently available, it might be a bit confusing which tool is the preferred tool to use. Both tools are currently supported and MS will not drop support for DirSync anytime soon. However, if we compare the two tools at the moment, it becomes clear that the only reason to use DirSync is because of the lack of the password hash synchronization in AADSync.
… and where does FIM fit in with this? In the majority of cases, we recommend our customers deploy FIM to manage identities across disparate systems. If Office 365 or Azure is involved, we recommend deploying DirSync as separate point solution to manage those cloud identities, with FIM managing all the other directories and systems. Using the out-of-the-box DirSync ensures the synchronization of identities with Azure/Office 365 is supported by Microsoft and can easily be updated as new features and functionality are released for Office 365 and Azure (which is often!).
If it is still unclear which tool is right for your organisation, please contact our Office 365 & Identity Management experts.
Update 28th August 2014
Today MS released a new version of the AADSync tool.
Version 1.0.470.1023 is available as today and includes:
- the ability to synchronize Password Hash from multiple on-premises AD to AAD
- Localized installation UI to all Windows Server languages