New sync capabilities in preview: Password Write Back, New AAD Sync and Multi-forest support

Howdy folks,

It's a great day here in Redmond – The sun is out, it's not raining and we have some cool new identity synchronization features available in preview!

Preview Self Service Password Reset writeback to Windows Server AD using DirSync

First, we've added a preview of DirSync password writeback for Self Service Password Reset. This preview capability allows customers who rely on federation or password hash sync to use Azure AD Premium to reset on-premises passwords in Windows Server Active Directory.

Preview Multi-forest identity synchronization using Azure AD Sync (AAD Sync)

We've also released a preview of our new AAD Sync. AAD Sync is our newly created "one sync service to rule them all". In this first preview, we are using AAD Sync to enable synchronization from multi-forest Windows Server AD deployments, a capability that all of our largest customers have been asking for. Over time (6-8 months), Azure AD Sync will replace DirSync and be included for all AAD, Office 365 and other Microsoft cloud service customers. It will enable simple synchronization like DirSync does today, but will also have a set of much more advanced capabilities, for instance, support for combinations of directories (AD, LDAP, SQL, and others) and the ability to remap and swizzle existing on-premises attributes. AAD Premium customers will also use it for writeback scenarios like Self Service Group Management.

Using the AAD Sync preview you will be able to:

  • Onboard your multi-forest Active Directory deployment to AAD
  • Use advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  • Configure multiple on-premises Exchange organizations to map to a single AAD tenant (as recently announced at the MEC conference)

Getting the new DirSync tool

You can access the updated DirSync with Password Reset writeback here. Once it is installed, you can configure the password reset writeback agent by opening an elevated DirSync configuration shell and running the Enable-OnlinePasswordWriteback cmdlet. Want more details? We'll have a writeback installation guide coming next week, so stay tuned!

Getting the AADSync service

You can join the Azure Active Directory Sync Services preview here. The AADSync preview will then be added to your Microsoft Connect account. Through this you will be able to download the most recent version, get information on known issues and updates, as well as provide feedback.

The installation is an easy 3-step process and is similar to DirSync.

Step 1

After you run the installer, you will first need to provide your AAD credentials and click "Next" to continue.

Step 2

Add each of your AD forests by entering Active Directory Domain Services credentials for each forest and clicking "Add Forest". Once a forest is added, AADSync will detect which services the forest contains, e.g. Exchange and Lync, and create an initial default configuration that will work for most customers. The configured forest is then added to the list; a forest can also be removed by clicking the X next to its name. Once you are done adding all your forests, click "Next" to continue.

Fig 1: AADSync add AD forests

Step 3

AADSync will now collect additional information on your multi-forest environment. This configuration helps AADSync understand how to map a user represented in more than one forest and how to uniquely identify each user. If you are using a single forest, you can leave the default configuration options and click "Next".

Fig 2: AADSync Multi forest configuration

Post Installation

That's it! Your initial configuration is complete, and at this point you can begin synchronizing your users with Azure Active Directory. You can also use the AADSync advanced UI to:

  • Filter out objects you don't want to synchronize to AAD

Fig 3: AADSync OU filters

  • Change the attribute mapping or set transformations between AAD and Windows Server AD users.

Fig 4: AADSync attribute mapping

  • View which attributes are consumed by each Microsoft Online service and control their synchronization. For example, if you do not use SharePoint Online, you can remove that entire group of attributes from synchronization.

Fig 5: AADSync attribute selection by service

Let us know what you think! Whether it's a feature you love, something you think we are missing, questions, or even an experience that you just don't like, you can reach out to us through the AADSync Microsoft Connect preview or the Windows Azure AD Forum.

Best regards,

Alex Simons (twitter: Alex_A_Simons)

Director of Program Management

Active Directory

  • In AADSync is it possible to filter out or remove all mail / exchange attributes from the synchronization and just sync basic AD user attributes and passwords to Windows Azure AD and manage all Exchange related stuff using Office 365 / Exchange Online?

  • Support for multiple Azure AD subscriptions coming? Or is this still a FIM feature?

  • Mike, it is possible to synchronize accounts without any of the Exchange attributes when you utilize Exchange in the cloud only or do not use Exchange at all.

  • Thanks, this feature is a very welcome addition to AADSync. There are many organizations that would like to use on-premises AD with password sync and only utilize Exchange in the cloud.

  • Marius Sandbu, support for multiple Azure AD subscriptions is not currently available, we are very interested in hearing from customers that need this. Please reach out through connect or the Windows Azure AD Forum with additional details.

  • This is a great addition to Azure AD. Thank you!

  • Great stuff! Installing and evaluating now.

  • Synchally ADDing simplicity

  • Good news! I am sure lot of us have been waiting for these features.
    I have a question - Is the password write back going to be available sooner than 6-8 months for production scenarios?

  • @Ajay - yes, will GA sooner than 6-8 months.

  • Will this version replicate back and forward "Account Locked Out" and "Account Expired" attributes?

  • @Massimo_M - We do not sync these attributes in the preview, but we are analyzing which additional attributes we should synchronize. Please reach out through connect or the Windows Azure AD Forum with additional details on how you want to use these.

  • Can we test the ability to configure multiple on-premises Exchange organizations to map to a single AAD tenant now with this tool? I was under the impression this capability was still in development. Is there an article that describes the pre-reqs etc...

  • @Amit, this functionality was made available in Exchange 2013 SP1 (which was released in Feb). It is currently not documented and we are working with the Exchange team to get this documented.

  • Hello: Great new functionality... what about syncing with Yammer?