Key Features of Azure AD Connect
Azure AD Connect is a powerful hybrid identity solution that bridges your on-premises environments with Azure Active Directory (Azure AD). It provides several key features to facilitate seamless synchronization and management of identities.
Single Sign-On (SSO)
Azure AD Connect supports various Single Sign-On (SSO) options, allowing users to access both on-premises and cloud resources with a single set of credentials. This improves user experience and reduces password fatigue.
- Password Hash Synchronization (PHS): The simplest form of SSO, where a hash of the on-premises password is synchronized to Azure AD.
- Pass-through Authentication (PTA): Users authenticate directly against your on-premises Active Directory.
- Federation with Active Directory Federation Services (AD FS): Provides advanced authentication and authorization capabilities through federation.
Password Writeback
This feature allows users to reset their on-premises passwords and have those changes synchronized back to Azure AD. This is crucial for self-service password reset scenarios in a hybrid environment.
Device Writeback
Device writeback enables synchronization of device objects from Azure AD to your on-premises Active Directory. This is essential for implementing Conditional Access policies that rely on device state and for enabling features like seamless SSO for Windows 10 devices.
Hybrid Azure AD Join
Azure AD Connect facilitates Hybrid Azure AD Join for devices. This allows devices to be joined to both your on-premises Active Directory and Azure AD, which provides single sign-on to cloud resources and makes features like Windows Hello for Business available.
Group Writeback
While not enabled by default, Azure AD Connect can be configured to synchronize specific group types (like Microsoft 365 groups) back to your on-premises Active Directory. This can simplify group management for certain applications.
Synchronization Rules Editor
Azure AD Connect includes a robust Synchronization Rules Editor that allows for granular control over how objects and their attributes are synchronized between your on-premises Active Directory and Azure AD. You can customize the flow of data to meet specific organizational requirements.
# Example: adjust the precedence of an existing custom rule (run on the Azure AD Connect server)
Import-Module ADSync
# 'your-rule-id' is the rule's Identifier GUID, as shown in the Synchronization Rules Editor
$Rule = Get-ADSyncRule -Identifier 'your-rule-id'
# Lower numbers win; custom rules should stay in the 0-99 range reserved for them
$Rule.Precedence = 20
# Persist the change (the ADSync cmdlets take the rule object through -SynchronizationRule)
Set-ADSyncRule -SynchronizationRule $Rule
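Because custom rules override the built-in ones and can rewrite what lands in Azure AD, a reviewer usually wants an inventory of every non-default rule and its attribute flows rather than a single rule edit. The following script is an added example and not code from the page or from Microsoft; it assumes the rule objects returned by Get-ADSyncRule expose Name, Identifier, Precedence, Direction, ImmutableTag and AttributeFlowMappings (each with Source, Destination, FlowType and Expression), that built-in rules carry an ImmutableTag while custom rules leave it empty, and that custom rules use the 0-99 precedence range. The function name and the output file name are the example's own.

```powershell
# Added example: inventory custom synchronization rules and their attribute flows so the
# non-default rules shaping the data exported to Azure AD can be reviewed in one place.
# Run on the Azure AD Connect server as a member of ADSyncAdmins.
Import-Module ADSync

function Get-CustomSyncRuleReport {
    param(
        # Rules below this precedence are treated as custom (0-99 is the range reserved for them)
        [int]$CustomPrecedenceLimit = 100
    )

    Get-ADSyncRule |
        # Assumption: built-in rules carry an ImmutableTag, custom rules do not
        Where-Object { [string]::IsNullOrEmpty($_.ImmutableTag) -or $_.Precedence -lt $CustomPrecedenceLimit } |
        Sort-Object Precedence |
        ForEach-Object {
            $rule = $_
            foreach ($flow in $rule.AttributeFlowMappings) {
                [pscustomobject]@{
                    Rule        = $rule.Name
                    Identifier  = $rule.Identifier
                    Precedence  = $rule.Precedence
                    Direction   = $rule.Direction
                    Destination = $flow.Destination
                    FlowType    = $flow.FlowType
                    # Direct/Constant flows name a source attribute; Expression flows carry the expression text
                    Source      = if ($flow.FlowType -eq 'Expression') { $flow.Expression } else { ($flow.Source -join ',') }
                }
            }
        }
}

# One row per attribute flow of every custom rule, lowest precedence (highest priority) first
$report = Get-CustomSyncRuleReport
$report | Format-Table Rule, Precedence, Direction, Destination, FlowType, Source -AutoSize

# Expression flows are where transformations of identity attributes such as userPrincipalName
# or mail would appear, so keep them in a file that can be diffed against the last review
$report | Where-Object FlowType -eq 'Expression' |
    Export-Csv -Path .\custom-sync-rule-expressions.csv -NoTypeInformation
```

Comparing the exported CSV against the copy from the previous review turns an unexplained new rule or a changed expression into a visible diff, which is the check that matters when the rules editor is used by more than one administrator.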
Staging Mode
Azure AD Connect supports a staging mode that allows you to install and configure a secondary server without impacting your production synchronization. This is invaluable for testing configuration changes or preparing for a disaster recovery scenario.
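A staging server imports and synchronizes but never exports, so the practical way to test a configuration change is to run a cycle there and inspect the exports that would have been sent to Azure AD. The script below is an added example, not code from the page or from Microsoft; it assumes Get-ADSyncScheduler returns StagingModeEnabled and SyncCycleInProgress properties, that csexport.exe and CSExportAnalyzer.exe sit in the default install folder named in the script, and that the Azure AD connector is passed in by name (in a default install it ends in " - AAD"). The function names and output paths are the example's own.

```powershell
# Added example: refuse to run a test cycle unless this server is in staging mode, run a delta
# cycle, then dump the pending exports on the Azure AD connector for review before promotion.
Import-Module ADSync

# Assumption: default Azure AD Connect install location
$SyncBin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'

function Assert-StagingServer {
    # Stop hard on the active server: a test change there would export straight to the tenant
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.StagingModeEnabled) {
        throw 'This server is not in staging mode; refusing to run a test cycle on the active server.'
    }
    return $scheduler
}

function Invoke-StagingDeltaCycle {
    # A staging server still imports and synchronizes; it just never exports, so this is safe
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    # Wait for the cycle to finish before reading the connector space
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

function Export-PendingChanges {
    param(
        # Name of the Azure AD connector, e.g. 'contoso.onmicrosoft.com - AAD' (example value)
        [Parameter(Mandatory)] [string]$ConnectorName,
        [string]$OutDir = "$env:TEMP\aadc-staging-review"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $xml = Join-Path $OutDir 'pending-exports.xml'
    $csv = Join-Path $OutDir 'pending-exports.csv'
    # /f:x limits the dump to objects that have a pending export on this connector
    & "$SyncBin\csexport.exe" $ConnectorName $xml /f:x
    # Flatten the XML into one row per pending add, update or delete for review in a spreadsheet
    & "$SyncBin\CSExportAnalyzer.exe" $xml | Out-File -FilePath $csv -Encoding utf8
    return $csv
}

Assert-StagingServer | Out-Null
Invoke-StagingDeltaCycle
$review = Export-PendingChanges -ConnectorName 'contoso.onmicrosoft.com - AAD'
Write-Host "Pending exports written to $review; review adds, deletes and attribute changes before switching servers."
```

An unexpected volume of deletes or attribute updates in the CSV is the signal that a filtering or rule change is wrong, and on a staging server that signal costs nothing because none of it has reached the tenant.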
Azure AD Connect Health
Integrated with Azure AD Connect, Azure AD Connect Health provides monitoring and reporting capabilities for your hybrid identity infrastructure. It helps proactively identify and address potential issues related to synchronization, federation, and other services.
Filtered Synchronization
You can configure Azure AD Connect to synchronize only specific Organizational Units (OUs), groups, or users, allowing for a phased rollout or selective synchronization based on your needs.
Customizing Synchronization
Beyond simple attribute filtering, Azure AD Connect provides advanced customization options through its Synchronization Rules Editor and Metaverse Search tool, enabling complex scenarios like attribute transformations and custom object types.