Syncing On-Premise Active Directory to Azure Active Directory

August 22nd, 2017
Amol Dalvi, Senior Director, Product

Companies may have migrated to the cloud, but it remains vital to sync an on-premise Active Directory (AD) with Azure Active Directory (Azure AD). This association permits on-premise network computers to access virtual environments in Azure and, conversely, cloud-based applications to access on-premise devices.

Azure AD's most popular use is integrating a business's on-premises AD domain with applications running in the cloud and with users connecting over the internet. The biggest benefit of synchronization is that users can access resources in both the on-premise and cloud environments with a single set of sign-on credentials. Let's look at the services each type of AD provides and why syncing them is essential.

What’s the Difference Between the Two?

On-premise AD and Azure AD each have different types of oversight and management. AD provides access via authentication and authorization to manage enterprise directories and on-premise resources like applications, printers, and file services. It employs protocols like Kerberos for user authentication and LDAP to interact with resources. It was not, however, designed to control web-based internet services.

Azure AD, on the other hand, uses an entirely different set of protocols (RESTful interfaces) designed to support web-based services, and offers cloud-based identity and access management capabilities through protocols such as SAML and OAuth 2.0. Azure AD provides a service-based approach to Active Directory that is hosted in Azure in the cloud, but also integrates with the on-premise active directory.

Most organizations will not choose one AD approach over the other, but instead they will incorporate both.


Single Identity

As organizations move infrastructure to the cloud, it is essential they integrate on-premise network computers with their Azure virtual machines by providing single identity functionality for users to access cloud applications. Azure AD Connect, the successor to DirSync and Azure AD Sync, is now the only directory synchronization tool supported by Microsoft. It integrates an on-premises AD with Azure AD by managing user and group accounts, linking client computers, and incorporating identity management into applications by implementing single identity and multifactor authentication.

Using Azure AD Connect, system administrators replicate on-premise AD to Azure AD so that the two security principals representing a user maintain the same password. The same password can then be used against on-premises AD and Azure AD alike, which is what achieves single identity.
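The following PowerShell script is an added example (not from the article or from Microsoft) of auditing what Azure AD Connect will replicate before enabling the sync described above. It assumes it runs on the Azure AD Connect server with the ActiveDirectory and ADSync modules, and that the OUs in `$SyncedOUs` (a placeholder) are the ones in the connector's sync scope.

```powershell
# Audit of Azure AD Connect sync scope (added example, not the article's own code).
# Assumes: run on the Azure AD Connect server; $SyncedOUs is a placeholder for the OUs in scope.
Import-Module ActiveDirectory
Import-Module ADSync

$SyncedOUs = @('OU=Users,DC=corp,DC=example')   # placeholder; replace with your synced OUs

# 1. Scheduler state: a disabled cycle or forgotten staging mode means nothing is exported.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled = $sched.SyncCycleEnabled
    StagingMode      = $sched.StagingModeEnabled
    NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
    NextPolicy       = $sched.NextSyncCyclePolicyType
} | Format-List

# 2. Privileged on-prem accounts inside the synced OUs. Accounts protected by AdminSDHolder
#    (adminCount=1) are normally excluded from synchronization so that a credential compromise
#    on the cloud side does not also expose Tier-0 on-premises identities sharing the password.
$privileged = foreach ($ou in $SyncedOUs) {
    Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq "True"' -SearchBase $ou `
               -Properties adminCount, userPrincipalName
}
if ($privileged) {
    Write-Warning 'Privileged accounts are inside the sync scope:'
    $privileged | Select-Object SamAccountName, UserPrincipalName, DistinguishedName |
        Format-Table -AutoSize
}

# 3. The ImmutableId Azure AD uses to match each synced object: base64 of the objectGUID.
Get-ADUser -Filter * -SearchBase $SyncedOUs[0] |
    Select-Object SamAccountName,
        @{ n = 'ImmutableId'; e = { [Convert]::ToBase64String($_.ObjectGUID.ToByteArray()) } } |
    Select-Object -First 5

# After adjusting the scope, run a delta cycle instead of waiting for the scheduler:
# Start-ADSyncSyncCycle -PolicyType Delta
```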

User Authentication

The next step in syncing the two directories is to set up federation between Azure AD and on-premise AD. When a user authenticates to a service that relies on Azure AD, the actual authentication is redirected to on-premise AD, and a token is then passed back to the Azure AD service. The token carries the user's privileges, which the cloud service applies when authenticating that user.

After combining an on-premises AD with Azure AD by setting up directory synchronization and federation, Azure AD essentially becomes a federation hub used to authenticate internet-based services and countless other applications already linked with Azure AD. This enables users to sign on with their AD credentials to seamlessly access applications and internet services.
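The following PowerShell script is an added example (not from the article) of checking the on-premises side of the federation just described. It assumes AD FS is the federation service, that it runs on the primary AD FS server with the ADFS module, and that the relying party trust carries the display name Azure AD Connect normally gives it.

```powershell
# Federation health check on AD FS (added example, not the article's own code).
# Assumes: primary AD FS server, ADFS module, default relying party trust name for Azure AD.
Import-Module ADFS

$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
if (-not $rp) { throw 'Relying party trust for Azure AD not found' }

# Claims Azure AD expects in the token: the UPN and the ImmutableID that links the
# federated login to the object synchronized by Azure AD Connect.
$required = @(
    'http://schemas.xmlsoap.org/ws-2005/05/identity/claims/upn',
    'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
)
foreach ($claim in $required) {
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
        Write-Warning "Issuance transform rules do not emit $claim"
    }
}
"Token lifetime (minutes): $($rp.TokenLifetime)"

# Token-signing certificates: once the primary certificate expires, or a rollover is not
# published to Azure AD, every federated sign-in fails, so report days remaining.
foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
    [pscustomobject]@{
        Thumbprint = $c.Certificate.Thumbprint
        Primary    = $c.IsPrimary
        DaysLeft   = ($c.Certificate.NotAfter - (Get-Date)).Days
    }
}
"Automatic certificate rollover: $((Get-AdfsProperties).AutoCertificateRollover)"
```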


Azure AD is Flexible

Another benefit of Azure AD is that it does away with the rigid AD hierarchy, in which an organization is set up as a structure containing groups of users. That compartmentalization is not flexible enough to meet the requirements of contemporary SaaS solutions.

Many organizations use external cloud-based services such as Salesforce or Dropbox. These services do not connect to the on-premise AD, making it difficult for a system administrator to manage user privileges and identities effectively.

In addition, if company applications are hosted partly on-site and partly in Azure, there may be latency issues sending authentication requests from Azure back to an on-premise network. Implementing directory and identity services in Azure can reduce these system delays.

To connect Azure virtual machines to an on-premise network, configure a site-to-site VPN. Creating the virtual network and adding virtual machines in Azure has three phases: configuring the on-premise network with a route that directs traffic to the virtual network; creating the virtual network in Azure; and installing and configuring Azure AD Connect. Follow this procedure to connect an on-premises network to a Microsoft Azure virtual network.
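The following PowerShell script is an added example (not from the article) of the Azure side of the three-phase procedure above. It assumes the Az PowerShell module and an authenticated session (`Connect-AzAccount`); the resource names, address spaces and the on-premises VPN device's public IP are placeholders to replace with your own values.

```powershell
# Site-to-site VPN for the hybrid network (added example, not the article's own code).
# Assumes: Az module, Connect-AzAccount already run; all names and addresses are placeholders.
$rg  = 'rg-hybrid-identity'
$loc = 'westeurope'
$onPremPublicIp = '203.0.113.10'   # placeholder: public IP of the on-premises VPN device
$onPremPrefix   = '10.0.0.0/16'    # placeholder: on-premises address space
$sharedKey = Read-Host 'IPsec pre-shared key'   # prompted, never hard-coded in the script

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Phase 1: Azure's view of the on-premises network. The matching route (10.1.0.0/16 -> tunnel)
# must be configured on the on-premises VPN device itself.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $loc `
        -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefix

# Phase 2: virtual network with the mandatory 'GatewaySubnet' and a route-based VPN gateway.
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'snet-servers'  -AddressPrefix '10.1.1.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
)
$vnet = New-AzVirtualNetwork -Name 'vnet-hybrid' -ResourceGroupName $rg -Location $loc `
          -AddressPrefix '10.1.0.0/16' -Subnet $subnets
$pip  = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
          -AllocationMethod Static -Sku Standard
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vgw = New-AzVirtualNetworkGateway -Name 'vgw-hybrid' -ResourceGroupName $rg -Location $loc `
         -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# IPsec connection between the two gateways; the on-premises device uses the same key.
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $vgw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $sharedKey

# Phase 3: install Azure AD Connect on a domain-joined server reachable through this tunnel
# (the installer is a wizard, not scripted here), then confirm the first cycle ran with:
# Get-ADSyncScheduler
```

Domain controllers placed in the Azure virtual network must be reachable from the on-premises side over the tunnel, so verify the on-premises route before running the Azure AD Connect wizard.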

Better Productivity Through Synchronicity

Syncing an on-premise AD with Azure AD leverages existing on-premise infrastructure while taking advantage of the federation and authentication of Microsoft Azure cloud services. This, in turn, allows organizations to provide users with a common identity across on-premise and cloud-based services.

This makes those users more productive: single sign-on gives them access to both on-premise and cloud services and applications. For system administrators, multi-factor authentication provides conditional access based on application, device, user identity, network location, and many other options. Finally, for application developers, apps can be created with a common identity model and then integrated with either on-premise AD or, for cloud-based applications, Azure AD.