AD Connect and Connect Health – Identity Management for Office 365

In a world where major releases are a thing of the past and rapid deployment of new features is the future, Microsoft has set the perfect example with their latest cloud product: Office 365.

Organisations across the globe are rapidly improving and simplifying the management of their IT. The IT Roadmap has changed. We are in a world where major releases are a thing of the past and rapid deployment of new features is the future. With their latest cloud products Microsoft really do seem to have stumbled across a book or two on the Japanese art of Kaizen (continuous improvement); Office 365 is the perfect example of that.

The suite itself comes in a plethora of colours and flavours with something to suit everyone, from the five-user home office right up to organisations like the All India Council for Technical Education (AICTE), which is currently deploying the suite to 7 million students and 500,000 faculty members.

Users more familiar with Office 365 will be aware that it has had a fairly rocky road to where it proudly stands today. One of its original incarnations, BPOS, was the bane of many an IT admin; however, through constant innovation and a monumental shift in methodology and process from Microsoft, it is now the premier platform for pretty much everything an IT infrastructure needs.

Since its inception, one of the core issues surrounding major deployments of Office 365 has been Identity Management. The original DirSync tool, used to synchronise an on-premises Active Directory to Windows Azure Active Directory, had a limited feature set and only ran a full synchronisation every three hours; for many organisations this simply wasn’t an option. The next tool, brought in to replace DirSync earlier this year, was the Azure Active Directory Sync Tool. This introduced features such as the ability to connect to multiple on-premises Active Directory forests, Attribute Write Back (for hybrid Exchange deployments) and Password Write Back from self-service password reset. This tool, although much more comprehensive and easier to configure than previous iterations, was still not ideal for large-scale deployments.

On top of this fairly basic toolkit for Identity Management, IT pros wanting features such as restricting devices by IP, having an account disablement take instant effect or fully featured Single Sign On also require ADFS. ADFS, although highly effective, has an almost complete lack of monitoring and reporting tools for the Office 365 admin.

Well I am more than pleased to inform you that the community has spoken and Microsoft has listened!

On the 24th of June the most technologically advanced utilities for Identity Management in Office 365 were released to general availability: Azure AD Connect and Connect Health.

The most important question here is what this means for real-world users of Office 365 right now; the following should give you a good idea of what’s just arrived:

Azure AD Connect

Directory Synchronisation based on Active Directory Group membership

Previous directory synchronisation solutions only allowed for users to be synced based on either Active Directory Attributes or per OU. This meant that unless you utilised a highly structured Active Directory or had meaningful attributes set for items like departments, syncing a specific business unit was overly complicated and required an additional administrative overhead to configure.

Almost every organisation does, however, have groups in place and ready to go, and these groups will normally align very neatly with the sets of users you may wish to move to Office 365.

With the introduction of this feature you can now simply select the groups you want and have them vaporised into the cloud in minutes.

Provision users in the cloud and write back to on-premises Active Directory

All user creation and management within a directory-synced cloud solution was always done in the on-premises directory. This meant that any changes made on-premises would either take up to 3 hours to synchronise to the cloud or you would have to run a manual delta sync after every change or group of changes. Cumbersome, right?

With these new tools you can now edit users in the cloud and have them synchronise back to your on-premises Active Directory. One major benefit of this is where you give security permissions and access: it potentially means that many of your admins never even touch your on-premises directory and infrastructure.

Write back of ‘Groups in Office 365’ to on-premises distribution groups in a forest with Exchange

Group Write Back has been a major adoption hindrance for organisations who heavily utilise distribution groups, and especially distribution group delegation, whereby a manager or elected person may moderate the membership of groups under their authority.

Previously this feature was not available in organisations where directory synchronisation was utilised. With the introduction of this feature, groups and group members are now replicated back to the on-premises directory, where they can be utilised by on-premises systems.

Enable device write back so that your on-premises access control policies enforced by ADFS can recognise devices that have registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10

So, a major feature being touted in Windows 10 is the ability to domain join straight into Windows Azure Active Directory; this can also be used with some mobile devices. Previously such devices would remain cloud-provisioned, and policies defined by Active Directory Federation Services would not apply to them.

This Write Back feature allows those devices to be written back to the on-premises directory, enforcing the policies required by your organisation on those devices.

Sync custom directory attributes to your Azure Active Directory tenant and consume it from within your cloud applications

Custom Active Directory attributes have long been used to integrate data held within Active Directory with an organisation’s core line-of-business applications. Often this means adding some additional attributes to Active Directory, which previously could not be synchronised to the cloud.

Going forward with Azure AD Connect these attributes will be available for consumption within Windows Azure Active Directory to all of your applications homed within the cloud.

Connect multiple AD Forests at one time to integrate users, groups and contacts that may exist in one or more forests

Multi-forest Office 365 has been a major headache, and although the Azure Active Directory Sync Tool alleviated some of this, it didn’t quite push it to being production-ready.

This latest iteration of Microsoft’s Identity Management platform for the cloud allows organisations not only to meet each other in the cloud but also to rapidly on-board new organisations in the event of acquisitions or mergers.

Configure password sync or federation for your sign-in needs. Choosing federation provides you with a simplified and streamlined deployment of ADFS

When initially configuring the Azure Active Directory Sync Tool there was no option to configure it for use with Active Directory Federation Services. This version allows for a wizard-based configuration of the federated relationship between Office 365 and the on-premises organisation.

Although you still need to deploy Active Directory Federation Services and Web Application Proxy on-premises, the groundwork is done for you as part of the installation.

Stage your sync cutover process or set up a new “Hot Spare” using “Staging Mode” for sync

A staging mode server can be used to set up a new Directory Synchronisation server in tandem with the current server. This allows major configuration changes and updates to be made to the new server while the old one is still in place. Once you are happy with the configuration changes you can simply disable the old one and enable the new one to get started straight away. Although this may not be the active/active or active/passive high availability solution we have been looking for, it’s a significant improvement on the complete lack of high availability in the previous iterations.
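As an added example that is not part of the original post, the following PowerShell reports which server of a staging pair is the one actually exporting, so the old server can be stopped before the new one is made active (two exporting servers would both write to Azure AD and, with write-back enabled, to the on-premises forest). It assumes the ADSync module that ships with Azure AD Connect 1.1 and later (the scheduler cmdlets post-date the release described here) and that it is run locally on each sync server with administrative rights.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes: ADSync module (Azure AD Connect 1.1+), run as a local admin on
# the sync server itself. Run it on both servers of a staging pair.
Import-Module ADSync

function Get-SyncServerRole {
    # Summarise what this server is doing, based on the scheduler state.
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        StagingMode      = $s.StagingModeEnabled
        SchedulerEnabled = $s.SyncCycleEnabled
        CycleInProgress  = $s.SyncCycleInProgress
        NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
    }
}

$role = Get-SyncServerRole
$role | Format-List

# A server that is NOT in staging mode and has its scheduler enabled is the
# active exporter. Stop it (or wait for an in-progress cycle) before the
# staging server is switched to active through the wizard's
# "Configure staging mode" task, then run a delta cycle on the new server.
if (-not $role.StagingMode -and $role.SchedulerEnabled) {
    Write-Warning "This server is the active exporter."
    Write-Host 'To stop it before cutover: Set-ADSyncScheduler -SyncCycleEnabled $false'
}
elseif ($role.StagingMode) {
    Write-Host 'Staging mode: importing and syncing, but not exporting.'
    Write-Host 'After switching to active, run: Start-ADSyncSyncCycle -PolicyType Delta'
}
else {
    Write-Host 'Scheduler disabled: this server is currently idle.'
}
```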

As you can see this is a tremendous list which comprehensively covers many of the most desired features for the Office 365 IT pro. As a true cherry on top, Microsoft have automated the deployment process so the new tool can be installed in place on top of the existing installation with next to no interruption in Directory Synchronisation.

I know from experience that many of these features will open the pathway to truly consolidate many of our customers within a cloud platform, finally enabling Microsoft’s cloud collaboration dream.

Azure AD Connect Health

Currently, 32% of logins to Windows Azure Active Directory utilise ADFS for single sign on; this moves the authentication process from the cloud to the on-premises directory. This means that the service itself becomes a major piece of the infrastructure required within the organisation, one that must be stable, reliable and, most importantly, monitored.

Currently there is no easy way to monitor ADFS in relation to Office 365; most solutions walk the fine line between clunky and basic at best. However, yet again the customers screamed and Microsoft has listened, in this case at a small cost to the end user in the form of Azure AD Premium. Users of Microsoft’s MDM solution, Enterprise Mobility Suite, already have Azure AD Premium included within their current subscription pricing.

The Azure AD Connect Health tool allows IT admins to acquire information on the reliability, health and performance of ADFS and Windows Azure Active Directory, something that has been almost completely missing from the product to date.

This current release adds the following three major capabilities:

  • Email alerts based on events, configuration information, synthetic transactions and performance data.
  • Graphs of login activity to gain usage insights into what your users are doing; these are generated from user token generation.
  • Performance indicators for token request counters, processor, memory, latency and more.

Compared to the previous monitoring options, which were very much flying by the seat of your pants, this provides almost everything necessary to ensure the health of your organisation when utilising Microsoft’s cloud platform.

For me the quintessential point of note is that Microsoft is listening, engaging and rapidly responding to community demand. This truly is a far cry from the attempted removal of every admin’s headache, Public Folders, in Exchange 2007.

Both of these tools are in general availability and ready for deployment right now!

Blog published by: Adam Cooperman, Esteem Solution Architect
