Objects and credentials, from an on-premises AD DS domain, can be synchronized to Azure AD using Azure AD Connect in a hybrid environment. Once those objects are synchronized to Azure AD, the automatic background sync then makes those objects and credentials available to applications using the managed domain.
A main component of Azure AD Connect is the Azure Active Directory Connect synchronization services (Azure AD Connect sync). Azure AD Connect sync handles all the operations that pertain to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync replaces DirSync, Azure AD Sync, and Forefront Identity Manager.
FIGURE 10.13 Enable Self-Service Password Reset
The Azure AD Connect sync service consists of two components:
■ The on-premises Azure AD Connect sync component, also called Sync Engine
■ The service side in Azure AD called Azure AD Connect sync service
These settings are configured by the Azure AD Module for Windows PowerShell. To see the configuration in your Azure AD directory, run Get-MsolDirSyncFeatures (as shown in Figure 10.14).
FIGURE 10.14 Running Get-MsolDirSyncFeatures
Many of these settings can only be changed by Azure AD Connect. The following settings can be configured by Set-MsolDirSyncFeature:
■ EnableSoftMatchOnUpn: Allows objects to join on userPrincipalName in addition to the primary SMTP address
■ SynchronizeUpnForManagedUsers: Allows the Sync Engine to update the userPrincipalName attribute for managed/licensed (non-federated) users.
Using PowerShell Commands
Once you have enabled a feature, it cannot be disabled again. Table 10.3 shows you the settings configured by Azure AD Connect that cannot be modified by Set-MsolDirSyncFeature.
TABLE 10.3 Settings configured by Azure AD Connect
DirSync feature | Note
DeviceWriteback | Azure AD Connect: Enables device writeback
DirectoryExtensions | Azure AD Connect sync: Directory extensions
DuplicateProxyAddressResiliency, DuplicateUPNResiliency | Allows an attribute to be quarantined when it is a duplicate of another object rather than failing the entire object during export
Password Hash Sync | Implement password hash synchronization with Azure AD Connect sync
Pass-through Authentication | User sign-in with Azure Active Directory Pass-through Authentication
UnifiedGroupWriteback | Group writeback
UserWriteback | Not currently supported
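Because enabling a DirSync feature is a one-way change, it is worth auditing the current state before calling Set-MsolDirSyncFeature. The following PowerShell is an added example, not code from the book; it assumes the MSOnline module is installed and that Connect-MsolService succeeds with an account permitted to read and change directory sync settings.

```powershell
# Added example: audit the tenant's DirSync feature flags before enabling one.
# Assumes the MSOnline module is installed; Connect-MsolService prompts for credentials.
Connect-MsolService

# The two settings the text says Set-MsolDirSyncFeature can toggle.
$settable = @('EnableSoftMatchOnUpn', 'SynchronizeUpnForManagedUsers')

# Dump every feature and whether it is enabled (the same view as Figure 10.14).
$features = Get-MsolDirSyncFeatures
$features | Select-Object DirSyncFeature, Enabled | Format-Table -AutoSize

# List the settable features that are still off. Each is irreversible once enabled.
$pending = $features | Where-Object {
    $settable -contains $_.DirSyncFeature -and -not $_.Enabled
}
foreach ($f in $pending) {
    Write-Host ("'{0}' is disabled; enabling it cannot be undone." -f $f.DirSyncFeature) -ForegroundColor Yellow
}

# Enable one feature only if it is currently off. Without -Force the cmdlet asks
# for confirmation first, which is the behaviour you want for a one-way change.
if ($pending.DirSyncFeature -contains 'SynchronizeUpnForManagedUsers') {
    Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true
}

# Re-read the single feature to verify the change was applied.
Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
```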