Published: October 28, 2013
Updated: October 29, 2014
Applies To: Azure, Office 365, Windows Intune
If your organization has an on-premises directory service, you can integrate it with your Microsoft Azure Active Directory (Microsoft Azure AD) directory and take advantage of Microsoft's enterprise-grade cloud service, IT governance, and self-service capabilities, thus improving end-user productivity, enabling compliance, and reducing administrative costs.
Extending your on-premises directories to Azure AD provides the following benefits:
- Simplifying your cloud-based administrative tasks
- Providing your users with a more streamlined sign-in experience
- Obtaining single sign-on to all cloud-based applications
- Securely and seamlessly managing your user and device identities, both cloud and on-premises, through a unified experience
- Managing your first- and third-party applications, SaaS and other existing enterprise cloud and on-premises applications through a unified experience
For more information, see Similarities between Active Directory and Azure AD.
Note: An important part of planning your hybrid identity infrastructure (extending your local directories to Azure AD) is determining how you want to administer your directory, as well as how your users will sign in to Microsoft cloud services. For more information and a high-level matrix of the benefits and features provided with each of these scenarios, see Determine which directory integration scenario to use.
Azure AD supports the following four directory integration scenarios:
Directory Sync Scenario - Used to synchronize on-premises directory objects (users, groups, contacts) to the cloud to help reduce administrative overhead. Directory synchronization is also referred to as directory sync. Once directory sync has been set up, administrators can manage directory objects from your on-premises Active Directory and those changes will be synchronized to your tenant. In this scenario, your users will use different user names and passwords to access your cloud and on-premises resources.
Directory Sync with Password Sync Scenario - Used when you want to enable your users to sign in to Azure AD and other services using the same user name and password as they use to log on to your corporate network and resources. Password sync is a feature of the Directory Sync tool.
Directory Sync with Single Sign-On Scenario - Used to provide users with the most seamless authentication experience as they access Microsoft cloud services while logged on to the corporate network. In order to set up single sign-on, organizations need to deploy a security token service on-premises, such as Active Directory Federation Services (AD FS). Once it has been set up, users can use their Active Directory corporate credentials (user name and password) to access the services in the cloud and their existing on-premises resources.
Multi-forest Directory Sync with Single Sign-On Scenario - Used to provide users in multiple Active Directory forests with the most seamless authentication experience as they access Microsoft cloud services while logged on to the corporate network. In order to set up single sign-on, organizations need to deploy Active Directory Federation Services (AD FS) as the security token service on-premises. Once it has been set up, users can use their Active Directory corporate credentials (user name and password) to access the services in the cloud and their existing on-premises resources.
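The following script is an added example, not part of the original article, that reports which of the scenarios above a tenant is actually in (the multi-forest variant cannot be distinguished from the tenant side) and flags a stale synchronization, which matters because a user disabled on-premises stays enabled in the cloud until the next sync lands. It assumes the Azure Active Directory PowerShell Module (MSOnline) is installed, Connect-MsolService has already been run as a tenant administrator, and the three-hour freshness threshold is a constructed default.

```powershell
# Added example (not from the original article). Assumes Connect-MsolService has already been run.
function Get-DirectoryIntegrationScenario {
    $company   = Get-MsolCompanyInformation
    $domains   = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
    $federated = @($domains | Where-Object { $_.Authentication -eq 'Federated' })
    $managed   = @($domains | Where-Object { $_.Authentication -eq 'Managed' })

    # Classify from the tenant-side flags: sync enabled, federated domains, password sync.
    if (-not $company.DirectorySynchronizationEnabled) {
        $scenario = 'Cloud-only (directory sync not enabled)'
    } elseif ($federated.Count -gt 0) {
        $scenario = 'Directory Sync with Single Sign-On (AD FS)'
    } elseif ($company.PasswordSynchronizationEnabled) {
        $scenario = 'Directory Sync with Password Sync'
    } else {
        $scenario = 'Directory Sync (separate cloud passwords)'
    }

    [pscustomobject]@{
        Scenario             = $scenario
        DirSyncEnabled       = $company.DirectorySynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $company.LastPasswordSyncTime
        FederatedDomains     = ($federated | ForEach-Object { $_.Name }) -join ', '
        ManagedDomains       = ($managed   | ForEach-Object { $_.Name }) -join ', '
    }
}

# Returns $false when the last successful sync is older than $MaxAgeHours (constructed default: 3).
# A stale sync means on-premises disables and password changes have not reached the cloud yet.
function Test-DirSyncFresh {
    param([int]$MaxAgeHours = 3)
    $company = Get-MsolCompanyInformation
    if (-not $company.DirectorySynchronizationEnabled) { return $true }   # nothing to go stale
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)
    return ($company.LastDirSyncTime -gt $cutoff)
}

Get-DirectoryIntegrationScenario | Format-List
if (-not (Test-DirSyncFresh)) { Write-Warning 'Directory sync has not completed within the expected window.' }
```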
Extending your on-premises directories to Azure AD can be accomplished using the following tools:
- Azure Active Directory Synchronization Tool (DirSync)
- Azure Active Directory Synchronization Services (AAD Sync)
- Forefront Identity Manager 2010 R2
For more information, see Directory Integration Tools.
Note: AAD Connect is currently in a Public Preview release.
AAD Connect streamlines the experience of extending your local directories into Azure AD: fewer tools have to be installed, it guides you through the entire process so you are not required to read many pages of documentation, and it reduces the on-premises footprint because you are not required to deploy many servers.
AAD Connect is a single wizard that performs all of the steps you would otherwise have to do manually for connecting your Windows Server Active Directory to Azure Active Directory:
- It downloads and installs prerequisites such as the .NET Framework, the Azure Active Directory PowerShell Module, and the Microsoft Online Services Sign-In Assistant.
- It downloads, installs and configures DirSync (or AAD Sync), and enables it in your Azure AD directory.
- It configures either the password sync or the single sign-on scenario, depending on which sign-on option you prefer, including any required configuration in Azure.
- It checks to make sure that your configuration is working!
For more information, see AAD Connect.