Azure AD Sync

Why should you be reviewing cloud synchronization? What is the point of synchronization? If you are like any typical organization, you have a robust on-premises Active Directory structure with many users, groups and customizations. Thus, your initial goal is not to reinvent the wheel, but rather to integrate your on-premises users with the users you intend to allow access to your cloud resources.

If you deal with any sort of cloud technology, you are familiar with changing URLs, changing names and changing brand names. Microsoft's cloud technologies are no exception. Recently, Microsoft rebranded Azure Active Directory as Microsoft Entra ID, signalling that it is the identity component of its cloud platform.

In this post, we’ll explore the differences between Azure AD Connect Sync and AD Connect cloud sync and discuss the intricacies that impact security with these two offerings.

What is Azure Active Directory sync?

Azure Active Directory sync often refers to one of two Microsoft identity synchronization tools: Azure AD Connect sync and Azure AD Connect cloud sync.

Microsoft has always had a bit of an issue positioning the various pieces that connect cloud services to on-premises servers. The name of the software that connects your on-premises directory to cloud services may (and probably will) change, but the concept is the same: synchronization software ensures that the user accounts, groups and, optionally, password hashes you have locally match what is in your cloud tenant.

While many Information Technology professionals groan that the name change will mean that websites and other locations will move and we will have to re-learn where things are, others applaud the fact that the name change marks a clear break between on-premises Active Directory and the cloud service. It should also lead to less confusion, as it will be clearer that Microsoft Entra ID is NOT the same as Active Directory.

The difference between Azure AD Connect sync and Azure AD Connect cloud sync

Microsoft provides two technologies that connect your on-premises directory to its cloud resources. The older software, Connect sync (also known as Azure AD Connect sync), connects your existing Active Directory infrastructure. The newer Azure AD Connect cloud sync will become the de facto synchronization tool once its feature set is comparable to that of Connect sync. It uses the lightweight Azure AD cloud provisioning agent, with the synchronization logic running in the cloud, and so places less load on your on-premises servers and network.

Azure AD Connect sync

As Microsoft defines it, “The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.” Note that, at this time, it's still called Azure AD Connect sync, but it's anticipated to be renamed and realigned under the Entra family name. There are many reasons and advantages to having and using Connect sync. Many of us still need and use Active Directory. While a pure cloud, Azure AD-only infrastructure is possible, it works best when a brand-new company starts with a cloud-first viewpoint. Some key capabilities of Azure AD Connect sync include:

  • Synchronization from a single forest, multiple forests, or an LDAPv3-compatible directory
  • Password Hash Synchronization (PHS)
  • Pass-Through Authentication (PTA), so your domain controllers act as the identity provider without deploying AD Federation Services
  • Exchange hybrid writeback for organizations with Exchange Server
  • Hybrid Azure AD join
  • Office 365 Group writeback, to prevent email address overlaps
  • Password writeback

Azure AD Connect cloud sync

For organizations that have not yet deployed synchronization, you may also want to evaluate the newer sync tool called Cloud sync (formerly called Azure cloud sync). Azure AD Connect cloud sync allows you to connect multiple disconnected on-premises AD forests and supports multiple active agents for high availability. The tool does not connect to LDAP directories and does not support Pass-Through Authentication. Unlike Connect sync, it is not designed for very large groups (Connect sync supports groups with up to 250,000 members).

Cloud sync continues to move toward parity with Connect sync. At present, it has the following characteristics:

  • Adds little CPU or overhead, thanks to a lightweight agent installation model
  • Connects to multiple on-premises Active Directory forests
  • Allows connectivity to multiple disconnected on-premises Active Directory forests, blending several disparate units
  • Synchronizes directory changes more frequently than Azure AD Connect sync, so if you have many changes it is the preferred setup
  • Works alongside Connect sync, so the two can be deployed together for different forests
  • Does not support LDAPv3-compatible identity stores and will not connect to LDAP directories
  • Does not support device objects
  • Supports synchronization of user, group and contact objects
  • Supports synchronizing Exchange Online attributes
  • Supports password writeback
  • Device writeback: Microsoft directs cloud sync customers to use Cloud Kerberos trust instead
  • Supports Exchange hybrid writeback (currently in preview)

Running Azure AD Connect sync with Azure AD

Azure AD Connect sync is the older of the two synchronization platforms and will ultimately be phased out once the feature gap between it and Azure AD Connect cloud sync no longer exists. Currently, if you have a large organization, it is still the preferred tool for syncing with Active Directory. But it carries a larger resource requirement, as well as a security concern: the Connect server stores the connector credentials, and with password hash synchronization its AD DS connector account holds the Replicating Directory Changes rights on the domain. A compromise of that server is therefore equivalent to a compromise of a domain controller, and Microsoft's guidance is to treat it as a tier-0 asset.

Running Azure AD Connect cloud sync with Azure AD

Azure AD Connect cloud sync is the newer sync platform. While it is anticipated to replace Azure AD Connect sync, it is currently designed for smaller organizations and requires fewer resources in terms of server specifications.

Security considerations for Azure AD Connect sync and Azure AD Connect cloud sync

Develop a thorough installation plan

When you begin to deploy Azure AD Connect cloud sync, you need to plan accordingly. Just as with Azure AD Connect, consider where and how you install the software. It should be installed on infrastructure that you protect with the same controls as your domain controllers. It needs to be monitored and maintained, as the software is updated when security issues are identified. You'll also want to be aware of any new research on potential security risks, such as recent research regarding potential man-in-the-middle attacks.

Restrict installation access

Restricting who can install this software, and knowing who is permitted to use it, is key. Installation requires an Enterprise Administrator account in Active Directory and a Global Administrator account in the cloud tenant; those credentials should be used only for the installation, not left on the server. You'll want to ensure that you have it installed on a modern operating system that supports TLS 1.2 or higher. You can use PowerShell to ensure that the TLS version is set appropriately. I would recommend that you use third-party tools to review the SSL/TLS settings on any server in your domain, and ensure that any web server or IP address exposed to the internet has its crypto settings set to optimal. Both Connect sync and Cloud sync should be reviewed periodically to ensure that permissions have not been adjusted and that both are installed with proper security settings.
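The following is an added example, not a script from the original article or from Microsoft, of how you might use PowerShell to audit the TLS 1.2 settings on a Connect sync or cloud sync agent server. The registry paths are the standard SChannel and .NET Framework locations that Microsoft's TLS 1.2 enforcement guidance references; the drift report and the optional -Enforce switch are this example's own logic.

```powershell
# Added example: audit (and optionally enforce) the registry values that make
# .NET and SChannel prefer TLS 1.2 on a sync server. Run elevated.
[CmdletBinding()]
param([switch]$Enforce)

# Desired state: the values and the keys under which each must exist.
$Desired = @(
    @{ Keys = @(
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319');
       Values = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 } },
    @{ Keys = @(
           'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
           'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client');
       Values = @{ Enabled = 1; DisabledByDefault = 0 } }
)

$drift = @()
foreach ($entry in $Desired) {
    foreach ($key in $entry.Keys) {
        foreach ($name in $entry.Values.Keys) {
            $want = $entry.Values[$name]
            $have = $null
            if (Test-Path $key) {
                # A missing value reads as $null, which counts as drift below.
                $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($have -ne $want) {
                $drift += [pscustomobject]@{ Key = $key; Name = $name; Have = $have; Want = $want }
                if ($Enforce) {
                    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                    New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
                }
            }
        }
    }
}

if ($drift.Count -eq 0) {
    Write-Output 'TLS 1.2 registry settings are as expected.'
} else {
    # Report every value that differs from the desired state.
    $drift | Format-Table -AutoSize
    if ($Enforce) {
        Write-Warning 'Values were changed; reboot the server for SChannel changes to take effect.'
    }
}
```

Run it without -Enforce first and feed the drift table into your change process; the same script, scheduled, gives you an ongoing check that nobody has quietly relaxed the settings. Disabling TLS 1.0 and 1.1 on the server is a separate step that this example does not perform.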

Review configuration settings

In addition, if you have used Cloud sync in the past, consider reviewing how you've set up certain settings. As with anything in the cloud, things change, as do names, so don't install something and expect that you never have to review its deployment again. Rather, revisit the documentation on a regular or annual basis and ensure you are always following current best practice, as attackers continually devise new ways to gain access to our data. Case in point: where Connect sync relied on device writeback, Microsoft now recommends a Cloud Kerberos trust deployment for organizations using the Cloud sync tool.
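One concrete permission check worth adding to that periodic review, and to the earlier advice to ensure that permissions have not been adjusted, is to list every principal that holds directory replication rights on the domain. The Connect sync AD DS connector account legitimately needs them for password hash synchronization, but the same rights are what a DCSync attack uses, so anything else on the list needs an explanation. This is an added example, not code from the article or from Microsoft; the extended-right GUIDs are the well-known schema values, the ActiveDirectory module (RSAT) is assumed, and the expected connector account name is a placeholder you must replace.

```powershell
# Added example: audit who holds replication (DCSync-capable) rights on the
# domain naming context. Run on a domain-joined machine with RSAT installed.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema (well known, not tenant specific).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

# Hypothetical placeholder: the connector account(s) you expect to see.
# Replace with the account shown in your Azure AD Connect configuration.
$Expected = @('CORP\MSOL_a1b2c3d4e5f6')

# Default holders on a stock domain; flag anything not in this list.
$BuiltIn = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $ReplicationRights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
            Expected  = ($Expected -contains $_.IdentityReference.Value)
        }
    }

$holders | Sort-Object Principal, Right | Format-Table -AutoSize

# Anything that is neither a default holder nor an expected connector account
# is a finding: either an undocumented change or a persistence foothold.
$holders |
    Where-Object {
        -not $_.Expected -and
        $_.Principal -notin $BuiltIn -and
        $_.Principal -notlike '*\Domain Controllers' -and
        $_.Principal -notlike '*\Enterprise Read-only Domain Controllers'
    } |
    ForEach-Object {
        Write-Warning "Unexpected replication right: $($_.Principal) has '$($_.Right)'"
    }
```

Keep the output from your first run as a baseline and diff against it each review cycle; a new principal appearing with “Replicating Directory Changes All” is the kind of change that should trigger an incident, not a ticket.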

Consider passwordless authentication

Traditional Active Directory is based on authentication via passwords: passwords that can be guessed, phished, or cracked. Going forward with a more cloud-first, cloud sync deployment, look to passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator or FIDO2 keys to keep an organization more secure. All of these newer authentication techniques rely on Microsoft Entra ID (Azure Active Directory) rather than on-premises AD. Regardless of the synchronization platform you use, I would strongly recommend annually reviewing what authentication processes you are using and whether you can increase protection accordingly.

Limit on-premise firewall traffic

I would also recommend that you limit, through your on-premises firewall, the traffic that flows between your network and the cloud synchronization process. As Microsoft documents, it primarily uses ports 80 and 443 and a specific set of URLs for its connections. Take the time to review your firewall logs and limit the traffic as you see fit. The same is true for other Microsoft Entra (formerly Azure Active Directory) functions that require cloud services and web access. If you use geographic IP filtering, you may need to adjust your firewalls to allow connections to Microsoft servers.

Review and test

The best way to review how Connect sync works is to set up a test bed, as documented on the Microsoft web site, and review how it will work in your network. As Microsoft notes in its documentation, set up a cloud-only Global Administrator account on your cloud tenant and give it a strong password. Consider a two-factor method that won't lock you out of your resources. Use a local server running Windows Server 2016 or a later version of the Server operating system. Ensure that the necessary firewall ports are open, and if you don't already apply egress filtering on the servers and firewalls in your organization, I would recommend that you consider adding it as an additional protection. Ports 80, 443 and 8080 should be available, with connections open to *.msappproxy.net and *.servicebus.windows.net or the appropriate Azure datacenter IP ranges. Agents need to be able to reach login.windows.net and login.microsoftonline.com for initial registration. For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www.microsoft.com:80.
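Before installing the agent on the test-bed server, and again whenever you tighten the firewall rules discussed above, it is worth confirming from that server that the endpoints just listed are actually reachable on the expected ports. The script below is an added example, not part of the article or of Microsoft's tooling; it uses the standard Test-NetConnection cmdlet against the concrete hostnames the article lists. The wildcard endpoints (*.msappproxy.net, *.servicebus.windows.net) cannot be tested as wildcards, so add the tenant-specific hostnames from your own agent logs to the table rather than guessing them.

```powershell
# Added example: verify outbound reachability for the provisioning agent's
# documented endpoints from the server that will run the agent.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443; Purpose = 'Agent registration / sign-in' },
    @{ Host = 'login.windows.net';         Port = 443; Purpose = 'Agent registration / sign-in' },
    @{ Host = 'mscrl.microsoft.com';       Port = 80;  Purpose = 'CRL download' },
    @{ Host = 'crl.microsoft.com';         Port = 80;  Purpose = 'CRL download' },
    @{ Host = 'ocsp.msocsp.com';           Port = 80;  Purpose = 'OCSP responder' },
    @{ Host = 'www.microsoft.com';         Port = 80;  Purpose = 'Certificate validation' }
    # Add your tenant-specific *.msappproxy.net and *.servicebus.windows.net
    # hosts here (port 443) once you know them from the agent logs.
)

$results = foreach ($e in $Endpoints) {
    # Test-NetConnection does DNS resolution and a TCP handshake; it does not
    # validate that an HTTP proxy or TLS inspection device is passing traffic.
    $t = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $e.Host
        Port     = $e.Port
        Purpose  = $e.Purpose
        Resolved = [bool]$t.RemoteAddress
        TcpOpen  = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Fail loudly so the check can gate an automated build of the test bed.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Blocked or unreachable: $list"
    exit 1
}
```

A host that resolves but fails the TCP test points at your egress filtering or geographic IP rules; a host that does not resolve points at DNS. Either way you find it before the installer does, and the same output makes a useful before-and-after record when you later restrict the firewall.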

Apply the normal privileged-workstation considerations and perform this setup from a workstation that has been configured to access cloud services securely. You may even consider using a cloud-based workspace, in the form of Windows 365, as your cloud deployment workstation, to better protect your resources and to ensure that attackers can't harvest cloud credentials from on-premises assets.

Conclusion

More and more of us are moving our resources and assets to the cloud. Some firms may stay with a fully hybrid network. Some may look to a cloud-first deployment. If you are just starting your journey to cloud synchronization, look to cloud-first deployment tools such as Azure AD Connect cloud sync to make your deployments more efficient and, more importantly, more secure. If you are currently using Azure AD Connect sync, keep reviewing the lifecycle information and platform updates to learn when it will ultimately be phased out in favor of cloud sync.

About the Author

Susan Bradley

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when the SQL slammer hit (i.e. trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for askwoody.com as well security topics for CSOonline.com and Computerworld.com. In real life, she's the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, cloud servers, Microsoft 365 implementations along with the associated Intune, and Advanced Threat Protections. In addition, she worries over desktops, a few Macs, iPhones and tries to keep patches up to date and attackers at bay on all of them. Susan also provides forensic computer investigations for the litigation consulting arm of the firm.
