
Attend TEC 2021 and Learn from the Very Best


TEC 2021 (The Experts Conference) takes place as a free virtual event on September 1-2. Practical365 has a close relationship with TEC, as many of our writers are TEC speakers, so I thought I’d highlight some of the sessions I am looking forward to. Many other sessions covering different topics are on the TEC agenda, so you’re sure to find something interesting to attend.

Please register for TEC to access the sessions. Even if you can’t attend on the day, you’ll be able to use your registration link to access recordings afterwards. Of course, attending live is best because you’ll then have the chance to participate in the live Q&A following the recorded segment of each session. Be nice to the presenters and don’t throw too many curve balls… With that said, here’s my curated list of TEC 2021 sessions. All times are in U.S. eastern time.

Artificial Intelligence and Microsoft 365

Some excellent Microsoft speakers are going to share their unique perspectives on different aspects of Microsoft 365 technology. At 10:30AM on September 2, Jeffrey Snover, the CTO for Modern Workplace Transformation (a fancy name for making stuff work across Microsoft 365) will deliver a keynote covering the use of artificial intelligence within Microsoft 365. Sometimes people get worried about the use of machine learning and AI within Microsoft 365 as they see features like insights and suggested responses turn up in email and meeting requests. I’m more focused on the use of AI in applications like Viva Topics. Jeffrey says that AI will make features more intelligent and easier to use. Turn up and see what you think!

Protecting Office 365 Against Attack

Practical365 traffic spiked in March when the Hafnium attack exploded and many Exchange on-premises administrators discovered just how exposed their servers were to attack. Alex Weinert, Director of Identity Security, is going to improve our knowledge about how attacks develop, the techniques used to penetrate systems, and how Microsoft and other security companies work to mitigate and close off vulnerabilities. Specifically, he’s going to analyze the Nobelium (SolarWinds) attack in December 2020 during his 1:30PM session on September 1.

Using Sensitivity Labels with SharePoint Online

Sensitivity labels are a great way to apply rights management-based encryption to Office documents. They can also be used to protect containers (Teams, Groups, and Sites). I can’t think of a better person to come along and talk about how to protect SharePoint Online and OneDrive for Business with sensitivity labels than Sanjoyan Mustafi, a Principal Product Manager who’s one of my go-to people whenever I have a question about the inner workings of sensitivity labels for SharePoint content. Sanjoyan speaks at 1:30PM on September 2. Apparently, he might even drop some hints about some new features due to appear soon.

Collaborating Teams Channels

A conference would be a pretty bland affair if only Microsoft people spoke, so TEC has many other experts come along to talk about different aspects of technology. MVP Curtis Johnstone talks at 12:45PM on September 1 about the different types of channels used in Teams, including the new shared channels first revealed in March and now getting close to public preview. Curtis plans to cover how shared channels work, differences with private channels, and how organizations can govern channel use.

Power Automate and Teams

Microsoft spends a lot of time banging the publicity drum for Teams and Power Automate. MVP Christina Wheeler brings some practical advice (always appreciated) at 1:30PM on September 1 to show how to connect the two technologies to get real work done, by exploring how to launch a flow from a Teams bot.

Go to OneDrive

At 12:45PM on September 2, MVP Andy Huneycutt dives into the topic of moving people off network drives to OneDrive for Business. Many good business and technology reasons exist for this transition. Better data governance, more stable infrastructure, more visibility over content, better sharing, and so on. And of course, the simple fact that Office 365 and Microsoft 365 apps are built to use OneDrive for Business (Stream and Whiteboard are both moving their storage to OneDrive for Business). Why anyone would stay on old-fashioned network drives is beyond me…

Manage Exchange Online at Massive Scale

SAP is a very large software company that also uses Exchange at massive scale. MVP Ingo Gegenwarth gets lots of practice running PowerShell scripts to process tens of thousands of objects, and he’s going to share his experience and give some tips and techniques for how to approach the problem of dealing with so many objects at 2:30PM on September 1. I suspect Ingo might even say that it’s a good idea to use the Microsoft Graph API with PowerShell to get data about service incidents or interrogate Azure AD.

Removing the last Exchange On-Premises Server

After the Hafnium exploit in March, some organizations started to look more closely at the question of removing the last Exchange on-premises server. This has been a hotly debated topic for years, with some people saying that it’s easy to do (by performing brain surgery with ADSIEdit) and Microsoft continually saying that they are seeking a more graceful solution. Steve Goodman takes on the challenge of reporting the current situation at 12:45PM on September 2.

Group Policies Are Dead: Long Live Intune

I hate Group Policy Objects (GPOs). For years, they’ve been a necessary evil to enable workstation and server management. Intune is a better solution, especially in the world of Microsoft 365 where the PC is not the sole focus. Paul Robichaux covers this topic at 11:45AM on September 2 with a real focus on making management easier for your Microsoft 365 tenant.

Leveraging the Graph to Manage Microsoft 365

Finally, if you have time, you could attend my session at 11:45AM on September 1 where I’ll discuss how to use the Microsoft Graph APIs to manage Microsoft 365 tenants and applications. This is not a session for programmers. It’s focused on tenant administrators who automate processes with PowerShell today and want (or need) to use some Graph APIs with PowerShell. Maybe it’s just to get work done faster (like when you need to process thousands of mailboxes) or it’s because a Graph API is the only way to change a tenant setting.

Many articles cover different aspects of using the Graph APIs from reporting the storage used by Teams channels to updating tenant privacy controls. It should be a fun session (for me anyway!).

Enjoy TEC 2021. I plan to and hope that you’ll come along and have a terrific time sharing knowledge with some excellent speakers.

Source Practical365


How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync


Microsoft recently announced that Azure AD Connect Cloud Sync had reached GA (general availability), adding another option for directory synchronization with Microsoft 365. This article provides a background on directory synchronization and why it is fundamental for your journey to the cloud. Then we will discuss the solutions and give you the information you need to pick the right solution. Let’s begin with some basics.

What is Azure AD Sync, and Why Do I Need It?

Most organizations run Active Directory on-premises. This directory is usually the source of authority for all users, groups, and computers in a Windows domain. The domain provides a way to centrally manage accounts, passwords, policies, and permissions on-premises.

When an on-premises organization decides to use Microsoft 365, it needs a way to bring those on-premises accounts into Azure AD to use the new cloud services like Exchange Online, Teams, SharePoint Online, etc. Most organizations want to use their existing on-premises accounts rather than create new accounts and manage different passwords. That is where Azure AD Connect comes in. Both Azure AD Connect and Azure AD Connect Cloud Sync synchronize and link objects from AD to Azure AD and, with password hash synchronization, send Azure AD a derived hash rather than the password or even the raw NT hash: the NT hash is salted and run through 1,000 iterations of PBKDF2-HMAC-SHA256 on-premises before it leaves the server, which is what maintains a single sign-on experience without exposing the on-premises credential.

Azure AD Connect

Azure AD Connect has a long and storied past. It is based on Microsoft Identity Manager (MIM), which is used to bridge multiple on-premises authoritative systems and authentication stores. MIM is the sixth generation of Microsoft identity management solutions since they bought two similar technologies in 1997 and 1999.

While MIM can be expensive and bridges multiple authoritative directories, Azure AD Connect is free and purpose-built to bridge Active Directory with Azure Active Directory. This is known as hybrid identity.

Azure AD Connect is installed on an on-premises domain-joined server and is even supported on a domain controller. It only requires an outbound HTTPS connection to Microsoft 365 endpoints.


Since its humble beginnings of syncing a single AD to a single Azure AD tenant, Azure AD Connect’s capabilities have expanded significantly. Currently, this includes:

  • Synchronization between
    • Single forest, single Azure AD tenant.
    • Multiple forests, single Azure AD tenant.
    • Single or multiple forests, multiple Azure AD tenants (requires that each object is only represented once in all tenants).
    • LDAPv3-compatible identity stores.
  • Password Hash Synchronization (PHS) – use Azure AD as your organization’s identity provider by synchronizing password hashes to Azure AD.
  • Pass-Through Authentication (PTA) – use your organization’s Domain Controllers as your identity provider without having to deploy a full-blown AD FS configuration.
  • Federation integration with Active Directory Federation Services (AD FS).
  • Health monitoring of both Active Directory and the synchronization process.
  • Accommodating up to 10GB of database space (up to 100,000 objects) using LocalDB. If your organization exceeds this limit, use a full SQL Server.
  • Organizational Unit, group, or attribute filtering.
  • Exchange hybrid writeback capabilities for organizations with Exchange Server.
  • Exchange Public Folder address synchronization for directory-based edge blocking.
  • Password writeback capabilities to support self-service password reset (SSPR).
  • Office 365 Group writeback to prevent email address overlaps.
  • Directory extension attribute synchronization to extend the schema in Azure AD to include specific attributes consumed by LOB apps and exposed through Microsoft Graph.
  • Robust synchronization rule editing capabilities.
  • Seamless single sign-on (SSSO) capabilities that allow domain-joined users and computers to access Microsoft 365 workloads without being prompted to sign-in every time.
  • Hybrid Azure AD Join capabilities.
  • Device writeback capabilities that allow organizations to use on-premises conditional access and Windows Hello.
  • Synchronizing directory changes every 30 minutes by default, and password hash changes on a separate two-minute cycle when using password hash sync.

Read more about Azure AD Connect: How it works and best practices for synchronizing your data

Azure AD Connect Cloud Sync

Microsoft recognizes the irony that an organization’s journey to the cloud first requires installing more software on-premises. Azure AD Connect Cloud Sync is a cloud service alternative to the Azure AD Connect software. The organization deploys one or more lightweight provisioning agents in its on-premises environment to bridge AD and Azure AD, and all configuration is done in the cloud.

The service provides some of the features and capabilities that Azure AD Connect provides, making it useful for some merger and acquisition scenarios. It is important to note that Azure AD Connect Cloud Sync does not support Exchange hybrid, which reduces the number of useful scenarios.


Azure AD Connect Cloud Sync has many of the same features and capabilities as Azure AD Connect with the following differences:

  • Lightweight agent installation model.
  • Adds high availability using multiple agents.
  • Allows connectivity to multiple disconnected on-premises AD forests
  • Synchronizes directory changes more frequently than Azure AD Connect (every two minutes rather than every 30).
  • Can be used in addition to Azure AD Connect.
  • Does not support Exchange hybrid writeback.
  • Does not support LDAPv3-compatible identity stores.
  • Does not support device objects.
    • No hybrid Azure AD join.
    • No support for Windows Hello.
  • Does not support directory extension attribute synchronization.
  • Does not support Pass-Through Authentication (PTA).
  • Does not support synchronization rule editing capabilities.
  • Does not support writeback for passwords, devices, or groups.
  • Does not support cross-domain references.

As you can see, there are several gaps in functionality that limit the use of Azure AD Connect Cloud Sync. Microsoft will likely close some of these gaps with future updates; because this is a cloud-based service, they can iterate rather quickly. I would not expect Exchange hybrid support anytime soon, though.

Appropriate Use Cases for Each

Choosing which directory synchronization solution to use requires a full understanding of what your organization’s needs are.

Azure AD Connect has the most features and compatibility. Almost all customers I encounter use Exchange Server or Exchange Online. The lack of Exchange hybrid support with Azure AD Connect Cloud Sync limits the use of that solution.

If you don’t need Exchange hybrid support or any of the other unsupported features, Azure AD Connect Cloud Sync can be a quick and easy way to configure AD directory synchronization with Azure AD. Examples include mergers and acquisitions where the organization being acquired has limited IT experience. By installing a simple, lightweight agent on a domain server, the acquiring organization can configure and manage directory synchronization from their tenant.

The marketing slides and videos introducing Azure AD Connect Cloud Sync often talk about the “heavy infrastructure investment” required for Azure AD Connect. A LocalDB database is installed with Azure AD Connect and has a 10GB limit (about 100,000 objects). Unless your organization’s Active Directory exceeds this, there is no requirement for additional infrastructure at all. Azure AD Connect can be installed on any existing domain-joined server running Windows Server 2012 or later or directly on a domain controller. It only requires an outbound HTTPS connection to the Internet.

Organizations with over 100,000 objects would likely save money with Azure AD Connect Cloud Sync since it does not require a full SQL server deployment. Still, organizations this size are usually running Exchange.

A scenario where Azure AD Connect Cloud Sync might be useful is one where an organization has AD on-premises but uses Google Workspace for email. This organization can sync their directory to Azure AD and then begin migrating Google mail to Exchange Online.

Azure AD Connect Cloud Sync is also the appropriate choice when connecting to multiple disconnected on-premises AD forests. Azure AD Connect requires line-of-sight network connectivity from the sync server to every forest it synchronizes. This can be useful in some merger and acquisition scenarios.

Ultimately, you should deploy Azure AD Connect Cloud Sync if it provides the features and compatibility your organization needs. Otherwise, you will need to use the more fully-featured Azure AD Connect.

Security Considerations for Protecting Access to Azure AD Connect and Azure AD Connect Cloud Sync

Organizations should treat any server running Azure AD Connect or the Azure AD Connect Cloud Sync agent as a tier-0 asset – the same as a domain controller – since it is responsible for directory synchronization with Azure AD. The reason is concrete: the AD DS connector account that Azure AD Connect uses for password hash synchronization holds the Replicating Directory Changes permissions on the domain, so whoever controls the server can read every password hash in the forest, and the credentials for both the AD DS and Azure AD connector accounts are stored on that server. Organizations should restrict administrative access to the Azure AD Connect server to domain administrators or other tightly controlled security groups.

Azure AD Connect installation and configuration must be run with an Enterprise Admin account in AD and requires a Global Administrator account in the tenant.

Azure AD Connect Cloud Sync must be installed with an AD account with local admin permission on the server or Domain Admin permissions on a domain controller and requires a tenant account with Hybrid Identity Administrator or Global Administrator roles in the tenant.

For Azure AD Connect, the user account used to install it is automatically added to the local ADSyncAdmins security group, which has full control of the sync engine. The best practice is to add Domain Admins (or the tier-0 group you use for that purpose) to this group so more than one account can manage directory synchronization, and then remove the individual user account that was used to install Azure AD Connect from this group. Review the other groups the installer creates (ADSyncOperators, ADSyncBrowse, and ADSyncPasswordSet) the same way.

The account used for configuration requires specific rights and is only used for installation or configuration. Ongoing synchronization runs under the connector accounts that setup creates (by default an AD DS account prefixed MSOL_ and an Azure AD account prefixed Sync_), so directory synchronization will not be impacted if the installing account is disabled or deleted.
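To turn the group guidance above into a repeatable check, here is an added example (it is not code from the Practical365 article) that enumerates the local ADSync groups on the sync server and flags any member that is an individual account or a group outside your tier-0 allow-list. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, run elevated on the Azure AD Connect server; the CONTOSO\Domain Admins entry in the allow-list is a placeholder for your own group.

```powershell
# Added example, not from the article. Audit the local groups that control the
# Azure AD Connect sync engine. Run elevated on the Azure AD Connect server.
# Assumption: replace the allow-list with the Tier-0 groups your organization uses.
$AllowedGroups = @('CONTOSO\Domain Admins')

# Groups created by the Azure AD Connect installer. ADSyncAdmins has full control
# of the sync engine; the others grant progressively narrower rights.
$SyncGroups = 'ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet'

function Get-ADSyncGroupFinding {
    param(
        [string[]]$Groups  = $SyncGroups,
        [string[]]$Allowed = $AllowedGroups
    )
    foreach ($group in $Groups) {
        # A missing group (e.g. on a server that never had Azure AD Connect) is
        # skipped silently; an empty group simply yields no rows.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($member in $members) {
            if ($member.ObjectClass -eq 'User') {
                # The installing account lands here by default and should be removed.
                $finding = 'Individual account: replace with a Tier-0 group'
            }
            elseif ($Allowed -notcontains $member.Name) {
                $finding = 'Group not on the Tier-0 allow-list'
            }
            else {
                $finding = 'OK'
            }
            [pscustomobject]@{
                Group   = $group
                Member  = $member.Name
                Type    = $member.ObjectClass
                Source  = $member.PrincipalSource
                Finding = $finding
            }
        }
    }
}

# Print everything, then exit non-zero if anything needs attention so the script
# can run from a scheduled task or a configuration-drift job.
$results = Get-ADSyncGroupFinding
$results | Format-Table -AutoSize
if ($results | Where-Object Finding -ne 'OK') { exit 1 }
```

Run it after installation and again whenever the server is rebuilt or upgraded; the local Administrators group on the same server deserves the same review, since anyone in it can read the connector account credentials regardless of ADSync group membership.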

Both synchronization solutions negotiate the highest TLS version that Windows Server and the .NET Framework on the server allow, and Microsoft now requires TLS 1.2 for the Azure AD endpoints they talk to. To ensure that Azure AD Connect and Azure AD Connect Cloud Sync use TLS 1.2, set the following registry values (the SCHANNEL keys enable the protocol for client and server use; the .NET values make .NET applications, which both products are, use the operating system defaults and strong crypto), then restart the server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] “Enabled”=dword:00000001 “DisabledByDefault”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] “Enabled”=dword:00000001 “DisabledByDefault”=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] “SchUseStrongCrypto”=dword:00000001 “SystemDefaultTlsVersions”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] “SchUseStrongCrypto”=dword:00000001 “SystemDefaultTlsVersions”=dword:00000001
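Rather than editing the registry by hand, the values above can be applied and verified from PowerShell. The following is an added example (not code from the Practical365 article or from Microsoft) that writes the TLS 1.2 enforcement values idempotently and then reads each one back so a missing or wrong value shows up as a non-compliant row. It assumes Windows PowerShell 5.1 or later, run elevated on the Azure AD Connect or Cloud Sync agent server; the SCHANNEL changes still need a reboot to take effect.

```powershell
# Added example, not from the article. Enforce and verify TLS 1.2 for Azure AD
# Connect / Cloud Sync. Run elevated; reboot afterwards for SCHANNEL to pick it up.
$Desired = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } },
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } },
    # .NET Framework: use OS protocol defaults and strong crypto, 64-bit and 32-bit hives.
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 } },
    @{ Path   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 } }
)

function Set-Tls12Enforcement {
    foreach ($entry in $Desired) {
        # The TLS 1.2\Client and \Server keys do not exist on a fresh server.
        if (-not (Test-Path $entry.Path)) {
            New-Item -Path $entry.Path -Force | Out-Null
        }
        foreach ($name in $entry.Values.Keys) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $entry.Path -Name $name -Value $entry.Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-Tls12Enforcement {
    # One row per expected value. Compliant is $false when the value is missing
    # (Get-ItemProperty returns nothing) or differs from what we expect.
    foreach ($entry in $Desired) {
        foreach ($name in $entry.Values.Keys) {
            $actual = (Get-ItemProperty -Path $entry.Path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Path      = $entry.Path
                Name      = $name
                Expected  = $entry.Values[$name]
                Actual    = $actual
                Compliant = ($actual -eq $entry.Values[$name])
            }
        }
    }
}

Set-Tls12Enforcement
$state = Test-Tls12Enforcement
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run Test-Tls12Enforcement on its own from a monitoring job to catch drift; a server where another product's installer has reset the .NET values will show up as non-compliant before the sync service starts failing to connect.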


Both Azure AD Connect and Azure AD Connect Cloud Sync provide ways for organizations to synchronize AD with Azure AD. Both solutions are easy to deploy and provide the features that organizations need to provide a unified sign-in experience to Microsoft 365.

Understand your organization’s requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.

From a security perspective, treat your organization’s Azure AD Connect server or agent the same as a domain controller and other Tier 0 resources.

Source Practical 365