How To Upgrade Azure Synchronization Service Manager

This post is a commencement in a serial well-nigh Azure Agile Directory Synchronization, covering part 1 of the introduction. Follow up posts will comprehend:

Introduction Role 2
Filtering Role 1
Filtering Part 2
Object Matching
Alternate Logon ID

Why you desire have synchronization

For those who don't work regularly with Office 365 or other Microsoft cloud services (like Azure, Exchange Online Protection), information technology can exist a complex myriad of information to work through in guild to observe out what you exactly need. In all cases you want or are required to synchronize your on-bounds Active Directory objects (users, contacts and groups) to Microsoft cloud services; Azure Active Directory to be precise which all of those services utilize. For case, for Same Sign On (also requires Password Sync) or Unmarried-Sign On (requires Agile Directory Federation Services, ADFS) scenarios in Function 365 and specific filtering options in Substitution Online Protection, synchronization is required.

Sync vs. Ad FS

To be articulate, the mentioned synchronization products (DirSync, AADSync and FIM) are different than Active Directory Federation Services (Ad FS).

If you require synchronization, it does not require AD FS. Notwithstanding, if your organisation requires Advertizement FS for Single Sign On, or additional features like Azure Multi-Factor Authentication (MFA), you always require a synchronization tool; in these scenarios AD FS is used for authentication, then within the context of Office 365 the services knows which user has admission to specific services. If that user connects to that online service, it will redirect the customer or browser to your on-bounds Advertisement FS infrastructure and you will take to cosign on your ain servers. The browser or client will receive an authentication token that (if valid) will be accepted past Function 365.

How to Sync

There are multiple tools to reach a synced directory. This postal service is an introduction to several solutions. There are several tools:

DirSync or Azure Active Directory Sync Tool
AADSync or Azure Active Directory Synchronization Services
AAD Connect or Azure Agile Directory Connect Tool
FIM or ForeFront Identity Manager 2012 R2

Notation that the names accept a great similarity, a source of much confusion in my experience. Under the hood, of course, they are completely different.

DirSync

The first tool, DirSync, is the current standard and a download location for this tool tin be establish in the Office 365 portal, when you walk through the wizard to setup Directory Synchronization. It's a slimmed down version of ForeFront Identity Manager (FIM), specifically designed for use with Microsoft cloud services. It'south currently deprecated, which means no new features are to be expected. However, for a lot of scenarios this is the tool to go with. The successor to DirSync is or volition be AADSync. For more information, click here.

AADSync

If y'all require more advanced features, like synchronization from multiple Active Directory Forests, Countersign Write-back etc. y'all will have to use AADSync. Although this tool is already General Available (GA) for a while, non all scenario's are currently supported, such equally the scenario with multiple Active Directory forests, each with Microsoft Exchange (note: multiple Advertizing forests with but ane Exchange environment in ane woods is supported). This is why for now yous should use DirSync unless you require boosted features that are currently explicitly supported. An in-place upgrade from DirSync to AADSync is (currently) not supported. You will require to fully uninstall DirSync, install AADSync and configure all settings once again. However, that will change in the time to come. For more information, see AAD Connect.

AAD Connect

AAD Connect is not a synchronization tool in itself, it'south a installation and configuration tool that helps you install prerequisites, DirSync/AADSync (installation files will be downloaded), configure AD FS (if necessary) and additional features and checks. It's currently in Public Preview, and so it's non yet supported for product environments. Information technology will be possible to in-place upgrade from DirSync to AADSync, with the assist of this tool. In fourth dimension this will be the only tool bachelor.

FIM

ForeFront Identity Director 2012 R2 is the big blood brother of DirSync/AADSync. Much of the logic is the same, some interfaces are very reminiscent of FIM. It is used to synchronize objects between different Active Directory Forests and other sources like SQL Servers. For instance, if yous take a merger and crave specific resources from other forests, information technology might exist necessary to synchronize certain objects. But information technology can as well be used to synchronize objects to Office 365. If you lot already take a FIM installation, you could use this instead of DirSync/AADSync in specific scenarios.

Note that Microsoft Identity Managing director (MIM) is the successor of FIM and recently the public preview was released. More information here. A cheers to Lync MVP Michael LaMontagne for this tip.

Final

At that place are currently several tools available to synchronize objects from your on-premises Active Directory to Role 365/Azure Active Directory. DirSync is the starting time choice, in sure supported scenarios AADSync, and if already nowadays FIM can exist used in certain situations instead of either sync tools. DirSync and AADsync will be incorporated in (and in effect replaced by) the not yet Generally Available AAD Connect tool, which tin install, help with configuration and test your implementation including AD FS.