This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution. This article includes both supported and unsupported configurations.
Here's the legend for the pictures in the article (the symbol images are not reproduced in this copy):
- On-premises Active Directory forest
- On-premises Active Directory with filtered import
- Azure AD Connect sync server
- Azure AD Connect sync server in "staging mode"
- GALSync with Forefront Identity Manager (FIM) 2010 or Microsoft Identity Manager (MIM) 2016
- Azure AD Connect sync server, detailed
- Azure AD
- Unsupported scenario
Important
Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.
Single forest, single Azure AD tenant
The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.
Single forest, multiple sync servers to one Azure AD tenant
Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects. You might have considered this topology if you can't reach all domains in the forest from a single server, or if you want to distribute load across several servers. (No errors occur when a new Azure AD Sync Server is configured for a new Azure AD forest and a new verified child domain.)
Multiple forests, single Azure AD tenant
Many organizations have environments with multiple on-premises Active Directory forests. There are various reasons for having more than one on-premises Active Directory forest. Typical examples are designs with account-resource forests and the result of a merger or acquisition.
When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The server must be joined to a domain. If necessary to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
The Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD. There are some common topologies that you can configure in the custom installation path in the installation wizard. On the Uniquely identifying your users page, select the corresponding option that represents your topology. The consolidation is configured only for users. Duplicated groups are not consolidated with the default configuration.
Common topologies are discussed in the sections about separate topologies, full mesh, and the account-resource topology.
The default configuration in Azure AD Connect sync assumes:
- Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption applies to password hash sync, pass-through authentication, and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
- Each user has only one mailbox.
- The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there's no mailbox for the user, any forest can be used to contribute these attribute values.
- If you have a linked mailbox, there's also an account in a different forest used for sign-in.
If your environment does not match these assumptions, the following things happen:
- If you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other.
- A linked mailbox with no other active account is not exported to Azure AD. The user account is not represented as a member in any group. A linked mailbox in DirSync is always represented as a normal mailbox. This change is intentionally a different behavior to better support multiple-forest scenarios.
You can find more details in Understanding the default configuration.
Multiple forests, multiple sync servers to one Azure AD tenant
Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. The exception is the use of a staging server.
This topology differs from the one below in that multiple sync servers connected to a single Azure AD tenant are not supported. (While not supported, this still works.)
Multiple forests, single sync server, users are represented in only one directory
In this environment, all on-premises forests are treated as separate entities. No user is present in any other forest. Each forest has its own Exchange organization, and there's no GALSync between the forests. This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL. In the preceding picture, each object in every forest is represented once in the metaverse and aggregated in the target Azure AD tenant.
Multiple forests: match users
Common to all these scenarios is that distribution and security groups can contain a mix of users, contacts, and Foreign Security Principals (FSPs). FSPs are used in Active Directory Domain Services (AD DS) to represent members from other forests in a security group. All FSPs are resolved to the real object in Azure AD.
Multiple forests: full mesh with optional GALSync
A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.
If Exchange is present in more than one forest, there might be (optionally) an on-premises GALSync solution. Every user is then represented as a contact in all other forests. GALSync is commonly implemented through FIM 2010 or MIM 2016. Azure AD Connect cannot be used for on-premises GALSync.
In this scenario, identity objects are joined via the mail attribute. A user who has a mailbox in one forest is joined with the contacts in the other forests.
Multiple forests: account-resource forest
In an account-resource forest topology, you have one or more account forests with active user accounts. You also have one or more resource forests with disabled accounts.
In this scenario, one (or more) resource forest trusts all account forests. The resource forest typically has an extended Active Directory schema with Exchange and Lync. All Exchange and Lync services, along with other shared services, are located in this forest. Users have a disabled user account in this forest, and the mailbox is linked to the account forest.
Microsoft 365 and topology considerations
Some Microsoft 365 workloads have certain restrictions on supported topologies:
Workload | Restrictions |
---|---|
Exchange Online | For more information about hybrid topologies supported by Exchange Online, see Hybrid deployments with multiple Active Directory forests. |
Skype for Business | When you're using multiple on-premises forests, only the account-resource forest topology is supported. For more information, see Environmental requirements for Skype for Business Server 2015. |
If you are a larger organization, you should consider using the Microsoft 365 PreferredDataLocation feature. It lets you define the datacenter region in which a user's resources are located.
Staging server
Azure AD Connect supports installing a second server in staging mode. A server in this mode reads data from all connected directories but does not write anything to connected directories. It uses the normal synchronization cycle and therefore has an updated copy of the identity data.
In a disaster where the primary server fails, you can fail over to the staging server. You do this in the Azure AD Connect wizard. This second server can be located in a different datacenter because no infrastructure is shared with the primary server. You must manually copy any configuration change made on the primary server to the second server.
You can use a staging server to test a new custom configuration and the effect that it has on your data. You can preview the changes and adjust the configuration. When you're happy with the new configuration, you can make the staging server the active server and set the old active server to staging mode.
You can also use this method to replace the active sync server. Prepare the new server and set it to staging mode. Make sure it's in a good state, disable staging mode (making it active), and shut down the currently active server.
It's possible to have more than one staging server when you want to have multiple backups in different datacenters.
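To make the staging-server checks above concrete, here is an added PowerShell script (not code from the Azure AD Connect documentation) that reports whether the server it runs on is the active or the staging server, exports its sync configuration, and compares that export with one copied from the other server, which is how you catch the configuration drift the text warns about when changes are copied by hand. The ADSync module installed with Azure AD Connect, the export folder under ProgramData, and the -OtherServerExport path are assumptions.

```powershell
<#
 Added example (not from the Azure AD Connect documentation). Run on an Azure AD
 Connect server: shows the staging state, exports the sync configuration as XML,
 and optionally compares the export with one taken on the other server.
 Assumes the ADSync module shipped with Azure AD Connect; -OtherServerExport is a
 hypothetical path to a copy of the other server's export folder.
#>
param(
    [string]$ExportRoot        = "$env:ProgramData\AADConnect\ConfigExport",
    [string]$OtherServerExport = ""
)

Import-Module ADSync -ErrorAction Stop

# 1. Staging state: only one server per tenant may have StagingModeEnabled = $false.
$scheduler = Get-ADSyncScheduler
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    StagingModeEnabled = $scheduler.StagingModeEnabled
    SyncCycleEnabled   = $scheduler.SyncCycleEnabled
    EffectiveInterval  = $scheduler.CurrentlyEffectiveSyncCycleInterval
} | Format-List

if (-not $scheduler.StagingModeEnabled) {
    Write-Warning "This server is ACTIVE and exports to Azure AD; every other sync server for this tenant must be in staging mode."
}

# 2. Export connectors, global settings and synchronization rules to XML files.
$export = Join-Path $ExportRoot ("{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $export -Force | Out-Null
Get-ADSyncServerConfiguration -Path $export
Write-Host "Configuration exported to $export"

# 3. Drift check: hash each exported file by its relative path and report files
#    that differ or exist on only one side. Connector exports carry server-specific
#    values, so differences there are expected; differing or missing
#    synchronization rules are the drift that breaks a failover.
function Get-ExportHashes([string]$Root) {
    $base = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($OtherServerExport -and (Test-Path $OtherServerExport)) {
    # SideIndicator "<=" = only in this server's export, "=>" = only in the other's.
    $drift = Compare-Object -ReferenceObject  (Get-ExportHashes $export) `
                            -DifferenceObject (Get-ExportHashes $OtherServerExport) `
                            -Property RelativePath, Hash
    if ($drift) {
        Write-Warning "Configuration differs between the two servers:"
        $drift | Sort-Object RelativePath | Format-Table RelativePath, SideIndicator -AutoSize
    } else {
        Write-Host "No configuration drift between the two exports."
    }
}
```

Run it on both servers, copy one export folder to the other server, and pass it as -OtherServerExport before you switch which server is active.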
Multiple Azure AD tenants
We recommend having a single tenant in Azure AD for an organization. Before you plan to use multiple Azure AD tenants, see the article Administrative units management in Azure AD. It covers common scenarios where you can use a single tenant.
Sync AD objects to multiple Azure AD tenants
This topology implements the following use cases:
- AADConnect can synchronize the users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial. For more details on options, see [Planning identity for Azure Government applications](/azure/azure-government/documentation-government-plan-identity).
- The same Source Anchor can be used for a single object in separate tenants (but not for multiple objects in the same tenant). (The verified domain can't be the same in two tenants. More details are needed to enable the same object to have two UPNs.)
- You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to - one AADConnect server cannot synchronize to more than one Azure AD tenant.
- It is supported to have different sync scopes and different sync rules for different tenants.
- Only one Azure AD tenant sync can be configured to write back to Active Directory for the same object. This includes device and group writeback as well as Hybrid Exchange configurations – these features can only be configured in one tenant. The only exception here is Password Writeback – see below.
- It is supported to configure Password Hash Sync from Active Directory to multiple Azure AD tenants for the same user object. If Password Hash Sync is enabled for a tenant, then Password Writeback may be enabled as well, and this can be done on multiple tenants: if the password is changed on one tenant, then password writeback will update it in Active Directory, and Password Hash Sync will update the password in the other tenants.
- It is not supported to add and verify the same custom domain name in more than one Azure AD tenant, even if these tenants are in different Azure environments.
- It is not supported to configure hybrid experiences that utilize forest level configuration in AD, such as Seamless SSO and Hybrid Azure AD Join (non-targeted approach), with more than one tenant. Doing so would overwrite the configuration of the other tenant, making it no longer usable. You can find additional information in Plan your hybrid Azure Active Directory join deployment.
- You can synchronize device objects to more than one tenant but a device can be Hybrid Azure AD Joined to only one tenant.
- Each Azure AD Connect instance should be running on a domain-joined machine.
Note
Global Address List Synchronization (GalSync) is not done automatically in this topology and requires an additional custom MIM implementation to ensure each tenant has a complete Global Address List (GAL) in Exchange Online and Skype for Business Online.
GALSync by using writeback
GALSync with on-premises sync server
You can use FIM 2010 or MIM 2016 on-premises to sync users (via GALSync) between two Exchange organizations. The users in one organization appear as foreign users/contacts in the other organization. These different on-premises Active Directory instances can then be synchronized with their own Azure AD tenants.
Using unauthorized clients to access the Azure AD Connect backend
The Azure Active Directory Connect server communicates with Azure Active Directory through the Azure Active Directory Connect backend. The only software that can be used to communicate with this backend is Azure Active Directory Connect. It is not supported to communicate with the Azure Active Directory Connect backend using any other software or method.
Next steps
To learn how to install Azure AD Connect for these scenarios, see Custom installation of Azure AD Connect.
Learn more about the Azure AD Connect sync configuration.
Learn more about integrating your on-premises identities with Azure Active Directory.
FAQs
Which of the following Azure AD Connect topologies are supported by Microsoft?
The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.
What is the limitation of Azure AD Connect?
By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API.
How many instances of Azure AD Connect are needed?
Azure AD Connect supports syncing from multiple forests. It supports only one instance of Azure AD Connect syncing to Azure AD. In cases where Azure AD is already installed in one forest, the existing instance of Azure AD Connect must be updated to sync from the other forest.
What are the different types of Azure AD Connect?
Azure AD Connect has two installation types for new installation: Express and customized. This topic helps you to decide which option to use during installation.
What is Microsoft Entra?
Microsoft Entra is a family of products that encompasses all identity and access capabilities. Within the Entra family are products such as Microsoft Azure Active Directory (Azure AD), Microsoft Entra Verified ID, and Microsoft Entra Permissions Management.
Which of the following versions of Microsoft SQL Server does Azure AD Connect support?
Azure AD Connect supports all mainstream supported SQL Server versions up to SQL Server 2019.
Is Azure AD Connect outdated?
As of August 31, 2022, all 1.x versions of Azure AD Connect are retired because they include SQL Server 2012 components that will no longer be supported. Upgrade to the most recent version of Azure AD Connect (2.x version) by that date or evaluate and switch to Azure AD cloud sync.
Does Azure AD Connect work both ways?
By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD.
What is the difference between Azure AD Connect and Azure AD Sync?
Understand your organization's requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.
What are the two primary components Azure AD Connect is made up of?
The sync service consists of two components, the on-premises Azure AD Connect sync component and the service side in Azure AD called Azure AD Connect sync service.
How frequently does Azure AD Connect sync?
Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.
What is the maximum number of joined devices per user in Azure AD?
The Azure Maximum number of devices per user setting is set to 20.
What are the 3 main identity types used in Azure AD?
The exam may test your knowledge of the identity types available in Azure Active Directory. And for the exam, there are four different identity types that you'll want to be familiar with: the user, service principal, managed identity, and device.
What are the three types of Azure AD?
Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2.
What are Azure AD Connect features?
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.
What is Microsoft Entra replacing?
I guess we all knew it was coming (after all, Microsoft published message center notification MC477013 in December 2022), but the news that the Microsoft Entra admin center (Figure 1) will replace the Azure AD admin center from April 1, 2023 is yet another example of the ongoing and constant changes in Microsoft 365.
Is Microsoft Entra free?
Try Microsoft Entra Permissions Management today. We're offering a free 90-day trial to Permissions Management so that you can run a comprehensive risk assessment and identify the top permission risks across your multicloud infrastructure. There are two ways to enable a trial or a full product license, self-service and volume licensing. For self-service, navigate to the M365 portal at https://aka.ms/TryPermissionsManagement and purchase licenses or sign up for a free trial. The second way is through Volume Licensing or Enterprise agreements.
Can I install Azure AD Connect on multiple domain controllers?
It's possible to install AD Connect on domain controllers, and that's what we had done with our initial, on-prem AD Connect server, Server A. But in most cases, it's best practice to use a dedicated server to avoid conflicts between the two roles.
Can Azure AD support multiple domains?
Multiple top-level domain support. Federating multiple, top-level domains with Azure AD requires some extra configuration that is not required when federating with one top-level domain. When a domain is federated with Azure AD, several properties are set on the domain in Azure. One important one is IssuerUri.
Can Azure AD Connect be installed on a domain controller?
Ideally, Azure AD Connect should be installed on a dedicated domain-joined server, but you can also install it on your domain controller (Windows Server 2016 or later with Desktop Experience is required for Azure AD Connect V2).
Does Azure AD Connect use LDAP?
To communicate with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is used. By default, the LDAP traffic isn't encrypted, which is a security concern for many environments.
Can Azure AD replace a domain controller?
Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.
Is Azure AD discontinued?
As of December 2022, Microsoft has discontinued security updates for Azure Active Directory Authentication Library (ADAL) and deprecated the use of common endpoints. If Microsoft Azure AD is your identity provider (IdP), the discontinuation of ADAL will require changes to your Jamf Connect configuration.
Is Azure AD sync one way or two way?
In a one-way configuration, changes to an object on-premises update the corresponding object in Azure AD. Two-way or bidirectional synchronization configurations allow for object changes to be made either on-premises or within Azure AD/Microsoft 365 and update the corresponding object on the opposite end.
Does AD Connect need a global admin?
If you're upgrading from DirSync, the AD DS Enterprise Administrator credentials are used to reset the password for the account that DirSync used. Azure AD Global Administrator credentials also are required.
Does Azure AD Connect sync computer objects?
The tool triggers ADConnect to start a differential sync if a computer object is new or updated after the last 30 minutes. To avoid the sync being triggered for the same computer object multiple times, already detected computer objects are ignored for the next 30 minutes.
What are the benefits of Azure AD Connect?
- Great user experience. Users use the same passwords to sign into both on-premises and cloud-based applications. ...
- Easy to deploy & administer. No need for complex on-premises deployments or network configuration. ...
- Secure. ...
- Highly available.
What about licensing?
No licensing is needed to install AAD Connect and get all your AD users and groups syncing with AAD. If you include other connectors there is still no licensing required. But if you want to write anything back to AD from Azure AD, that requires AAD Premium licensing.
Which account is used by Azure AD Connect?
If you install Azure AD Connect on a Domain Controller, a standalone Managed Service Account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed ADSyncMSA_ and used for the actual sync service to run as.
What is the difference between inbound and outbound Azure AD Connect?
An inbound rule is from a connector space to the metaverse and an outbound rule is from the metaverse to a connector space. The pipeline has several different modules. Each one is responsible for one concept in object synchronization.
Which are the two types of Azure AD groups?
Specifically, the group types that originate from these other sources, but which can appear in Azure AD, include the following types:
- Security (synced from AD)
- Mail enabled Security (from AD/Exchange or Exchange Online)
Which two features are supported by Azure AD free edition?
- Sync Active Directory via Azure AD Connect.
- Sync with up to 500,000 directory objects.
- Leverage SSO for many external SaaS applications using your Microsoft identities.
- Enact self-service password change for cloud users only (this does not include password resets that flow back to on-prem AD).
The precedence for Synchronization Rules is set in groups by the installation wizard. All rules in a group have the same name, but they are connected to different connected directories. The installation wizard gives the rule In from AD – User Join highest precedence and it iterates over all connected AD directories.
What is the difference between initial sync and Delta Sync?
Delta sync is faster than the initial sync, but it checks the whole data of the protected disk. Time may vary depending on the size of the protected volume and site bandwidth.
Does Azure AD Connect update automatically?
Azure AD Connect automatic upgrade is a feature that regularly checks for newer versions of Azure AD Connect. If your server is enabled for automatic upgrade and a newer version is found for which your server is eligible, it will perform an automatic upgrade to that newer version.
How many co-administrators are allowed in Azure?
Classic subscription administrator | Limit |
---|---|
Account Administrator | 1 per Azure account |
Service Administrator | 1 per Azure subscription |
Co-Administrator | 200 per subscription |
When it comes to your specific scenario (Tenant 1: Production and Tenant 2: Development), you'll need one subscription per tenant, since an Azure subscription can only have a one-to-one (1:1) relationship with an Azure AD tenant.
What is the difference between Azure AD devices and Intune?
AADDS and Intune are completely unrelated. AADDS, like on-prem AD, is a directory service that provides identity and authentication services. GPOs exist as well, but I'd never call GPOs true management or administration of devices. Intune is a management system to configure and control the state of a device.
What are the 4 types of Azure AD?
- Active Directory (AD) ...
- Azure Active Directory (AAD) ...
- Hybrid Azure AD (Hybrid AAD) ...
- Azure Active Directory Domain Services (AAD DS)
What are the 4 types of Azure storage?
- Azure Blob Storage. Blob is one of the most common Azure storage types. ...
- Azure Files. Azure Files is Microsoft's managed file storage in the cloud. ...
- Azure Queue Storage. ...
- Azure Table. ...
- Azure Managed Disks.
What is the difference between Azure AD and IAM?
According to Microsoft documentation, Azure AD is an identity management service, and IAM is used for access control. This means that Azure AD is responsible for authentication, and Azure IAM is responsible for authorization.
How would you explain the 3 types of services offered by Azure?
This gives users the flexibility to use their preferred tools and technologies. In addition, Azure offers four different forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and serverless functions.
What is the newest version of Azure AD Connect?
14.2. This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time.
How do I manage Azure AD Connect?
- Double-click on the Azure AD Connect desktop shortcut to start the wizard.
- Click Configure.
- On the tasks screen, select the Customize synchronization options and click Next.
- Enter your Azure AD credentials.
- Click Next.
Azure AD supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.
Which of the following are Azure AD Connect features?
- Password Hash Synchronization. Password hash synchronization is a sign-in method that supports hybrid identity. ...
- Pass-through Authentication. ...
- Federation Integration. ...
- Synchronization. ...
- Azure AD Connect Health.
- Password-based Hash sync.
- Pass-through authentication.
- Synchronization.
- Federation integration.
- Health-based monitoring.
Which type of cloud computing models is supported by Microsoft Azure?
Azure supports three approaches to deploying cloud resources: public, private, and the hybrid cloud. Selecting between them will change several factors of the services you move into Azure, including cost, maintenance requirements, and security.
Which of the following protocols are not supported by Azure AD?
Azure AD uses protocols such as SAML and OAuth 2.0. It does not support NTLM, Kerberos or LDAP (Lightweight Directory Access Protocol).
Which protocol is commonly used in Microsoft Active Directory?
Active Directory is a directory server that uses the LDAP protocol.
What two protocols does Microsoft's Active Directory use for structure?
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.
What is Microsoft Azure AD Connect?
Azure AD Connect (now referred to also as Azure AD Connect "Classic") is a Microsoft brand that is mostly about presenting on-premises Active Directory and Azure Active Directory in a seamless way, in particular giving users the experience of single sign-on, or at least same sign-on.
How many Azure AD Connect servers are there?
There should only be one active Azure AD Connect sync server at any time.
What are the four parts of the Microsoft Azure platform?
- Provision Windows and Linux VMs in seconds.
- Virtual Machine Scale Sets. ...
- Deploy and scale containers on managed Kubernetes.
- Azure Spring Apps. ...
- Quickly create powerful cloud apps for web and mobile.
- Execute event-driven serverless code functions with an end-to-end development experience.
- Azure Dedicated Host.
It has three major components: Compute, Storage and the Fabric Controller. As depicted in Figure 3.16, Windows Azure runs on a large number of machines, all maintained in Microsoft data centers. The hosting environment of Azure is called the Fabric Controller.
What are the 4 types of cloud computing?
There are four main types of cloud computing: private clouds, public clouds, hybrid clouds, and multiclouds.
Can Microsoft Azure Active Directory be integrated with on-premises Active Directory?
Azure provides two solutions for implementing directory and identity services in Azure: Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.