Patrick_Lownds

Azure AD Cloud Sync

Azure AD Connect Cloud Sync (Cloud Sync) supports a largely similar set of scenarios to Azure AD Connect, but Cloud Sync has some additional benefits, e.g. support for connecting to multiple disconnected on-premises Active Directory Domain Services (AD DS) forests, and some limitations, e.g. no support for Pass-through Authentication or the synchronisation of device objects. What is and is not supported with Cloud Sync is documented in Microsoft's what-is-cloud-sync article.

Azure AD Connect Cloud Sync uses a lightweight agent that is deployed on a Windows Server (Windows Server 2016 or later) with line of sight to a domain controller. Alternatively, the agent can be deployed on a domain controller. However, to keep role separation between domain controllers and the cloud sync agent server, it is recommended to keep the agent on a separate server in production environments. Note that installing the cloud sync agent on Windows Server Core is not currently supported.

The approach taken by Cloud Sync differs from that of Azure AD Connect, which relies on provisioning infrastructure on-premises. There is also the further benefit of not having to deploy Microsoft SQL Server on-premises when you are working with enterprise-scale directories.

Multiple agents can be deployed within your infrastructure to provide high availability. However, only one agent is active at a time, so there is no load balancing. Failover to an alternative agent only occurs if communication with the active agent fails. This approach is also different to Azure AD Connect, where you would have to switch the staging mode server into production.

There are several prerequisites for setting up the Azure AD Connect Cloud Sync agent:

  1. You will need sufficient domain account privileges or Enterprise Administrator credentials to create the Group Managed Service Account (gMSA). The gMSA is used to run the Cloud Sync service. Not that this should be a problem, but you can only create a gMSA if the forest schema has been updated to Windows Server 2012.
  2. You will also need to be a Hybrid Identity Administrator or Global Administrator to manage the Cloud Sync configuration in the Azure portal.

The above is also another benefit of Azure AD Connect Cloud Sync, in that the configuration is managed centrally and applied to all deployed agents.

  3. The server where the agent is deployed needs to be Windows Server 2016 or later, have a minimum of 4 GB of RAM and have .NET 4.7.1 or later installed.

The agent communicates outbound over the following ports:

  - 80 – used to download certificate revocation lists (CRLs) while validating the TLS/SSL certificate
  - 443 – used to handle all outbound communication with the Azure AD Connect Cloud Sync service
  - 8080 – optionally used if 443 is unavailable

During agent registration, the following URLs will need to be accessible:

  - login.windows.net
  - login.microsoftonline.com

For certificate validation, the following URLs will need to be accessible. These URLs are also used for certificate validation by other Microsoft products, so you may find that they are already allowed through your firewall:

  - mscrl.microsoft.com:80
  - crl.microsoft.com:80
  - ocsp.msocsp.com:80
  - www.microsoft.com:80
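The following pre-flight script checks the server prerequisites and outbound connectivity listed above before the agent is installed. It is added example code, not from this post or from Microsoft; it assumes a domain controller name in $dc and uses LDAP port 389 as the line-of-sight test, which is an assumption rather than something the post specifies.

```powershell
# Pre-flight check for an Azure AD Connect Cloud Sync agent host (added example, not Microsoft's code).
# Run in an elevated PowerShell session on the candidate server.
$dc = 'dc01.corp.example'   # assumption: replace with a domain controller in your forest

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Operating system: Windows Server 2016 is build 14393; ProductType 1 means a client OS.
# InstallationType reads "Server Core" on a Core install, which the agent does not support.
$os  = Get-CimInstance Win32_OperatingSystem
$sku = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Check 'Windows Server 2016 or later' ([int]$os.BuildNumber -ge 14393 -and $os.ProductType -ne 1) "$($os.Caption) build $($os.BuildNumber)"
Add-Check 'Not Server Core' ($sku -ne 'Server Core') "InstallationType=$sku"

# Memory: TotalPhysicalMemory reports slightly less than installed RAM, so round to whole GB.
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
Add-Check 'At least 4 GB RAM' ($ramGB -ge 4) "$ramGB GB"

# .NET Framework: a Release value of 461308 or higher means 4.7.1 or later.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.7.1 or later' ($release -ge 461308) "Release=$release"

# Line of sight to a DC (assumed LDAP/389) plus the registration and CRL endpoints on their ports.
$endpoints = @(
    @{ Host = $dc;                         Port = 389 },
    @{ Host = 'login.windows.net';         Port = 443 },
    @{ Host = 'login.microsoftonline.com'; Port = 443 },
    @{ Host = 'mscrl.microsoft.com';       Port = 80 },
    @{ Host = 'crl.microsoft.com';         Port = 80 },
    @{ Host = 'ocsp.msocsp.com';           Port = 80 },
    @{ Host = 'www.microsoft.com';         Port = 80 }
)
foreach ($e in $endpoints) {
    $t = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    Add-Check "TCP $($e.Host):$($e.Port)" $t.TcpTestSucceeded "RemoteAddress=$($t.RemoteAddress)"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites failed.' }
```

A failed TCP check against the port 443 endpoints usually points at an egress proxy or firewall rule that also needs to cover the optional port 8080 fallback.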

Password Hash Sync

Password Hash Sync synchronises Active Directory Domain Services (AD DS) password hashes to Azure AD. Users can use the same password on-premises and in the cloud to sign in to services such as Microsoft Azure or Microsoft 365.

Using Password Hash Sync is the most effective method to move from an on-premises AD DS to maintaining an organisation's identity in Azure.

Fig1 - Azure AD Connect Sync with Password Hash Sync

AD FS Authentication

If you need an on-premises managed Multi-Factor Authentication (MFA) based approach, you will need to opt for Active Directory Federation Services (AD FS). With AD FS Authentication, Azure AD transfers the responsibility for authentication to the on-premises AD FS, which validates user passwords.

Using AD FS Authentication is the recommended approach when you require single sign-on (SSO) and on-premises password management capabilities.

Fig2 - Azure AD Connect Sync with AD FS Authentication

If you enjoy working with Azure AD, like me, then you might want to consider the following Microsoft training:

Microsoft Security, Compliance, and Identity Fundamentals (exam SC-900)

Fig3 - Security, Compliance, and Identity Fundamentals

Identity and Access Administrator Associate (exam SC-300)

Fig4 - Identity and Access Administrator Associate

For more information on the many ways we can help you, see https://www.hpe.com/uk/en/services/pointnext.html

Patrick Lownds
Hewlett Packard Enterprise

twitter.com/HPE_TechSvcs
linkedin.com/showcase/hpe-technology-services/
hpe.com/pointnext
