News

Microsoft Enables Azure AD Connect To Join Unconnected AD Forests

• By Kurt Mackie
• 12/06/2019

To bridge scattered Active Directory "forests," Microsoft is introducing a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service.

Azure AD Connect is used to synchronize local Active Directory accounts with Microsoft's Azure AD cloud-based identity and access management service. However, Azure AD Connect's synchronization capabilities have lacked the ability to connect multiple premises-based AD forests, as shown in this Microsoft document. An AD forest consists of top-level "domain, users, computers and group policies," per this definition by cybersecurity company Varonis.

Organizations typically might want to connect scattered AD forests when they've merged or acquired another organization, and have a need to centralize the identity and access management structure. The Cloud Provisioning feature of Azure AD Connect, now available as a preview release, opens up this possibility.

Organizations wanting to use the Cloud Provisioning feature have to install a "lightweight" agent in their "on-premises and IaaS-hosted environment," according to Microsoft's document. Prerequisites include having global administrator privileges, Windows Server 2012 R2 or later and a firewall with certain outbound ports available. Organizations need to have .NET Framework 4.7.1 installed, and they'll need to use the Transport Layer Security 1.2 protocol with the Cloud Provisioning feature.

The agent for Cloud Provisioning gets installed on a domain-joined Windows Server using the Azure Portal. Microsoft offers a wizard for carrying out the steps.

Azure AD Domain Services
In other Azure AD news, Microsoft this week announced a preview capability in Azure AD Domain Services that's designed to make it easier for organizations using "classic virtual networks" to move to "Azure Resource Manager virtual networks."

Organizations making this shift to Azure Resource Manager virtual networks will get access to richer capabilities, such as "audit logs, fine-grained password policies and email notifications," per Microsoft's announcement. Three clicks and some PowerShell scripts are involved in making the switch, but Microsoft promised there won't be a need to "rejoin virtual machines" or resynchronize users.

MSAL Shift Explained
There's also Azure AD news of sorts for developers tapping Microsoft's identity and access service. Microsoft this week further explained why it switched from the Azure AD Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL), which is part of its move from Azure AD to the new Microsoft Identity Platform infrastructure, as announced in May.

The Azure AD endpoints, based on Azure AD "version 1," were not wholly compliant with the OAuth 2.0 and OpenID Connect standards, explained Jean-Marc Prieur, a principal program manager on the Microsoft Identity Platform, in this short Microsoft video. Developers should start their new projects using MSAL, he advised.