Understanding Azure AD Connect Cloud Provisioning

Understanding hybrid identity management in the Microsoft identity landscape can be a daunting task. When I’m advising and envisioning identity solutions for our clients, the most common question I get asked is, “When do we get move our identities to be managed in the cloud?” The reasons for this request are clear: The cloud enables organizations to respond with speed, reduce friction from legacy identity footprints, and requires zero on-premises infrastructure.

But we aren’t there yet. We have multiple anchors in our hybrid world. Applications and current product architecture keep us in this current state. This transition state can make people unsure if they are making the right choices in their identity strategy. The good news is that Microsoft’s direction shows us that there is a path forward and we can realize cloud-enabled security and management benefits while existing in our hybrid identity state.

In our journey toward cloud-based identities, the announcement of Azure AD Connect cloud provisioning at Ignite 2019 demonstrates the next revolutionary step toward Microsoft’s cloud identity vision and strategy, providing a new mechanism for synchronizing identities to Azure AD.

What is it?

Azure AD Connect cloud provisioning is an agent-based identity sync tool that is configured and managed from the cloud. While it performs the same basic functions as Azure AD Connect Sync, the architectures are radically different.

In this initial release, Microsoft is looking to solve a use case for disconnected Active Directory that was previously impossible for Azure AD Connect Sync. The term ‘disconnected AD’ refers to an Active Directory that is not reachable on an organization’s network. We see this most commonly in mergers and acquisitions.

Azure AD Connect cloud provisioning can run in a tenant already using Azure AD Connect Sync.  Currently, this is not a replacement for Azure AD Connect Sync. It’s more of a use case enablement feature.

What can’t it do?

There is a big list of feature differences and limitations.  Check here for the full list.


  • Only password hash sync is supported
  • Device objects not supported
  • Custom Active Directory attributes not supported
  • Attribute filtering not supported
  • Password write-back is not supported

Where are we going?

This new feature is targeted at a very specific use case – and we can make an educated guess where Microsoft is headed. Just like Azure Arc for servers, Microsoft’s vision is management from the cloud.  Having an agent-based identity sync tool makes a lot of sense to enable this functionality. While we have no idea what the possible migration path will be, we can look at the ADFS monitoring feature of Azure AD Connect as an example of how Microsoft can import on-premises configurations into its cloud architecture.

If you have a need to quickly enable cloud identity synchronization to Azure AD from a disconnected Active Directory, then this tool is for you. For the rest of us we’ll use this opportunity to envision what the future of Microsoft identity looks like.

How Oxford Computer Group can help

Oxford Computer Group, with our focus on timely and accurate management of user credentials, devices, and permissions, helps companies push the risk parameters back. When properly protected accounts hold only the required permissions at any time, attacks are harder to carry out. Both the initial breach of an account, and the exploitation of a breached account (by lateral movement and privilege escalation) become more difficult. In the event of a breach, timely detection and damage limitation and mitigation are also essential, and automated management tools have an important role to play in this case too.

Want to learn more about how Azure AD Connect cloud provisioning? Register for our Jan 23rd webinar ‘Overcoming Identity Challenges in Merger & Acquisition Scenarios with Azure AD.’

Our expert team can help your organization assess and minimize security risks. Contact us today! Call +1 877 862 1617 or email now.