Overview of current Azure AD sync tools and which to choose.

Because I was not at Microsoft TechEd 2014 in Barcelona, I watched a lot of the videos regarding Identity Management and Azure AD. It seems to me that Hybrid Identity is the big keyword for the future.

Many of the slides and videos had synchronization from on-premises AD to Azure AD as their topic, and there was also a preview of the next release of AAD Sync / AAD Connector.

Thinking about all the current sync tools, I thought it was a good idea to write a short explanation of all these tools and which one to choose, and in addition what to use FIM/MIM for.

Currently you can use the following four tools:


  • Support single forest scenarios only
  • Support password sync and password write-back
  • Very limited options for customizing attribute flow and scope
  • Will be deprecated in the near future


Windows Azure AD Connector for FIM (WAAD)

  • Support multi-forest scenarios
  • No password sync and no password write-back support
  • Only usable with ADFS SSO
  • Highly customizable (it’s all up to you)
  • No new development on the connector (no new features or updates)


Azure AD Sync Service

  • Support multi-forest scenarios
  • Support password sync and password write-back (since 1.0.470.1023)
  • Attribute flow templates for Azure applications
  • Easier to customize (Sync Rule Editor)


Azure AD Connect (Beta currently on Microsoft Connect)

  • Support for multi-forest scenarios (the current beta supports single-forest only)
  • Support for password sync and write-back
  • Attribute flow templates for Azure applications
  • Highly customizable, with an easy deployment mode (Sync Rule Editor and Wizard)
  • Support for user, group and device write-back
  • Wizards for installing ADFS and WAP over remote PowerShell


You can watch a video demonstration of the next release of AAD Connect from TechEd 2014 Europe on channel9 here.

Since there will be no new updates to the FIM WAAD connector in the future, and given Microsoft's new strategy regarding FIM connectors for cloud services (there won't be any) and what should be used for "perimeter" sync to Azure, we have the following facts:

  1. Use Azure AD Connect/Sync for cloud sync, even if you have FIM deployed in your company.
  2. Use FIM for all on-premises synchronization, including changes that come from the cloud.

I find this approach pretty good, as a separate sync service for the cloud can get faster and more frequent updates in the future to better reflect rapid changes and new features of Microsoft Azure and other cloud services.

If you are going to the channel9 website, don't miss the Overview of Microsoft Identity Manager vNext.


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)
