Demystifying Azure AD Connect Architecture
In this blog we will delve into the intricacies of Azure AD Connect architecture, understanding its core components, and exploring how it enables a seamless identity management experience across hybrid environments.
Table of Contents
Watch the video
Watch this video and dive into Azure AD Connect Architecture and learn how Azure AD Connect works.
Azure AD Connect Architecture
Azure AD Connect architecture plays a crucial role in establishing a secure and efficient identity management solution for organizations operating in hybrid environments. It involves various components and processes working together to synchronize on-premises Active Directory (AD) with Azure Active Directory (Azure AD). Let’s explore the key elements of the Azure AD Connect architecture.
Azure AD Connect Sync Engine
Azure AD Connect has an important component which helps it to work. You can say this component is the heart of Azure AD Connect. This component is called Sync Engine. Sync Engine has 4 components:
- Connected Data Source or connected directories
- Connectors
- Connector Space
- Metaverse
These 4 components help sync engine to perform all the activities. If you are synchronizing an object from Active Directory to Azure Active Directory, or if passwords are getting synchronized from Azure Active Directory to on-premises, all these activities are performed by these 4 components. So let’s understand each component in detail.
Connected Data Source: In Azure AD Connect, connected data source can be any data repository that organizes data in a database, like Active Directory or SQL server. In a standard Azure AD Connect configuration, connected data sources are Active Directory and Azure Active Directory. If you are using SQL server in your on-premise, you can use SQL server database as a connected data source in Azure AD Connect. So in nutshell, connected data source or connected directories are a storage space where your objects are stored. For example Active Directory, Azure Active Directory or SQL server.
Connectors: The second component of sync engine is connectors. Each connected data source has a dedicated connector. Connectors are a medium through which data flows from connected data sources to connector space, or from connector space to another connected data sources. At one time data can flow in one direction only. That means at one time data can flow either from Active Directory to Azure Active Directory or from Azure Active Directory to on-premises Active Directory.
Connector Space: The next component of sync engine is connector space. Connector space stores a replica of all objects that are present within connected data sources. For example, if we have 2 users in active directory, connector space will store these objects and their attributes. If we make any changes in these 2 users within Active Directory, these changes will be updated within connector space as well. If we add another user in Active Directory, during sync cycle connector space will copy the new object and will store this object and its attributes. With the help of connector space, sync engine evaluates whether the data has already been synchronized.
Metaverse: The fourth component of sync engine is Metaverse. Metaverse is a storage area that provides a global view of both connectors. It shows what changes are picked from Active Directory, and what changes are going to be exported to Azure Active Directory.
Azure AD Connect Sync Cycles
Now let’s understand what happens when you run a Delta or Initial sync cycle. We will talk about both delta and initial sync cycles later but for now just understand that delta and initial are the types of sync cycles. With the help of a sync cycle the changes done within Active Directory are synchronized or updated in Azure Active Directory and vice-versa.
When we run either Delta or Initial sync cycle, Sync Engine runs 6 sync cycles. Import – AD, Import – AAD, Synchronization – AD, Synchronization – AAD, Export – AAD, and Export – AD (where AD is Active Directory and AAD is Azure Active Directory). Let’s understand these Azure AD Connect Sync Cycles in detail.
Import – AD: During this cycle, changes those are done within Active Directory objects are picked by the Sync Engine and are sent to Connector Space through Active Directory connector. For example, if you have created a new user account in Active Directory, during Import cycle that user object will be updated within connector space.
Import – AAD: During this sync cycle, any changes that are made in Azure Active Directory are updated within connector space that is connected with Azure Active Directory. For example, if you have reset password for a user and you have enabled password write-back, then password will be synced from Azure Active Directory to on-premises Active Directory.
Important: In from AD and Out to AAD are the synchronization rules types. In from AD rules decide which objects and attributes will be picked from Active Directory, and Out to AAD rules export the changes to Azure Active Directory as per their conditions.
Synchronization – AD: The 3rd cycle that sync engine runs is Synchronization for Active Directory. During this cycle, the changes that were done in Active Directory are presented within Metaverse, and these changes are updated within Active Directory Connector Space.
Synchronization – AAD: During this cycle, the changes that are going to be exported to Azure Active Directory are presented within Metaverse, and these changes are updated within Azure Active Directory Connector Space.
Export – AAD: During this sync cycle changes that were presented within metaverse, are exported to Azure Active Directory or Microsoft 365.
Export – AD: During this sync cycle, any changes that were picked during import cycle from Azure Active Directory are exported to local Active Directory.
So this is how Azure AD Connect synchronizes the changes from Active Directory to Azure Active Directory or vice-versa.
Delta sync vs Full sync (Initial Sync) cycles in Azure AD Connect
In Azure AD Connect architecture, there are two types of synchronization cycles: the Delta Sync cycle and the Initial Sync (Full sync) cycle. Let’s explore the differences between these cycles:
Initial Sync (Full sync) cycle
The Initial Sync cycle, also known as the Full Sync cycle, is the first synchronization cycle that occurs when Azure AD Connect is initially set up or when a major configuration change is made. During the Initial Sync cycle, all objects and attributes from the on-premises Active Directory (AD) are synchronized to Azure Active Directory (Azure AD) for the first time. This process ensures that the initial state of the directories is consistent.
The Initial Sync cycle is a resource-intensive process and may take a significant amount of time, especially in environments with large numbers of objects or complex directory structures. It is crucial to ensure that the initial synchronization is complete and successful before proceeding with ongoing synchronization.
Delta Sync cycle
After the Initial Sync cycle, subsequent synchronizations are performed using the Delta Sync cycle. The Delta Sync cycle is responsible for synchronizing changes made to objects and attributes in the on-premises AD to Azure AD. Instead of synchronizing the entire directory, the Delta Sync cycle only processes and transmits the changes that have occurred since the last synchronization.
The Delta Sync cycle optimizes the synchronization process by reducing the amount of data transmitted and improving the synchronization speed. It helps keep the on-premises AD and Azure AD consistent by applying incremental updates, including changes to user accounts, group memberships, attributes, and password changes.
Important: By default, the Delta Sync cycle runs every 30 minutes in Azure AD Connect. However, this interval can be modified to meet specific requirements.
Conclusion
In this blog you learnt how Azure AD Connect works and how changes are synchronized from on-premises Active Directory to Azure Active Directory. You might like our other article on What is Azure AD Connect where we have discussed how Azure AD Connect helps organizations to meet their hybrid identity goals.
If you found this article helpful and informative, please share it within your community and do not forget to share your feedback within the comments below. Please join us on our YouTube channel for the latest videos on cloud technology and join our Newsletter for the early access of blogs and updates.
Happy Learning!!