Hundreds of people attended our recent AAD Connect webinar, and there were so many questions for our expert speakers that there wasn’t time to answer them all!
“No, please don’t finish!” said one attendee
- View the webinar recording to hear 30+ questions about AAD connect answered by Andreas Kjellman (formerly MIM and Azure AD Connect Program Manager for Microsoft), Jimmy Andersson (MVP Enterprise Mobility), James Cowling (CTO, Oxford Computer Group) and me, Hugh Simpson-Wells (CEO, Oxford Computer Group and OCG Learning).
- See below for answers to questions about AAD Connect that we didn’t have time to cover during the webinar.
- If you’d like to continue the discussion, why not join the new AAD Connect group on Linkedin?
- Want to learn more about what’s beyond the AAD Connect wizard? Find out more about our latest training course, the NEW Azure AD Connect Masterclass.
Question: We currently use ADFS for authentication but pass-through authentication (PTA) seems to be the new preferred method. Should I change over? How would I do that?
Answer: PTA is newer, and is a great choice where no ADFS infrastructure exists – exactly because it requires so little infrastructure. And it may make sense to change if this is the only job being done by ADFS, as you can retire a bunch of servers. To change it over, you use PowerShell to change the AAD domain to Managed, and use the AAD Connect setup wizard and enable password sync and PTA and make changes. Domain Change and password sync take time, so be sure to build this into your plan.
Question: Is there a supported method to transition only certain user accounts and mailboxes from federated to cloud accounts?
Answer: If this is asking “can I transition just some users from being sync’ed users to cloud-only users”? The answer is no, you can’t. The only way is to completely stop sync’ing and that will transition all accounts to being cloud-users (and subsequently you could sync some of the accounts again by using appropriate filtering). The process of stopping sync’ing is not a fast one (only 1000s of objects per hour), so you will to plan for this if you have a lot of users.
Question: For Office 365 groups, when will they sync to onPrem as mail-enabled Security groups?
Answer: Group write-back (which is still in preview) syncs to distribution groups. You can write a custom rule to sync with mail-enabled security groups (or security groups, for that matter).
Question: Any reason not to move from dirsync to AAD Connect? We have a hybrid Exchange but just to push up groups (may be replaced w/O365 groups). Possibly attributes not passing or other limitations?
Answer: We take the view that this is long overdue and you should move. As documented here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-deprecated after 31 December 2017 Microsoft can at any time turn off the endpoints used by DirSync, and then it would just stop working!
Question: Is MIM the only way to make the Azure AD SSPR available on W10 machines pre-logon? Can this be done using AADConnect?
Answer: See: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-login for how to configure this scenario. It should be noted that at present it is only for Azure AD joined machines, but we expect that it will be supported by domain joined machines as well in the future.
Question: Is there any way to use Azure AD Connect to synchronize one ADDS to multiple Azure AD environments? (Prod and Test environments, for example)
Answer: See: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies#multiple-azure-ad-tenants – you can do it with multiple sync engines and with the limitations documented in this topic.
Question: In introducing a staging server into a live environment, what changes happen to ADFS? We use ADFS for authentication.
Answer: This was partially answered when answering other questions in the webinar – but, for clarity, nothing changes.
Question: Can you operate with some users using password hash sync and some using ADFS? For example, in a phased migration to allow for sufficient testing before moving all users and apps together?
Answer: This was partially answered elsewhere in the webinar. It’s a domain-wide setting. However, you can implement ADFS and sync password hashes as a fall-back – this doesn’t avoid the “big bang” issue, but it does provide a quick path of retreat if required.