Can you use Azure AD Connect write-back to manage on-premises AD from Office 365?

Introduction

Azure AD Connect is a new Directory Sync tool from Microsoft that aims to replace the legacy Windows Azure AD Sync tool (commonly known as DirSync) and Azure AD Sync Services. In addition it provides the ability to auto-configure Active Directory Federation Services (AD FS) and has some new features not found in the older products.

New features in Azure AD Connect for Exchange Admins

At the time of writing, August 2015, new features in Azure AD connect don’t directly benefit Exchange admins currently using DirSync.

However, there are new features in preview that will make a big difference once they are completed and move out of preview.

clip_image002

Figure 1: Configuring write-back features in Azure AD Connect

Lets take a look at the relevant features, User write back and Group write back.

User write back to on-premises

It has always been a one-way relationship with on-premises AD and Azure AD, as Azure AD has for those with DirSync in place been the read-only version of the local AD.

User write back to on-premises changes this somewhat, and as a preview feature allows you to define an Organizational Unit in the on-premises AD to write-back new user objects that have been mastered in Azure AD.

At the moment this feature doesn’t write back all attributes, and crucially for Exchange administrators, it doesn’t write back the equivalent Exchange attributes.

For example, if you have a mailbox in Exchange Online that remains a cloud-only account, whilst Azure AD connect will allow you to create a basic AD account to represent the mailbox, it will not enable it as a Remote Mailbox, nor will it write-back Exchange attributes like the Email Addresses (proxyAddresses).

Nor does it allow you to edit synced AD objects and write back those changes to the local AD. Mailboxes that are already mastered on-premises will not, for example, have editable email addresses in the cloud. These must still be managed on-premises.

Group write back to on-premises

The big new concept across Office 365, as a service, is Unified Groups. Always mastered in Azure AD, the concept of Unified Groups is different from the traditional security or distribution group used with Exchange or Active Directory on-premises. A group in the cloud not only contains the list of those who can access it, but also across the service contain the data. In Exchange a Group has a mailbox associated with it in the cloud, and allows for threaded topics and even buttons to express whether a reader likes the post.

Groups also span non-Exchange services, including integration into OneDrive for Business and PowerBI, with planned integration with Skype for Business and Yammer coming in the future.

The relevance to Exchange on-premises comes with preview group write back features. These focus on the unified groups rather than security and distribution groups.

With on-premises versions of Exchange 2013 CU8 and above, including the up-coming Exchange 2016, the unified group object is supported, however at the time of writing these do not show up in on-premises Global Address List, Exchange Admin Center nor is access to the Unified Group available in the Outlook clients; the group itself shows as a Universal Security group, as shown in figure 2:

clip_image004

Figure 2: A Unified Group from Azure AD in the local AD

Why write back matters

Although we are seeing just the beginning of write-back from Azure AD to on-premises AD, you should start paying attention now. In the near future it enables access from on-premises to cloud-only features. With Windows 10, you’ll also expect to start using the workplace join functionality to register a device with Azure AD and see it written back to on-premises AD, rather than a standard domain join. Azure AD is becoming as important to an organizations identity as Active Directory, rather than just a mirror of it in the cloud.

Future considerations for write back

Although we don’t know exactly where Microsoft will improve write back functionality next, the biggest ask we hear from Microsoft customers is to remove the requirement to implement an Exchange Hybrid server on premises. At present, if you use DirSync, Azure AD Sync or Azure AD Connect and use Exchange Online, then you need to implement an Exchange Hybrid server to remain supported.

Improvements to to allow administrators to edit Exchange Online attributes for synced mailboxes and then writeback to on-premises Active Directory would be a welcome improvement and help remove the requirement to maintain any Hybrid server. For now, if you want to remove Exchange from on-premises but still be supported by Microsoft, you’ll need to place the Hybrid management server in Azure.

Summary

Azure AD Connect brings some new functionality for write-back that provides the foundation of some very interesting technologies that provide for a much richer Hybrid experience. These are in early preview at the moment, but provide a very promising outlook.