If you need to work with Microsoft cloud services such as Office 365, Intune or Azure, you will have to synchronize your on-premises Active Directory objects (users, contacts and groups) to Microsoft cloud services (Azure Active Directory). To accomplish this, you will have to choose between Same Sign-On and Single Sign-On.
- Same Sign-On will use synchronization tools (DirSync, AADSync and FIM) to synchronize your on-premises Active Directory objects and their associated passwords (requires Password Sync). This means that authentication requests and access rights will be handled only by Azure Active Directory, without contacting your on-premises domain controllers.
- Single Sign-On will also use synchronization tools, but authentication requests and access rights will be redirected to your on-premises AD FS infrastructure, which is connected to the local Active Directory. This scenario is used when your organization requires SSO, MFA and other features. In addition, in terms of infrastructure, you will need to implement a highly available AD FS service in your DMZ with redundant links to avoid service interruption.
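As an added example (not part of the original post), the following PowerShell audit uses the legacy MSOnline module to report which of the two models each verified domain actually runs and whether synchronization looks healthy. It assumes Connect-MsolService has already been run with an account allowed to read company and domain settings; the 3-hour staleness threshold is a constructed value to adjust to your sync interval.

```powershell
# Added example: audit the tenant's sign-on model with the MSOnline module.
# Assumes Connect-MsolService has already been run.

# Tenant-wide sync state: DirSync / Password Sync and when each last ran.
$company    = Get-MsolCompanyInformation
$dirSyncOn  = [bool]$company.DirectorySynchronizationEnabled
$pwdSyncOn  = [bool]$company.PasswordSynchronizationEnabled
$staleAfter = (Get-Date).AddHours(-3)   # constructed threshold

Write-Output "Directory sync enabled : $dirSyncOn (last run: $($company.LastDirSyncTime))"
Write-Output "Password sync enabled  : $pwdSyncOn (last run: $($company.LastPasswordSyncTime))"
if ($dirSyncOn -and $company.LastDirSyncTime -lt $staleAfter) {
    # A stale sync means on-premises changes (e.g. a disabled account) are not yet in the cloud.
    Write-Warning "Directory sync looks stale; on-premises changes may not be reflected in Azure AD."
}

# Per-domain authentication mode:
#   Managed + Password Sync  -> Same Sign-On (Azure AD authenticates with synced hashes)
#   Federated                -> Single Sign-On (authentication redirected to on-premises AD FS)
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $domain = $_
    switch ($domain.Authentication) {
        'Federated' {
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            Write-Output "$($domain.Name): Single Sign-On via AD FS endpoint $($fed.PassiveLogOnUri)"
            if ($fed.SigningCertificate) {
                # The token-signing certificate is published as base64 DER; an expired one breaks SSO.
                $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
                if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                    Write-Warning "$($domain.Name): AD FS token-signing certificate expires $($cert.NotAfter)"
                }
            }
        }
        'Managed' {
            $model = if ($pwdSyncOn) { 'Same Sign-On (cloud authentication, synced password hashes)' }
                     else            { 'Managed without Password Sync (cloud-only passwords)' }
            Write-Output "$($domain.Name): $model"
        }
        default { Write-Output "$($domain.Name): unknown authentication mode '$($domain.Authentication)'" }
    }
}
```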
Since the beginning of Microsoft Azure services, we have had to use DirSync to accomplish this synchronization (without Password Sync), and then Microsoft released a bunch of new tools to improve this process, which brought a lot of confusion…
But rejoice, because there is a new product called Azure Active Directory Connect that replaces AADSync and DirSync. Azure AD Connect incorporates the components and functionality previously released as DirSync and AADSync. At some point in the future, support for DirSync and AADSync will end. Moreover, Azure Active Directory Sync will allow you to do the following:
- Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2012 R2
- Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7)
- Configuring multiple on-premises Exchange organizations to map to a single Active Directory tenant