How Azure AD Connect Works

Azure AD Connect is the upgraded version of DirSync which is used to provision the On-Premise Objects into Azure Active Directory. There are many ways that can be used to provision the Objects to Azure AD for Office 365 like,

  • Directory Synchronization (DirSync), Office 365 Portal, Windows PowerShell, or API
  • Microsoft Azure AD Connector for FIM 2010 R2
  • Microsoft Azure Active Directory Sync tool (Azure AD Sync Tool)
  • The New Microsoft Azure AD Connect

We will see how the Azure AD Connect works on this post. Directory Sync or the Azure AD Connect is mainly required for Identity Federation and Exchange Hybrid Deployment. Below the flow diagram of how the Azure AD Connect works

Azure Connect support the below features

How Azure AD Connect works?

Azure AD Connect by default is a one-way Sync which synchronize the On-Premise AD objects to Azure AD. Before looking at the Synchronization Data Flow, we will see what are Management Agents and where AD Connect stores the information

Management Agents

Management Agents in Azure AD Connect control the data flow between a connected data source and the meta directory. DirSync or Azure AD Connect uses two managements agents.

  • Active Directory Connector management agent
  • Microsoft Azure Active Directory management agent

DirSync or Azure AD Connect stores the information in two places:

  1. Connector Space

Connect Space has the Replica of the managed objects in the AD DS and each management agent or connector has its own connector space

  1. Metaverse

Aggregate information about a managed object (that is, User, Group, etc.)

Azure AD Connect Synchronization data flow:

  1. User is imported from On-Premise AD into the Active Directory Connector space
  2. User is projected to the Metaverse
  3. User is provisioned to the Microsoft Azure Active Directory Connector space
  4. User is exported to the Office 365 Admin Web Service

Above explains how the Azure AD Connect synchronize the objects from On-Premise AD to Azure AD. If Exchange Hybrid option is selected which installing/configuring the Azure AD Connect, then below 7 attributed will be written back to On-Premise AD. (Exchange Federation is must for below Objects to write back to On-Premise AD).


Online Archive: Enables customers to archive mail.


Enable Unified Messaging (UM) – Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.


Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.

(LegacyExchangeDN as X500)

Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.


Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.


Forward Sync and Back Sync in Azure AD Connect

It is important to know what is forward sync and back sync in Azure AD Connect.

Forward Sync

It is sync from Azure AD to the Online Application directory services

  • Once the AD Objects from On-Premise synced to Azure AD, Azure AD won’t be directly referred by office 365 online application.
  • Each online application in Office 365 has their own directory service. After an object is changed in Azure AD, further synchronization are constantly running that parse relevant changes and ship them to these services’ directory partitions.
  • Since the Application directory are updating the information from Azure AD, it can cause delay in applications becoming available to newly commissioned accounts or users

Back Sync or write Back

When Exchange Hybrid Configuration feature is enabled while configuring AD Connect, there are certain attributes for the Microsoft Exchange Online service that require reverse propagation to the on-premises environment for Exchange co-existence features to work which is referred as Back Sync.

  • Back-Sync: Data is changed in the Exchange Online partition and then synced back to Azure AD using daemons similar to those used for Forward-sync
  • Write-back: Data is shipped from Azure AD directory, back through Admin Web Service, to DirSync service using bi-directional FIM functionality
  • DirSync updates the local AD DS objects with these updated attributes

I hope this post is informative, please leave your comments if any additional information required.

Leave a Reply