This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution. This article includes both supported and unsupported configurations.
Here's the legend for the pictures in the article (the symbol images themselves aren't reproduced on this page):
- On-premises Active Directory forest
- On-premises Active Directory with filtered import
- Azure AD Connect sync server
- Azure AD Connect sync server in "staging mode"
- GALSync with Forefront Identity Manager (FIM) 2010 or Microsoft Identity Manager (MIM) 2016
- Azure AD Connect sync server, detailed
- Azure AD
- Unsupported scenario
Important
Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.
Single forest, single Azure AD tenant
The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.
Single forest, multiple sync servers to one Azure AD tenant
Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects. You might have considered this topology if you can't reach all domains in the forest from a single server, or if you want to distribute load across several servers. (No errors occur when a new Azure AD Sync Server is configured for a new Azure AD forest and a new verified child domain.)
Multiple forests, single Azure AD tenant
Many organizations have environments with multiple on-premises Active Directory forests. There are various reasons for having more than one on-premises Active Directory forest. Typical examples are designs with account-resource forests and the result of a merger or acquisition.
When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The server must be joined to a domain. If necessary to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
The Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD. There are some common topologies that you can configure in the custom installation path in the installation wizard. On the Uniquely identifying your users page, select the corresponding option that represents your topology. The consolidation is configured only for users. Duplicated groups are not consolidated with the default configuration.
Common topologies are discussed in the sections about separate topologies, full mesh, and the account-resource topology.
The default configuration in Azure AD Connect sync assumes:
- Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
- Each user has only one mailbox.
- The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there's no mailbox for the user, any forest can be used to contribute these attribute values.
- If you have a linked mailbox, there's also an account in a different forest used for sign-in.
If your environment does not match these assumptions, the following things happen:
- If you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other.
- A linked mailbox with no other active account is not exported to Azure AD. The user account is not represented as a member in any group. In DirSync, a linked mailbox was always represented as a normal mailbox; this behavior is intentionally different in Azure AD Connect to better support multiple-forest scenarios.
You can find more details in Understanding the default configuration.
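The assumptions above (one enabled account per person, one mailbox, and a sign-in account somewhere for every linked mailbox) are worth checking before you run the first sync, because the sync engine silently picks one object and ignores the rest when they don't hold. The following PowerShell script is an added example, not code from the Microsoft article: it reads users from each forest with the RSAT ActiveDirectory module, groups them on the mail attribute (the attribute the "match users" options join on) and reports the cases the text describes. The forest names are placeholders, and the msExchRecipientTypeDetails value 2 for a linked mailbox is an assumption about Exchange's attribute encoding.

```powershell
# Added example (not from the Microsoft article): audit all forests for users that
# violate Azure AD Connect's default multi-forest assumptions.
# Assumes the RSAT ActiveDirectory module and read access to each forest.
Import-Module ActiveDirectory

$forests = @('account.example', 'resource.example')   # placeholder forest DNS names
$props   = @('mail', 'userPrincipalName', 'msExchRecipientTypeDetails', 'msExchMasterAccountSid')

# Collect every mail-enabled user from every forest and remember where it came from
$all = foreach ($f in $forests) {
    Get-ADUser -Server $f -LDAPFilter '(mail=*)' -Properties $props |
        Select-Object @{ n = 'Forest'; e = { $f } }, mail, userPrincipalName, Enabled,
                      msExchRecipientTypeDetails, msExchMasterAccountSid
}

# Group on mail (case-insensitive) and test each group against the assumptions
$findings = foreach ($g in ($all | Group-Object -Property mail)) {
    $enabled   = @($g.Group | Where-Object { $_.Enabled })
    # Any non-zero recipient type detail means the object holds an Exchange mailbox
    $mailboxes = @($g.Group | Where-Object { $_.msExchRecipientTypeDetails -gt 0 })
    # 2 = linked mailbox (assumed msExchRecipientTypeDetails value)
    $linked    = @($g.Group | Where-Object { $_.msExchRecipientTypeDetails -eq 2 })

    if ($enabled.Count -gt 1) {
        # Sync engine will pick one account and ignore the others
        [pscustomobject]@{ Mail = $g.Name; Issue = 'MultipleEnabledAccounts'; Forests = ($enabled.Forest -join ',') }
    }
    if ($mailboxes.Count -gt 1) {
        # Only one mailbox will contribute GAL attributes
        [pscustomobject]@{ Mail = $g.Name; Issue = 'MultipleMailboxes'; Forests = ($mailboxes.Forest -join ',') }
    }
    if ($linked.Count -gt 0 -and $enabled.Count -eq 0) {
        # Linked mailbox with no sign-in account: not exported to Azure AD at all
        [pscustomobject]@{ Mail = $g.Name; Issue = 'LinkedMailboxWithoutActiveAccount'; Forests = ($linked.Forest -join ',') }
    }
}

$findings | Sort-Object Issue, Mail | Format-Table -AutoSize
```

Run it from a machine that can reach a domain controller in every forest, the same reachability requirement the sync server itself has. Each row is a person the default configuration will handle differently from what an administrator probably expects, so the list doubles as the work queue for cleaning up duplicate accounts before cutover.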
Multiple forests, multiple sync servers to one Azure AD tenant
Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. The exception is the use of a staging server.
This topology differs from the one below in that multiple sync servers connected to a single Azure AD tenant are not supported. (While not supported, this still works.)
Multiple forests, single sync server, users are represented in only one directory
In this environment, all on-premises forests are treated as separate entities. No user is present in any other forest. Each forest has its own Exchange organization, and there's no GALSync between the forests. This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL. In the preceding picture, each object in every forest is represented once in the metaverse and aggregated in the target Azure AD tenant.
Multiple forests: match users
Common to all these scenarios is that distribution and security groups can contain a mix of users, contacts, and Foreign Security Principals (FSPs). FSPs are used in Active Directory Domain Services (AD DS) to represent members from other forests in a security group. All FSPs are resolved to the real object in Azure AD.
Multiple forests: full mesh with optional GALSync
A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.
If Exchange is present in more than one forest, there might optionally be an on-premises GALSync solution. Every user is then represented as a contact in all other forests. GALSync is commonly implemented through FIM 2010 or MIM 2016. Azure AD Connect cannot be used for on-premises GALSync.
In this scenario, identity objects are joined via the mail attribute. A user who has a mailbox in one forest is joined with the contacts in the other forests.
Multiple forests: account-resource forest
In an account-resource forest topology, you have one or more account forests with active user accounts. You also have one or more resource forests with disabled accounts.
In this scenario, one (or more) resource forest trusts all account forests. The resource forest typically has an extended Active Directory schema with Exchange and Lync. All Exchange and Lync services, along with other shared services, are located in this forest. Users have a disabled user account in this forest, and the mailbox is linked to the account forest.
Microsoft 365 and topology considerations
Some Microsoft 365 workloads have certain restrictions on supported topologies:
| Workload | Restrictions |
|---|---|
| Exchange Online | For more information about hybrid topologies supported by Exchange Online, see Hybrid deployments with multiple Active Directory forests. |
| Skype for Business | When you're using multiple on-premises forests, only the account-resource forest topology is supported. For more information, see Environmental requirements for Skype for Business Server 2015. |
If you are a larger organization, consider using the Microsoft 365 PreferredDataLocation feature. It lets you define the datacenter region in which each user's resources are located.
Staging server
Azure AD Connect supports installing a second server in staging mode. A server in this mode reads data from all connected directories but does not write anything to connected directories. It uses the normal synchronization cycle and therefore has an updated copy of the identity data.
In a disaster where the primary server fails, you can fail over to the staging server. You do this in the Azure AD Connect wizard. This second server can be located in a different datacenter because no infrastructure is shared with the primary server. You must manually copy any configuration change made on the primary server to the second server.
You can use a staging server to test a new custom configuration and the effect that it has on your data. You can preview the changes and adjust the configuration. When you're happy with the new configuration, you can make the staging server the active server and set the old active server to staging mode.
You can also use this method to replace the active sync server. Prepare the new server and set it to staging mode. Make sure it's in a good state, disable staging mode (making it active), and shut down the currently active server.
It's possible to have more than one staging server when you want to have multiple backups in different datacenters.
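Because configuration changes on the primary server must be copied to the staging server by hand, the two drift apart unless someone checks. The PowerShell below is an added example, not code from the Microsoft article or the Azure AD Connect product: run on each sync server, it snapshots the scheduler state, the connectors and the customer-created sync rules with the ADSync module's Get-ADSyncScheduler, Get-ADSyncConnector and Get-ADSyncRule cmdlets, writes the snapshot to JSON, and a second function compares two snapshots. The output path is a placeholder, and the use of an empty ImmutableTag to identify custom rules and the ConnectorTypeName property name are assumptions about those cmdlets' output objects.

```powershell
# Added example (not from the Microsoft article): snapshot an Azure AD Connect server's
# configuration so a primary server and its staging server can be compared for drift.
Import-Module ADSync

function Get-SyncServerSnapshot {
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        StagingMode      = [bool]$sched.StagingModeEnabled
        SyncCycleEnabled = [bool]$sched.SyncCycleEnabled
        # One string per connector: type and name, sorted so order doesn't cause false diffs
        Connectors       = @(Get-ADSyncConnector |
                             ForEach-Object { "$($_.ConnectorTypeName):$($_.Name)" } | Sort-Object)
        # Rules without an ImmutableTag are customer-created (assumed); record direction,
        # precedence and name so a precedence change shows up as a difference
        CustomRules      = @(Get-ADSyncRule | Where-Object { -not $_.ImmutableTag } |
                             ForEach-Object { "$($_.Direction)/$($_.Precedence)/$($_.Name)" } | Sort-Object)
    }
}

function Compare-SyncServerSnapshot {
    param(
        [Parameter(Mandatory)] [string] $PrimaryPath,
        [Parameter(Mandatory)] [string] $StagingPath
    )
    $p = Get-Content -Raw $PrimaryPath | ConvertFrom-Json
    $s = Get-Content -Raw $StagingPath | ConvertFrom-Json

    # Exactly one server should be exporting to Azure AD and to the connected directories
    if (-not $p.StagingMode -and -not $s.StagingMode) {
        Write-Warning "Both $($p.Computer) and $($s.Computer) are active; only one server may be out of staging mode."
    }
    if ($p.StagingMode -and $s.StagingMode) {
        Write-Warning "Both servers are in staging mode; nothing is being exported to Azure AD."
    }

    foreach ($section in 'Connectors', 'CustomRules') {
        $diff = Compare-Object -ReferenceObject @($p.$section) -DifferenceObject @($s.$section)
        if ($diff) {
            Write-Output "Drift in ${section}:"
            # '<=' only on primary (not yet copied), '=>' only on staging (stale or extra)
            $diff | ForEach-Object { Write-Output "  $($_.SideIndicator) $($_.InputObject)" }
        } else {
            Write-Output "${section}: identical"
        }
    }
}

# Usage on each server (placeholder path), then compare the two files from either one:
Get-SyncServerSnapshot | ConvertTo-Json -Depth 4 | Set-Content "C:\Temp\$env:COMPUTERNAME-adsync.json"
# Compare-SyncServerSnapshot -PrimaryPath C:\Temp\SYNC01-adsync.json -StagingPath C:\Temp\SYNC02-adsync.json
```

Schedule the snapshot after every configuration change on the primary, and treat any `<=` line as a change still to be copied to the staging server. The two warnings are the states the article rules out: two active servers against one tenant is unsupported, and two staging servers means no one is exporting.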
Multiple Azure AD tenants
We recommend having a single tenant in Azure AD for an organization. Before you plan to use multiple Azure AD tenants, see the article Administrative units management in Azure AD. It covers common scenarios where you can use a single tenant.
Sync AD objects to multiple Azure AD tenants
This topology implements the following use cases:
- AADConnect can synchronize the users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial. For more details on options, see [Planning identity for Azure Government applications](/azure/azure-government/documentation-government-plan-identity).
- The same Source Anchor can be used for a single object in separate tenants (but not for multiple objects in the same tenant). The verified domain can't be the same in two tenants, so further steps are needed for the same object to carry a different UPN in each tenant.
- You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to - one AADConnect server cannot synchronize to more than one Azure AD tenant.
- It is supported to have different sync scopes and different sync rules for different tenants.
- Only one Azure AD tenant sync can be configured to write back to Active Directory for the same object. This includes device and group writeback as well as Hybrid Exchange configurations – these features can only be configured in one tenant. The only exception here is Password Writeback – see below.
- It is supported to configure Password Hash Sync from Active Directory to multiple Azure AD tenants for the same user object. If Password Hash Sync is enabled for a tenant, then Password Writeback may be enabled as well, and this can be done on multiple tenants: if the password is changed on one tenant, then password writeback will update it in Active Directory, and Password Hash Sync will update the password in the other tenants.
- It is not supported to add and verify the same custom domain name in more than one Azure AD tenant, even if these tenants are in different Azure environments.
- It is not supported to configure hybrid experiences that utilize forest level configuration in AD, such as Seamless SSO and Hybrid Azure AD Join (non-targeted approach), with more than one tenant. Doing so would overwrite the configuration of the other tenant, making it no longer usable. You can find additional information in Plan your hybrid Azure Active Directory join deployment.
- You can synchronize device objects to more than one tenant but a device can be Hybrid Azure AD Joined to only one tenant.
- Each Azure AD Connect instance should be running on a domain-joined machine.
Note
Global Address List Synchronization (GalSync) is not done automatically in this topology and requires an additional custom MIM implementation to ensure each tenant has a complete Global Address List (GAL) in Exchange Online and Skype for Business Online.
GALSync by using writeback
GALSync with on-premises sync server
You can use FIM 2010 or MIM 2016 on-premises to sync users (via GALSync) between two Exchange organizations. The users in one organization appear as foreign users/contacts in the other organization. These different on-premises Active Directory instances can then be synchronized with their own Azure AD tenants.
Using unauthorized clients to access the Azure AD Connect backend
The Azure Active Directory Connect server communicates with Azure Active Directory through the Azure Active Directory Connect backend. The only software that can be used to communicate with this backend is Azure Active Directory Connect. It is not supported to communicate with the Azure Active Directory Connect backend using any other software or method.
Next steps
To learn how to install Azure AD Connect for these scenarios, see Custom installation of Azure AD Connect.
Learn more about the Azure AD Connect sync configuration.
Learn more about integrating your on-premises identities with Azure Active Directory.