Key Differences between Essentials Dashboard Azure AD Integration and Azure AD Connect
Alex Fields
Windows Server Essentials Dashboard allows you to connect your on-premises domain to Azure Active Directory and Office 365. Arguably the best feature of this mechanism is the same one that is the primary benefit of Azure AD Connect or DirSync: the ability to sync local passwords into the Microsoft Cloud.*
But we need to understand something–the Essentials Dashboard integration is not the same as Azure AD Connect or DirSync. They are altogether different technologies, and they should not be blended together. In the screenshots below, you can see that from the point of view of the Office 365 Admin portal, Active Directory synchronization is not enabled, but the Essentials Dashboard integration is.
Let us explain a few key differences here briefly.
The Essentials Azure AD integration is not a directory synchronization
By default, Azure AD Connect will synchronize everything from your local Active Directory into an Azure Active Directory tenant in the cloud. And I mean everything. All of your accounts, and the attributes associated with those accounts (you can even sync extended/custom attributes if you want to). By contrast, Windows Server Essentials will not sync all of your attributes. Only certain types of information can be written into the cloud from the Dashboard: simple properties like account names, aliases, group memberships, passwords and account status (active, disabled, removed).
In a true Directory Synchronization scenario, if you make any changes to in-scope AD accounts that reside on-premises, then those changes will be reflected in the cloud upon the next sync (configurable down to 30 minutes currently). It doesn’t work that way in Windows Server Essentials. Sync is not performed on a schedule–instead information is written into the cloud only when you explicitly tell the Essentials Dashboard to do something.
For example, if you add an alias address to a mail-enabled account, Essentials does not update the proxyAddresses attribute in your local Active Directory and then perform a sync from there; instead, it simply writes these addresses directly into Exchange Online right when you edit them through the Essentials Dashboard.
Similarly, when you add user accounts, deactivate them, change passwords and so on, the changes happen immediately, because there is no scheduled sync like you might expect with Azure AD Connect; instead it is just writing the information live into your Microsoft Online tenancy. Therefore, changes you make on-premises are going to be reflected instantly in the cloud.
With Azure AD Connect, you can also choose to enable OU or attribute filtering in order to control which accounts you decide to sync, or indeed, whether to sync certain attributes at all. By contrast, the Windows Server Essentials Dashboard does not give you the ability to filter by attributes or OU; instead you enable Microsoft Cloud accounts on a per-user basis. Basically, if the integration is enabled, then you either have a Microsoft Cloud account associated with your on-premises account, or you do not. You will notice that it is still possible to create an on-premises account that does not have an associated cloud account, and vice-versa.
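The differences described above (the tenant-level sync flag the admin portal shows, per-user cloud accounts that are not directory-synced, and aliases that Essentials writes straight into Exchange Online without touching the on-premises proxyAddresses attribute) can be checked from a single script. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the MSOnline and ActiveDirectory modules are installed on a domain-joined admin workstation and that on-premises userPrincipalName values match the cloud UPNs.

```powershell
# Added example (not from the original article). Assumes the MSOnline and
# ActiveDirectory PowerShell modules are installed and that on-premises
# userPrincipalName values match the cloud UPNs. Connect-MsolService prompts
# for tenant admin credentials.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# 1. Tenant-level view: this is the flag the Office 365 admin portal reflects.
#    With only the Essentials Dashboard integration it stays $false; with
#    Azure AD Connect / DirSync it is $true and LastDirSyncTime is populated.
$company = Get-MsolCompanyInformation
"DirectorySynchronizationEnabled : $($company.DirectorySynchronizationEnabled)"
"LastDirSyncTime                 : $($company.LastDirSyncTime)"

# 2. Per-account view: classify every enabled on-premises user.
$cloudUsers = @{}
Get-MsolUser -All | ForEach-Object { $cloudUsers[$_.UserPrincipalName.ToLower()] = $_ }

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties proxyAddresses, mail |
  ForEach-Object {
    $upn   = $_.UserPrincipalName
    $cloud = if ($upn) { $cloudUsers[$upn.ToLower()] }

    $state = if (-not $cloud)                { 'NoCloudAccount' }
             elseif ($cloud.LastDirSyncTime) { 'DirSynced' }              # written by Azure AD Connect / DirSync
             else                            { 'CloudAccountNotSynced' }  # Essentials Dashboard-style account

    # Alias drift: Essentials writes aliases directly into Exchange Online and
    # never updates on-premises proxyAddresses, so the two lists can differ.
    # -like is case-insensitive, so 'smtp:*' matches primary (SMTP:) and
    # secondary (smtp:) addresses alike; Substring(5) strips the prefix.
    $onPremAliases = @($_.proxyAddresses | Where-Object { $_ -like 'smtp:*' } |
                       ForEach-Object { $_.Substring(5).ToLower() })
    $cloudAliases  = @()
    if ($cloud) {
        $cloudAliases = @($cloud.ProxyAddresses | Where-Object { $_ -like 'smtp:*' } |
                          ForEach-Object { $_.Substring(5).ToLower() })
    }
    $cloudOnlyAliases = $cloudAliases | Where-Object { $onPremAliases -notcontains $_ }

    [pscustomobject]@{
      SamAccountName   = $_.SamAccountName
      UPN              = $upn
      CloudState       = $state
      CloudOnlyAliases = ($cloudOnlyAliases -join ';')
    }
  }

$report | Sort-Object CloudState | Format-Table -AutoSize
```

The CloudOnlyAliases column is the useful part for an Essentials domain: a non-empty value is normal there (the Dashboard never writes those aliases back to AD), but the same column being non-empty in an Azure AD Connect domain means someone has edited a synced object directly in the cloud, which is worth investigating.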
So… what are the drawbacks of the Essentials Experience integration?
For most SMBs, there won’t really be any. In fact, it is rather nice to be able to make a change through the Dashboard and know that it will just take effect immediately both on-premises and in the cloud. With Azure AD Connect, by contrast, you may find yourself waiting for a replication to happen, or forcing a manual sync with PowerShell after making certain changes.
Here I must highlight something that could be annoying, or at least confusing, to first-time Essentials administrators. Certain changes that you need to have reflected in both on-premises and cloud-enabled accounts can be made either in the Dashboard, or through traditional tools such as Active Directory Users & Computers, while others can only be done successfully through the Dashboard. For example, I can change a password through either method, and the change will be available immediately on-premises and online. But deactivating an account, if I want the deactivation to take place for both, will require using the Essentials Dashboard.
For this reason, I usually just recommend that admins make all changes through the Essentials Dashboard, and avoid using the legacy tools, unless they know what they are doing, and have good reason to do so.
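The "forcing a manual sync with PowerShell" step mentioned above, for the Azure AD Connect side, looks like this. It is an added example rather than code from the article; it assumes it is run in an elevated session on the Azure AD Connect server itself, where the ADSync module is installed, and it uses the scheduler cmdlets that module provides.

```powershell
# Added example (not from the original article). Run on the Azure AD Connect
# server in an elevated PowerShell session; the ADSync module ships with
# Azure AD Connect.
Import-Module ADSync

# Show the scheduler: AllowedSyncCycleInterval is the floor (30 minutes),
# CurrentlyEffectiveSyncCycleInterval is what actually runs.
$sched = Get-ADSyncScheduler
$sched | Select-Object AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
                       NextSyncCycleStartTimeInUTC, SyncCycleEnabled, SyncCycleInProgress

if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
    return
}

# Kick off a delta sync instead of waiting for the next scheduled cycle.
# (-PolicyType Initial would re-import everything; Delta is the usual choice.)
Start-ADSyncSyncCycle -PolicyType Delta

# Poll until the cycle completes so the script can be chained with verification
# (for example, checking LastDirSyncTime on the tenant afterwards).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)

if ($inProgress) {
    Write-Warning 'Sync cycle did not finish within 10 minutes; check the Synchronization Service Manager.'
} else {
    'Delta sync cycle finished.'
}
```

Nothing like this exists for the Essentials Dashboard: there is no scheduler to query and no cycle to start, because each Dashboard action writes to the tenant as it happens.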
Why you might want to use Azure AD Connect
If you plan to implement ADFS for single sign-on, for example, or enable password write-back, then you’ll want to disable the Microsoft Cloud services integration in the Essentials Dashboard, and just use Azure AD Connect instead. This will also allow you to utilize attribute filtering, and sync extended and custom attributes into the cloud, instead of just the most common ones exposed through the Dashboard interface.
It is important to choose the tool which best aligns with your business objectives. For most of my clients, I usually recommend forgoing the Essentials Dashboard integration in favor of the more robust Azure AD Connect tool, but if all you’re looking for is ease of management and reliable password synchronization, then the Essentials Dashboard is a great option to have.
*If you want to peek under the hood a little more to see how Windows Server Essentials password synchronization works, open the Group Policy Management console from Administrative Tools and check out the GPO that it put in place. No such mechanism is necessary with Azure AD Connect, which uses a background service to sync directory information instead.
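To do the "check out the GPO" step from PowerShell rather than the GPMC GUI, and to keep a record of what the policy actually applies, the following added example (not code from the article or from Microsoft) enumerates matching GPOs and exports a settings report for each. It assumes the GroupPolicy module is available; the display-name pattern is a placeholder, since the article does not name the GPO, so substitute the name you see in GPMC.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module (RSAT, or run directly on the Essentials server). The GPO display
# name pattern below is a PLACEHOLDER; set it to the name of the policy the
# Dashboard created once you have identified it in GPMC.
Import-Module GroupPolicy

$namePattern = '*Password*'   # PLACEHOLDER: adjust to the Essentials GPO's actual display name
$outDir      = Join-Path $env:TEMP 'gpo-reports'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Get-GPO -All | Where-Object { $_.DisplayName -like $namePattern } | ForEach-Object {
    # Summary of ownership and last change: an unexpected edit to a GPO that
    # configures password synchronization deserves a second look.
    [pscustomobject]@{
        DisplayName      = $_.DisplayName
        Id               = $_.Id
        Owner            = $_.Owner
        ModificationTime = $_.ModificationTime
        GpoStatus        = $_.GpoStatus
    }

    # Full HTML report of every setting the GPO applies, for offline review.
    $file = Join-Path $outDir ("{0}.html" -f ($_.DisplayName -replace '[\\/:*?"<>|]', '_'))
    Get-GPOReport -Guid $_.Id -ReportType Html -Path $file
}

"Reports written to $outDir"
```

Keeping a dated copy of the report makes it easy to diff the policy later and confirm that nothing beyond the Essentials-created settings has been added to it.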