A common requirement for companies with an established on-premises Active Directory environment is the ability to leverage their existing on-premises user and group accounts. Reusing these accounts significantly reduces operational costs and gives end users easier access to the Microsoft cloud services the company has subscribed to.
Directory sync is a foundational scenario of the identity and access management solution for integrating with Azure Active Directory. With directory sync, you manage the entire lifecycle of your cloud user and group accounts using your on-premises Active Directory management tools. Implementing this scenario lets you automatically provision and de-provision user and group accounts in the cloud based on the information in your on-premises Active Directory.
Directory sync works on a scheduled basis: changes made to objects, or to their attributes, in your on-premises Active Directory are periodically synced to your Azure AD tenant, as shown in the following diagram.
Objects that were created in the cloud and are not linked to objects in your on-premises directory continue to be managed in the cloud.
Implementing directory sync in your environment brings several benefits:
- Reduced administration costs – Leveraging your existing on-premises user and group accounts eliminates the need to manage them manually in Azure AD, removing a costly manual operation from your budget.
- Improved productivity – Automating the synchronization of user and group accounts significantly reduces the time it takes to make cloud-based services accessible to your employees.
- Increased security – Automated provisioning and deprovisioning of user and group accounts ensures that only the people who genuinely require access to your corporate assets have it, and only for as long as they need it.
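To make the lifecycle described above concrete, here is an added example, not from the original page or from Microsoft: a small Python model of one sync cycle that provisions, re-enables, disables and deletes synced cloud accounts from an on-premises snapshot while leaving cloud-only objects untouched. The dataclasses, `plan_sync` and the sample accounts are constructed for illustration and do not reproduce Azure AD Connect's actual sync rules.

```python
"""Constructed model of the directory-sync lifecycle (not Azure AD Connect's engine).
The on-premises snapshot is authoritative for synced objects; cloud-only objects are left alone."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class OnPremUser:
    object_guid: str   # immutable on-prem identity, used as the source anchor
    upn: str
    enabled: bool

@dataclass
class CloudUser:
    upn: str
    enabled: bool
    source_anchor: Optional[str] = None   # None: created in the cloud, never synced

def plan_sync(on_prem: List[OnPremUser], cloud: List[CloudUser]) -> Dict[str, List[str]]:
    """Return the actions one scheduled sync cycle would apply to the cloud tenant."""
    actions: Dict[str, List[str]] = {k: [] for k in ("create", "enable", "disable", "delete", "untouched")}
    by_anchor = {u.source_anchor: u for u in cloud if u.source_anchor is not None}
    seen = set()
    for src in on_prem:
        seen.add(src.object_guid)
        tgt = by_anchor.get(src.object_guid)
        if tgt is None:
            actions["create"].append(src.upn)    # provision: new on-prem account
        elif src.enabled and not tgt.enabled:
            actions["enable"].append(tgt.upn)    # account re-enabled on-prem
        elif not src.enabled and tgt.enabled:
            actions["disable"].append(tgt.upn)   # deprovision: cloud access revoked on the next cycle
    for anchor, tgt in by_anchor.items():
        if anchor not in seen:
            actions["delete"].append(tgt.upn)    # on-prem object deleted: cloud copy removed
    actions["untouched"] = [u.upn for u in cloud if u.source_anchor is None]  # cloud-only objects
    return actions

# Constructed sample snapshot of both directories.
ON_PREM = [
    OnPremUser("guid-alice", "alice@contoso.example", True),
    OnPremUser("guid-bob", "bob@contoso.example", False),     # leaver: disabled on-prem
    OnPremUser("guid-carol", "carol@contoso.example", True),  # new hire: not yet in the cloud
]
CLOUD = [
    CloudUser("alice@contoso.example", True, "guid-alice"),
    CloudUser("bob@contoso.example", True, "guid-bob"),
    CloudUser("dave@contoso.example", True, "guid-dave"),      # its on-prem object was deleted
    CloudUser("breakglass@contoso.example", True),             # cloud-only admin, never synced
]

if __name__ == "__main__":
    for action, upns in plan_sync(ON_PREM, CLOUD).items():
        print(f"{action:9s} {upns}")
```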