Why you need to upgrade Azure AD Connect by November – and how to do it right

  • Posted on April 14, 2020
  • Estimated reading time 4 minutes

Microsoft recently announced that older versions of Azure AD Connect will be “deprecated” as of November 1, 2020 – putting many businesses at risk of no longer receiving security updates, support and new features for the widely used identity sync tool.

However, as enterprises increasingly rely on hybrid identity solutions, this deprecation deadline raises a much more strategic question for them to address. Do you plug the gap today using a temporary approach – or do you make the move to a more future-proof, cloud native solution?
The path you take, as always, depends on your unique situation and goals. So, let’s explore.

What does this news mean? The risks and impact
First, a little more detail on the announcement. According to Microsoft, as of November 1, 2020, all versions of Azure AD Connect that are more than 18 months old will be deprecated. It will affect all organizations that run Azure AD Connect sync versions and older. Microsoft will re-evaluate the deprecation of older versions of Azure AD Connect every time a new version is released.

With more enterprises than ever using Azure AD Connect to bridge on-premises and cloud identity, this deadline affects enterprises everywhere, especially those relying on highly customized solutions that they avoid upgrading too often, or those who haven’t been able to turn on auto-updates.

If you fail to upgrade to a newer, supported solution, this could be extremely troublesome and costly. For example, if you suffer some kind of outage or downtime issue, Microsoft could refuse support once they realize your version is out of date. It also means your solution will stop benefiting from ongoing updates, security fixes and new features being rolled out to Azure AD Connect.

Fixing it the old-fashioned way: A tactical response
The most natural and obvious way to prevent this issue is simply to upgrade your Azure AD Connect sync installation to a supported version. Microsoft has shared resources outlining three basic ways to do this, namely: Automatic, In Place and Swing. Choosing the right path here depends largely on how complex and customized your Azure AD Connect sync solution is, and on whether you are able to turn on auto-updates.

The upside of these approaches is that for many businesses, doing so will be quick and straightforward. And beyond the time it takes to actually make the shift, you will likely not have to come up with any additional budget or purchase new licenses.

The downside is that it’s a process you are likely going to have to repeat, again and again, in the future. Furthermore, if your hybrid identity has a complex or customized configuration, the Azure AD Connect sync upgrade project may require additional time and resources to plan and implement. Which brings us to the more strategic approach, which Avanade recommends.

The strategic approach: Cloud provisioning
The future-proof approach is to migrate from Azure AD Connect “sync” to “cloud provisioning”. Cloud provisioning will reduce the need for constant upgrading of the Azure AD Connect servers and simplify identity provisioning in the long run, as more of your applications move to the cloud. With cloud provisioning, all the identity provisioning and synchronization moves to the cloud. This also reduces the on-premises infrastructure footprint, requiring only the installation of lightweight provisioning agents for your legacy data center applications, which act as a bridge to the cloud.

In addition, clients who migrate from Azure AD Connect sync to Azure AD Connect cloud provisioning will receive the following benefits:

  • Support for synchronizing to an Azure AD tenant from multiple disconnected Active Directory forests. This can be helpful to clients going through mergers and acquisitions.
  • Multiple provisioning agents can be deployed to ensure resilient deployments.
  • You won’t have to re-do the upgrading process all over again in another 18 months the next time Microsoft “deprecates” older versions.

At the time of writing, Azure AD Connect cloud provisioning supports 61% of the features that are available in Azure AD Connect sync, and Microsoft is working hard to ensure feature parity between both products.

Next steps
We recommend that organizations with up to 50,000 objects per AD domain and without requirements for customization of attribute flows and writeback (Exchange, devices, password etc.) migrate to Azure AD Connect cloud provisioning as early as possible. For clients that require these features, or support for non-AD LDAP directories, Azure AD Domain Services, Pass-Through Authentication or synchronization of customer-defined AD attributes, we recommend piloting Azure AD Connect cloud provisioning in their environment.

Piloting allows running Azure AD Connect sync side by side with Azure AD Connect cloud provisioning. This will help with the adoption of the next generation of Azure AD Connect while keeping the features that are not yet supported by Azure AD Connect cloud provisioning. Furthermore, it will allow a smoother migration to Azure AD Connect cloud provisioning once feature parity is achieved. Check out this tutorial by Microsoft on the prerequisites for piloting cloud provisioning and its configuration in an existing hybrid AD environment.
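Before choosing between an in-place upgrade and a cloud provisioning pilot, it helps to know what you are running. The script below is an added example, not part of the original post or of Microsoft's tooling: it reads the installed Azure AD Connect version from the Windows Uninstall registry entries, reports the auto-upgrade state, and counts the synchronized object classes per domain against the 50,000-object guideline above. It assumes it runs on the Azure AD Connect server with the ADSync module (installed with the tool) and the RSAT ActiveDirectory module available.

```powershell
# Added example (not from the original post): inventory the Azure AD Connect sync
# server against the criteria discussed in this article.
# Assumptions: run as a local administrator on the Azure AD Connect server, with the
# ADSync module (ships with the tool) and the RSAT ActiveDirectory module present.
Import-Module ADSync
Import-Module ActiveDirectory

# Installed version and install date, taken from the Uninstall registry entries.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$aadc = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
        Select-Object -First 1
if (-not $aadc) { throw 'Azure AD Connect does not appear to be installed on this host.' }

# Auto-upgrade state: Enabled, Disabled or Suspended. Suspended means the tool itself
# decided the configuration is not eligible, which is typical for customized setups.
$autoUpgrade = Get-ADSyncAutoUpgrade

# The article's guideline for recommending cloud provisioning: up to 50,000 objects
# per domain. Counted here as the classes the sync engine handles by default:
# user (which also covers computer objects), group and contact.
$threshold  = 50000
$ldapFilter = '(|(objectClass=user)(objectClass=group)(objectClass=contact))'
$domains = foreach ($domain in (Get-ADForest).Domains) {
    $count = (Get-ADObject -LDAPFilter $ldapFilter -Server $domain -ResultSetSize $null |
              Measure-Object).Count
    [pscustomobject]@{
        Domain         = $domain
        Objects        = $count
        UnderThreshold = ($count -le $threshold)
    }
}

# Summary for the upgrade-versus-pilot decision.
[pscustomobject]@{
    Version     = $aadc.DisplayVersion
    InstalledOn = $aadc.InstallDate      # yyyyMMdd string; may be empty
    AutoUpgrade = $autoUpgrade
    Domains     = ($domains | Format-Table -AutoSize | Out-String).Trim()
} | Format-List
```

The install date only tells you when the server was built, not when that build was released, so compare the reported DisplayVersion against Microsoft's Azure AD Connect version history to judge the 18-month rule.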

Learn more about Avanade's security expertise and services, or get help with your upgrade.

Robbie Leggett

Nice post Farhad, really useful to know!

April 14, 2020
