Creating and Managing Synchronized Users – Managing Users and Groups

As you will learn in Chapter 4, Implementing and Managing Identity Synchronization with Azure AD, the process of identity synchronization replicates your on-premises identity in Azure AD. Whether you are using Azure AD Connect sync, Azure AD Connect Cloud sync, or a third-party product, the process is largely the same: an on-premises agent or service connects to both Active Directory and Azure Active Directory, reads the objects from Active Directory, and re-creates a corresponding object in Azure AD.

During this provisioning process, the on-premises and cloud objects are linked through a unique, immutable attribute that stays the same throughout the lifecycle of the object.

Exam Tip

Originally, an on-premises object was linked to its cloud object by base64-encoding the raw 16 bytes of the on-premises object's objectGUID and storing the result in the cloud object's ImmutableID attribute (the source anchor). Modern versions of Azure AD Connect change this a little and also make use of ms-DS-ConsistencyGuid. The ms-DS-ConsistencyGuid attribute in Active Directory is blank by default; once Azure AD Connect is configured during setup to use ms-DS-ConsistencyGuid as the source anchor, it copies each object's objectGUID value into that object's ms-DS-ConsistencyGuid attribute the first time the object is synchronized, and the ImmutableID is derived from that value from then on. Because objectGUID is generated when an object is created (an account migrated to another domain or forest receives a brand-new objectGUID), a writable value such as ms-DS-ConsistencyGuid that can be carried over to the migrated object lets organizations preserve the link between the on-premises and cloud identities across the Active Directory domain migrations that accompany mergers, acquisitions, and divestitures.
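The following PowerShell is an added example, not code from the book or from Azure AD Connect itself. It shows the actual encoding behind the ImmutableID (base64 of the GUID's raw bytes in .NET's Guid.ToByteArray() order, not base64 of the GUID's text), the reverse conversion for tracing a cloud object back to its on-premises source, and a helper that reads a user's objectGUID and ms-DS-ConsistencyGuid from AD and reports the ImmutableID you should expect to find on the cloud side. The function names and the sample GUID are invented for the illustration; the live helper assumes a domain-joined machine with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the book): ImmutableID <-> objectGUID conversion and a
# source-anchor consistency check. Function names and the sample GUID are made up.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # Azure AD Connect base64-encodes the 16 raw bytes of the GUID, in the
    # mixed-endian order returned by Guid.ToByteArray(); it is NOT the base64
    # of the GUID's string representation.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: base64 -> 16 bytes -> GUID, for finding the on-premises
    # object that a cloud object's ImmutableID points at.
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId does not decode to a 16-byte GUID (got $($bytes.Length) bytes)"
    }
    [guid]::new($bytes)
}

# Constructed sample: a made-up GUID standing in for a real objectGUID.
$sample    = [guid]'12345678-1234-1234-1234-123456789abc'
$immutable = ConvertTo-ImmutableId -Guid $sample
"objectGUID $sample -> ImmutableID $immutable"

# Round trip must return the same GUID, otherwise the encoding is wrong.
if ((ConvertFrom-ImmutableId -ImmutableId $immutable) -ne $sample) {
    throw 'round-trip mismatch'
}

function Get-ExpectedSourceAnchor {
    # Live check (needs the ActiveDirectory module and read access to the user).
    # Reports the anchor value Azure AD Connect should have used for this user.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $consistency = $u.'mS-DS-ConsistencyGuid'   # byte[] or $null

    if ($consistency) {
        $anchorGuid = [guid]::new([byte[]]$consistency)
    } else {
        # Blank until Azure AD Connect has written it on the object's first sync
        # with the ms-DS-ConsistencyGuid source anchor; until then the anchor is
        # the objectGUID itself.
        Write-Warning "$SamAccountName has no ms-DS-ConsistencyGuid yet; using objectGUID"
        $anchorGuid = $u.ObjectGUID
    }

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        ObjectGuid          = $u.ObjectGUID
        ConsistencyGuid     = if ($consistency) { $anchorGuid } else { $null }
        # A healthy object has ConsistencyGuid -eq ObjectGuid unless it was
        # migrated from another domain, in which case they legitimately differ.
        ExpectedImmutableId = ConvertTo-ImmutableId -Guid $anchorGuid
    }
}
```

To close the loop on the cloud side, compare ExpectedImmutableId with the value Azure AD holds for the same account, for example `(Get-MgUser -UserId $upn -Property OnPremisesImmutableId).OnPremisesImmutableId` from the Microsoft Graph PowerShell SDK. A mismatch after a domain migration usually means ms-DS-ConsistencyGuid was not carried across with the object, which is exactly the case the attribute exists to prevent.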

After Azure AD Connect has been deployed, you can create a new synchronized identity by creating a new user in the on-premises Active Directory. See Figure 2.5:

Figure 2.5 – Creating a new user through Active Directory Users and Computers

After synchronization is complete, the new user account is ready to sign in to the service. From the Microsoft 365 admin center, it's simple to visually distinguish between cloud and synchronized accounts. Figure 2.6 shows both a cloud user and a synchronized user:

Figure 2.6 – Displaying cloud and synchronized users

In the Sync status column, a cloud user is represented by a cloud icon, while the synchronized user is represented by a notebook icon.
