identity migration service
ADSS TSync vs Entra Cross-Tenant Sync: A Comprehensive Comparison
When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra native Cross-Tenant Sync to enable collaboration across tenants?

The ADSS Tenant Sync service for tenant-to-tenant synchronization is designed to maintain a single unified global address list between tenants. It synchronizes and provisions users or contacts between tenants, and it provisions guest accounts for Azure B2B sharing of applications and resources.

Cross-tenant synchronization automates creating, updating, and deleting Microsoft Entra B2B collaboration users across the tenants in an organization. It lets users access applications and collaborate across tenants while the organization continues to evolve.

Both solutions aim to streamline identity management, but they differ significantly in architecture, control, security, and overall functionality. Here is a closer look at each, with relatable examples to help you make an informed decision based on your organization's needs.

Architecture and Core Functionality

Imagine you are in charge of a large organization with multiple subsidiaries, each operating under its own Azure AD tenant. You need a solution to synchronize all of these identities, but you are unsure where to start.

ADSS Tenant Sync is a managed service provided by the Microsoft Consulting IMS team, utilizing a pull-push model. Synchronization rules are configured by Microsoft Consulting, and the ADSS server manages the identity synchronization. This model is often preferred by larger, complex organizations because it centralizes control and includes expert support. It is akin to outsourcing a specific task to a trusted expert who sets up and manages the solution for you.
Entra Cross-Tenant Sync, in contrast, is a native feature of Entra ID (formerly Azure AD) that follows a push-based model using SCIM (System for Cross-domain Identity Management). Synchronization happens directly from your source tenant, offering greater control and integration within your existing Microsoft ecosystem. It is like managing your internal processes with a powerful tool built into your existing system, with no third-party involvement.

Control, Authentication, and Security

The level of control and the security measures differ between these solutions, particularly for permissions and access management.

ADSS Tenant Sync requires permissions through Microsoft Graph and Exchange Online, demanding specific admin rights such as Exchange Recipient Admin rights and Write permissions for each object type you want to sync. Because the service holds write access in every connected tenant, scope those permissions to the object types you actually synchronize. This can feel like managing a series of security checkpoints where each part of the system requires specific access credentials to function properly.

Entra Cross-Tenant Sync, on the other hand, simplifies authentication: synchronization policies are configured directly within the source and target tenants through their cross-tenant access settings, and administrators on both sides must explicitly opt in (the target tenant allows inbound user synchronization, the source tenant configures the outbound provisioning). No separate service account or external identity store is involved. This reduces complexity and is easier to manage, especially in organizations that prioritize ease of access and streamlined workflows. It is more like a single access pass that works across the departments of one company, although both departments have to agree to issue it.

Data Management, Synchronization, and Filtering

When it comes to data handling, there are key differences in how each solution approaches storage and filtering.

ADSS Tenant Sync uses a centralized identity store hosted in Microsoft-owned Azure subscriptions before synchronizing data to the target tenants. This approach allows complex attribute filtering and customization, such as syncing users as guests or contacts with the desired attribute flows, and it even supports synchronizing distribution lists as contacts.
It is like having a centralized warehouse where all the data is stored and categorized, allowing flexibility in choosing what to sync and how to manage it. Note that the warehouse sits outside your tenants: the identity attributes you sync are held by the service, so review that against your data residency and privacy requirements.

In contrast, Entra Cross-Tenant Sync keeps identities within their respective tenants, with no external storage of identity data. This model benefits organizations concerned about data privacy, as identities stay in their home tenant. Entra Cross-Tenant Sync can provision users into the target tenant as either external members or guests, depending on configuration. However, it does not synchronize distribution lists or contacts. It is like keeping all documents in their respective departments so that sensitive information stays within the correct boundaries.

Both solutions support object filtering and attribute-based scoping, but ADSS offers more customization in attribute management, making it more flexible for organizations with intricate requirements.

Cost, API Support, and Suitable Use Cases

Cost and extensibility are crucial factors when deciding which solution to adopt.

ADSS Tenant Sync is a managed service delivered by Microsoft Consulting rather than a product feature, with a monthly fee attached. It is ideal for businesses requiring extensive customization, external guest management, and broader synchronization capabilities. Its use of Microsoft Graph and PowerShell APIs for extensibility also makes ADSS suitable for organizations that need advanced integrations and a highly tailored solution.

Entra Cross-Tenant Sync, on the other hand, is natively integrated into the Microsoft ecosystem. It requires a Microsoft Entra ID P1 license for each synchronized user, but the overall cost can be lower than ADSS, especially for organizations that do not need extensive customization. The solution uses APIs owned and maintained by the Microsoft Entra product team, offering a more straightforward, integrated experience.
Entra Cross-Tenant Sync is typically more suitable for organizations that prefer an easy-to-manage, cost-effective synchronization solution and do not require the advanced features of ADSS.

Choosing the Right Solution

Both ADSS Tenant Sync and Entra native Cross-Tenant Sync have distinct advantages, and the decision between them depends on your organization's specific needs.

ADSS Tenant Sync is a solid choice for businesses that need advanced features, such as customizable attribute flows, external guest management, and support for complex synchronization requirements, even at an additional cost. It suits multi-tenant organizations or those working with business partners that require a tailored solution.

Entra Cross-Tenant Sync is a cost-effective, native option that integrates seamlessly into your existing Microsoft environment. It is ideal for enterprises looking for a simpler, more integrated way to manage multi-tenant synchronization without complex customization, and it works well for organizations that prioritize streamlined workflows and less technical overhead.

In conclusion, whether you choose ADSS Tenant Sync or Entra native Cross-Tenant Sync depends on your organization's goals, the level of customization required, and your budget. Both offer effective ways to synchronize identities across tenants, and understanding these differences will help you select the one that aligns best with your infrastructure and long-term identity management goals.

Learn more about IMS and explore its migration capabilities today: read our latest insights on the IMS blog page, or watch related videos on our YouTube channel for a seamless, hassle-free migration experience. If you would like to discuss in person, reach out to us at imssales@microsoft.com and our team will connect with you.

IMS Efficient Migration Methods
The Active Directory Migration Service (ADMS), recently renamed Identity Migration Service (IMS), migrates users and workstations across domains and forests. It offers a variety of migration methods that cater to different organizational needs, improving the efficiency and flexibility of the migration process. IMS provides a unique self-service option with two variants, one for users on the corporate network and another for remote or VPN users, as well as admin-automated migrations, user-only migrations, and migrations for workstations shared by multiple users. This blog post explores the functionality and usage modes of each method and shows how it streamlines the migration process.

1. Self-Service Migration Method

Self-Service Portal Migration: Empowering Users and Streamlining IT

Self-Service Portal Migration is an ADMS mode that allows users to initiate their own migration, minimizing the need for IT intervention. This lets users, such as a CFO, choose when to migrate rather than having IT dictate the schedule. The method migrates a single user and their workstation, offering a streamlined and user-friendly experience. Users decide when to migrate within the timeframe IT specifies, which minimizes disruption to their work.

Benefits of Self-Service

Reduced IT Dependency: One of the most significant advantages of the self-service method is that it reduces the burden on the IT department.

Scalability: Customers have reported migrating up to 6,000 users in a week using this method, demonstrating its effectiveness for large-scale migrations.
Profile Translation: During a self-service migration, the profiles of other users on the same machine are also translated, even if those users have not migrated yet.

Improved Remote User Experience: Remote users face a different set of challenges from those on the corporate network, and ADMS has developed a unique solution that allows a user to migrate over VPN from any remote location.

2. User-Only Bulk Portal Method

Streamlining User Migration with the User-Only Bulk Portal

The User-Only Bulk Portal offers a streamlined, admin-driven process for migrating users without their associated workstations. It focuses solely on the user account, omitting the local profile and workstation migration steps, and is particularly useful in virtual client scenarios where user profiles do not exist in the traditional sense. Key aspects of this process:

Initiation: Admins add users to a designated security group in the source domain to mark them for migration.

User Input: Users can be entered manually in the Bulk Portal browser window or uploaded from a text file.

Migration Steps: The process migrates the user account, copies sIDHistory, migrates the password hash, and performs SharePoint and Exchange remediation where necessary.

3. Surrogate Method

Admin-Driven Workstation and User Profile Migration via ClickOnce

In many organizations, migrating workstations and user profiles is a complex undertaking, especially when multiple Active Directory (AD) accounts share a single workstation (many-to-one mapping). The surrogate method lets IT staff perform these migrations using a ClickOnce application, streamlining the process and minimizing end-user disruption.
Scenario: IT-Led Migration for Shared Workstations

Imagine an IT staff member who needs to migrate a workstation and all of the associated user profiles that are approved for migration. In this approach, the IT staff member is not migrating their own profile but acting on behalf of the users who share the workstation. They initiate the migration directly from the workstation, using a ClickOnce application that provides a user-friendly interface similar to the self-service portal.

Benefits of the Surrogate Method

Simplified Migration: The ClickOnce application provides a user-friendly interface, simplifying the migration process for IT staff.

Centralized Control: IT staff maintain control over the migration, ensuring it is performed consistently and according to organizational policy.

Reduced End-User Disruption: Because IT staff perform the migration, disruption to end users is minimized and the transition to the new environment is smooth.

Automated Updates: ClickOnce ensures that the migration tool is always up to date with the latest features and bug fixes.

By using this admin-driven approach, organizations can streamline workstation and user profile migrations, especially in complex scenarios involving multiple AD accounts and shared workstations.

4. Auto-Migration Method

Understanding Auto-Migration in ADMS

ADMS offers several modes of migration to suit different needs. Among these, Auto-Migration is an administrator-initiated process that requires no user interaction.

What is Auto-Migration?

Auto-Migration is set up by an administrator and needs nothing from the user. It can be started by a logon script, Group Policy, or a software deployment tool, and it can target the user, the computer, or both.
Although Auto-Migration is considered a "push mode" or forced migration, it uses the same migration engine as the self-service and other ADMS methods.

The Four Usage Modes of Auto-Migration

Auto-Migration in ADMS comes with four distinct usage modes, each designed for a specific migration scenario:

All Users: Targets all users within a specified scope. Useful when migrating an entire user base from one domain to another in a systematic way.

Logged-On User: Targets the user currently logged on to the system. Ensures that migration occurs for active users with minimal disruption.

Explicit User: Administrators specify the users to migrate. Helpful for specific accounts or when migrations need to be phased.

Workstation Only: Targets only the workstation. Helpful when you want to migrate the computer but not the user profile.

By understanding these modes, administrators can tailor their migration strategy to the requirements of their Active Directory environment.

Conclusion

The Identity Migration Service (IMS), formerly known as ADMS, is expanding its functionality to include cloud services. A tenant-to-tenant migration will be released first, followed by functionality to migrate customers from on-premises Active Directory to the cloud. The self-service, opt-in model currently used in ADMS will be available in these releases as well.

Learn more about IMS and explore its migration capabilities today: read our latest insights on the IMS blog, or watch related videos on our YouTube channel for a seamless, hassle-free migration experience. If you would like to discuss in person, reach out to us at imssales@microsoft.com and our team will connect with you.

Converting Active Directory Groups to Cloud-Only with ADGMS
If you find yourself creating and maintaining on-premises groups just so they will synchronize to your Entra tenant, it is time to free yourself from this time-consuming, potentially risky and outdated practice by converting them to cloud-only.

Converting your groups to cloud-only eliminates your dependence on legacy Active Directory Domain Services environments and lets you delegate their management without resorting to custom Active Directory permissions, outdated management interfaces, or VPN and remote access solutions when your administrators are part of today's remote workforce. Remember all those distribution groups your users could manage themselves before their mailboxes were migrated to Exchange Online? By converting those groups to cloud-only, your users can once again manage them themselves, which eliminates the need for custom group management tools or for your helpdesk to manage membership on their behalf.

So now that we have agreed it makes sense to convert your synced groups to cloud-only, what are your options?

There are several ways to convert groups to cloud-only, and they vary in cost and complexity: manual re-creation, which is time-consuming and error-prone; building your own Graph API or PowerShell scripts, which requires a solid understanding of Exchange, Active Directory and PowerShell as well as rigorous testing to ensure a working solution; or, worst case, re-using scripts found on the internet, which can have harmful results if you do not understand exactly what they do.

To simplify this process and keep it safe, the IMS team offers a turn-key managed solution called Active Directory Group Modernization Service, or ADGMS. ADGMS is a cloud-based, automated solution that connects to and monitors your Entra tenant and automatically re-creates groups whenever they are moved out of the scope of your Microsoft Entra Connect or Entra Cloud Sync configuration.
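Re-creating a group as cloud-only only succeeds once every group nested inside it already exists in the target, and a group that nests itself, directly or through a loop, has no valid order at all. The Python below is an added example, not ADGMS code or anything from the original post, showing how a re-creation order can be derived from a nesting report. It assumes the report has been reduced to a map of group name to the groups it directly contains (the DL-* names and their nesting are constructed for the example), runs a depth-first topological sort over that map so that member groups come out before the groups that contain them, and reports self-nesting and circular chains separately so they can be fixed before conversion. Groups that are part of a loop, or that contain a looped group, are left out of the order because no order can make them succeed.

```python
"""Plan the order in which nested distribution groups can be re-created.

Added example, not ADGMS code. A group can only be re-created as
cloud-only once every group nested inside it already exists, so the
valid order is a topological sort of the "contains" graph. Self-nesting
and circular nesting have no valid order and are reported separately.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: group -> groups it directly contains. Individual user
# members do not affect ordering and are omitted. The names are made up.
SAMPLE_NESTING: dict[str, list[str]] = {
    "DL-AllStaff": ["DL-Engineering", "DL-Sales"],
    "DL-Engineering": ["DL-Platform", "DL-Apps"],
    "DL-Platform": [],
    "DL-Apps": [],
    "DL-Sales": ["DL-Sales-EMEA"],
    "DL-Sales-EMEA": [],
    # Problem cases a nesting report is meant to surface:
    "DL-Loop-A": ["DL-Loop-B"],
    "DL-Loop-B": ["DL-Loop-A"],
    "DL-Self": ["DL-Self"],
}


def plan_recreation(nesting: dict[str, list[str]]) -> tuple[list[str], list[list[str]]]:
    """Return (creation_order, cycles).

    creation_order lists groups so that every group appears after all the
    groups it contains. cycles lists each circular chain found, as the groups
    in the loop starting at the group where the loop closed. Groups that take
    part in a cycle, or that contain one, are left out of creation_order.
    """
    # Groups referenced only as members become leaf groups with no nesting.
    graph: dict[str, list[str]] = defaultdict(list)
    for parent, members in nesting.items():
        graph[parent].extend(members)
        for member in members:
            graph.setdefault(member, [])

    WHITE, GREY, BLACK = 0, 1, 2  # unvisited, on the current path, finished
    colour: dict[str, int] = {g: WHITE for g in graph}
    order: list[str] = []
    cycles: list[list[str]] = []
    tainted: set[str] = set()  # groups that are in, or contain, a cycle

    def visit(group: str, path: list[str]) -> None:
        colour[group] = GREY
        path.append(group)
        for member in graph[group]:
            if colour[member] == GREY:
                # Back edge to a group still on the path: that is the loop.
                cycles.append(path[path.index(member):])
                tainted.add(group)
            elif colour[member] == WHITE:
                visit(member, path)
            if member in tainted:
                tainted.add(group)  # cannot be built while its member cannot
        path.pop()
        colour[group] = BLACK
        if group not in tainted:
            order.append(group)  # members were appended before this point

    for group in sorted(graph):  # sorted for deterministic output
        if colour[group] == WHITE:
            visit(group, [])
    return order, cycles


if __name__ == "__main__":
    creation_order, loops = plan_recreation(SAMPLE_NESTING)
    print("Create in this order:", " -> ".join(creation_order))
    for loop in loops:
        print("Fix nesting before converting:", " -> ".join(loop + loop[:1]))
```

The sorted iteration only fixes tie-breaking between independent groups; any order the function returns satisfies the members-before-parents rule, which is the property to check against the real report before a conversion run.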
ADGMS captures each group's membership, including any nesting, as well as its email addresses, send and receive restrictions, manager or owner, and even extended attributes, and uses all of this data to re-create the group as cloud-only immediately. ADGMS also reports on all nested groups in your tenant, identifying any circular or self-nesting that might otherwise affect mail flow and management. These reports feed your group modernization strategy by ensuring you re-create groups in the correct order: a group that contains other groups can only be re-created once those member groups exist.

The beauty of ADGMS is that it is fully automatic and customer-driven. Once ADGMS is enabled, you control the quantity and pace of your group modernizations and ADGMS does the heavy lifting. Because ADGMS preserves all email routing addresses, your users will not even notice that a group has been converted to cloud-only.

It is important to note that while ADGMS can radically change your cloud administration model, it does not modernize security groups by default. That said, across the tens of thousands of groups already modernized with ADGMS, we have found that most legacy mail-enabled security groups exist in Entra primarily for email routing rather than for securing cloud resources. Confirm that before converting, because a distribution group cannot be used to grant access; where it holds, the group can be modernized into a cloud-only distribution group and the on-premises group mail-disabled and left as a security-only group.

How to take advantage of ADGMS

If you are interested in reducing the administrative burden of on-premises groups currently synchronizing to Entra, and in leveraging a proven managed solution for migrating those groups to cloud-only resources, contact the IMS team for more information about ADGMS.

Learn more about IMS and its capabilities, and start hassle-free migrations today, on our YouTube channel. Want to speak with an expert?
Reach out to us at imssales@microsoft.com to connect with a sales representative.

IMS Project Success Story
When Complexity Meets Transformation

Imagine overseeing a merger and a divestiture concurrently while also restructuring the internal domain for thousands of users, all without interrupting daily operations. This was the challenge faced by a prominent manufacturing company in Taiwan. The requirements were significant:

Ensure continuous application access for employees.

Move only selected user profiles to the target domain.

Perform workstation migrations with precision.

Adapt to evolving business needs.

Clearly, this was no ordinary migration project. The challenge was to accomplish all of this without disrupting the organization's operations.

The Identity Migration Service (IMS) Solution: Addressing User Migration Challenges

During the merger and divestiture, a significant challenge emerged: migrating thousands of users along with their workstations and applications in a complex environment with real potential for disruption. Microsoft's Identity Migration Service (IMS) provided the solution. With its robust toolset and flexible migration methods (self-service, admin-driven, bulk mode and the surrogate method), IMS offered exactly what was needed for the task:

The self-service method allowed users to manage their own migrations, reducing the workload on IT staff.

The admin-driven approach let administrators control critical aspects of the process, ensuring security and oversight.

Bulk mode enabled simultaneous migration of large groups of users, improving efficiency.

The surrogate method provided assistance for those who needed it, so nobody was left behind.

Application remediation was managed without affecting user access.

Selected user profiles were translated from source to target, with the solution customized to the customer's requirements.
The Azure infrastructure was scaled to keep up with the high migration volume.

Reporting was delivered according to the business requirements.

Results

IMS was crucial in efficiently migrating about 61,000 users and their workstations through multiple concurrent domain mergers and a divestiture.

Conclusion

IMS offers a comprehensive suite of tools and support services that cater to the needs of each organization, regardless of size or industry. The platform simplifies the migration process, enhances security, and minimizes downtime so that business operations remain uninterrupted.

Facing Migration Challenges?

Whether it is a merger, a divestiture, or a tenant or domain restructuring, Microsoft's IMS ensures a smooth transition. Learn more about IMS and its capabilities, and start hassle-free migrations today, on our YouTube channel. To contact a sales representative, send an email to imssales@microsoft.com.

What's in a Name?
Recently the ADMS (Active Directory Migration Service) changed its name to IMS (Identity Migration Service). If you are not familiar with the ADMS offering, it is an orchestration of technologies that migrates user and computer objects from one or many on-premises Active Directory domains to another. This is helpful in many scenarios, including mergers, acquisitions and divestitures. ADMS features include:

Secure connections to ADMS services for synchronization and migration.

Identity synchronization and transformation.

Group and user sIDHistory.

A unified migration portal with multiple migration methods.

An app remediation pipeline.

Many-to-one and one-to-many connections.

Client application flexibility: customer-supplied scripts can be added to meet individual customers' needs as migrations occur.

Preservation of user profiles.

The best feature, the crème de la crème if you will, is the self-service model. This means that your busy CFO (don't forget who pays the bills) can wait until he is free to opt into a migration rather than someone in IT dictating when he gets migrated. If you prefer the white-glove treatment, you can use surrogate migration, where skilled IT personnel perform the migration on behalf of a particular user.

Why Change?

Recently we took the opportunity to look at what the service provides and what lies ahead, and the name no longer fully fits what we do or what we intend for our product road map. Identity Migration Service is more encompassing of the features and functionality we are targeting across multiple services.

Why is this important?

We are using our years of experience, knowledge and expertise to extend our on-premises domain migrations to cloud services. The first release of IMS will debut a tenant-to-tenant migration for customers who have no on-premises footprint.
This will fully synchronize your directory from the source tenant into the target and perform the user migration and remediation tasks, as well as Entra join the workstation to the new Entra tenant while maintaining the user's profile. A following release will add functionality to migrate customers who have deployed on-premises Active Directory and are ready to step into the cloud. Our on-premises AD to Entra migration will work similarly to both tenant-to-tenant and AD-to-AD migration: user and group objects are synchronized, activated at migration time, and workstations migrated. It will offer the same self-service, opt-in model we currently use in ADMS.

Does this mean ADMS functionality is going away?

No, we are simply expanding the functionality to include the services our customers want and need. We understand that the ADMS feature set is still sought out by our customers, and we are committed to enabling customer migrations within every service.

Is ADMS/IMS just a migration solution?

No, it is a family of solutions. We have many services and tools that have helped customers navigate the logistical issues of identity transitions (migrations, modernizations, synchronizations, etc.). Our other current services include:

ADGMS - Active Directory Group Modernization Service, for converting on-premises synchronized distribution groups into cloud-only groups.

ADSS - Active Directory Synchronization Service. The backbone of our migrations is a customizable sync engine that applies business logic to the objects being synced and transformed between directories. Many of our solutions build on it, but it can also run as a standalone sync service.

TSync - Tenant Synchronization. Using the ADSS synchronization engine, we synchronize and transform objects between tenants.

SOA - Source of Authority. Customizable business logic applied to AAD Connect (now Microsoft Entra Connect) so that it can pivot the authoritative source of an object to another directory.
This allows AAD Connect to match the new, authoritative user with the correct identity in Entra.

Which IMS solution best fits your needs? Which features would you like to see on our roadmap? Have any questions about an existing service or functionality? Let us know in the comments or reach out to us at IMSSales@microsoft.com.