Darren Mar-Elia

Keeping directory sync in sync with security best practices

With Azure AD Connect, synchronizing directory data from on-premises Active Directory to Azure AD is both easy and efficient. But is it possible to have too much of a good thing?

Security best practices limit sharing to a strict need-to-know basis. However, Azure AD Connect synchronizes 151 attributes by default. You read that right: 151 attributes.

So, if you perform the “Express Settings” installation of Azure AD Connect, Azure AD will include a total of 151 attributes (excluding attributes that are null or not present) for every object synced from your on-premises Active Directory to Azure AD.

And depending on where your Azure AD is hosted (e.g. outside of the U.S.), some of these attributes – including five user-related attributes – may be further replicated to datacenters in the U.S.

It is important to note that the current version of Azure AD Connect is rather unforgiving: once an attribute has been synchronized, you can turn off updates, but the attribute remains (in an outdated state) in Azure AD. Therefore, it’s extremely important to get Azure AD Connect right the first time.

Limit your exposure

Default settings and express setups can be a busy IT admin’s best friend, and I often recommend them. After all, these settings and setups typically embody the vendor’s own recommendations and product best practices.

However, for many (or even most) organizations, the default level of synchronization in Azure AD Connect is not necessary from an operational perspective, nor is it desirable from a security perspective.

Remember that Azure AD is not just an extension of your on-premises Active Directory – rather, Azure AD is its own identity store with its own set of vulnerabilities. And when it comes to storing sensitive data in the cloud, less is best.

Therefore, I encourage you to consider customizing your installation of Azure AD Connect with the built-in and easy-to-use app and attribute filtering functionality.

Take control

App and attribute filtering – along with domain and OU filtering – give you considerable control over what gets synchronized from your on-premises Active Directory to Azure AD. While synchronization rules provide additional capabilities, filtering is sufficient in most cases and is the best place to start in any case.

And to help you get started, Semperis has published a white paper that you can download here.

I strongly encourage you to download the white paper: unnecessary synchronization of data undermines security and is difficult to undo. The white paper provides further explanation, additional limitations, and valuable usage tips.

Strike a balance

While synchronizing 151 attributes “just in case” may be overkill, bare-minimum synchronization of only required attributes may be unnecessarily stingy and cause operational issues. Like many things in life, it’s important to strike a balance. Since it’s easier to add attributes to synchronization than remove them, I recommend that you start conservatively with a limited set of attributes, actively monitor, and add attributes as needed.
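One way to support the “start conservatively, actively monitor” approach above, as an added example that is not part of the original post or the Azure AD Connect product: a script run on the Azure AD Connect server that compares the attributes selected for synchronization on the on-premises AD connector with an approved baseline and reports anything outside it. It assumes the ADSync PowerShell module is present and that the connector object returned by Get-ADSyncConnector exposes an AttributeInclusionList property (an assumption to verify on your version); the connector name and the baseline attribute list are constructed placeholders.

```powershell
# Added example: flag attributes Azure AD Connect will sync that are not on an
# approved baseline. Run on the Azure AD Connect server with ADSync installed.
Import-Module ADSync

# Placeholder: the name of your on-premises Active Directory connector.
$ConnectorName = 'contoso.com'

# Constructed baseline of attributes this organization has approved for sync.
# Start small and extend it deliberately; adding is easier than removing.
$ApprovedAttributes = @(
    'userPrincipalName', 'sAMAccountName', 'displayName', 'givenName', 'sn',
    'mail', 'proxyAddresses', 'objectGUID', 'accountExpires', 'userAccountControl'
)

function Get-UnapprovedSyncAttributes {
    param(
        [string]$Connector,
        [string[]]$Approved
    )
    $conn = Get-ADSyncConnector -Name $Connector
    # Attributes currently selected for synchronization on this connector.
    # AttributeInclusionList is assumed to be the property name; confirm locally.
    $selected = @($conn.AttributeInclusionList)
    # Set difference (PowerShell -notcontains is case-insensitive): selected but not approved.
    $selected | Where-Object { $Approved -notcontains $_ } | Sort-Object -Unique
}

$extra = @(Get-UnapprovedSyncAttributes -Connector $ConnectorName -Approved $ApprovedAttributes)
if ($extra.Count -eq 0) {
    Write-Output "Connector '$ConnectorName': only approved attributes are selected for sync."
} else {
    Write-Warning "Connector '$ConnectorName' selects $($extra.Count) attribute(s) outside the approved baseline:"
    $extra | ForEach-Object { Write-Output "  $_" }
}
```

Because an attribute that has already synchronized stays in Azure AD even after you deselect it, this check is most useful run before the first sync and then on a schedule to catch configuration drift early.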