Introducing our improved Azure Active Directory sync

Today, we finished releasing an updated version of our Azure Active Directory (AAD) sync functionality. This update contains a number of long-requested features, including support for custom attributes and significant performance improvements for both single user and full synchronizations.

Let’s take a look at what this update adds.

Performance improvements for single user and full synchronizations

The speed at which single user and full synchronizations run has been greatly increased with this new implementation. For particularly large directories, the time for a single user sync has dropped from over 20 minutes to 2 to 3 seconds.

Custom attributes

For directory syncs, Duo selects default mappings for attributes. However, customers sometimes have unique directory structures and may need to use different attributes for username (including aliases), email, or telephone. This is often a consequence of legacy decisions made when an on-premises Active Directory was mirrored up to Azure Active Directory in hybrid mode. To accommodate the unique structures of our customers’ directories, our goal is to allow customers to configure which field they will use for username (including aliases), email, and phone number, and to bring in additional fields from Active Directory.

Sync logging

Additional user metrics are made available to administrators in the sync logs:

  • Users seen: Total number of users that were processed in the sync
  • Users added: Total number of new users
  • Users removed: Total number of users removed
  • Users modified: Total number of changed users

Error reporting

Error messages are now clearer and provide direction on how to handle each error appropriately.

More consistency between Azure AD and on-premises Active Directory

For customers who use both on-prem AD and AAD, there will be greater parity in the experience.

Updating to the new AAD sync

All customers on a paid edition of Duo have access to this new version. If you are currently using AAD sync, you will need to reauthorize your sync after opting in to the new version.

To utilize the new functionality and reauthorize your synchronization:

  1. Log in to the Duo Admin Panel and navigate to Users > Directory Sync.
  2. Select your AAD sync configuration.
  3. Check the box labeled “Use new sync” and then click Save Directory.
  4. After the page reloads, click the Reauthorize button.
  5. Complete authentication with the designated Azure service administrator account that has the global administrator role for the Azure Active Directory.
  6. Click Accept in the prompt that appears.
  7. Repeat this process for each of your AAD synchronizations.

If you set up a new Azure Active Directory sync, it will have the “Use new sync” box checked by default.

We hope you find these new features helpful. Please let us know if you have any questions about these updates.
