As you already know, Azure Active Directory Connect (AAD Connect) is the easiest and quickest way to provision identities in Azure AD, especially for large organizations, while providing simple authentication methods for cloud services (password hash sync, Seamless SSO…).
That being said, you may find yourself in a position where you have to quickly provide cloud identities for other ‘independent’ entities in your organization (due to a merger or a historically disconnected environment) while you do not have the ability or the time to set up a trust relationship.
This challenge now has an answer with the new cloud provisioning feature of Azure AD Connect, which provides a lightweight synchronization solution to onboard a disconnected Active Directory.
Another advantage of this capability is that you can deploy multiple agents, providing high availability for the service (unlike the ‘full’ Azure AD Connect, which does not provide such capability unless you deploy a standby instance).
Before digging into this new feature (in preview), you need to ensure the following prerequisites are met:
- you have a global administrator account on your Azure AD tenant
- at least one Windows Server 2012 R2 or later server, joined to the disconnected domain, is available to run the provisioning agent:
  - with the .NET Framework 4.7.1
  - with TLS 1.2 enabled
  - NOTE: I have tested installing the agent on the domain controller itself and, while this is not clearly documented, it works: the agent can be installed, configured and synchronizes with Azure AD successfully
- the firewall allows outbound traffic from this/these server(s) on ports 80, 443 and 8080 (8080 is optional and is used if 443 cannot be used)
- firewall/proxy exceptions for:
  - *.msappproxy.net
  - *.servicebus.windows.net
  - login.windows.net
  - login.microsoftonline.com
  - mscrl.microsoft.com
  - crl.microsoft.com
  - ocsp.msocsp.com
  - www.microsoft.com
  - or, if you cannot filter by URL, you need to allow the Azure IP address ranges (see https://www.microsoft.com/download/details.aspx?id=41653)
You can test access using the test portal https://aadap-portcheck.connectorporttest.msappproxy.net/
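To avoid discovering a missing prerequisite halfway through the wizard, the pre-flight script below checks the items listed above from the candidate server. It is an added example, not part of the original post or of the Microsoft agent; the endpoint list and ports are the ones given above, the registry locations are the standard .NET and Schannel keys, and the assumptions (which hosts are tested on port 80, skipping the optional 8080 and the wildcard *.servicebus.windows.net entry) are marked in the comments.

```powershell
# Added example (not from the original post): pre-flight check for the
# cloud provisioning agent prerequisites. Run in an elevated PowerShell
# session on the server you intend to install the agent on.

$results = [ordered]@{}

# 1. Windows Server 2012 R2 (NT 6.3) or later
$os = Get-CimInstance Win32_OperatingSystem
$results['Windows Server 2012 R2 or later'] = [version]$os.Version -ge [version]'6.3'

# 2. Joined to a domain (the wizard later asks for the disconnected domain credentials)
$cs = Get-CimInstance Win32_ComputerSystem
$results['Domain joined'] = [bool]$cs.PartOfDomain

# 3. .NET Framework 4.7.1 or later: the Release DWORD 461308 corresponds to 4.7.1
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.7.1 or later'] = ($null -ne $ndp) -and ($ndp.Release -ge 461308)

# 4. TLS 1.2: Schannel client protocol not disabled, and .NET told to use strong crypto.
#    Assumption: an absent Schannel key means the OS default, which is "enabled" on 2012 R2+.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
$schannelOk = ($null -eq $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
$strongCryptoOk = ($null -ne $net) -and ($net.SchUseStrongCrypto -eq 1)
$results['TLS 1.2 enabled (Schannel client)'] = $schannelOk
$results['TLS 1.2 enabled (.NET SchUseStrongCrypto)'] = $strongCryptoOk

# 5. Outbound reachability. All hosts are tested on 443; the CRL/OCSP hosts also on 80.
#    Port 8080 is optional per the post and is not tested here. *.servicebus.windows.net
#    is a wildcard with no generic host to probe, so it is left to the test portal above.
$https = @(
    'login.windows.net',
    'login.microsoftonline.com',
    'www.microsoft.com',
    'aadap-portcheck.connectorporttest.msappproxy.net'   # representative *.msappproxy.net host
)
$httpAndHttps = @('mscrl.microsoft.com', 'crl.microsoft.com', 'ocsp.msocsp.com')

foreach ($h in $https) {
    $results["$h`:443"] = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}
foreach ($h in $httpAndHttps) {
    foreach ($p in 80, 443) {
        $results["$h`:$p"] = (Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# Report: one PASS/FAIL line per check, failures listed again at the end
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
$failed = @($results.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    ''
    "$($failed.Count) prerequisite check(s) failed; fix these before installing the agent."
}
```

A failed TCP test on a proxy-only network is expected when the server has no direct egress; in that case confirm the proxy exceptions instead and rely on the test portal above.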
Once all of these prerequisites are met, you can start using the cloud identity provisioning for disconnected AD feature by connecting to your Azure portal (https://portal.azure.com/) or Azure AD portal (https://aad.portal.azure.com/) and opening the Azure Active Directory\Azure AD Connect blade.
There you will see the new Manage provisioning (preview) feature, from which you download the lightweight agent and manage it.
Once the agent is downloaded, the installation steps are pretty simple and straightforward: accept the license terms (as always) and that’s it.
Then the configuration wizard will pop up (if not, a shortcut is available on the Desktop) and will ask you to connect to your Azure AD tenant.
Then (as with the ‘classic’ Azure AD Connect), you will have to connect to the disconnected domain.
You can even select the order in which domain controllers are contacted using the Select domain controller priority option.
That’s it for the configuration; you do not have to configure the synchronization or authentication options. All management capabilities are available only through the Azure AD/Azure portal.
Once the agent(s) is/are registered, when you refresh the Azure AD Provisioning blade you can confirm the agent(s) is/are up and running and successfully connected using the Review all agents option.
You can also check the state of the services:
- Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
- Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)
The New Configuration option then becomes available; use this option to configure the agent and define the various synchronization options.
As with Azure AD Connect, you can select whether you are syncing the full directory, just the members of a security group, or selected OUs (you can add multiple OUs).
If you want to sync selected OUs, you have to enter the OU path as a Distinguished Name (you cannot browse).
It is recommended to keep the password hash sync option enabled, even if you are not planning to use it.
An email address is then required to get notified if the agent(s) is/are becoming unhealthy.
When you go back to the main Azure AD Provisioning blade, the disconnected domain now shows up with its status and associated agents.
Configuration changes are synced every 2 minutes, while the provisioning interval is every 40 minutes.
All agent activities are logged in the Applications and Services Logs\AzureADConnect event log, under the source:
- AgentUpdater for agent update activities (you will see there whether there has been an update)
- ProvisioningAgent for provisioning activities
Important events for the ProvisioningAgent are:
- Event 14000 when the agent has started
- Event 14003 when a synchronization configuration has been applied/updated
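Since the portal only reports the agent as healthy or unhealthy, it helps to have a local check that ties the two services above to the event log entries just listed. The script below is an added example, not code from the original post or from the agent itself; the service display names, the AzureADConnect log name, the AgentUpdater/ProvisioningAgent sources and event IDs 14000/14003 are taken from the text above, and the 24-hour and 7-day look-back windows are assumptions for illustration.

```powershell
# Added example (not from the original post): post-install health check for the
# cloud provisioning agent, combining service state with the AzureADConnect log.

# Service display names as listed in the post
$serviceDisplayNames = @(
    'Microsoft Azure AD Connect Agent Updater',
    'Microsoft Azure AD Connect Provisioning Agent'
)

'--- Services ---'
$allRunning = $true
foreach ($name in $serviceDisplayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        "MISSING  $name"
        $allRunning = $false
        continue
    }
    '{0,-8} {1} (StartType: {2})' -f $svc.Status, $name, $svc.StartType
    if ($svc.Status -ne 'Running') { $allRunning = $false }
}

# Helper: query the AzureADConnect log for a given source and event IDs since a start time
function Get-AgentEvents {
    param(
        [string]$Provider,
        [int[]]$Ids,
        [datetime]$Since
    )
    $filter = @{ LogName = 'AzureADConnect'; ProviderName = $Provider; StartTime = $Since }
    if ($Ids) { $filter['Id'] = $Ids }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending
}

'--- ProvisioningAgent: start (14000) and config applied (14003) events, last 24 h ---'
$provEvents = Get-AgentEvents -Provider 'ProvisioningAgent' -Ids 14000, 14003 -Since (Get-Date).AddDays(-1)
if (-not $provEvents) {
    'No 14000/14003 events in the last 24 hours'
} else {
    $provEvents |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

'--- AgentUpdater: any activity in the last 7 days ---'
$updEvents = Get-AgentEvents -Provider 'AgentUpdater' -Since (Get-Date).AddDays(-7)
if (-not $updEvents) {
    'No AgentUpdater events in the last 7 days'
} else {
    $updEvents |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Select-Object -First 10 |
        Format-Table -AutoSize
}

# Overall verdict: both services running and the agent has logged a start event.
$lastStart = $provEvents | Where-Object Id -eq 14000 | Select-Object -First 1
if ($allRunning -and $lastStart) {
    "HEALTHY: agent last started $($lastStart.TimeCreated)"
} else {
    'UNHEALTHY: check service state above and the Review all agents view in the portal'
}
```

Because the provisioning interval is 40 minutes, a missing 14003 event after a configuration change in the portal is worth waiting a couple of minutes for (configuration changes sync every 2 minutes) before treating it as a problem.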
You can access the provisioning logs and other settings for the domain from the Enterprise Applications\All Applications blade: search for the synced domain using the All Applications type filter.
Then go to the Provisioning blade for the application.
This application is automatically deleted when you delete the configuration you created above.
Users and groups from the disconnected AD should now show up in your Azure AD.
In addition, a new synchronization account (ADToAADSyncServiceAccount) should also show up in your Azure AD.
You can provide feedback using the URL https://go.microsoft.com/fwlink/?linkid=2033943