If you are using Active Directory in your corporate network, Azure AD Connect is the tool you need to replicate your users and groups to your Azure Active Directory tenant. It is worth mentioning that Office/Microsoft 365, Azure and Dynamics online all use Azure Active Directory as their identity backbone.
Nowadays all of us juggle a variety of usernames and passwords, for work as well as for personal use. What if you could use a single identity for most of the services you need for your daily work? That would be very helpful, right?
Azure AD Connect allows the users of your organization to have one identity for their Microsoft services: the local identity (Active Directory Domain Services) plus the cloud identity (Azure Active Directory). In other words, users use the same username and password to access local resources, such as signing in to a domain-joined computer, and cloud services, such as Office 365 email.
The prerequisites to use Azure AD Connect are the following:
- Have an Azure AD Tenant.
- Add and verify the domain you plan to use in Azure AD.
- The AD schema version and forest functional level must be Windows Server 2003 or later.
- If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 R2 or later.
- It is recommended to enable the Active Directory recycle bin.
- The Azure AD Connect server must have the full GUI installed; installing on Server Core is not supported.
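The prerequisites above can be verified before the installer is run. The following PowerShell is an added example, not code from the original post or from Microsoft: it is a read-only check that uses the ActiveDirectory RSAT module and is meant to run on a domain-joined server. It also counts directory objects, since the post later notes that forests above 100,000 objects need a SQL Server instance. The forest name defaults to the current forest and the thresholds are taken from the list above; the regular expression for old domain controller versions is an assumption about how the OperatingSystem attribute is populated.

```powershell
# Added example: read-only prerequisite check for an Azure AD Connect deployment.
# Requires the ActiveDirectory module (RSAT). Nothing here changes the directory.
Import-Module ActiveDirectory

function Test-AadConnectPrereqs {
    param(
        # Assumption: check the forest this machine belongs to.
        [string]$ForestName = (Get-ADForest).Name
    )

    $forest = Get-ADForest -Identity $ForestName
    $schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion

    # Forest functional level must be Windows Server 2003 or later.
    $forestOk = $forest.ForestMode -notin @('Windows2000Forest', 'Windows2003InterimForest')

    # Password writeback needs every DC on Windows Server 2008 R2 or later.
    # Assumption: OperatingSystem reads like "Windows Server 2008 R2 Standard".
    $dcs    = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
    $oldDcs = $dcs | Where-Object { $_.OperatingSystem -match '2003|2008(?! R2)' }

    # Recommended: AD Recycle Bin enabled (EnabledScopes is empty when it is not).
    $rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinOn = $rb.EnabledScopes.Count -gt 0

    # Object count: above 100,000 objects plan for a SQL Server instance.
    $objectCount = (Get-ADObject -Filter * -ResultSetSize $null | Measure-Object).Count

    # Server Core is not supported for the Azure AD Connect server itself.
    $install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    [pscustomobject]@{
        ForestMode          = $forest.ForestMode
        ForestLevelOk       = $forestOk
        SchemaObjectVersion = $schema.objectVersion    # 30 or higher = Windows Server 2003 schema or later
        DcsBelow2008R2      = ($oldDcs | ForEach-Object { $_.Name }) -join ','
        RecycleBinEnabled   = $recycleBinOn
        ObjectCount         = $objectCount
        NeedsSqlServer      = $objectCount -gt 100000
        InstallationType    = $install
        IsServerCore        = $install -eq 'Server Core'
    }
}

Test-AadConnectPrereqs | Format-List
```

Run it on the server you intend to use for Azure AD Connect so that the InstallationType check reflects that machine; the forest-level values are the same from any domain member.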
Microsoft understands that your company may run a complex multi-forest environment or a simple single-forest one. The supported topologies below help you decide whether you can start using Azure AD Connect with your current scenario right now:
- Multi-forest, single Azure AD tenant.
- Existing forest with Azure AD Connect, new forest with cloud provisioning.
- Piloting Azure AD Connect cloud provisioning in an existing hybrid AD forest.
- Single forest, single Azure AD tenant.
One of the most important choices when setting up Azure AD Connect is which Azure authentication method to implement. Each method has advantages and disadvantages depending on your environment and on what you want to achieve in your hybrid setup.
The authentication methods are Password Hash Synchronization, Pass-through Authentication, and Federation.
1) Password Hash Synchronization is an excellent option to implement with Azure AD/Office 365. It simplifies the existing architecture without changing the user experience. Azure AD Connect synchronizes a hash of each user's password from the on-premises Active Directory instance to the cloud-based Azure AD instance.
Enabling Password Hash Synchronization in your organization provides significant advantages; you can start using services like Smart Lockout, IP Lockout, and the ability to discover leaked credentials, just to name a few. All these services use Microsoft’s telemetry which empowers organizations with Microsoft’s intelligence.
2) Pass-through authentication is common for organizations that have strict security and compliance policies. It provides the same benefit as cloud authentication to organizations that use Password Hash Synchronization.
The major difference between Pass-through Authentication and Password Hash Synchronization is that with Pass-through Authentication on-premises passwords are never stored in the cloud in any form. To allow Microsoft cloud services to communicate with your on-premises servers, you must ensure that the servers where the authentication agents are installed can make outbound requests to Azure AD.
3) Federation: Federating an on-premises AD environment with Azure Active Directory lets an organization use federation for authentication and authorization. With federation, the organization can ensure that all user authentication is performed on-premises. This method needs more on-premises infrastructure to work; it is strongly recommended to have at least two AD FS servers and two Web Application Proxy (WAP) servers for redundancy in these environments.
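The outbound-connectivity requirement for Pass-through Authentication (item 2 above) is the usual reason an agent shows as inactive. The following PowerShell is an added example, not code from the original post or from Microsoft: it tests TCP 443 from the agent server to the Azure AD sign-in endpoints and reports the agent service state. The two host names are the public Azure AD sign-in endpoints; the full list of hosts an agent needs is in Microsoft's Pass-through Authentication network requirements and should be passed in via -Hosts. The service name is an assumption about how the agent registers itself.

```powershell
# Added example: outbound check for a Pass-through Authentication agent server.
function Test-PtaOutbound {
    param(
        # Azure AD sign-in endpoints; extend with the hosts from Microsoft's PTA docs.
        [string[]]$Hosts = @('login.microsoftonline.com', 'login.windows.net'),
        [int]$Port = 443
    )
    foreach ($h in $Hosts) {
        # Test-NetConnection resolves the name and attempts a TCP handshake.
        $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host        = $h
            Port        = $Port
            DnsResolved = [bool]$r.RemoteAddress
            TcpOpen     = $r.TcpTestSucceeded
        }
    }
}

function Get-PtaAgentState {
    # Assumption: the agent's Windows service name.
    $svc = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Agent service not installed on this server' }
    return "Agent service status: $($svc.Status)"
}

$results = Test-PtaOutbound
$results | Format-Table -AutoSize
Get-PtaAgentState

# A blocked endpoint usually means an egress firewall or proxy rule is missing;
# fix that before looking at the agent itself.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) { Write-Warning ("Outbound blocked to: " + ($blocked.Host -join ', ')) }
```

If the server reaches the internet only through a proxy, Test-NetConnection bypasses it, so a failure here with a working proxy configuration is expected; in that case confirm the proxy settings the agent uses rather than the raw TCP path.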
Azure AD SSO:
With any of the authentication methods above, users in an organization can use the same username and password for local access and for Microsoft online services. As an administrator, however, you can make their life a little easier. With Azure Active Directory Seamless Single Sign-On enabled, users do not have to type their passwords, or even their usernames, to sign in to Azure Active Directory once they have logged on to the local Active Directory. The feature gives your users easy access to your cloud-based applications without requiring any additional on-premises components.
Seamless SSO is not applicable if you are using Active Directory Federation Services (ADFS). It only works with Password Hash Synchronization or Pass-through Authentication.
Seamless SSO also brings the following benefits:
- No additional infrastructure required to set up and configure SSO
- Can be controlled via Group Policy to specify who can use SSO
- No requirement for additional licensing to enable Seamless SSO
- Simply enabled via AD Connect
Azure AD Connect Health:
To monitor the identity infrastructure, Azure AD provides a service named Azure AD Connect Health. Every hour it checks the synchronization and performance of the connections between the on-premises environment and Azure AD and provides insights on them. It is the best place to find errors related to synchronization and performance.
It is important to mention that only one on-premises Azure AD Connect server can actively synchronize with your Azure AD tenant. However, you can install Azure AD Connect on a second server in staging mode. This gives you a high-availability scenario in case the primary Azure AD Connect server fails: all you need to do after a failure is disable staging mode on the second server, and it will start synchronizing your AD environment to Azure AD.
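Whether a given server is the active one or the staging standby is visible from its sync scheduler. The following PowerShell is an added example, not code from the original post or from Microsoft: it uses the ADSync module that ships with Azure AD Connect to report the server's role and, on the standby after staging mode has been switched off in the Azure AD Connect wizard, makes sure the scheduler is enabled and kicks off a sync cycle rather than waiting for the next scheduled run. The policy type chosen for the first run after failover is the author's assumption.

```powershell
# Added example: report the role of this Azure AD Connect server and, after the
# wizard has disabled staging mode on the standby, start synchronizing.
Import-Module ADSync

function Get-AadConnectRole {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server            = $env:COMPUTERNAME
        StagingMode       = $s.StagingModeEnabled               # $true = standby, exports nothing
        SyncCycleEnabled  = $s.SyncCycleEnabled
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval   # 30 minutes by default
        NextSyncStartUtc  = $s.NextSyncCycleStartTimeInUTC
        SyncRunning       = $s.SyncCycleInProgress
    }
}

function Start-FailoverSync {
    # Only one server may export to the tenant, so refuse to run while this
    # server is still in staging mode; staging mode is switched in the wizard.
    $s = Get-ADSyncScheduler
    if ($s.StagingModeEnabled) {
        throw 'Staging mode is still enabled; switch it off in the Azure AD Connect wizard first.'
    }
    if (-not $s.SyncCycleEnabled) {
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
    if ($s.SyncCycleInProgress) {
        return 'A sync cycle is already running; not starting another one.'
    }
    # Assumption: a full (Initial) cycle after a role change; Delta is the routine run.
    Start-ADSyncSyncCycle -PolicyType Initial
    return 'Initial sync cycle started.'
}

Get-AadConnectRole | Format-List
# Run the next line only on the standby, after the primary is confirmed down:
# Start-FailoverSync
```

Before running the failover, confirm that the former primary is really off or has itself been placed in staging mode; two servers exporting to the same tenant is the situation staging mode exists to prevent.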
AD Recycle Bin:
To avoid accidental deletion using hybrid environments, it is strongly recommended that you enable the AD Recycle Bin feature in the on-premises Active Directory. If a user object is deleted from the on-premises Active Directory, the user object will also be deleted from Azure AD the next time an Azure AD Connect sync runs (every 30 minutes by default). AD Recycle Bin provides a way to restore deleted users.
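Enabling the Recycle Bin and restoring an object from it can both be done from PowerShell. The following is an added example, not code from the original post or from Microsoft: it enables the feature for the forest (a one-way change) and restores a deleted user by sAMAccountName, then triggers a delta sync so the user returns to Azure AD before the next scheduled cycle removes it. The forest name and the account name are constructed placeholders.

```powershell
# Added example: enable the AD Recycle Bin and restore a deleted user.
Import-Module ActiveDirectory

function Enable-ForestRecycleBin {
    param([Parameter(Mandatory)][string]$ForestName)
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        return "Recycle Bin already enabled for $ForestName"
    }
    # Irreversible: once enabled the feature cannot be turned off again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
    return "Recycle Bin enabled for $ForestName"
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects are hidden unless -IncludeDeletedObjects is given. With the
    # Recycle Bin on, attributes such as sAMAccountName and lastKnownParent survive
    # for the deleted-object lifetime (180 days by default).
    $obj = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent
    if (-not $obj) { throw "No deleted object with sAMAccountName '$SamAccountName' found" }
    # Restore-ADObject puts the object back into its last known parent container.
    Restore-ADObject -Identity $obj.ObjectGUID
    return $obj.lastKnownParent
}

# Constructed placeholders: replace with your forest and the affected account.
Enable-ForestRecycleBin -ForestName 'corp.example.com'
Restore-DeletedUser -SamAccountName 'jdoe'

# Push the restored user back to Azure AD now instead of waiting up to 30 minutes.
# Run this part on the Azure AD Connect server (ADSync module ships with it).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

If the object was deleted before the Recycle Bin was enabled, it is a tombstone rather than a recycled object and most of its attributes are already gone; the filter above will still find it by sAMAccountName only if that attribute was preserved, which is why enabling the feature before it is needed is the recommendation.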
Another important point: if your Active Directory environment is large (more than 100,000 objects), you will need to give Azure AD Connect access to a SQL Server instance. To install Azure AD Connect in your infrastructure, you will need the following permissions, locally and in the cloud:
- AD DS Enterprise Administrator account
- Azure AD Global Administrator account
The versatility that Azure AD connect provides to the organizations that use hybrid environments is excellent. Depending on the needs of every company, there is a solution for them. It is a good time to start taking advantage of hybrid clouds.
Let us know in the comments how you liked this post and whether you would like to know more about implementing a hybrid environment in your organization. Feel free to contact us at firstname.lastname@example.org with any question you might have about Azure AD Connect.