Design for cloud/hybrid identity
- 9/19/2016
- Skill 1.1: Plan for Azure Active Directory identities
- Skill 1.2: Design for Active Directory synchronization with Azure AD Connect
- Thought experiment
- Thought experiment answer
Skill 1.2: Design for Active Directory synchronization with Azure AD Connect
Now that you have reviewed many of the technologies around Azure AD identities, you should next look at synchronizing an on-premises AD DS environment with Azure AD. Synchronization is required for some features, such as single sign-on. It also enhances users’ experiences when they access applications. Few users enjoy working with multiple usernames and passwords. You also need to review the design factors for single sign-on and work through some real-world integration scenarios. Then, look at the available tools, and discuss synchronization services and a feature named Connect Health, which monitors your environment for health when you are using Active Directory Federation Services (AD FS) as part of your environment.
Design single sign-on, Active Directory Integration scenarios, and Active Directory synchronization tools
In the previous section, you focused on identities at a high level. While you looked at SSO for applications, integration, and tools, you have yet to get into the details of the integration (especially the syncing). In this section, you are going to look at the details of SSO, integration scenarios that you can use for each of the cloud identities, and the synchronization tools that you can use to integrate AD DS and Azure AD. By the end of this section, you should be comfortable with all of the design considerations and high-level implementation steps required to integrate AD DS and Azure AD.
Single sign-on
SSO enables users to use a single username and password to access resources. It also enables users to sign into applications with their existing credentials. For example, if a user signs into a device with their AD DS credentials, they can gain access to a company SharePoint site without having to enter their name and password again. With Azure AD, there are a couple of ways to achieve SSO, as follows:
- Directory synchronization and federation with AD FS This option is the most complex, as noted earlier in the chapter when discussing federated identities.
- Directory synchronization and password synchronization This option is easy to set up and configure and provides a good user experience.
Take a look at some design considerations and requirements to see when SSO is needed and when to use each SSO method.
- An organization is moving everything to the cloud In this scenario, a company is opting to put everything in the cloud and not have anything beyond computing devices on-premises. In this scenario, users have only a cloud identity. By default, users have SSO throughout the Microsoft. You can integrate apps with Azure AD to expand SSO to SaaS apps, too.
- An organization is going to use Office 365 In this scenario, the company has on-premises technologies such as AD DS, file and print servers, and web servers. The company is going to use Office 365 for email, SharePoint, and Skype for Business. You can use cloud identities for Office 365 (thus, no SSO). However, the user experience is degraded. Users have to remember another password and user account management requires more IT administrative overhead. In this scenario, you can achieve a better user experience by using synced identities or federated identities. The user experience improves and you reduce IT administrative overhead in some areas.
- An organization has a security requirement mandate that AD DS password hashes not be transmitted outside of the company network In this scenario, you only have one way to achieve SSO through federation, where all authentication is validated by the internal AD DS environment.
- An organization wants SSO but with minimal IT administrative overhead In this scenario, you should look at the options for SSO and compare the administrative overhead of each. For synced identities, the administrative overhead is lower than it is for federated identities. Thus, in this scenario, you should use synced identities.
Active Directory integration scenarios
You’ve looked at integration scenarios so far in this chapter. These scenarios are the cloud identity, synced identity, and federated identity. You also reviewed these in detail earlier in this chapter while reviewing identities.
Active Directory synchronization tools
Not too long ago, you could use several tools to sync AD DS to Azure AD. The supported tools included DirSync, Azure AD Connect, Azure AD Sync, and Forefront Identity Manager (FIM). Microsoft has opted to build up the functionality in Azure AD Connect and make it the single tool for all directory synchronization needs. It is recommended that Azure AD Connect be the only tool to perform AD DS to Azure AD Synchronizations as it is the only one being actively developed and enhanced for AD DS to Azure AD Syncs. All of the other tools are still supported, but DirSync is going to be deprecated soon and eventually unsupported. It is likely that Azure AD Sync and FIM are going to be deprecated and unsupported eventually as well.
For the exam, you need to be intimately familiar with Azure AD Connect. You need to understand what its capabilities are, when you should use it (which was covered previously in this chapter), and how to install and configure Azure AD Connect with syncing. In addition to reading this book, you should spend a little time installing Azure AD Connect and configuring an AD DS to Azure AD Sync. It will help you on the exam.
Capabilities
Take a look at some of the capabilities of Azure AD Connect:
- Synchronize single forest and multi-forest AD DS environments to Azure AD As previously discussed, Azure AD Connect’s primary job is to sync AD DS to Azure AD.
- Synchronize specified app attributes (shown as “Azure AD app and attribute filtering” in Azure AD Connect) By default, Azure AD Connect synchronizes a specific set of attributes that are required for functionality of apps and SSO. But, if needed, you can filter out some of these. For example, if you have a security policy that mandates that email be stored on-premises, you could filter out Exchange Online Attributes from the sync.
- Writeback of devices This feature enables you to sync devices registered in Azure AD with your on-premises AD DS. The purpose of the device registration in AD DS is to use the devices for conditional access (access based on credentials and other factors, such as the device being used to gain access). There are two key things to know about this feature. One, you must prepare AD DS for device writeback. Two, you must configure the sync to support device writeback. On the Azure AD side, if you are not currently configured to enable users to join devices to Azure AD, you need to configure it.
- Writeback of attributes This feature, shown as Exchange Hybrid Deployment in Azure AD Connect, enables you to write attribute updates from Azure AD to AD DS. You need to use this option for some Exchange hybrid scenarios.
- Writeback of groups This feature enables you to sync Office 365 groups from Azure AD to your on-premises AD DS. This is used for hybrid Exchange environments. The groups synced from Azure AD to AD DS become distribution groups for on-premises use.
- Writeback of users This feature was in Azure AD Connect but was temporarily removed in the August 2015 update. This feature was in early preview (one stage before the Preview stage). It will likely be coming back soon. The feature enables you to sync Azure AD users to an on-premises AD DS environment. The key limitation of this feature is that the AD DS environment has to be unused at the time and Azure AD must be the source for all user objects.
- Writeback of passwords This feature enables password changes that originate in Azure AD to be written back to your on-premises AD DS environment. This enables users to change their password in their on-premises environment (by using AD DS) or in the cloud environment (using the Azure Access Panel and password writeback feature).
- Synchronize specified attributes (shown as Directory extension attribute sync in Azure AD Connect) If you need to sync additional attributes from AD DS to Azure AD, this feature is what you use. For example, if you store employee nicknames in an attribute that is not synced, you can configure the attribute to be synced.
- Synchronize password hashes for single or multi-forest AD DS environments to Azure AD When thinking about synchronizing password hashes, it is important to remember that passwords are not synced. Only password hashes are synced. And they are synced securely.
- Provide SSO. One of the primary features of Azure AD Connect, besides synchronization, is SSO (a byproduct of synchronization) SSO is often the reason why companies implement a sync to Azure AD.
Installing and Configuring Azure AD Connect
Now, review the initial installation and configuration process because there are some important key points for you to remember for the exam. In the following walk-through, you are going to install Azure AD Connect and configure it to sync the alpineskihouse.com domain. Alpine Ski House is going to use synced identities and wants password hashes to be synced from AD DS to Azure AD and from Azure AD to AD DS. Alpine Ski House has two AD DS forests in their on-premises environment. This walk-through explains the options that you select for this sync as well as other options that you don’t use for the sync.
- To begin, download Azure AD Connect from https://www.microsoft.com/download/details.aspx?id=47594.
- While signed in as a local Administrator on the server where you perform the installation, double-click AzureADConnect.msi.
On the Welcome To Azure AD Connect page, as shown in Figure 1-28, read the license terms and privacy notice that are linked to. Then, if you agree to the terms and privacy notice, select the I Agree To The License Terms And Privacy Notice check box. Then, click Continue.
FIGURE 1-28 The Welcome page during the Azure AD Connect installation and configuration
On the Express Settings page, as shown in Figure 1-29, you can opt to use the express settings (sync current AD forest, sync password hashes, start syncing, and sync all attributes). Or, you can opt to customize the sync configuration. For this example, you customize the sync configuration because you need to enable the password writeback feature, which isn’t part of the express settings. Click Customize to continue.
FIGURE 1-29 The Express Settings page where you can opt to customize the settings or continue with the default settings
On the Install Required Components page, shown in Figure 1-30, you can choose to use the optional configuration options. For your configuration, you do not opt for any of these features. Click Install to continue.
FIGURE 1-30 The Install Required Components page enables you to customize Azure AD Connect
- Specify a custom installation location This option enables you to install Azure AD Connect in a different location than the default location (C:\Program Files\Microsoft Azure Active Directory Connect).
- Use an existing SQL server This option enables you to use an existing SQL server in your environment. If you do not opt to use this option, Azure AD Connect installs SQL Server 2012 Express locally.
- Use an existing service account By default, Azure AD Connect will create an AD DS user account to use to run the Microsoft Azure AD Sync service. However, you can opt to create your own service account instead. If you do, you must use this option to specify the account. If your company has service account naming conventions or other security policies that cannot be met by having Azure AD Connect create the service account, then you should use this option.
Specify custom sync groups At the time of this writing, this feature functions only if Azure AD Connect is installed on a domain controller. The feature enables you to choose specific AD DS groups that will be included in the sync. Azure AD Connect will support AD DS groups from member servers in the near future.
On the User Sign-In page, shown in Figure 1-31, you can choose to use password synchronization or federation with AD FS. Choose password synchronization if you plan to use synced identities. If you plan to use federation, choose the federation with AD FS option. Optionally, if you have a third-party SSO solution, such as OKTA, you can opt to not configure SSO as part of Azure AD Connect. For this walk-through, you should use the default option of password synchronization. Click Next to continue.
FIGURE 1-31 The User Sign-In page displays the SSO options that you can use for Azure AD Connect
On the Connect To Azure AD page, shown in Figure 1-32, specify the Azure AD credentials to configure the sync. You must specify an Azure global administrator account. Click Next to continue.
FIGURE 1-32 The Connect To Azure AD page prompts you for credentials to connect to Azure AD
On the Connect Your Directories page (first page of 2 pages), shown in Figure 1-33, you need to specify a user account that is a member of the Enterprise Admins group. Then, click Add Directory to add the forest to the sync.
FIGURE 1-33 The Connect Your Directories page prompts you for credentials to your on-premises forest
On the Connect Your Directories page (second page of 2 pages), shown in Figure 1-34, the alpineskihouse.com forest is shown as configured. Click Next to continue.
FIGURE 1-34 The Connect Your Directories page prompts you for credentials to your on-premises forest
On the Uniquely Identifying Your Users page, shown in Figure 1-35, you can select from a couple of different options. For our walk-through, click the User Identities Exist Across Multiple Directories option, click the SAMAaccountNAME And MailNickName Attributes option, and then click Next. This is because our example organization has multiple forests.
FIGURE 1-35 The Uniquely Identifying Your Users page enables you to account for users that have accounts in multiple synced forests, if applicable
- Users are represented only once across all directories In a singled-domain forest, or in a multi-domain forest where all users only have a user account in one forest, you would use this option. Azure AD Connect doesn’t have to take any custom actions to account for users that have accounts in multiple forests.
- User identities exist across multiple directories In a multi-forest environment, where users might have accounts in more than one forest, you need to use this option to ensure that users are only represented in Azure AD once. For example, if a user named Bob Kelly has an account in three forests, he will have only a single account in Azure AD. You need to select the method to match users so that Azure AD Connect can match up the user’s accounts across the forests. For this walk-through, you are syncing alpineskihouse.com and already syncing tailspintoys.com. Thus, you are going to match users using the SAMAccountName and MailNickName attributes.
On the Filter Users And Devices page, shown in Figure 1-36, you can choose to synchronize all users and devices or only those that are members of a specified AD DS group. If you are testing, then you should synchronize a subset of users to reduce risk and complexity. In some cases, you might also want to synchronize a subset of users to easily control which accounts get synchronized. For this walk-through, maintain the default to synchronize all users and click Next.
FIGURE 1-36 The Filter Users And Devices page enables you to synchronize all users and devices or a defined subset of them
On the Optional Features page, shown in Figure 1-37, you can choose to enable optional features. By default, only the Password Hash Synchronization is selected. For our example, Alpine Ski House wants to sync password changes in both directions (password change from AD DS syncs to Azure AD and password change from Azure AD Syncs to AD DS). Select the Password Writeback check box and then click Next. Note that some of the optional features require configuration before configuring the sync option. When your environment is not configured for optional features, they appear dimmed (unavailable).
FIGURE 1-37 The Optional Features page enables you to choose optional features that enable additional functionality for your sync
On the Ready To Configure page, shown in Figure 1-38, you have two options. For this walk-through, you start the sync after the configuration completes. Click Install.
FIGURE 1-38 The Ready To Configure page enables you to set the staging mode for the server, if desired, and begins the installation
- Start the synchronization process as soon as the configuration completes (selected by default) You normally should use this option so that the sync begins as soon as possible. This way you know if the sync is working as expected, or if you need to change the configuration.
- Enable Staging mode: When selected, synchronization does not export any data to AD or Azure AD Thinking of Staging mode as a read-only mode. This is a key option and it might come up on the exam. Staging mode is a way for you to have a second sync server with the same configuration as your primary server, which you could use in the event of a failure. For example, if your primary sync server is in datacenter #1, you could create a staging sync server in datacenter #2 and the staging server could be made the active server if datacenter #1 has a catastrophic failure.
On the Configuration Complete page, shown in Figure 1-39, a completion message is displayed. Click Exit to finish.
FIGURE 1-39 The Configuration Complete page displays the installation status
Once Azure AD Connect is installed and configured, the syncing process runs as a scheduled task (using a dedicated user account created during the installation). You should check Azure AD to verify that user and group objects are syncing. Optionally, you can manipulate the scheduled task to have the sync run more often or less often, depending on your company’s requirements.
If you need to make changes to your sync configuration, you can run Azure AD Connect and customize the sync options.
Plan for Azure AD Synchronization services
Before Microsoft standardized on Azure AD Connect, the primary sync tool was Azure Active Directory Sync (Azure AD Sync). Azure AD Sync replaced DirSync. Now Azure AD Connect has replaced Azure AD Sync. Both tools share the same core functionality. In fact, the look and feel of the tools is very similar and they support the same integration scenarios. However, Azure AD Sync doesn’t support all of the newest optional features that Azure AD Connect supports. Figure 1-40 shows the optional features that are supported by Azure AD Sync.
FIGURE 1-40 Azure AD Sync’s optional features
This ER 70-398 exam measures specific skills that are listed at https://www.microsoft.com/learning/exam-70-398.aspx. The skills measured are defined in advance of the exam item development. Thus, sometimes a technology or term is listed as a measured skill but by the time the exam items are developed, a new name is being used or a new technology has taken over as the primary product. This is especially true with fast developing technologies such as Azure. For the exam, the skills you need to know are covered in the previous section, which discusses Azure AD Connect.
Design for Connect Health
Azure Active Directory Connect Health (Azure AD Connect Health) is a new feature in Azure that enables you to view the health and operations of your hybrid directory environment. It provides the following health information about your environment:
- AD FS health status If you have AD FS in your hybrid identity environment, you can quickly see if the environment is healthy or unhealthy.
- Azure AD Connect health status The health of your Azure AD Connect environment is displayed as health or unhealthy.
- AD DS health status This displays the health status of your on-premises AD DS environment. Note: The feature is not available at the time of this writing.
Look at some of the health information in the Azure portal. In Figure 1-41, the overview of two Azure AD Connect servers is shown, along with the operational alerts, and the status of the last export to Azure AD.
FIGURE 1-41 The overview, operations, and last export date of two servers in the Azure portal
In Figure 1-41, you can see two sync servers. One server, ASH-DC-01, is healthy and is shown with a green check mark. The other server, SERVER33, is unhealthy and is shown with a red exclamation point. You can click SERVER33 to find out more information about the problem. By doing so, the operational alerts for SERVER33 are displayed. You can then click the active alerts to display the alerts, as shown in Figure 1-42.
FIGURE 1-42 The Azure AD Connect Health alerts for an unhealthy server
By clicking the individual alerts, you can display more information about the alerts and view information about fixing any issues. In Figure 1-43, the information about the password synchronization issue is displayed.
FIGURE 1-43 Azure AD Connect Health displays potential fixes to health issues
Whether you are working with AD FS, Azure AD Connect, or your internal AD DS environment, or even all of them, you can perform the same tasks in Azure AD Connect Health to view health status, view operational alerts, and view detailed issue resolution steps.
Review the following additional information on this subject, which you need to know for the exam:
- Installing Azure AD Connect and configuring it to sync automatically provides health information to Azure AD Connect Health Included with Azure AD Connect is the Azure AD Connect Health agent.
- You need to download Azure AD Connect Health agents for monitoring AD FS This is applicable if you have AD FS and you want to add it to the monitoring. Without the agents, Azure AD Connect Health cannot monitor your AD FS environment.
- You can enable or disable automatic updating of your Azure AD Connect Health agent in the portal By default, automatic updating is enabled.
- You can enable Microsoft to access your health information This is used for troubleshooting, especially when on a support call with Microsoft.
- You need to open TCP port 80, 443, and 5671 in your firewalls The agent requires those ports to communicate with the Azure AD Connect Health service.
Summary
Azure AD Connect is the synchronization tool that you use to sync your on-premises AD DS environment with Azure AD. It offers several optional features to enhance the functionality of the sync including writeback of groups, writeback of passwords, writeback of attributes, and writeback of devices.
- While there have been other synchronization tools such as Azure AD Sync and DirSync, Microsoft is moving forward with a single sync solution with Azure AD Connect. The other tools are deprecated and no longer being updated. Eventually, support for the older sync tools will also expire.
- Azure AD Connect Health is a service that enables you to view the health and operations of your directory services environment including the health of AD FS, the health of your Azure AD Connect, and the status of your on-premises AD DS environment. Know what the system prerequisites are for Microsoft Intune, like assigning Intune as your MDM authority.