Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018

michaeltnoel 1,270 views 34 slides May 30, 2018

About This Presentation

As presented in Mainz, Germany on 30 May at the European Collaboration Summit 2018.


Slide Content

Office 365; Azure AD Connect: Technical Deep Dive
Michael Noel, CCO

Michael Noel (@MichaelTNoel)
- Authored 20 books, including the best-selling SharePoint, Exchange, and Windows Unleashed series
- Presented at over 220 events in over 80 countries around the world
- Microsoft MVP, first awarded in 2007
- Partner at Convergent Computing in the San Francisco Bay Area (cco.com)

Architectural Best Practices

Why Azure AD Connect?
- Quite simply, the most effective and supported method of syncing on-premises Active Directory with Azure Active Directory (Office 365's directory)
- Simplifies single sign-on (SSO) to SaaS applications
- Released by Microsoft in 2015, AADC combines functionality previously provided by multiple tools: DirSync, Active Directory Federation Services (though AD FS services are still required for federation), and AADSync
- Runs on a domain or workgroup member server; easy to configure

Design and Planning: AADC Consoles
- For most organizations, a single console server will suffice (take a snapshot or back up the configuration)
- For larger organizations, or organizations with high SLAs, consider deploying a secondary Azure AD Connect console, but run the second console in staging mode. In the event of an outage, turn off staging mode on the secondary server
- Recommended to run on a domain-joined system inside the network, with outbound traffic restricted to the Microsoft-defined IP ranges
- Alternatively, if policy dictates, it can be installed on a workgroup member in the DMZ, though note that a large number of ports must then be opened to the domain controllers inside the network

Supported Configurations
- Single domain / single forest / single tenant (Express mode default)
- Multiple forests / single AADC / single tenant
- Multiple forests / multiple AADC / multiple tenants (only one AADC per tenant!)

Advanced Supported Configurations
- Multiple forests, separate topologies
- Multiple forests: full mesh with optional GALSync
- Each object appears only once in an Azure AD tenant

Staging Server
- Configuring a dedicated server as a 'staging server' is the preferred failover and DR option for AADC
- A server in staging mode won't actually export any changes to Azure AD, but will keep its information up to date
- Failover simply involves turning off staging mode and running a full sync

Installation Best Practices

Install: Prerequisites and Software
Hardware:
- 2 GB RAM (4 GB for 5000+ users)
- 1 CPU (2 CPUs for 5000+ users)
- Typically a virtual server
Software:
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016 (preferred)
- Download link: http://is.gd/azureadconnect

Install: SQL Options
- Most organizations install a simple SQL Server Express instance for AADC (SQL 2008 R2 or later)
- Full SQL Server can be used if you need to utilize an existing farm
- AlwaysOn Availability Groups are now supported for AADC database failover

Express Settings vs. Custom
- Small organizations with a single domain/forest may choose Express Settings
- Express Settings does not allow much advanced customization, such as OU filtering, a custom service account, or many other things you may need
- Recommended to choose a custom install in most cases

Install: Custom Service Account
- If you don't choose a custom service account, Microsoft will create one for you. This account's name starts with MSOL_ and contains a long GUID
- In addition, the wizard will attempt to configure security settings for this account within the forest, adding root-level permissions
- Most organizations will likely prefer to control the creation of this account and assign it permissions only on the OUs that are necessary. A pre-created custom service account is therefore advised
- Rights required: http://is.gd/aadcsvc

Install: Choose SSO Option
- Password Hash Synchronization: copies the internal AD password hashes to the cloud, allowing SSO with the same username/password combination
- Pass-through authentication: option where the hash is NOT stored in the cloud; requires an on-premises agent
- Federation with AD FS: uses Microsoft AD FS for SSO; requires an AD FS setup
- Federation with PingFederate: new option, direct integration with Ping
- Do not configure: used if you are using another third party such as Okta

Azure AD Username
- Most organizations will use the User Principal Name (UPN) to create usernames in AADC (highly recommended)
- Options exist to choose other attributes for usernames, but use them only for fringe scenarios

OU Filtering
- Highly recommended to restrict AADC to sync only users within specific OUs
- This keeps Azure AD from being overpopulated with service accounts and other accounts that may never need to log in to cloud services
- This option also allows you to move objects to non-synced OUs for testing, migration, or other purposes

Identifying Users
- Source Anchor is a critical concept in AD
- Consider changing the defaults only in specific fringe scenarios
- ObjectGUID is no longer the default; Microsoft now defaults to using mS-DS-ConsistencyGuid as the source anchor

Group Filtering
- An option exists to filter objects out of the sync based on membership in a group
- Not a recommended option except for initial testing

Optional Features
- Microsoft provides multiple additional options when configuring AADC
- These options can be added at a later time as needed (such as when enabling Exchange hybrid)
- Options include: Exchange hybrid deployment; Exchange Mail Public Folders; Azure AD app and attribute filtering; Password writeback; Group writeback; Device writeback; Directory extension attribute sync

Recommendation: Wait to Sync Until All Changes Are Made and Validated
- At the end of the wizard, the default setting is to immediately start the synchronization process
- Recommended to wait to sync until all additional configuration has been done and you have tested in staging mode

Advanced Configuration

Advanced: Restrict by Attribute
- For attribute-level sync restrictions, create an inbound sync rule from within the Synchronization Rules Editor
- Be sure that your syntax is accurate. In the example shown, we are EXCLUDING all accounts whose employeeID attribute is NULL
- NOTE: These settings are overwritten during upgrades; ensure that you re-apply them after you update AADC

Synchronize Custom Extensions
- You may want to add additional fields from Active Directory to Azure AD. For example, you may want user mobile phone numbers synced from AD DS to Azure AD so that they can be used as part of SharePoint Online profiles
- Select which attributes to sync in the 'Directory Extensions' portion of the Azure AD Connect wizard

Multi-Geo (Tenants with >5000 Users): Preferred Data Location
- Allows tenants with more than 5000 users to store mailboxes in a preferred Microsoft datacenter: Asia Pacific (APC), Australia (AUS), Canada (CAN), European Union (EUR), India (IND), Japan (JPN), Korea (KOR), United Kingdom (GBR), United States (NAM)
- You must configure sync rules to join a custom internal attribute (e.g. extensionAttribute5) to the preferredDataLocation attribute in Azure AD
- See https://is.gd/o365multigeo for details

Self-Service Password Reset and Writeback
- Allow your users to reset their password directly in Office 365 and have the password synced back to AD DS
- The AADC service account must be granted the following rights in AD DS:
  - Reset password
  - Change password
  - Write permissions on lockoutTime
  - Write permissions on pwdLastSet
  - Extended rights on either the root object of each domain in the forest, or the user organizational units (OUs) you want to be in scope for SSPR

Accidental Delete Prevention and Overrides
- By default, AADC will not allow you to delete more than 500 objects during any one sync cycle
- You may need to change this temporarily, though it is recommended to leave it on during normal operations
- PowerShell commands:
  Disable-ADSyncExportDeletionThreshold (turns off accidental delete prevention)
  Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500 (enables accidental delete prevention with a threshold of 500)

GDPR Considerations: Azure AD Connect
The Azure AD Connect server stores the following user privacy data:
- Data about a person in the Azure AD Connect database. This is removed automatically when the user is deleted from the database; ensure you are syncing at least every 48 hours
- Data in the Windows event log files that may contain information about a person. Flush the event logs on the AADC server on a scheduled basis
- Data in the Azure AD Connect installation log files that may contain information about a person. Script a process to remove the Azure AD Connect installation logs every 48 hours
NOTE: Do NOT delete the PersistedState.xml file. It is used for upgrades and does not contain personal data.
Sample PowerShell script to delete installation log files:

    # Collect the full path of every file under the AADC installation log folder
    # (directories have no VersionInfo and so drop out of the list)
    $Files = ((Get-ChildItem -Path "$env:programdata\aadconnect" -Recurse).VersionInfo).FileName
    Foreach ($File in $Files) {
        # Do not delete PersistedState.xml: it is needed for upgrades and holds no personal data
        If ($File.ToUpper() -ne "$env:programdata\aadconnect\PERSISTEDSTATE.XML".ToUpper()) {
            Remove-Item -Path $File -Force
        }
    }

Useful PowerShell Commands
- Start-ADSyncSyncCycle -PolicyType Delta: start a manual delta sync immediately
- Start-ADSyncSyncCycle -PolicyType Initial: perform a full sync (only needed if you changed filtering options, modified a rule, or added attributes to sync)
- Stop-ADSyncSyncCycle: stop a running AD sync in order to make changes to the configuration
- Get-ADSyncScheduler: view the current scheduler configuration
- Set-ADSyncScheduler -SyncCycleEnabled $false: turn off sync (set to $true to turn it back on)
- Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00: change the sync schedule to synchronize every two hours
- Add-ADSyncAADServiceAccount: used to reset the AADC service account's password
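As an added example (not from the slides), the following script ties the cmdlets above together with those on the Accidental Delete Prevention slide: it lifts the export deletion threshold for exactly one delta cycle and restores the 500-object default in a finally block, so protection comes back even if the cycle fails or the operator aborts. It assumes the ADSync module on the AADC server, that Get-ADSyncScheduler output exposes a SyncCycleInProgress property, and that the threshold cmdlets prompt for Azure AD global administrator credentials.

```powershell
# Added example, not part of the presentation. Run on the active (non-staging) AADC server.
# Assumptions: ADSync module is installed; (Get-ADSyncScheduler).SyncCycleInProgress exists;
# Disable-/Enable-ADSyncExportDeletionThreshold prompt for Azure AD global admin credentials.
function Invoke-OneTimeBulkDeletionSync {
    param(
        [int]$RestoreThreshold = 500,   # AADC default from the slide
        [int]$TimeoutMinutes   = 30
    )
    Import-Module ADSync -ErrorAction Stop

    # Never lift the threshold while another cycle is exporting.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw "A sync cycle is already running; wait for it to finish first."
    }

    try {
        Write-Host "Disabling accidental-delete prevention for a single delta cycle..."
        Disable-ADSyncExportDeletionThreshold
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

        # Poll the scheduler until the cycle finishes or the timeout expires.
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        do {
            Start-Sleep -Seconds 15
            $running = (Get-ADSyncScheduler).SyncCycleInProgress
        } while ($running -and (Get-Date) -lt $deadline)

        if ($running) {
            Write-Warning "Cycle still running after $TimeoutMinutes minutes; restoring the threshold anyway."
        }
    }
    finally {
        # Always re-enable protection, even on error or Ctrl+C.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold
        Write-Host "Accidental-delete prevention re-enabled at $RestoreThreshold objects."
    }
}

Invoke-OneTimeBulkDeletionSync
```

Review the pending deletions (for example by exporting from a staging server first) before running this; the script only bounds how long the threshold stays off, it does not judge whether the deletions are intended.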

mS-DS-ConsistencyGuid: A Warning
- Azure AD Connect defaults to using mS-DS-ConsistencyGuid as the Source Anchor attribute
- This value needs to be unique across ALL Microsoft Office 365 tenancies
- This means that if you are performing migrations or syncing accounts from one forest to another, be sure to EXCLUDE that attribute from the sync, or your migrated users will NOT be able to access their accounts!

Azure AD Connect Health

Azure AD Connect Health
- Azure AD Premium feature (requires additional licensing)
- Monitors the following: Azure AD Connect; Azure AD DS domain controllers; AD FS servers
- NOTE: Not available in the Microsoft Germany cloud

Install Azure AD Connect Health Agents on AD DS Domain Controllers
- Install the AD DS health agent on all domain controllers to monitor them from the Azure AD Connect Health service
- Pay special attention to the prerequisites, particularly which websites need to be allowed
- Agents for AD FS servers can also be downloaded

Thank you! Questions?
Michael Noel
CCO.com
@MichaelTNoel
Facebook.com/MichaelNoel
Linkedin.com/in/MichaelTNoel
SharingTheGlobe.com
Slideshare.net/MichaelTNoel