AAD Connect


Time
2 hours 42 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
Hello and welcome back to the Office 365 Migration Primer course. I'm your instructor, Jim Daniels, and for this lesson we're on Module 3, Identity, Lesson 5: Azure Active Directory Connect.
00:16
In this lesson we're gonna cover some of the pros and cons of Azure AD Connect
00:20
as well as some of the features.
00:23
Azure AD Connect, or AAD Connect,
00:27
is the directory synchronization tool that copies your on-premise accounts into Azure AD.
00:34
You can also filter which accounts sync into Azure AD.
00:39
Cloud-based accounts that originate in the cloud do not copy to on-premise.
00:44
Remember earlier we discussed Azure AD
00:48
is what Office 365 uses to authenticate
00:52
your users,
00:54
so Azure AD Connect is the bridge from your on-premise Active Directory
01:00
to populating those values in those fields in Azure AD.
01:04
There are two main authentication methods within Azure AD Connect.
01:08
The first one is password hash.
01:11
In this authentication method, password hashes are synced
01:15
from your local AD into Azure AD.
01:19
Users have the same password on premise and in Azure AD.
01:23
The password is never sent to Azure AD or stored in Azure AD in clear text.
01:30
Authentication takes place in Azure AD.
01:34
It syncs the hash instead of the password.
01:38
Pass-through authentication.
01:40
All the accounts are still present in Azure AD.
01:44
Password hashes are not present
01:47
in Azure AD,
01:49
and it enforces your on-premises user account states and logon hours, and authentication takes place at an on-premise software agent.
01:59
All right, so pass-through.
02:00
It's sort of a hybrid between ADFS and password hash in Azure AD Connect.
02:08
It's a fairly new authentication method, but a lot of people are moving toward this because it doesn't require the same infrastructure investment that ADFS does.
02:20
So let's take a look at password hash synchronization in this diagram. Your on-premise organization is on the left-hand side. You have your on-premise users. You have a server running Azure AD Connect.
02:31
The user accounts are present
02:34
because remember your local Active Directory
02:38
feeds into Azure AD Connect, and that's how it gets into Azure AD.
02:43
When a user goes to authenticate,
02:46
they authenticate straight to Azure AD.
02:50
Azure AD has a copy of the accounts and the hashed passwords from your on-premise users.
02:55
So in this model,
02:58
nothing comes back home.
03:00
Now let's get to pass-through authentication.
03:04
With this one, your user
03:07
tries to access an app. We'll use the Office 365 portal, for example.
03:12
After they try to access the app, the user is redirected to Azure AD to sign in.
03:20
All right, so we're still in the cloud.
03:23
At that point, the user enters user name and password information.
03:28
The user name and encrypted
03:30
password is placed in a queue in Azure AD,
03:32
then it goes to the on-premise agent
03:36
that takes the request from the queue.
03:38
The agent then decrypts the password using the private key,
03:44
validates the user name and password against
03:46
on-premise Active Directory.
03:50
Active Directory returns a result to the agent.
03:53
The agent returns the result to Azure AD. Azure AD then completes the sign-in process; if the result is successful, the user has access.
04:03
This looks very similar to ADFS,
04:06
except that it utilizes Azure AD
04:10
and an on-prem agent.
04:13
As far as Azure AD Connect, the requirements are pretty simple.
04:17
You have to have an Azure AD tenant.
04:19
Again, everyone has one as soon as you sign up for Office 365.
04:25
You have to add and verify the domain using Azure Active Directory.
04:30
On premise, you have to have a 2003-plus AD schema and forest functional level.
04:35
Your DC that is used by Azure AD Connect cannot be a read-only domain controller.
04:42
You have to have it installed on a Windows Server 2008 R2 plus,
04:47
which shouldn't be that bad, because that is even going end of life here soon in 2020.
04:54
For your
04:55
Azure Active Directory AD Connect server, you need to have .NET 4.5.1 or above and PowerShell 3 or above.
05:03
All right, so here's a quiz.
05:05
Cloud-created user accounts sync to on-premise Active Directory when using
05:13
Azure AD Connect.
05:15
We talked briefly about this toward the opening.
05:18
The answer to that is false.
05:21
It does not write back the whole entire object.
05:26
Let's look at some of the options within Azure AD Connect.
05:30
You have the ability to select which domains and OUs to sync. If you have a certain OU that contains user objects that will never have a cloud presence,
05:41
you don't sync it.
05:43
Password writeback.
05:45
You can enable self-service password reset in Office 365
05:48
that allows a user to reset their credentials
05:53
in Office 365, and it writes that password value back into your on-premise Active Directory.
06:00
So they update the password, it also reflects it in Azure AD, and it goes in and replaces it in your local Active Directory.
06:09
You have Exchange hybrid options.
06:12
You have pass-through versus password hash.
06:15
You also get to choose which Active Directory attributes you want to sync.
06:19
You can map attributes into custom attributes and write custom directory sync rules as well. It's very flexible.
06:28
For daily management, for those users,
06:30
these are objects managed in on-premise Active Directory. The daily management for Azure AD Connect
06:36
for your users is exactly the same as ADFS.
06:41
You're going to manage all of the Active Directory attributes from,
06:45
um, ADUC or any of your other AD tools. Office 365-specific attributes such as licensing and other cloud attributes, you manage those either in the Office 365 admin center or in the Azure AD admin center.
07:00
So, to recap,
07:01
Azure AD Connect is a tool that syncs on-premise AD data into Azure Active Directory.
07:10
Azure AD Connect supports both pass-through and password hash authentication models.
07:15
Password writeback is a feature supported by Azure AD Connect
07:19
and allows users to reset their passwords and unlock their accounts from the cloud.
07:27
Thank you for taking the time to join me in this lesson. I hope to see you for the next one. Thank you.