Azure AD Hybrid Identity Demo


Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15
Video Transcription
Hello Cybrarians. Welcome to lesson 1.8 of this course titled AZ-301, Microsoft Azure Architect Design. Here's what we'll be covering in this demonstration. I'll start by showing you how to prepare an on-premises Active Directory infrastructure for synchronization to Azure AD using the IDFix tool. Then I'll show you how to download and install the Azure AD Connect tool. Then finally, I'll show you how to configure the Azure AD Connect options for synchronizing your identities to Azure AD. Let's get into this.

First, let me show you how to prepare an on-premises Active Directory infrastructure for synchronization to Azure AD using IDFix. Here's the environment that I have. I have an on-premises environment where I have a domain controller called adVM, and I have a member server called member server, and I have some identities on-premises. On the right-hand side, I have my Azure AD tenant superclouds.xyz that I created in previous lessons of this course. What I'll do now is go to my domain controller, the adVM machine, download the IDFix tool to it, and run it against my on-premises Active Directory.

If I bring up my on-premises Active Directory environment, you can see what the structure looks like. Here you can see that I have just an OU called OrgUsers, where I have certain identities in that OU. What I'll do is bring up Internet Explorer and just type in "IDFix download". I will search in Bing, and one of the options that I will have is the option to download and install the IDFix tool. The very first option over here: if I click on that option, that loads up the page, and I can click on "Download". That's going to give me the option to save the file. If I go ahead and click on "Save", that's going to save it in my Downloads folder. If I click on "Open Folder", I should be able to see that it's there. If I go ahead and extract the zip file, that's the tool that I need.

What I'll do is right-click on the tool and click on "Run as Administrator", go ahead and accept the privacy statement, and you can see that it opens this application. Right at the very top here you have the Query option. Now, because I'm doing this on my domain controller and I'm logged in with a credential that has permission to my Active Directory environment, if I click on "Query", it does the query against my on-premises Active Directory infrastructure using LDAP, and it lets me know that I have certain users where I've configured attributes that are invalid, so these attributes cannot be synchronized to Azure AD, and I can go ahead and fix them if I wanted to.

What I'll go over here is, on the right-hand side under the Update column, it's given me suggestions of what to replace these invalid values with. What I can also do is modify these suggestions, so rather than using that, I can remove that option so the suggestion fits well into what I really want it to be. Once I've configured the Update section to what I want it to be, I can go ahead under Action and click on "Edit". Once I've done Edit for all of them, I can go ahead and click on "Apply" over here. It says, "Are you sure you wish to apply the update values?" If I go ahead and click "Yes", it goes ahead and changes everything to Complete. If I click on the Query option again, I get the little error; I can click on "Close". But you can see that I'm no longer getting any objects identified as having incorrect values, because they've now been fixed.

The next part of preparing my on-premises AD infrastructure for synchronization to Azure AD will be to ensure that the UPN suffixes match for on-premises and for Azure AD. In Azure AD, I'm using superclouds.xyz; on-premises, I'm using on-prem.superclouds.xyz. What I want to ensure is that both match, so that my users have consistency across both environments. What I'll do is, if I go to Server Manager, click on "Tools" and go to Active Directory Domains and Trusts, I can right-click on "Active Directory Domains and Trusts", go to Properties, and I can specify a new UPN suffix. In this case, superclouds.xyz, and I go ahead and add that. I click "Apply" to that, and I click "OK".

I've added that, but now I need to ensure that my users are using that UPN when they're signing in, because at the moment they're still going to be using on-prem.superclouds.xyz. I want to change that to superclouds.xyz. Now, I could do that individually, but I have a lot of users here. Because I have them in one OU, it makes it easier for me to use a GUI tool like Active Directory Users and Computers. But if you have your users spread across multiple OUs within your environment, there are PowerShell scripts that you can download online that make it very easy for you to do that task and just change the UPN suffix for all your users using the PowerShell scripts. I'll put the link in the discussion. What I'll do is go ahead and select all my users, go to Properties, click on "Account", "UPN suffix", and then I'll just modify that. If I click on "Apply", and I click "OK", that's applied it now. I can verify by going to one of my users, and I can see that we're using superclouds.xyz.

In the next part of the demo, I will show you how to download and install the Azure AD Connect tool. The visual representation of what I'll be doing is: I have this member server over here, and I'll be downloading and installing this tool on this server. Let's go ahead and do that now. In this case I won't be using my domain controller; we're going over to my member server, and on my member server I just need to ensure that I have Internet Explorer Enhanced Security Configuration disabled. I can bring up Internet Explorer and simply search, using any search engine, for "Azure AD Connect download". One of the options that I will get is the option to download Microsoft Azure Active Directory Connect. If I go ahead and click on that option, it takes me to the download page, and I can go and click on "Download". You can see the download here; if I go ahead and click on "Save", it finishes downloading, and I'll click on "Run".

The execution process begins, or the installation process, so I go ahead and agree to the terms and conditions and click on "Continue". I'm not going to be using Express Settings, because I want to show you the different options that are available, so I'll go ahead and click on "Customize". I'll be able to do that afterwards, but for the initial installation, you can see that I have the option to use an existing SQL Server. What this tool is actually going to do is install SQL Server Express, which has a maximum storage capability of 10 gigabytes, so the recommendation is that if the objects in your Active Directory infrastructure are fewer than 500,000 objects, you can go ahead and use that; that should be sufficient. But if it's more than 500,000 objects, you probably want to use a stand-alone SQL Server, so in that case you can select that option. This tool is also going to set up service accounts and set up local groups on this local machine, in which case what I can do is customize those groups so I can use existing service accounts. But for now I'll just leave the default, and I will just go ahead and click on "Install". One of the things that you'll notice during the installation is that it's setting up SQL Server Express edition, as I mentioned. The installation completed, and now I can go through the configuration.

Let's go back to the slides to see the next demo. In the next demo, I will show you how to configure Azure AD Connect options, and give you a visual representation. I have the Azure AD Connect tool already installed. I'll go ahead and configure the synchronization between my on-premises Active Directory infrastructure and Azure AD, and that will cause the synchronization of my identities from on-premises over to Azure AD. Let's go ahead and see that.

Now that the installation of Azure AD Connect has finished, it's time for configuration. You can see the configuration options that we discussed in the last lesson: password hash synchronization, pass-through authentication, federation with either AD FS or PingFederate, and you can also see this little tick box over here to enable single sign-on. I talked about this a little bit in the past lesson. We talked about being able to enable seamless single sign-on and password hash synchronization to allow my users to be able to sign in once on-premises and use the same sign-in to authenticate against cloud applications. You just simply select that option, and it will allow you to configure that later. I'll go ahead and leave it as password hash synchronization for now, and that's also good practice for Microsoft; Microsoft recommends that option. I'll go ahead and click "Next".

I'll need to put in an Azure AD Global Admin credential there, so I'll go ahead and put in david@superclouds.xyz, and I'll put in my password. I go ahead and click "Next". It's going to validate that. Excellent. Once that's validated, I can add my directory, so I'll go ahead and add my on-premises directory. I'll need to put in enterprise admin credentials, so I go ahead and put in on-prem\azureadmin and I'll put in my credentials. If I go ahead and click "OK" to that, it validated that; that's good. If I go ahead and click "Next", you can see that it's detected that I have a verified UPN suffix that matches on-premises and Azure AD, which is great. I'll go ahead and use the UPN suffix, and I will continue without matching the UPN suffix for the initial one. That's fine.

I'll go ahead and click "Next". Now, what objects do I want to synchronize to Azure AD? Obviously, not all objects that I have on-premises need access to cloud applications. If I have service accounts, I may not want to synchronize those. In this case I can use things like directory-based filtering or OU-based filtering. In this case I will say do not synchronize everything, just synchronize selected domains and OUs, and I have all my users already organized into this OU called OrgUsers, so I'll go ahead and deselect everything and select only OrgUsers, and I will go ahead and just click "Next", and I'll go ahead and just click "Next" in this other option. When it comes to filtering, here's where we can do more filtering by specifying that only the members of a particular group should be synchronized, but I'll go ahead and leave that option not configured, and I'll go ahead and click "Next".

Optional features: I showed you in the earlier lesson where you could use something like federation, but then use password hash synchronization as a backup. Let's say I selected federation or pass-through authentication earlier; this is where I can go ahead and select password hash synchronization to allow me to do that. It's also something that you may want to do when you're transitioning from one option to another. If I go ahead and leave that, you see the option where we can configure password writeback if we're using self-service password reset, and then we can go ahead and enable password writeback if we want that option. I'll leave the options and I'll go ahead and just click "Next", and it gives me the option to start the synchronization process immediately when the configuration completes. I'll go ahead and leave that selected and go ahead and click "Install", and then it begins the configuration process, and at the end of that, the synchronization is going to commence to synchronize my identities. One of the other things that it's also doing is installing the Azure AD Connect Health agents on this machine also. The configuration completed, and the synchronization has been initiated also. I can go ahead and click on "Exit".

Then if I go back to my Microsoft Azure portal, click on "Azure Active Directory", and click on "Users", I can see that it synchronized my users over to Azure AD. I can see that they have the same UPN, superclouds.xyz, which I've also configured them to use on-premises. I can see the source as Windows Server AD, which is great, and the credential that it's using for the synchronization is a credential called On-Premises Directory Synchronization, so that's the credential that it's using. So that's essentially the process of configuring Azure AD Connect.

In summary, here are the items that we covered in this demonstration. We started by seeing how to prepare an on-premises directory for synchronization to Azure AD using the IDFix tool, but I also went ahead and showed you how to ensure that the UPN suffix matches. Then I went ahead and downloaded and installed Azure AD Connect on a member server that's joined to our on-premises Active Directory domain, and then finally, I showed you how to configure the Azure AD Connect options and to make sure that the synchronization is working. So that concludes this lesson. I'll see you in the next lesson, where we'll begin to talk about architectural decisions for Azure AD. Thank you.