Azure AD Hybrid Identity Part 1

Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15

Video Transcription
Hello Cyberians. Welcome to Lesson 1.5 of Module 1 of this course titled AZ-301: Microsoft Azure Architect Design. Some quick information on what we'll be covering in this series of lessons. In the first part of the series, we'll start out by covering what Azure AD Connect is. We'll then cover some information on how to prepare your on-premises AD infrastructure if you're planning to synchronize your identities to Azure AD. Then we'll start to cover the synchronization options that are available and the use cases of each option. This will give you the information needed to select the right synchronization option based on your design scenario. In Part 2, we'll conclude our lesson on synchronization options. We'll then cover Azure AD Connect Health, which is a tool that can help with the monitoring of our on-premises identity infrastructure. We'll then give some information on the self-service password reset feature of Azure AD. Finally, in Part 3, we'll go through some quiz questions and share supplementary material references with you for further study of the concepts that we've discussed.

Let's get into this. Let's go ahead and talk about Azure AD Connect and what exactly this tool is. Many organizations are not going to be starting from scratch when they start adopting Microsoft Azure. Many organizations already have their identity infrastructure and business-critical applications set up in local data centers or on-premises. For those organizations, it will be beneficial to have a way to synchronize their existing identities from on-premises AD to Azure AD. The way to do that is Azure AD Connect. It's the tool that provides synchronization capabilities between our on-premises identity infrastructure, in terms of Active Directory, and Azure AD.

Let's delve deeper into Azure AD Connect. First of all, it's a wizard-based tool. This is a tool that we can download either from the Azure portal or straight from the Microsoft website. Some of you may be familiar with the old DirSync tool. This is like an improvement or an evolution of that software. It's actually been redesigned and it's much more robust than the old DirSync tool. Once you've installed this tool on a machine that's joined to an on-premises domain infrastructure, it enables connectivity between your on-premises identity and Azure AD, so it's like a bridge between those two identity environments. For you to be able to install this tool, the requirement is a domain-joined computer, so you do not have to install this tool on your domain controller. Actually, that's not good practice, so the recommended practice is to get a machine that's joined to your on-premises domain and install the tool there.

Before we even start talking about synchronizing our identities from on-premises to Azure AD, there are certain things that we need to do, and I have a quick list of some useful tasks for you to go through before you begin this process. Number 1 is you want to clean up your existing AD objects. This is a very good time to clean up your hierarchy, clean up stale objects in Active Directory, and just get rid of unnecessary stuff.

Also, you want to fix object attribute issues with a tool called IdFix. What this is talking about is that when you download the Azure AD Connect tool and you're using it to synchronize your identities to Azure AD, one of the things to keep in mind is that if your objects on-premises have incorrect values, or have values that are not allowed in Azure AD, that will cause the synchronization of those objects to fail. What we can do is download a free tool provided by Microsoft called IdFix and run that against our on-premises Active Directory. What this tool does is run through our objects on-premises and identify any objects that have attribute values that will not be synchronized to Azure AD, so that we can go ahead and fix that. I'll show you a demo of this when we get to the demonstration section.

The third thing that we want to do is match our on-premises AD DS UPN with the Azure AD UPN. What this is referring to is, for example, in the environment that I showed you in the last lesson, I have my Azure AD tenant, which is now superclouds.xyz. For many organizations, that's probably not what's in use on-premises. Maybe you're using something that's not even publicly routable, or routable, however you pronounce that; maybe you're using something like a subdomain of your main domain. But for single sign-on purposes and other useful reasons, you don't want your users to get confused, so you want to make that match, so that the on-premises UPN that your users are using to sign in is the same as what they use when they try to access cloud applications.

Then finally, you want to predetermine what filtering options you'll use. What that means is you want to arrange your identity infrastructure on-premises in such a way that it matches whatever you're going to be using to filter, or to synchronize, to Azure AD. For example, let's say you decide to use OU-based filtering; that means you want to move your objects around so that the objects that you want to synchronize into Azure AD are in the OUs that you want them to be in. That will make it easy for you to select the right OUs when you're configuring your synchronization. Or if you want to use groups, you have to make sure that accounts are in the right groups; likewise if you want to use domain-based or attribute-based filtering.

After we've installed the Azure AD Connect tool and we begin to configure the synchronization, it's going to allow us to select from one of three options. The first option that we have is something called password hash synchronization. What password hash synchronization allows us to do: from what you can see in the diagram that I'm showing you, I have an on-premises AD infrastructure on the left-hand side and my Azure AD tenant on the right-hand side. First I install my Azure AD Connect tool on my on-premises infrastructure, which enables the synchronization between Azure AD and on-premises Active Directory. Now if I select password hash synchronization, it's going to synchronize my user objects and the attributes of the user objects, including the hashes of the passwords. What this means is, if I have users that need to access cloud applications that use Azure AD as the identity provider, they're going to be redirected to Azure AD, which will be able to authenticate them because Azure AD actually has the password hash synchronized to it.

Quick summary of what the password hash synchronization option is. It's going to synchronize user objects and the password hashes from on-premises AD to Azure AD. Users sign in to Azure AD services using the same password that they use on-premises. Again, Azure AD has the password hash synchronized to it, so that's good. This option actually supports seamless single sign-on, so that once users have authenticated on-premises, they don't need to reauthenticate to be able to access cloud applications, and it also supports functionality like cloud MFA and self-service password reset.

Moving on to option number 2 that we can select when we're configuring this synchronization using the Azure AD Connect tool. On the left-hand side, again, we have the on-premises infrastructure, and on the right-hand side we have the Azure AD tenant. We start out by downloading and installing the Azure AD Connect tool. But in this case, after the connection is made, only the user objects and attributes will be synchronized to Azure AD, not the password hashes. You might say, why would somebody want to do that? Some organizations are very careful about synchronizing their password hashes outside of something that's within their control, so in that case this is an option that they can use. What that means is, whenever users go to access cloud applications that use Azure AD as the identity provider, the situation is a bit different, because how are they going to be able to authenticate? We're going to introduce a new component, which is an ADFS server, an Active Directory Federation Services server, into that. There will be a trust relationship between Azure AD and the ADFS server, so that when users go to access cloud applications, they get redirected to Azure AD, which recognizes the user and then redirects them to their on-premises ADFS environment, which will now authenticate them against the on-premises AD. This means authentication always happens on-premises if you select this use case or this scenario.

What I'll do is I'll go ahead and pause the video here, and in the very next part, Part 2 of this lesson, I'll go ahead and talk about the third option that we have in this case.