Identity Synchronization Part 2: Azure AD Connect

Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
Welcome back to the MS 365 Security Administration course.
00:06
I'm your instructor, Jim Daniels. In this video we're going to continue on with module two,
00:11
identity and access,
00:13
lesson two, identity synchronization,
00:16
but we're going to delve into the world of Azure AD Connect.
00:21
I'm a big advocate of Azure AD Connect. I've been using it since it was DirSync. It is the best way,
00:30
and the recommended way,
00:32
to extend your on-premises
00:35
identity and directory services
00:37
into Azure AD.
00:39
In this lesson,
00:41
we're going to specifically learn tips for planning a synchronization
00:45
with Azure Active Directory,
00:47
we're going to learn pass-through authentication, or PTA, with Azure AD Connect,
00:52
some of the different considerations and gotchas with Azure AD Connect,
00:56
and monitoring Azure AD Connect Health.
01:00
One of the favorite phrases of my dad, my granddad, my teachers, my father-in-law was "do it right the first time."
01:10
I even find myself repeatedly saying that to my children
01:14
when I give them tasks and chores:
01:15
do it right the first time.
01:19
If you take the time to plan,
01:21
measure twice, cut once,
01:23
you're going to have a much better result.
01:26
Consider
01:26
directory synchronization into Azure AD
01:30
as a long-term commitment.
01:33
So,
01:34
we have a synchronization checklist.
01:37
First thing,
01:38
Active Directory preparation.
01:41
Second one, we're going to look at those UPN suffixes.
01:45
Third,
01:47
we're going to do some Microsoft 365 readiness checks,
01:49
and fourth, we're going to run the Microsoft 365 IdFix tool.
01:56
Some of the questions that you're going to want to ask yourself: who is your team
02:00
and stakeholders?
02:02
You want to have a good idea of how you want things to function in Azure AD.
02:07
Also, the Azure AD Connect server:
02:09
you want to know
02:10
what server are you going to install that on?
02:14
Failover: do you need two of them? Do you need a staging server?
02:17
How are you going to filter the stuff?
02:20
Are you going to sync all users?
02:22
Are you going to
02:23
not sync certain OUs?
02:27
How is that going to work?
02:29
Configuration: are you going to do any of the advanced config options?
02:31
Finally, look at your domain.
02:34
Do you have one forest? Multiple forests?
02:37
Do you have multiple tenants?
02:38
Do you have more than one Microsoft 365 domain?
02:43
All of these questions come into play early on when you plan your journey
02:47
into Azure Active Directory.
02:50
You will also look at how Azure AD Connect will configure authentication for your users. There are two main options.
02:55
One is password hash.
02:59
This is where hashes are synced
03:00
from on-premises Active Directory to Azure AD.
03:05
Users have the same password both on-premises and in Azure AD.
03:10
The password is never sent to Azure AD
03:14
or stored in Azure AD in clear text, just the hash.
03:17
Authentication takes place in Azure AD.
03:22
Pass-through,
03:23
just like it sounds, pass-through:
03:27
accounts are copied and synced into Azure Active Directory,
03:31
password hashes are not present in Azure AD.
03:36
With pass-through authentication you can enforce on-premises user account states such as logon hours.
03:43
Authentication takes place at an on-premises software agent.
03:47
So think of pass-through as a modern ADFS.
03:52
As I said, you can do it with Azure AD Connect.
03:55
Again,
03:57
you're not sending a hash of a password into Azure AD;
04:00
just like with ADFS, you put the objects there and then the objects exist. However,
04:06
authentication goes back to an on-premises agent.
04:11
For multi-forest scenarios within Azure AD Connect,
04:15
all of the forests need to be reachable by the single
04:18
Azure AD Connect server.
04:21
The end goal is for each user to be represented one time in Azure AD.
04:28
Azure AD Connect staging servers can be deployed for failover if you want.
04:33
Requirements for the actual Azure AD Connect,
04:36
in general:
04:38
for your on-premises AD,
04:40
you need to have a schema
04:43
and forest functional level of 2003.
04:46
You need to have a domain controller
04:49
of 2008 R2 plus if you want to use password writeback.
04:55
A read-only domain controller is not supported
04:58
as the source for Azure AD Connect.
05:01
Azure AD Connect itself
05:03
has to be installed on any domain-joined Server
05:08
2012 plus.
05:09
If you're going to use ADFS,
05:11
you need to have Server 2012 R2 plus.
05:15
It's not recommended to install it on a domain controller.
05:17
That should be for obvious reasons.
05:19
SQL Server DB 2012 plus,
05:23
or SQL Server 2012 Express.
05:27
Express is a local database that supports up to 100,000 objects. So if you're near that 100,000 object threshold or over, you're going to have to actually get a SQL Server
05:38
2012 plus database, not Express.
05:42
To set up and use Azure AD Connect, you're going to need to be a Global Admin for the Azure AD tenant
05:46
as well as an Enterprise Admin for on-premises AD. Global Admins do not have the right to set up Azure AD Connect; they need to be an Enterprise Admin.
05:59
Prerequisites:
06:00
.NET Framework 4.5.1 and beyond, PowerShell 3 and beyond,
06:04
and TLS 1.2.
06:08
One caveat
06:09
for user objects as they go from your on-premises AD into
06:15
Azure AD is the UPN. When they're initially synced,
06:18
they're sent with a UPN, so your on-premises
06:21
AD objects need a UPN value.
06:26
This value, once synced into Azure AD,
06:29
has to be manually updated in Azure AD. If you update it on-premises, it will not automatically update the UPN value.
06:38
Blank values: sometimes a required attribute is null;
06:42
that usually won't upload, it won't synchronize into the cloud.
06:46
It will catch duplicates. You'd only have one user per display name: each display name has to be unique, each UPN has to be unique, each SMTP address has to be unique.
06:59
IdFix is a
07:01
GUI tool
07:02
that searches and remediates your on-premises Active Directory issues and gets your environment ready for Azure AD Connect.
07:11
It's recommended to use that tool until you have no more
07:15
issues that need to be fixed
07:16
before you actually run Azure AD Connect. Save yourself the headache and the time and trouble.
07:24
Use IdFix. To set up Azure AD Connect,
07:27
you have a couple different options. You have Express settings for a single AD forest
07:30
and password hash authentication,
07:33
and you have Custom settings. If you're using multiple AD forests, you've got to use Custom settings.
07:40
If you're using custom sign-in options such as ADFS or other federation, if you're using a non-Microsoft identity provider, if you are using
07:49
anything other than Active Directory Domain Services, you need to use Custom settings. If you're using synchronization filtering,
07:58
you've got to use Custom settings.
08:00
If you were to go, "Oh, we're using Express settings," and we have the ability to actually set
08:05
which
08:07
domains and OUs within Active Directory we want to sync or not sync into Azure AD.
08:13
Quiz:
08:13
which
08:15
Azure AD Connect authentication model has authentication take place in Azure Active Directory?
08:22
Is it A,
08:22
password hash, or B, pass-through?
08:28
You probably already know this. Just think about what pass-through means.
08:33
Whenever you see "pass-through"
08:35
on an exam or dealing with Microsoft,
08:39
the verb is the clue.
08:41
Your authentication passes through to authenticate. So with that being said,
08:46
the answer would be password hash,
08:48
which has a hash
08:50
of the local on-premises
08:52
AD password. Not the password,
08:54
but a hash, and it compares against the two, so it does the authentication in Azure Active Directory.
09:01
If you have password hash and your on-premises Active Directory goes completely down, users can still authenticate to Microsoft 365 services through Azure Active Directory.
09:13
Azure AD Connect Health is a great and simple monitoring tool
09:18
that basically provides you a health update. It gives you a snapshot
09:22
of your Azure AD environment.
09:24
It's an Azure AD Premium feature.
09:28
The agent: there's a health agent that's installed on domain controllers or federation servers.
09:35
A Global Admin account is required to install and configure Azure AD Connect Health,
09:41
and you need to have TCP port 443 open on the firewall to allow communication from the health agent. So, to recap this lesson:
09:50
when you do Azure AD Connect, you need careful planning, and you need to remediate your on-premises directory issues prior
10:01
to implementing and installing Azure AD Connect.
10:05
Password hash and pass-through are two authentication options within Azure AD Connect.
10:09
Azure AD Connect Health is a tool that monitors on-premises
10:13
and Azure AD synchronization services and infrastructure. Thank you for joining me on this lesson about Azure AD Connect.
10:22
I will be seeing you for the next video. Thank you.
MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.