Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7

Video Transcription

00:00
Welcome back to the MS 365 Security Administration course.
00:06
I'm your instructor, Jim Daniels. In this video we're going to continue on with Module 2,
00:11
Identity and Access,
00:13
Lesson 2, Identity Synchronization,
00:16
but we're going to delve into the world of Azure AD Connect.
00:21
I'm a big advocate of Azure AD Connect. I've been using it since it was DirSync. It is the best way,
00:30
and the recommended way,
00:32
to extend your on-premises
00:35
identity and directory services
00:37
into Azure AD.
00:39
In this lesson
00:41
we're going to specifically learn tips for planning synchronization
00:45
with Azure Active Directory,
00:47
we're gonna learn pass-through authentication, or PTA, with Azure AD Connect,
00:52
some of the different considerations and gotchas with Azure AD Connect,
00:56
and monitoring Azure AD Connect Health.
01:00
One of the favorite phrases of my dad, my granddad, my teachers, my father-in-law was "do it right the first time."
01:10
I even find myself repeatedly saying that to my children
01:14
when I give them tasks and chores:
01:15
do it right the first time.
01:19
If you take the time to plan,
01:21
measure twice, cut once,
01:23
you're gonna have a much better result.
01:26
Consider
01:26
directory synchronization into Azure AD
01:30
as a long-term commitment.
01:33
Thus,
01:34
we have a synchronization checklist.
01:37
First thing:
01:38
Active Directory preparation.
01:41
Second one, we're gonna look at those UPN suffixes.
01:45
Third,
01:47
we're gonna do some MS 365 readiness checks,
01:49
and fourth, we're going to run the MS 365 IdFix tool.
01:56
Some of the questions that you're gonna want to ask yourself: who is your team
02:00
and stakeholders?
02:02
You wanna have a good idea of how you want things to function in Azure AD.
02:07
Also the Azure AD Connect server:
02:09
you wanna know
02:10
what server are you installing that on?
02:14
Failover: do you need two of them? Do you need a staging server?
02:17
How are you gonna filter the sync?
02:20
Are you gonna sync all users?
02:22
Are you going to
02:23
not sync certain OUs?
02:27
How is that gonna work?
02:29
Configuration. Are you gonna do any of the advanced config options?
02:31
Finally, look at your domain.
02:34
Do you have one forest? Multiple forests?
02:37
Do you have multiple tenants?
02:38
Do you have more than one Microsoft 365 domain?
02:43
All of these questions come into play early on when you plan your journey
02:47
into Azure Active Directory.
02:50
You will also look at how Azure AD Connect will configure authentication for your users. There are two main options.
02:55
One is password hash.
02:59
This is where hashes are synced
03:00
from on-premises Active Directory to Azure AD.
03:05
Users have the same password both on-premises and in Azure AD.
03:10
The password is never sent to Azure AD
03:14
or stored in Azure AD in clear text, just the hash.
03:17
Authentication takes place in Azure AD.
03:22
Pass-through,
03:23
just like it sounds, pass-through:
03:27
accounts are copied and synced into Azure Active Directory,
03:31
password hashes are not present in Azure AD.
03:36
With pass-through authentication you can enforce on-premises user account states such as logon hours.
03:43
Authentication takes place at an on-premises software agent.
03:47
So think of pass-through, I'd say, as modern ADFS,
03:52
except you can do it with Azure AD Connect.
03:55
Again,
03:57
you're not sending a hash of a password into Azure AD;
04:00
just like with ADFS, you put the objects there and then the objects exist. However,
04:06
authentication goes back to an on-premises agent.
04:11
For multi-forest scenarios within Azure AD Connect,
04:15
all of the forests need to be reachable by the single
04:18
Azure AD Connect server.
04:21
The end goal is for each user to be represented one time in Azure AD.
04:28
Azure AD Connect staging servers can be deployed for failover if you want.
04:33
Requirements for the actual Azure AD Connect,
04:36
in general:
04:38
for your on-premises AD,
04:40
you need to have a schema
04:43
and forest functional level of 2003.
04:46
You need to have a domain controller
04:49
of 2008 R2 plus if you want to use password writeback.
04:55
Read-only domain controllers are not supported
04:58
as the source for Azure AD Connect.
05:01
Azure AD Connect itself
05:03
has to be installed on a domain-joined server,
05:08
2012 plus.
05:09
If you're going to use ADFS,
05:11
you need to have Server 2012 R2 plus.
05:15
It's not recommended to install on a domain controller.
05:17
That should be for obvious reasons.
05:19
SQL Server DB 2012 plus,
05:23
or SQL Server 2012 Express.
05:27
The Express is a local database that supports up to 100,000 objects. So if you're near that 100,000 object threshold or over, you're gonna have to actually get a SQL Server
05:38
2012 plus database, not Express.
05:42
To set up and use Azure AD Connect, you're gonna need to be a global admin for the Azure AD tenant
05:46
as well as an enterprise admin for on-premises AD. Global admins do not have the right to set up Azure AD Connect; they need to be an enterprise admin.
05:59
Prerequisites:
06:00
.NET Framework 4.5.1 and beyond, PowerShell 3 and beyond,
06:04
and TLS 1.2.
06:08
One caveat
06:09
for user objects as they go from your on-premises AD into
06:15
Azure AD is UPN. When they're initially synced,
06:18
they're synced with a UPN. So your on-premises
06:21
AD objects need a UPN value.
06:26
This value, once synced into Azure AD,
06:29
has to be manually updated in Azure AD. If you update it in on-prem AD, it will not automatically update the UPN value.
06:38
Blank values: sometimes a required attribute is null;
06:42
that usually won't upload. It won't synchronize into the cloud.
06:46
It will catch duplicates. You can only have one user per value: each display name has to be unique, each UPN has to be unique, each SMTP address has to be unique.
06:59
The IdFix is a
07:01
good tool
07:02
that searches and remediates your on-premises Active Directory issues and gets your environment ready for Azure AD Connect.
07:11
It's recommended to use that tool until you have no more
07:15
issues that need to be fixed
07:16
before you actually run Azure AD Connect. Save yourself the headache and the time and trouble.
07:24
Use IdFix. To set up Azure AD Connect,
07:27
you have a couple different options. You have express settings for a single AD forest
07:30
and password hash authentication,
07:33
and you have custom settings. If you're using multiple AD forests, you've got to use custom settings.
07:40
If you're using custom sign-in options such as ADFS or other federation, if you're using a non-Microsoft identity provider, if you are using
07:49
anything other than Active Directory Domain Services, you need to use custom settings. If you're using synchronization filtering,
07:58
you've got to use custom, not express, settings.
08:00
If you go, "Oh, we're using express settings," you won't have the ability to actually set
08:05
which
08:07
domains and OUs within Active Directory we want to sync or not sync into Azure AD.
08:13
Quiz:
08:13
which
08:15
Azure AD Connect authentication model has authentication take place in Azure Active Directory?
08:22
Is it A,
08:22
password hash, or B, pass-through?
08:28
You probably already know this. Just think about what pass-through means.
08:33
Whenever you see pass-through
08:35
on an exam or dealing with Microsoft,
08:39
the verb is the noun:
08:41
pass-through authentication, it passes through to authenticate. So with that being said,
08:46
the answer would be password hash.
08:48
That has a hash
08:50
of the local on-prem
08:52
AD password, not the password
08:54
but a hash, and it compares against the two, so it does the authentication in Azure Active Directory.
09:01
If you have password hash and your on-premises Active Directory goes completely down, users can still authenticate to MS 365 services through Azure Active Directory.
09:13
Azure AD Connect Health is a great and simple monitoring tool
09:18
that basically provides you health updates. It gives you a snapshot
09:22
of your Azure AD environment.
09:24
It's an Azure AD Premium feature.
09:28
The agent: there's a health agent that's installed on domain controllers or federation servers.
09:35
A global admin account is required to install and configure Azure AD Connect Health,
09:41
and you need to have TCP port 443 open on the firewall to allow communication from the health agent. So, to recap this lesson:
09:50
when you do Azure AD Connect, you need careful planning, and you need to remediate your on-premises directory issues prior
10:01
to implementing, installing Azure AD Connect.
10:05
Password hash and pass-through are the two authentication options within Azure AD Connect.
10:09
Azure AD Connect Health is a tool that monitors on-premises
10:13
and Azure AD synchronization services and infrastructure. Thank you for joining me on this lesson about Azure AD Connect.
10:22
I will be seeing you for the next video. Thank you.

MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By

Jim Daniels
IT Architect
Instructor