Identity Synchronization Part 3: Managing Synchronized Identities

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
Welcome back. Cyber brings to the M s 3 65 Security Administration course.
00:05
I'm your instructor, Jim Daniels.
00:07
This video We're module to identity and access. Listen to identity synchronization Part three,
00:15
managing synchronized identities
00:19
And this lesson
00:20
we're gonna cover management of users and groups
00:24
with as radi connects sink
00:26
and we're going to trouble shoot some of the azure A. D connects synchronization issues that you may experience
00:32
that we've mentioned in a previous lesson
00:34
that whenever you have a synchronized directory synchronized identities,
00:39
you have to have a source of authority.
00:41
When you take your one premise 80
00:44
and you think those objects into azure lady through as radi connect your source of authority is one premises.
00:52
What that means
00:54
is the attributes to these objects that are ST
00:58
have to be changed at the source of authority
01:00
that can't be changed.
01:03
And as your a d has to be changed one premise 80 and this sink into as rating.
01:10
Here's a quick table to manage users. You use an underwriter of state organizations.
01:15
So one premise. If you duly an object, guess what? It's gonna be removed from Azure 80
01:19
again source of authority. It's no longer there when, as your 80 connects thinks, there's changes up in the azure a d say, Hey, this is gone. I don't know what it is was put in that self doing state
01:33
where you create object one from It's gonna be added and synchronized in Azure 80
01:38
A game with all this.
01:40
If you have complex filter rules or you have other filtered policies set up within as Radi connect, these may very before a straightforward environment. This is the action and the result in Azure 80.
01:53
If you have data object attributes with an on premise,
01:57
it's also updated in Azure 80
02:00
if there within that scope,
02:02
If you have date group membership
02:05
and fitness,
02:07
the Objects membership is updated in Azure 80 again source of authority. Something changes on prim,
02:13
and it's within the sink scope of as Radi Connect is going to take. Those changes
02:19
fly him as a change, and then it's going to
02:23
upload and update the object in Azure 80. That's the whole point of synchronization,
02:29
as your A D connect has right back options toe where it goes the opposite direction. So instead of just one print and as your a D. You can actually write stuff back from,
02:40
as are 80 to 1 prim,
02:43
so there's a few different options with it.
02:46
The first option is password.
02:46
It allows passwords reset and as your 80 to be written back, the one print and roll time.
02:53
This is a requirement for SSP are
02:57
Option two groups Unified Groups,
03:00
which is the group conglomerate that has part destro
03:05
partnership mailbox. It has a good calendar. SharePoint side one draw team Shannon associated with it. Those were unified groups. We talked about him previously.
03:15
They're written back to warm for him. 80. With exchange
03:19
the reason for that if you're running a hybrid mel environment.
03:22
If those unified groups didn't get
03:24
rowed back on prim
03:27
and you have mailboxes and user still want prim, they would never be able to communicate with those groups.
03:34
The third option is device this enables when they're so for business with hybrid certification trust.
03:40
It enables conditional, access based policies when devices with a DFS 2012 40 plus and protected. That's
03:49
so while this allows, you can have a one premise a DFS environment,
03:53
and you can actually utilize that environment
03:55
to do conditional based access trust
03:58
within applications that are secured in azure 80.
04:02
We have set up as Radi connect.
04:04
There are some security groups are automatically created as a result of having
04:10
that for grain
04:11
a de sink at Mons. Members of this group can edit sync rules and as our a d connect configuration.
04:19
So think of 80 sink admin. Xaz.
04:21
Yeah, these are your global administrators of that whole. As radi connect
04:29
a decent operators
04:30
access the operations of as Radi Connect and Sink Service Manager. Again, you can kind of see what's going on. You can do advanced troubleshooting as an operator that you cannot change configuration 80 sink brows.
04:44
You just gather information about the mini. It's when you reset passwords
04:48
and finally,
04:49
80 sink password set.
04:51
This lets you perform all password management interface operations
04:56
the last two
04:58
certain environments. You may assigned those to other users
05:01
the first two,
05:02
or use a lot more commonly.
05:04
If you have a identity access manager, chances are they're gonna be well involved with your as Radi connects set up.
05:12
So they're probably an admin
05:13
if they have somebody when their teams maybe a junior member, that may be an operator or even though Brandon's person,
05:18
um, tour. They can see everything troubleshoot, but they can't make configuration changes themselves.
05:26
Here's the moral world. Tips for working with as Radi Connect
05:30
enable the recycle bin on your own premises. 80.
05:34
If you don't have the on premise for cycle, been feature for Out of Director and Able, please stop the video. Right now it falls down, maybe the corner somewhere. Just hit balls
05:46
and go do that.
05:47
After you do that,
05:48
please write a thank you. Note the cyber very
05:51
for saving your job, because there will be a day toe where the recycle bin will save your job
05:58
and then you can come back and import.
06:00
So hopefully that's not you. But if it is, go do it. Now
06:04
You want to document all of your filters used by Azure 80 Connect. There's nothing worse than when you have a big environment. You have new people on the team. Maybe you haven't assist admin. They come in and there's all of this spaghetti code everywhere. All of these filters that or just set up by FM
06:24
Magic right? Allstate managers need to understand how the attributes owe you another filter bubble object changes will effect
06:31
as ready. Don't wanna have them not documented.
06:34
Somebody make a change
06:36
and then then realized Oh, I just unsinkable NYSE our whole entire executive teams accounts.
06:44
Yeah. Document
06:46
document document
06:47
credo that filters to detect duplicates on attributes. I have to be unique again. This goes along with the whole idea. Fix.
06:55
Run your idee fixe tools. This shouldn't be an issue.
06:59
Utilize as your 80 connect health and set up a milords.
07:01
You already have it
07:03
implemented.
07:05
Right is another layer of alerts. It's another check when you're one print environment as well as your as your 80 environment.
07:14
If your source the main controllers having replication issues change your source,
07:18
you should be in an environment where you have more than one domain controller. See the first tip here. If you don't have one domain controller, you may want to stop the video and go back in salt, another domain controller to have some redundancy, and some fell over some
07:34
something that will save your job one day. Multiple. DC's
07:39
You want to take the D. C. If it's having issues, change your as your a D connect
07:44
to have a different D. C is a source.
07:46
Here's how we can actually troubleshoot some driver synchronization issues.
07:50
Easy deactivating reality
07:54
Whether that is setting up a ou that's filtered out
07:58
moving the object in that Oh, you Ron. They sink
08:01
checking as radio that there is no over there
08:05
then taking that original print out of that Oh, you back into a no use the sink like a sinking natural 80 Sometimes that solves issues. That's the equivalent of If you try to turn on the often back one again
08:18
view errors in the 3 65 admin center.
08:20
It will give you some explanation. It will say, Hey, you're you know this proxy by you can't have duplicate to focus
08:26
It will say Hey, this SMTP address isn't unique.
08:31
It will tell you something.
08:31
You can also do the drier it synchronization Troubleshooter
08:35
You can do the synchronization service manager
08:37
troubleshoot password synchronization within as your 80 connect you nice will open up your
08:43
connect. Look at your logs. It will give you errors.
08:46
It will take the gooey and it will map it down to the object and I will give you notifications in both directions
08:54
so you can see what while part of the metaverse what part of the process the error is taking place in. So you know how to troubleshoot or better
09:03
power shell course. Always use powershell it. It's our friendly tool
09:07
to start a sink.
09:09
You do start dash 80 sink sink cycle.
09:13
Then you have a switch of policy type. You have Delta and initial.
09:18
Delta
09:18
only looks for new changes since last synchronization.
09:22
It's a quicker sink. However, If you've tried that and it's still not doing right, you can always do. The initial initial is a full synchronisation of all objects whether thinks they're the same or not.
09:35
Sometimes that's issue in and of itself, and I'm Jack changes. However, as your 80 Connect doesn't see, it has changed. So when it runs a Delta sink, nothing updates. So you actually have to run a full initial sink,
09:52
which the phone is not
09:54
a right back option of as our A D Conduct
09:56
Device
09:58
Policy
09:58
Password group survey says
10:09
policy
10:11
policy is not a right back option for Azure 80 connect.
10:16
So, to recap, this lesson on premises at the directory is a D
10:20
source of authority in a azure 80 connect sink identity environment.
10:26
Changes to objects are made. One promise and then sink into azure 80.
10:31
Please document any changes or configuration filters within your as your 80 connected environment
10:37
as your 80 connect creates sink security groups that can utilize for troubleshooting and delegation of starting operations within synchronization.
10:46
So that's this video's lesson.
10:48
Thank you for joining me. And I hope to see you next time. Thank you.
Up Next
MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By