Identity Synchronization Part 3: Managing Synchronized Identities


Difficulty
Intermediate
Video Transcription
00:00
Welcome back to Cybrary's MS 365 Security Administration course.
00:05
I'm your instructor, Jim Daniels.
00:07
This video, we're in Module 2, Identity and Access, Lesson: Identity Synchronization Part 3,
00:15
Managing Synchronized Identities.
00:19
In this lesson
00:20
we're gonna cover management of users and groups
00:24
with Azure AD Connect sync,
00:26
and we're going to troubleshoot some of the Azure AD Connect synchronization issues that you may experience.
00:32
We've mentioned in a previous lesson
00:34
that whenever you have a synchronized directory, synchronized identities,
00:39
you have to have a source of authority.
00:41
When you take your on-premises AD
00:44
and you sync those objects into Azure AD through Azure AD Connect, your source of authority is on-premises.
00:52
What that means
00:54
is the attributes of these objects that are synced
00:58
have to be changed at the source of authority.
01:00
They can't be changed
01:03
in Azure AD. They have to be changed in on-premises AD and then sync into Azure AD.
01:10
Here's a quick table to manage users in a directory-synchronized organization.
01:15
So on-premises: if you delete an object, guess what? It's gonna be removed from Azure AD.
01:19
Again, source of authority. It's no longer there. When Azure AD Connect syncs, there's changes up in Azure AD that say, "Hey, this is gone. I don't know what it is." It was put in that soft-deleted state.
01:33
Where you create an object on-prem, it's gonna be added and synchronized in Azure AD.
01:38
Again, with all this,
01:40
if you have complex filter rules or you have other filtering policies set up within Azure AD Connect, these may vary. But for a straightforward environment, this is the action and the result in Azure AD.
01:53
If you update object attributes on-premises,
01:57
it's also updated in Azure AD
02:00
if they're within that scope.
02:02
If you update group membership
02:05
on-premises,
02:07
the object's membership is updated in Azure AD. Again, source of authority. Something changes on-prem,
02:13
and if it's within the sync scope of Azure AD Connect, it's going to take those changes,
02:19
flag them as a change, and then it's going to
02:23
upload and update the object in Azure AD. That's the whole point of synchronization.
02:29
Azure AD Connect has writeback options, where it goes the opposite direction. So instead of just on-prem to Azure AD, you can actually write stuff back from
02:40
Azure AD to on-prem,
02:43
so there's a few different options with it.
02:46
The first option is password.
02:46
It allows password resets in Azure AD to be written back to on-prem in real time.
02:53
This is a requirement for SSPR.
02:57
Option two: groups, unified groups,
03:00
which is the group conglomerate that is part distro,
03:05
part shared mailbox. It has a group calendar, SharePoint site, OneDrive, Teams channel associated with it. Those are unified groups. We talked about them previously.
03:15
They're written back to on-prem AD with Exchange.
03:19
The reason for that: if you're running a hybrid mail environment,
03:22
if those unified groups didn't get
03:24
written back on-prem
03:27
and you have mailboxes and users still on-prem, they would never be able to communicate with those groups.
03:34
The third option is device. This enables Windows Hello for Business with hybrid certificate trust.
03:40
It enables conditional access-based policies for devices with AD FS 2012 R2 plus protected apps.
03:49
So what this allows: you can have an on-premises AD FS environment,
03:53
and you can actually utilize that environment
03:55
to do conditional-based access trust
03:58
within applications that are secured in Azure AD.
04:02
When we have set up Azure AD Connect,
04:04
there are some security groups that are automatically created as a result of having
04:10
that fine-grained control.
04:11
ADSyncAdmins: members of this group can edit sync rules and Azure AD Connect configuration.
04:19
So think of ADSyncAdmins as,
04:21
yeah, these are your global administrators of that whole Azure AD Connect.
04:29
ADSyncOperators
04:30
access the operations of Azure AD Connect and Synchronization Service Manager. Again, you can kind of see what's going on. You can do advanced troubleshooting as an operator, but you cannot change configuration. ADSyncBrowse:
04:44
you just gather information about the sync service. It's used when you reset passwords.
04:48
And finally,
04:49
ADSyncPasswordSet.
04:51
This lets you perform all password management interface operations.
04:56
The last two,
04:58
in certain environments, you may assign those to other users.
05:01
The first two
05:02
are used a lot more commonly.
05:04
If you have an identity access manager, chances are they're gonna be well involved with your Azure AD Connect setup.
05:12
So they're probably an admin.
05:13
If they have somebody on their team, maybe a junior member, that may be an operator, or even a Browse person.
05:18
Um, an operator, they can see everything, troubleshoot, but they can't make configuration changes themselves.
05:26
Here's some real-world tips for working with Azure AD Connect.
05:30
Enable the Recycle Bin on your on-premises AD.
05:34
If you don't have the on-premises Recycle Bin feature for Active Directory enabled, please stop the video right now. The pause button is down there, maybe in the corner somewhere. Just hit pause
05:46
and go do that.
05:47
After you do that,
05:48
please write a thank-you note to Cybrary
05:51
for saving your job, because there will be a day where the Recycle Bin will save your job,
05:58
and then you can come back and import.
06:00
So hopefully that's not you. But if it is, go do it now.
06:04
You want to document all of your filters used by Azure AD Connect. There's nothing worse than when you have a big environment, you have new people on the team, maybe you have an assistant admin; they come in and there's all of this spaghetti code everywhere, all of these filters that are just set up by FM
06:24
magic, right? All sync managers need to understand how the attribute, OU and other filters affect object changes in
06:31
Azure AD. Don't wanna have them not documented.
06:34
Somebody makes a change
06:36
and then realizes, "Oh, I just unsynced our whole entire executive team's accounts."
06:44
Yeah. Document,
06:46
document, document.
06:47
Create filters to detect duplicates on attributes that have to be unique. Again, this goes along with the whole IdFix.
06:55
Run your IdFix tools. This shouldn't be an issue.
06:59
Utilize Azure AD Connect Health and set up email alerts.
07:01
You already have it
07:03
implemented,
07:05
right? It's another layer of alerts. It's another check on your on-prem environment as well as your Azure AD environment.
07:14
If your source domain controller is having replication issues, change your source.
07:18
You should be in an environment where you have more than one domain controller. See the first tip here. If you only have one domain controller, you may want to stop the video and go back and install another domain controller to have some redundancy and some failover, some
07:34
something that will save your job one day: multiple DCs.
07:39
You want to take the DC, if it's having issues, and change your Azure AD Connect
07:44
to have a different DC as a source.
07:46
Here's how we can actually troubleshoot some directory synchronization issues.
07:50
Easy: deactivating, reactivating.
07:54
Whether that is setting up an OU that's filtered out,
07:58
moving the object into that OU, running the sync,
08:01
checking Azure AD that there is no object over there,
08:05
then taking that original object out of that OU back into an OU that's synced, syncing it back into Azure AD. Sometimes that solves issues. That's the equivalent of "have you tried turning it off and back on again?"
08:18
View errors in the 365 admin center.
08:20
It will give you some explanation. It will say, "Hey, you know, this proxy address, you can't have duplicates of this."
08:26
It will say, "Hey, this SMTP address isn't unique."
08:31
It will tell you something.
08:31
You can also do the directory synchronization troubleshooter.
08:35
You can do the Synchronization Service Manager.
08:37
Troubleshoot password synchronization within Azure AD Connect: you just open up your
08:43
Connect, look at your logs. It will give you errors.
08:46
It will take the GUI and it will map it down to the object, and it will give you notifications in both directions
08:54
so you can see what part of the metaverse, what part of the process, the error is taking place in, so you know how to troubleshoot it better.
09:03
PowerShell, of course. Always use PowerShell. It's our friendly tool.
09:07
To start a sync,
09:09
you do Start-ADSyncSyncCycle.
09:13
Then you have a switch of PolicyType. You have Delta and Initial.
09:18
Delta
09:18
only looks for new changes since last synchronization.
09:22
It's a quicker sync. However, if you've tried that and it's still not doing right, you can always do the Initial. Initial is a full synchronization of all objects, whether it thinks they're the same or not.
09:35
Sometimes that's the issue in and of itself: you've made changes; however, Azure AD Connect doesn't see it has changed, so when it runs a Delta sync, nothing updates. So you actually have to run a full Initial sync.
09:52
Which of the following is not
09:54
a writeback option of Azure AD Connect?
09:56
Device
09:58
Policy
09:58
Password, Group. Survey says:
10:09
Policy.
10:11
Policy is not a writeback option for Azure AD Connect.
10:16
So, to recap this lesson: on-premises Active Directory is the
10:20
source of authority in an Azure AD Connect sync identity environment.
10:26
Changes to objects are made on-premises and then sync into Azure AD.
10:31
Please document any changes or configuration filters within your Azure AD Connect environment.
10:37
Azure AD Connect creates sync security groups that you can utilize for troubleshooting and delegation of certain operations within synchronization.
10:46
So that's this video's lesson.
10:48
Thank you for joining me. And I hope to see you next time. Thank you.