Identity Synchronization Part 3: Managing Synchronized Identities
Welcome back to Cybrary's MS 365 Security Administration course.
I'm your instructor, Jim Daniels.
This video is Module 2, Identity and Access, lesson Identity Synchronization Part 3: Managing Synchronized Identities.
In this lesson we're gonna cover management of users and groups with Azure AD Connect sync, and we're going to troubleshoot some of the Azure AD Connect synchronization issues that you may experience, which we've mentioned in a previous lesson.
Whenever you have a synchronized directory, synchronized identities, you have to have a source of authority. When you take your on-premises AD and you sync those objects into Azure AD through Azure AD Connect, your source of authority is on-premises. What that means is that the attributes of those objects that are synced have to be changed at the source of authority. They can't be changed in Azure AD; they have to be changed in on-premises AD and then sync into Azure AD.
Here's a quick table for managing users in a directory-synchronized organization. So on-premises, if you delete an object, guess what? It's gonna be removed from Azure AD. Again, source of authority. It's no longer there, so when Azure AD Connect syncs, there's a change up in Azure AD that says, hey, this is gone, I don't know what it is, and the object is put in that soft-deleted state. When you create an object on-premises, it's gonna be added and synchronized into Azure AD.
Again, with all of this, if you have complex filter rules or other filtering policies set up within Azure AD Connect, these results may vary. For a straightforward environment, this is the action and the result in Azure AD.
If you update object attributes on-premises, they're also updated in Azure AD, if the object is within the sync scope. If you update group membership, the object's membership is updated in Azure AD. Again, source of authority: something changes on-prem, and if it's within the sync scope of Azure AD Connect, it's going to take those changes, flag them as a change, and then upload and update the object in Azure AD. That's the whole point of synchronization.
Azure AD Connect also has writeback options, where it goes the opposite direction. So instead of just on-prem to Azure AD, you can actually write stuff back from Azure AD to on-prem. There's a few different options with it.
The first option is password. It allows password resets in Azure AD to be written back to on-prem in real time. This is a requirement for SSPR.
Option two is groups: Unified Groups, which is the group conglomerate that is part distribution list, part shared mailbox. It has a group calendar, a SharePoint site, OneDrive, and a Teams channel associated with it. Those are unified groups; we talked about them previously. They're written back to on-prem AD with Exchange. The reason for that: if you're running a hybrid mail environment and those unified groups didn't get written back on-prem, and you have mailboxes and users still on-prem, they would never be able to communicate with those groups.
The third option is device. This enables Windows Hello for Business with hybrid certificate trust, and it enables conditional-access-based policies for devices with AD FS 2012 R2 and up. So what this allows: you can have an on-premises AD FS environment, and you can actually utilize that environment to do conditional-access device trust within applications that are secured in Azure AD.
When we set up Azure AD Connect, there are some security groups that are automatically created as a result, for fine-grained delegation.
ADSyncAdmins: members of this group can edit sync rules and the Azure AD Connect configuration. So think of ADSyncAdmins as, yeah, your global administrators of that whole Azure AD Connect.
ADSyncOperators: access to the operations of Azure AD Connect and the Synchronization Service Manager. Again, you can kind of see what's going on; you can do advanced troubleshooting as an operator, but you cannot change configuration.
ADSyncBrowse: you just gather information about users when you reset passwords.
ADSyncPasswordSet: this lets you perform all password management interface operations.
The last two, in certain environments, you may assign to other users. The first two are used a lot more commonly. If you have an identity and access manager, chances are they're gonna be well involved with your Azure AD Connect setup, so they're probably an admin. If they have somebody on their team, maybe a junior member, that person may be an operator. They can see everything and troubleshoot, but they can't make configuration changes themselves.
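Here's an added example of how you could review who actually holds each of those four delegations on the Azure AD Connect server. This is my own script, not Cybrary's or Microsoft's, and it assumes it runs as a local administrator on an Azure AD Connect server installed on a member server, where the groups are local groups (on a domain controller install they are domain groups instead, and you would use Get-ADGroupMember from the ActiveDirectory module). The flag logic that marks individual user accounts in ADSyncAdmins is my own convention for the review.

```powershell
# Added example, not Cybrary's or Microsoft's code.
# Assumption: local group install of Azure AD Connect (member server), run as local admin.

# The four groups Azure AD Connect creates, with the delegation each one grants.
$adSyncGroups = @(
    @{ Name = 'ADSyncAdmins';      Role = 'Edit sync rules and Azure AD Connect configuration' }
    @{ Name = 'ADSyncOperators';   Role = 'Operations and Synchronization Service Manager, no config changes' }
    @{ Name = 'ADSyncBrowse';      Role = 'Gather information about users when resetting passwords' }
    @{ Name = 'ADSyncPasswordSet'; Role = 'Password management interface operations' }
)

function Get-ADSyncDelegation {
    # Returns one object per member per group so the result can be exported
    # to CSV as part of the documentation the lesson recommends.
    foreach ($g in $adSyncGroups) {
        try {
            $members = Get-LocalGroupMember -Group $g.Name -ErrorAction Stop
        } catch {
            Write-Warning "Group $($g.Name) not found or not readable: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g.Name
                Role        = $g.Role
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
                # A direct user account in ADSyncAdmins is worth a second look:
                # that person can change sync rules and filters for the whole tenant.
                Review      = ($g.Name -eq 'ADSyncAdmins' -and $m.ObjectClass -eq 'User')
            }
        }
    }
}

$delegation = Get-ADSyncDelegation
$delegation | Format-Table Group, Member, ObjectClass, Source, Review -AutoSize

# Keep a dated copy next to your filter documentation (path is a placeholder).
$delegation | Export-Csv -Path "C:\Temp\ADSyncDelegation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it after every staffing change on the identity team; the Review column is just a prompt to confirm that the junior members you meant to make operators did not end up in ADSyncAdmins.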
Here are some real-world tips for working with Azure AD Connect.
Enable the Recycle Bin on your on-premises AD. If you don't have the on-premises Recycle Bin feature for Active Directory enabled, please stop the video right now. There's a pause button, maybe in the corner somewhere; just hit pause and go do that. After you do that, please write a thank-you note to Cybrary for saving your job, because there will be a day where the Recycle Bin will save your job, and then you can come back and import. So hopefully that's not you, but if it is, go do it now.
You want to document all of your filters used by Azure AD Connect. There's nothing worse than when you have a big environment, you have new people on the team, maybe you have an assistant admin, and they come in and there's all of this spaghetti code everywhere, all of these filters that were just set up by magic, right? All sync managers need to understand how the attribute, OU and other filters will affect object changes in Azure AD. You don't wanna have them undocumented. Somebody makes a change and then realizes, oh, I just unsynced our whole entire executive team's accounts.
Create filters to detect duplicates on attributes that have to be unique. Again, this goes along with the whole IdFix idea. Run your IdFix tools; this shouldn't be an issue.
Utilize Azure AD Connect Health and set up email alerts. You already have it, right? It's another layer of alerts. It's another check on your on-prem environment as well as your Azure AD environment.
If your source domain controller is having replication issues, change your source. You should be in an environment where you have more than one domain controller. See the first tip here: if you only have one domain controller, you may want to stop the video and go back and install another domain controller to have some redundancy and some failover, something that will save your job one day. Multiple DCs. If the DC is having issues, change your Azure AD Connect to use a different DC as its source.
Here's how we can actually troubleshoot some directory synchronization issues.
Easy: deactivate and reactivate. That is, set up an OU that's filtered out, move the object into that OU, run the sync, check in Azure AD that the object is no longer there, then take that original object out of that OU back into an OU that's synced, and sync it back into Azure AD. Sometimes that solves issues. That's the equivalent of "have you tried turning it off and back on again."
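Here's that "off and on again" move as an added runbook of my own; it's not Cybrary's or Microsoft's code. It assumes the ActiveDirectory and ADSync modules are available on the Azure AD Connect server, that the OU in $unsyncedOu is already excluded by your Azure AD Connect domain/OU filtering, and that the account name and OU paths are placeholders for your own.

```powershell
# Added example, not Cybrary's or Microsoft's code.
# Assumptions: ActiveDirectory + ADSync modules present; $unsyncedOu is already
# filtered out of the Azure AD Connect sync scope; names below are placeholders.
Import-Module ActiveDirectory
Import-Module ADSync

$sam        = 'jdoe'                                  # placeholder user to "bounce"
$unsyncedOu = 'OU=NoSync,DC=contoso,DC=local'         # placeholder filtered-out OU

function Invoke-DeltaAndWait {
    # Kick off a delta cycle and block until the scheduler reports it finished.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 15                           # let the scheduler pick the request up
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

$user       = Get-ADUser -Identity $sam -Properties DistinguishedName
$originalOu = ($user.DistinguishedName -split ',', 2)[1]   # parent container of the object
Write-Host "Original OU: $originalOu"

# Step 1: move out of scope and sync. Azure AD should now show the user as
# deleted (it sits in the Azure AD recycle bin, soft-deleted, not purged).
Move-ADObject -Identity $user.DistinguishedName -TargetPath $unsyncedOu
Invoke-DeltaAndWait
Write-Host "Moved to $unsyncedOu and ran a delta sync."
Write-Host "Confirm the user appears under Deleted users in Azure AD before continuing."
Read-Host  "Press Enter once confirmed"

# Step 2: move back into scope and sync again. Azure AD Connect re-matches the
# object to the soft-deleted one and restores it.
$moved = Get-ADUser -Identity $sam
Move-ADObject -Identity $moved.DistinguishedName -TargetPath $originalOu
Invoke-DeltaAndWait
Write-Host "Moved back to $originalOu and ran a delta sync. Check the object in Azure AD."
```

The manual confirmation step is deliberate: if the first delta did not actually drop the object (for example, the OU you chose is still in scope), moving it back proves nothing, so check Azure AD in between rather than scripting both moves blind.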
View errors in the Microsoft 365 admin center. It will give you some explanation. It will say, hey, you know, this proxy address, you can't have duplicates. It will say, hey, this SMTP address isn't unique. It will tell you something.
You can also run the Directory Synchronization Troubleshooter. You can use the Synchronization Service Manager to troubleshoot password synchronization within Azure AD Connect. It will open up your Connect and look at your logs; it will give you errors. It will take the GUID and map it down to the object, and it will give you notifications in both directions, so you can see what part of the metaverse, what part of the process, the error is taking place in, so you know how to troubleshoot it better.
PowerShell, of course. Always use PowerShell; it's our friendly tool. To start a sync, you run Start-ADSyncSyncCycle. Then you have a switch, PolicyType, with two values: Delta and Initial. Delta only looks for new changes since the last synchronization; it's a quicker sync. However, if you've tried that and it's still not doing right, you can always do the Initial. Initial is a full synchronization of all objects, whether it thinks they've changed or not. Sometimes that's the issue in and of itself: I've made changes, however Azure AD Connect doesn't see that it has changed, so when it runs a Delta sync nothing updates. So you actually have to run a full Initial sync.
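Here's that Delta-then-Initial escalation as an added example of my own, not Cybrary's or Microsoft's code. It assumes the ADSync module on the Azure AD Connect server and an account in ADSyncAdmins or ADSyncOperators; the wait and timeout logic around the scheduler is my own addition.

```powershell
# Added example, not Cybrary's or Microsoft's code.
# Assumption: run on the Azure AD Connect server as an ADSyncAdmins/ADSyncOperators member.
Import-Module ADSync

function Wait-ADSyncCycle {
    param([int]$TimeoutSeconds = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    Start-Sleep -Seconds 15                               # give the scheduler a moment to start
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle still running after $TimeoutSeconds seconds" }
        Start-Sleep -Seconds 10
    }
}

function Invoke-ADSyncCycle {
    param([ValidateSet('Delta', 'Initial')][string]$PolicyType)
    # Starting a second cycle while one is running just errors out, so check first.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw "A sync cycle is already in progress; wait for it before starting another."
    }
    Write-Host "Starting $PolicyType sync at $(Get-Date -Format s)"
    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    Wait-ADSyncCycle
    Write-Host "$PolicyType sync finished at $(Get-Date -Format s)"
    # Any connector still reporting a run here is worth a look in Synchronization Service Manager.
    Get-ADSyncConnectorRunStatus
}

# Delta first: cheap, only picks up changes since the last cycle.
Invoke-ADSyncCycle -PolicyType Delta

# If Azure AD still shows the stale value, escalate to Initial, which
# re-evaluates every in-scope object instead of trusting the change log.
$answer = Read-Host "Did the change show up in Azure AD? (y/n)"
if ($answer -ne 'y') {
    Invoke-ADSyncCycle -PolicyType Initial
}
```

Treat Initial as the exception, not the routine: on a large directory it re-imports and re-exports everything, so run it during a quiet window and only after the Delta has genuinely failed to pick the change up.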
Which of the following is not a writeback option of Azure AD Connect: password, group, device, or policy? Survey says: policy is not a writeback option for Azure AD Connect.
So, to recap this lesson: on-premises Active Directory is the source of authority in an Azure AD Connect synced identity environment. Changes to objects are made on-premises and then sync into Azure AD. Please document any changes or configuration filters within your Azure AD Connect environment. Azure AD Connect creates sync security groups that you can utilize for troubleshooting and for delegation of sync operations.
So that's this video's lesson. Thank you for joining me, and I hope to see you next time. Thank you.