The previous chapter focused primarily on guest user accounts. We discussed how these guest users would be able to access and collaborate on resources with member users and how we would manage these users. In this chapter, we will bring together on-premises identities and allow them to create a seamless single identity with our Azure Active Directory (Azure AD) tenant. After completing this chapter, you will understand how to configure, manage, and troubleshoot connections between on-premises and cloud identity and access management (IAM) solutions.
In this chapter, we're going to cover the following main topics:
In this chapter, we will continue to explore configuring a tenant for use with Microsoft 365 and Azure. There will be exercises that will require access to Azure AD. If you have not yet created trial licenses for Microsoft 365, please follow the directions provided in Chapter 1, Preparing for your Microsoft Exam.
In order to be able to configure hybrid identities and synchronization in Azure AD and on-premises environments, you will need to have the Global Administrator or Hybrid Identity Administrator role within the Azure AD tenant and the Domain Enterprise Administrator role within the on-premises Windows AD tenant. We will explain more about the differences between these two directory services in this section.
Before we discuss the implementation of hybrid identities, it is important to understand what a hybrid identity is and why it is necessary. The following sections will provide this information.
The term hybrid identity is meant to signify that a company has users that use on-premises resources, and users that use cloud-native resources. Within this hybrid identity infrastructure, there is going to be an on-premises Windows AD domain controller that is used to manage the on-premises users, and Azure AD, which manages the cloud-native users, both members and guests. This infrastructure coincides with companies that use a hybrid cloud. Many companies have this Windows AD domain controller in place today. The next section will provide some understanding of what this means before we discuss how we can connect it to our Azure AD.
To review, Azure AD is Microsoft's cloud-based IAM solution. The role of Azure AD is to manage cloud identities for Microsoft and Azure resources, as well as other third-party cloud applications that utilize open source identity protocols, such as Security Assertion Markup Language (SAML) or Web Services Federation (WS-Federation). For users to access these cloud applications and services, they require their identity to be configured and recognized within the Azure AD tenant.
Many companies do not utilize only cloud-native applications and services, therefore they rely on an on-premises Windows AD to manage access to these applications. The next section will explain Windows AD and its role in a hybrid identity infrastructure.
Windows AD is the software that we are referencing. Within an on-premises infrastructure, we also refer to the role of domain controller and the overall solution of AD Domain Services (AD DS). AD DS is the legacy IAM solution for companies with on-premises infrastructure. The focus of the exam is not to have a deep-dive into Windows AD and AD DS, but it is important to understand how it compares to Azure AD as it pertains to users and groups. If you would like to understand more about AD DS, you can read more at this link: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview.
There are similarities and differences between AD DS and Azure AD. They both manage identities and access by assigning roles and authorizing access to users and groups; however, AD DS does this through an object-based structure. Within this object structure, there can be multiple organizational units (OUs) to which these objects belong. This creates a more hierarchical structure than the flat structure of Azure AD, but this difference creates challenges when wanting users and groups to access on-premises and cloud resources utilizing the same username and password. Additionally, creating duplicate entries in both AD DS and Azure AD will cause an issue with the management of users and groups.
To address this problem, Microsoft has Azure AD Connect as a solution to bring together AD DS and Azure AD. The next section will discuss how this works.
Since a company that is adopting the use of cloud resources has, in most cases, this on-premises identity infrastructure in place, we need to have a way to synchronize these identities to our cloud-based Azure AD. Azure AD Connect is a software solution that is installed within the on-premises infrastructure and configured to synchronize users and groups to Azure AD. Azure AD Connect simplifies the management of these users and groups by providing ways that an identity and access administrator can manage users in one interface and have the changes update in near real time.
Since there are structural differences in how AD DS and Azure AD are built, Azure AD Connect provides a conduit to create a consistent user and administrator experience with IAM.
There are some prerequisites and aspects that are out of scope within Azure AD Connect that you should understand. The installation prerequisites can be found at this link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites. When planning to implement Azure AD Connect, the following information should be understood and planned accordingly:
There are additional considerations in planning for AD DS and Azure AD synchronization with Azure AD Connect, but these will be covered within the use cases for each synchronization type.
There are three options when configuring Azure AD Connect for synchronization, outlined as follows:
Before we move into how to configure Azure AD Connect, let's take a closer look at each of these synchronization types and how they are used.
PHS is the easiest option to configure and is the default option that is within the Express setup. PHS maintains both the on-premises and cloud identities of users. This takes place through providing on-premises user identities to Azure AD, along with an encrypted hash of their passwords. This allows users to sign in to on-premises and cloud applications with the same authentication credentials.
PHS is a good option when a company has a single on-premises domain and is moving quickly to a cloud-native infrastructure. PHS is not for companies with complex authentication and password requirements within on-premises AD.
As previously stated, PHS maintains authentication credentials on-premises and in Azure AD. Therefore, PHS can have users authenticate to cloud applications through Azure AD while passing authentication responsibilities of on-premises applications to on-premises AD. The benefit here is that if a connection fails in Azure AD Connect between the on-premises AD DS and Azure AD, users are still able to authenticate to their cloud applications and remain partially productive. The following diagram provides a visual representation of how this workflow is handled. Additional information can be found at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs:
As the preceding diagram shows, a user can go to either Azure AD or on-premises AD to authenticate. Therefore, if the Azure AD Connect connection is down, users still have access to their cloud resources. This allows them to continue to work until the synchronization connection is restored. Now, let's look at PTA.
The next hybrid identity synchronization option that we will discuss is PTA. Unlike PHS, which allows user identities to be authenticated in either the on-premises AD or Azure AD, PTA requires all users to authenticate to the on-premises AD.
In this configuration, if the Azure AD Connect connection between Azure AD and the on-premises AD were to become disconnected, no users would be able to authenticate to on-premises or cloud resources. Therefore, it is important to actively monitor this connection and build resiliency in the architecture. The following diagram shows how PTA functions and how you can architect resiliency with redundancy in PTA agents and a backup domain controller:
There are some good reasons to utilize PTA. If a company requires authentication parameters and limits that only allow users to access resources during certain times, these rules can only be configured currently on an AD domain controller. With PTA, you can utilize modern authentication features with Azure AD, such as multi-factor authentication (MFA) and self-service password reset (SSPR). However, for SSPR, you will need to enable the Password writeback feature within Azure AD Connect. Additional information on PTA can be found at this link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta.
AD FS synchronization is the most complex of the three Azure AD Connect synchronization types. Unlike PHS and PTA, which can be installed directly on the on-premises domain controller in many cases, AD FS requires additional infrastructure in place to support the authentication process. Here is a diagram that shows the complexity of the infrastructure and the necessary components:
AD FS synchronization is utilized in complex AD infrastructures where there are multiple domains, and third-party MFA solutions or smart cards are utilized. For additional information on the configuration of AD FS synchronization, you can use this link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-management.
PHS and PTA are the more widely discussed of the three Azure AD Connect options. It is important to understand when each should be used within a hybrid identity architecture, as discussed in each of the corresponding sections.
Now, let's go through the initial steps of installing Azure AD Connect and connecting to Azure AD.
The first steps are to download and install Azure AD Connect in the on-premises infrastructure. This can be done on the on-premises AD domain controller server or on another member server that is joined to the domain. For our example, we will use the on-premises domain controller server to install Azure AD Connect. Follow these next steps:
The next sections will discuss the use cases for each and how to configure them with Azure AD and AD DS.
Now that we understand how PHS handles authentication and where we would use it, the next action is to go through the steps to configure it. Let's do this now, as follows:
After the installation completes, Azure AD Connect will be configured to synchronize users from on-premises AD to Azure AD, utilizing PHS. This configuration for Azure AD Connect is the least complex of the three options. The next sections will provide information about PTA and AD FS synchronization.
We will now go through the steps to configure PTA within Azure AD Connect, as follows:
Note
All of the synchronization types are available in this blade, including PHS. These steps would only be used with PHS if certain OUs were going to be synchronized with Azure AD.
The third and final synchronization type within hybrid identity infrastructures is AD FS. The customization of Azure AD Connect would be initiated within the customized fields within the Azure AD Connect wizard. However, AD FS requires additional federated proxy servers, as shown in Figure 6.3 earlier in this chapter.
The next section will discuss how to implement and manage SSO within a hybrid identity infrastructure.
Seamless SSO provides users with a consistent sign-on experience, whether they are accessing cloud applications or on-premises applications. Within a hybrid identity through Azure AD Connect, this is configured based on the synchronization settings. PHS provides this experience when the users are synchronized since the passwords from on-premises environment are synchronized as a hash to Azure AD. PTA requires Password writeback to be enabled in the Optional Features blade. For additional security, Password hash synchronization can also be enabled with PTA. Once these configurations are in place, users can authenticate to their applications on-premises and within Azure AD with the same username and password.
In addition, many third-party cloud applications are registered and available within the Azure AD application marketplace. These applications can also be configured to use Azure AD credentials for SSO. The more applications your company uses that can be configured for Azure AD authentication, the better the experience for users. Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO), will cover the registration of applications within Azure AD in detail.
The next section will discuss Azure AD Connect Health and how it can be used to monitor the hybrid identity connection created with Azure AD Connect.
Azure AD Connect Health is used as a monitoring and management tool for Azure AD Connect. Azure AD Connect Health provides a heartbeat from the on-premises installation of Azure AD Connect to Azure AD. The information that is reported in Azure AD Connect Health includes successful and unsuccessful synchronizations and can also alert you as the identity and access administrator of a lost connection between Azure AD Connect and Azure AD. Azure AD Connect Health is not installed by default when installing Azure AD Connect, so you will need to install this application. The following steps will take you through the process and will show you where to access Azure AD Connect Health:
Azure AD Connect Health is now connected and registered within Azure AD. You can now view the health status of the services and determine if any synchronization errors are taking place with the Azure AD Connect services configured in the infrastructure. The final section of this chapter will discuss how to find and troubleshoot errors with Azure AD Connect Health.
The final part of the implementation and management of a hybrid identity infrastructure is how to identify and troubleshoot errors. Azure AD Connect Health provides the platform and heartbeat that is used by Azure AD Connect to verify that the connection and synchronization between the on-premises AD and Azure AD are completing successfully. However, connections are lost and errors happen within every network infrastructure. Azure AD Connect Health can help provide information to troubleshoot and diagnose these synchronization errors.
In the previous section, Figure 6.34 and Figure 6.35 showed how to view the health of the sync services and AD DS. Above the sync services' health on the menu is where you can view sync service errors. Further down the menu, you will find the Troubleshoot section, as shown in the following screenshot:
Within the TROUBLESHOOTING + SUPPORT menu, the Troubleshoot blade provides some common problems that might arise and documentation on how to correct the issue. If this documentation does not help, you can use the New support request blade to open a support ticket with Microsoft.
Synchronization status can also be viewed on the Azure AD Connect installed on-premises server, which is the AD domain controller, as installed during the chapter exercise, by going to Synchronization Services Manager. This is shown in the following screenshot:
This section has shown you how to view and find steps to troubleshoot synchronization issues with Azure AD Connect.
In this chapter, we described how to configure, manage, and monitor hybrid identities utilizing Azure AD and on-premises AD DS. This included how to configure Azure AD Connect synchronization types, set up SSO, install Azure AD Connect Health, and monitor and troubleshoot synchronization status. The next chapter will discuss securing identities with MFA and providing SSPR for users and groups.
3.22.27.45