Azure AD Sync Concepts
In this step we are going to sync our On-Prem/Cloud DC, AZDC01, with Azure AD. Azure AD Connect integrates your on-premises directories with Azure Active Directory, which lets you provide a common identity for your users across Office 365, Azure, and the SaaS applications integrated with Azure AD. A further benefit is that passwords reset in the cloud can be synced back to our on-premises DC (once password writeback is enabled).
Sync Services
This component is responsible for creating users, groups and other objects in the cloud. It is also responsible for making sure the identity information for your on-premises users and groups matches what is in the cloud.
Health Monitoring
Azure AD Connect Health provides robust monitoring of the sync service and runs health checks for it; see Azure Active Directory Connect Health.
AD FS Federation
This is an optional part of Azure AD Connect and can be used to configure a hybrid environment that uses an on-premises AD FS infrastructure. Organisations can use it to address complex deployments, such as domain-join SSO, enforcement of AD sign-in policy, and smart card or 3rd-party MFA.
Express Settings vs Custom Settings
Which to pick will vary according to your needs, so we need to understand the settings Azure AD Sync offers. Ideally, we want to start with the Express Settings, then customise the connection afterwards.
Express Settings
- If you have a single-forest AD, this is the recommended option to use.
- Users sign in with the same password, using password synchronisation.
- It is the default option and the one mostly used for commonly deployed scenarios.
Custom Settings
Downloading and Installing Azure AD Sync
In the previous blog post we created the DC and our Global Admin; now we are going to use the admin account to download Azure AD Connect and install it on our DC.
One default option we have to disable on our server is IE Enhanced Security Configuration, so that we can download content from the internet on the server.
Search for "AD Connect download", find the official Microsoft page, and download it. Install using the Express Settings. Log in with the Azure Global Admin you created (ie: [email protected]), then log in with the DC Administrator account (ie: yourdomain\admin). You should be presented with a message like the one below.
Verify Sync is Working
In Azure you can go to the Azure AD Connect admin pages to check your connection.
However, the best place to check the connection status is your Microsoft 365 Admin Center.
AD Sync Summary
Now that you have installed and enabled the sync from your On-Prem DC into Azure AD, the users, groups and other user properties will start to sync into Azure AD every 30 minutes.
Changes to the Azure AD sync interval are made with the Set-ADSyncScheduler PowerShell command.
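As an added example (not from the original post), the following PowerShell session shows how to inspect and adjust the scheduler, force a delta sync, and then verify from both the server and the cloud side that the last sync completed. It assumes it is run in an elevated session on the Azure AD Connect server and that the Microsoft Graph PowerShell module is installed for the cloud-side check.

```powershell
# Run on the Azure AD Connect server in an elevated PowerShell session.
# The ADSync module is installed together with Azure AD Connect.
Import-Module ADSync

# Show the current scheduler state: allowed and effective interval,
# whether the cycle is enabled, staging mode, and the next run time (UTC).
Get-ADSyncScheduler

# The scheduler runs every 30 minutes by default (AllowedSyncCycleInterval).
# The interval can be made longer, but not shorter than the allowed minimum.
Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00

# Pause scheduled syncs during maintenance and re-enable them afterwards,
# so a half-finished on-prem change is not pushed to the cloud mid-way.
Set-ADSyncScheduler -SyncCycleEnabled $false
# ... perform maintenance on the DC ...
Set-ADSyncScheduler -SyncCycleEnabled $true

# Push a change now instead of waiting for the next cycle.
# Delta syncs only what changed since the last run; Initial does a full sync.
Start-ADSyncSyncCycle -PolicyType Delta

# Server-side check: which connectors are currently running (empty = idle).
Get-ADSyncConnectorRunStatus

# Cloud-side check: when Azure AD last received a sync from on-prem.
# Requires the Microsoft.Graph.Identity.DirectoryManagement module.
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
```

If OnPremisesLastSyncDateTime does not move forward after a delta sync, look at the Synchronization Service Manager on the server before changing anything in the cloud.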
Passwords reset on-prem will also be pushed into Azure AD, but not the other way around until you enable the password writeback function. In our next blog post we are going to explore the Custom Settings of Azure AD Connect.
Resolving Issues During Installation
Below are some of the common issues you may encounter during the installation of Azure AD Sync.
Unable to validate credentials due to an unexpected error. Restart Azure AD Connect with the InteractiveAuth option to further diagnose this issue. (extendedMessage: An error occurred while sending the request. The remote name could not be resolved: 'login.microsoftonline.com'. WebException: The remote name could not be resolved: 'login.microsoftonline.com'. STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/YOURDOMAIN.CO.UK)
Unable to retrieve the Azure Active Directory configuration. Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException'
Azure Service Connectivity Failed, Unable to proceed
The on-premises synchronization service is not able to connect to Azure Active Directory. Updating the proxy settings for the ADSync service may resolve this issue.
The solution for all of the above is mostly linked to having MFA enabled on the account you are using to manage the AD Sync.
Make sure you don't have MFA enabled for the Global Admin account that will manage the AD Sync.
As a general best practice, you should make a dedicated in-cloud admin account just for Directory Sync.
Disable MFA (globally)
[AZURE] ▶ Azure Active Directory ▶ Properties ▶ Manage Security Defaults (set to Disabled) ▶ reason: my organization is using Conditional Access
Disable MFA (Per-user)
[AZURE] ▶ Users ▶ Per-user MFA (top panel)
Disable MFA for a user: Conditional Access Policy
We can make MFA apply under certain conditions. In this example we are going to create a policy that requires MFA for all cloud apps, and we are going to exclude Alex from its scope.
[AZURE] ▶ Azure Active Directory ▶ Security ▶ Conditional Access ▶ New policy ▶ Users ▶ Exclude (Alex@)
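The same policy, created with Microsoft Graph PowerShell rather than the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed; the UPN is a placeholder for the dedicated sync admin account recommended above, and the policy starts in report-only mode so it can be reviewed before it is enforced.

```powershell
# Scopes needed to read users and manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Resolve the account to exclude; CA policies reference users by object ID, not UPN.
# Placeholder UPN: replace with the dedicated in-cloud account used only for Directory Sync.
$syncAdmin = Get-MgUser -UserId "adsync-admin@yourdomain.example"

$policy = @{
    displayName   = "Require MFA for all cloud apps (exclude AD Connect account)"
    # Report-only first: sign-in logs show what the policy would do without blocking anyone.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($syncAdmin.Id)   # the one account the sync wizard signs in with
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review: list every policy that excludes users, so the exclusion stays limited
# to the single sync account and does not quietly grow over time.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.ExcludeUsers.Count -gt 0 } |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers'; e = { $_.Conditions.Users.ExcludeUsers -join ',' } }
```

Once the report-only sign-in logs look right, update the policy with state "enabled" via Update-MgIdentityConditionalAccessPolicy.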
Recommendations
It is not recommended to disable MFA through an Identity Protection policy; instead, it is best to do it through a Conditional Access policy. That way MFA will still be triggered automatically if the user's sign-in is at Medium or High risk.