Syncing Hybrid DC to Azure using Azure AD Connect Sync

Paulo Bazzo

Azure AD Sync Concepts

In this step we are going to sync our on-prem/cloud domain controller AZDC01 with Azure AD. Azure AD Connect integrates your on-premises directories with Azure Active Directory. This lets you provide a common identity for your users across Office 365, Azure, and SaaS applications integrated with Azure AD. It also allows passwords to be reset in the cloud and synced back to the on-premises DC.

Sync Services

This component is responsible for creating users, groups and other objects; it also makes sure that the identity information for your on-premises users and groups matches the cloud.

Health Monitoring

Azure AD Connect Health provides robust monitoring of the sync service; see Azure Active Directory Connect Health.

AD FS Federation

AD FS federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. Organisations can use it to address complex deployments, such as domain-join SSO, enforcement of AD sign-in policy, and smart card or third-party MFA.

Express Settings vs Custom Settings

This will vary according to your needs, so we need to understand the settings Azure AD Sync offers. Ideally, we start with the Express Settings and customise the connection afterwards.

Express Settings

  • If you have a single-forest AD, this is the recommended option to use
  • Users sign in with the same password using password synchronisation
  • It is the default option and the one most used for common deployment scenarios

Custom Settings

  • Used when you have multiple forests. Supports many on-premises topologies
  • Customise the sign-in option, such as AD FS for federation or a third-party identity provider
  • Customise synchronisation features, such as filtering and writeback

Downloading and Installing Azure AD Connect Sync

In the previous blog we created the DC and our Global Admin; now we are going to use that admin account to download the DC Sync installer and install it on our DC.

A default option we have to disable on our server is IE Enhanced Security Configuration, so we can download content from the internet on the server.

  • Search for AD Connect Download, find the official Microsoft page, and download it.
  • Install using the Express Settings.
  • Log in with the Azure Global Admin account you created.
  • Then log in with the DC Administrator account, e.g. yourdomain\admin.
  • You should be presented with a confirmation message like the one below.

Verify Sync is Working

In Azure you can go into the Azure Sync admin pages to check your connection.

However, the best place to check the connection status is your Microsoft 365 Admin Center.

AD Sync Summary

Now that you have installed and enabled the sync from your on-prem DC into Azure AD, the users, groups and other user properties will start to sync into Azure AD every 30 minutes.

Changes to the Azure AD sync interval are made with the Set-ADSyncScheduler PowerShell command.
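Checking the scheduler and forcing a delta sync, as an added example that is not part of the original post. It assumes you run it in an elevated PowerShell session on the server where Azure AD Connect is installed (the ADSync module ships with it); the 2-hour interval is only an illustration.

```powershell
# Added example (not from the original post): inspect the Azure AD Connect scheduler,
# optionally change the interval, and push pending on-prem changes without waiting.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# The effective interval is never shorter than the tenant-wide allowed minimum (30 min).
"Sync cycle enabled : $($scheduler.SyncCycleEnabled)"
"Allowed interval   : $($scheduler.AllowedSyncCycleInterval)"
"Effective interval : $($scheduler.CurrentlyEffectiveSyncCycleInterval)"
"Next cycle (UTC)   : $($scheduler.NextSyncCycleStartTimeInUTC) ($($scheduler.NextSyncCyclePolicyType))"
"Staging mode       : $($scheduler.StagingModeEnabled)"

if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Scheduler is disabled: no changes will reach Azure AD until it is re-enabled."
}
if ($scheduler.StagingModeEnabled) {
    Write-Warning "Server is in staging mode: it imports but does not export to Azure AD."
}

# Illustration only: raise the interval to 2 hours (any value below the allowed minimum is rejected).
Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00

# Push new users, group changes and on-prem password resets now instead of at the next cycle.
if (-not $scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Use `-PolicyType Initial` instead of `Delta` only after configuration changes such as new filtering rules, since it re-imports every object.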


Passwords reset on-prem will also be pushed into Azure AD, but not the other way around until you enable the Writeback function. In our next blog we are going to explore the Custom Settings of Azure AD Connect.

Resolving Issues During Installation

Below are some of the common issues you may encounter during the installation of Azure AD Sync.

Unable to validate credentials due to an unexpected error. Restart Azure AD Connect with the /InteractiveAuth option to further diagnose this issue. (extendedMessage: An error occurred while sending the request. The remote name could not be resolved: 'login.microsoftonline.com' WebException: The remote name could not be resolved: 'login.microsoftonline.com' STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/YOURDOMAIN.CO.UK)


Unable to retrieve the Azure Active Directory configuration. Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException'


Azure Service Connectivity Failed, Unable to proceed

The on-premises synchronization service is not able to connect to Azure Active Directory. Updating the proxy settings for the ADSync service may resolve this issue.


The solution for all of the above is mostly linked to having MFA enabled on the account you are using to manage the AD Sync. Make sure you don't have MFA enabled for the Global Admin account that will manage the AD Sync.

As a general best practice, you should create a dedicated in-cloud admin account used only for Directory Sync.

Disable MFA (globally)

[AZURE] ▶ Azure Active Directory ▶ Properties ▶ Manage Security Defaults (set to Disabled) ▶ My company uses Conditional Access

Disable MFA (per-user)

[AZURE] ▶ Users ▶ Per-user MFA (top panel)

Disable MFA for a user: Conditional Access Policy

We can make MFA apply under certain conditions. In this example we are going to create a policy that requires MFA for all cloud apps, and exclude Alex from its scope.

[AZURE] ▶ Azure Active Directory ▶ Security ▶ CAP (Conditional Access Policy) ▶ Users ▶ Exclude (Alex@)
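The same policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and uses a placeholder UPN for Alex; the policy is created in report-only mode so you can confirm in the sign-in logs that only the intended account is excluded before enforcing it.

```powershell
# Added example (not from the original post): "Require MFA for all cloud apps" with a single
# excluded user, created via Microsoft Graph instead of the portal click path above.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholder UPN for the excluded account (ideally the dedicated Directory Sync admin).
$excludedUpn = "alex@yourdomain.co.uk"
$excludedId  = (Get-MgUser -UserId $excludedUpn).Id

$policy = @{
    displayName = "Require MFA for all cloud apps (sync admin excluded)"
    # Report-only first: evaluates and logs the result without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($excludedId)   # exclude one object ID, not an admin group
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Once the report-only results look right, switch the policy to `enabled` with Update-MgIdentityConditionalAccessPolicy.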

Recommendations

It is not recommended to disable MFA through the Identity Protection policy; instead it is best to do it through a Conditional Access Policy. This way MFA will still be triggered automatically if the user is at Medium or High risk.

Sources

Learn Cloud UrTech