Azure AD - #2 - AzureAD Connect

Captions
I'm Dean Cefola and this is the Azure Academy. Thanks for joining us again at the Azure Academy, and we are continuing our series on Azure Active Directory. If you haven't done so already, please do click on that subscribe button and join us here at the Azure Academy, as well as leave us some comments below on any questions you have or what you'd like to see in a video in the future.

So today we're going to be discussing hybrid identity, and this is where we can bring in identities to the cloud from other places, most notably on-premise, but also from other Azure Active Directory tenants or identity environments. For example, you can see here in the top right I'm logged in as my Microsoft identity into the Microsoft directory. So if I go to Azure Active Directory here on the left, we can see that I'm logged into the Microsoft directory. From here I can switch directories, but also that same functionality you can find under the user ID; there's a switch directories button there, as well as a dedicated button for it at the top. Under my all directories you can see every directory that my user account has access to, and that's currently Microsoft and the MS Azure Academy. So before I switch over, let me show you my current subscriptions. These are subscriptions that are within the Microsoft Azure Active Directory tenant that I have access to with this account. So when I go to switch directories and I switch to MS Azure Academy, it'll log me in here for the first time, and again I'm using the same credentials I was using before. And if I go to my Azure Active Directory over here on the left, we can see we're in the MS Azure Academy tenant. Now when I look at my subscriptions here under all services, there are no subscriptions that I have any access to with this identity underneath this Azure AD tenant. Now I can grant myself access into these subscriptions if I have permissions in Azure AD to do so. So if I go back to Azure AD and I look at users, we can see here that my user of my Microsoft account is here as a guest, and it is a source of external Azure Active Directory. So this user has membership in some other Azure AD tenant and now it's used here in my Azure AD tenant. When I click on this user, it's just like every other user in the environment: I can give it a directory role, it can be a group member, it can do all these kinds of things. And I've given it the role of global administrator, which means that this user now has full control over my Azure Active Directory. Now I'm doing this for demonstration purposes; you probably don't want outside people being given high-level access in your subscriptions. I'm just doing it to prove the point that you can do it. Also notice here under users that I do not have any users in this environment outside of my external Azure Active Directory account that is a guest, so all of my on-prem IDs are not here yet. We're gonna cover how to do that today as part of our discussion on Azure AD Connect.

So Azure AD Connect, as you can see here in the portal, is a tool that you can download which is going to synchronize your identities from on-prem typically, or could be your VMs running in another cloud or in another Azure subscription, and to have them sync into this tenant so then they can have access to stuff in this tenant, and then you can use and enable other features which we'll talk about in a few minutes. Where would you install Azure AD Connect? So first of all it does not have to be installed on a domain controller; it can be installed on any member server. With that said, it certainly will work on a domain controller, and because I have a small lab that's where I'm putting it today, but you can put it wherever it is that most fits your environment. The other thing here is the Azure AD Connect Health, and this tool is good for going through things like synchronization issues of particular services that you are syncing, if you're using AD FS and authorizing your Azure AD to work with it, as well as Azure AD Domain Services, and look at some of the syncing options here as well as some settings around the auto-update health and if you would allow Microsoft to see your tenant health data for troubleshooting purposes.

Let's go over to our documentation and we'll go under product, and on the left here we'll go down to identity, and then we'll go to Azure Active Directory, and in our main docs page we'll scroll down here to hybrid identity. So what is hybrid identity? Basically, where we can take identity from one place, Active Directory on-premise, synchronize it out to the cloud, utilize higher-level security features like doing password hash sync, pass-through authentication, password writeback, federation, single sign-on, user self-service for password reset; all those kinds of things are enabled through a tool like Azure AD Connect. And if we scroll down a little bit here we can see the common scenarios and recommendations for how you should configure your environment. So for example, if you wanted to use something like smart card authentication, you would have to use AD FS; however, you could do pass-through authentication and single sign-on using just Azure AD Connect.

So let's jump over to my environment here. The next thing we need to do is install the Azure AD Connect tool, and I've got that right here. So if I double-click this to install, and then we'll click run, and then I'll just minimize these other things so we have a clear window. All right, so on our first screen here we'll click I agree to the terms, assuming of course that you have read the license agreements and are okay with everything, and click continue. And now we come to the big question of IT: do we do express settings or custom settings? So the official word from the product group is that you should use express settings. Reasons for this are basically that it will set up your environment in the most typical way that we recommend customers set up their environment. This will do things like set up password hash sync as well as take your directory structure in its entirety, users and groups, and funnel them up to Azure Active Directory. That's certainly a good practice, and if you want to do that that's perfectly fine. I, however, am going to customize. So you can see we've got a couple options here: we can set a custom install location, and if you want that you just pick the particular directory, as well as if you have a separate existing SQL Server that you want to leverage (I do not in this case), if you have an existing service account that you want this to run as (which I do not), and then if you want to specify any custom sync groups (again I don't, because we're gonna do some of these things further down the install). So I'll just let the install go to its default and we'll hit install, and then it's going to be setting up an instance of SQL Server Express for our database.

Continuing with the installation, where we're talking about now the user sign-in experience. Several different options here; which one should we choose? Well, it really depends on your scenario. We can first of all not configure this at all; this is definitely not recommended. At the very minimum you should be using password hash sync. So what exactly is password hash sync? Basically, what we had a concept of way back in the beginning was where we would take passwords and synchronize them from on-prem to Azure. Security people didn't quite like this for understandable reasons; we don't want to sync passwords in the clear from one place to another. So instead what we do now is we sync the hash. So first thing is we get the MD5 hash of the user's password, and then we iterate that through SHA256 about a thousand times, and once we have that final hash we send that hash up to the cloud. So the password hash is what's synced, not the password itself. So when the password changes on-prem, it usually takes about two minutes or so before that sync has pushed up to the cloud. That's password hash sync, and at the very minimum password hash sync is what you should be using.

So the next one is pass-through authentication, and pass-through authentication works, instead of that authentication happening in the cloud, it will pass that request to Azure AD back to on-premise to a domain controller that will actually do a Win32 logon to validate your creds and get you logged into the environment so that you can do whatever you need to do. And the last two options here, for federation with AD FS or with PingFederate, are just two different methods of doing federation, and of course another thing that you can do with AD FS is also use domain hints, but that's something that we'll get into in our next video. And the final box here is for enabling single sign-on, and so we're definitely going to use that because it allows you, as the bubble tells us, to use the single logon to your corporate environment, whether that's on-prem, whether that's across an application in the cloud, and once you are, the rest of your authentications will just pass through and accept your credentials. So we're going to enable that because it makes our lives a little bit easier going forward, and we'll hit next.

Now we need a set of credentials where we can authenticate to the Azure AD environment, and now that we've authenticated with our global admin credentials, now we need to verify what domains we want to use. So in this case I've only got one domain in my forest, and that is msazureacademy.com, but if you have multiple domains in your forest here then you can pick any one of those. So I'll click add. Now we need to use either an existing AD account or create a new enterprise admin account for this. So I'm going to use an existing account, and I'm specifically using an existing account because I do not want to add another enterprise admin into my environment. So I'll hit OK, and now we've been validated here, so we can click next and it's going to review our schema. And there we go.

So now is where we get to choose what particular attribute of our users that we're going to focus on as we connect these two worlds together. In this case I'm going to just use the UPN, which is the login, you know, wvd@msazureacademy.com; that's your UPN. And if you don't like that you can pick any of the other attributes that are listed here, whatever works for you. I'm sticking with the UPN and we'll hit next. And now we get to the part where we're gonna filter or not filter what things we're gonna send across the wire through Azure AD Connect to our cloud directory. The default here, and this is what you'll get if you choose express as well, is to sync all domains and OUs. I'm gonna choose instead to do a specific sync, not on the entire tree but on the Corp OU and everything in it that I created already as part of this. So if you want to choose to do everything that's certainly fine, but you may get some things that you didn't really intend; for example, you would get all of the default groups and users that are in your environment. So if you want that, no problem, that's great, but if not then do a specific sync and just choose the particular OUs that you want. So hit next. Now we need to uniquely identify the users and tie them together from on-prem to the cloud, and we can do this by using what's called a source anchor. Now the source anchor is that single attribute that we're going to use to connect them, but you can also use any one of these other attributes that are listed here; you can see there's quite a lot of things here, so you can feel free to pick whatever attribute you want, or simply let Azure manage it, which is what I'm going to do. So we'll hit next. So this gives us the opportunity to create a single group that I want to use to push things out to Azure, although be aware that nested groups are not supported at this point. So I'm going to just choose to synchronize all users and devices, and that'll be everything under my Corp OU structure, and we'll click next.

And then we get to the optional features here. Now this part depends greatly on which license model you have. For my case I have basic here, and so I can do password hash sync, which we set up on another screen. I can also do password writeback, which means if I make a change to the password in Azure, that password change will be written back to my same user on-premise. These other features, you need a P1 or P2 license in order to be able to use these, or they're related to things around Exchange, which I just don't have in my environment at this time. All right, so we'll hit next. And now we need to, since we chose enabling single sign-on, enter our credentials for our environment, and this does need to be a domain admin account, and I'll hit OK and we're good to go. So we'll hit next, and now it's going to go through and configure our environment. Once this is done we can have the checkbox here to force a synchronization now; you can choose to not do this now and just do it again later on, as well as we can choose to enable staging mode. So the staging mode server is around high availability of Azure AD Connect, so I'm not going to enable that at this time, but we'll click install. All right, so everything has been set up here and we'll click exit.

And so now we have on the desktop Azure AD Connect, and if you click this it will not actually open the sync engine but rather the configuration tool, and then you can go through, click configure, and look at your current config. So we'll do that real quick, then you'll see all of the particulars around how you set it up. Now under the Start menu on the system, a new folder item for Azure AD Connect, and in here we've got Azure AD Connect itself, which is the same thing that we saw on the desktop, as well as the Synchronization Rules Editor, the Synchronization Service itself, and we'll open that. And this is where we can start to see the operations that go on behind the scenes to make things happen. So first thing you can see is that we have done a full import; that's what happens when we left that checkbox at the end of the installer. And we can also force this through PowerShell, and once you have installed the Azure AD Connect tool you will also have the sync module. So I'll go ahead and do an import on that, and now that that module has been imported, these two commands down here are how you can force synchronization. So this first one here is the initial, that would do the full import, and then the delta, which would do delta sync, so changes since the initial. So first thing I'll do is run a delta, and that was successful. So if we look back at the tool we'll see in a couple seconds that this will update, and then this walks through a particular progression here. So the first thing is the import, and then the synchronization, and then an export. So the import is where the Azure AD Connect tool gathers information from the domain environment that it's syncing with, and then after that is done it does a synchronization delta inside the metaverse, so it's parsing all of that information, and then it does the export, and that's what it sends out to Azure Active Directory. And then we can see down here we've got all of the things that it has communicated and sent out; so I've got 21, and these are all of my different users that I've got in here, and so we can click on any one of them and take a deeper look at what we've got. Now down on the bottom right is also where we would find any errors in synchronization if we came across them. And we'll look at connectors for a second, and the connector has to do with the environment that we're syncing with. Then I can look at the properties around this, look at the connections to the forest; I can change what I'm authenticating with here to my domain. So if we open the .onmicrosoft.com one we can see under connectivity here that we've got a specific user that has been set up in order to do this synchronization process.

So if we go back to the Azure portal, and this time I'll log in through the Azure portal app that I've got installed on this machine, and if we go to our users, we can see that first of all all of our users have synced from our environment and their source is our Windows Server AD, telling us that they have been synced from on-prem. But we have a special user here, and that is the On-Premises Directory Synchronization Service Account, and if we open that up we can see that there is our sync user that is being used from on-prem from Azure AD Connect to sync with the cloud, and that has a special directory role, and that is directory synchronization. And if we look at the description for that we can see all of the rights and rules that it has associated with it.

So I hope you've enjoyed looking at the Azure AD Connect tool and all of the varied options that it gives us, the biggest benefit being that it links the two different worlds together from on-prem to the cloud, and it enables us for other things going forward, things like password hash sync, user self-service, writeback, as well as other security features if you have other licensing like P1 or P2. So if you haven't done so already please do click on that subscribe button; it just lets us know that you're interested in our content and want to join the Azure Academy community, and while you're down there hit the notification bell so that you can get a notice when our videos come out, which is roughly once a week, and click on that thumbs up if you enjoyed this video today, and we'll see you in the next one. Happy learning!
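The video forces a sync from PowerShell with the module that the installer puts on the box and then watches the import, synchronization and export run through the Synchronization Service Manager. The script below is an added example for that step, written by the editor and not taken from the video or from Microsoft; it assumes it runs in an elevated PowerShell session on the Azure AD Connect server, uses the ADSync module's `Get-ADSyncScheduler`, `Start-ADSyncSyncCycle`, `Get-ADSyncConnectorRunStatus` and `Get-ADSyncConnector` cmdlets, and relies on the property names those cmdlets return as the editor recalls them (`SyncCycleInProgress`, `StagingModeEnabled`, `ConnectorName`, `RunState`). Before starting a cycle it reports the scheduler state, because a server in staging mode imports and synchronizes but never exports, and a disabled scheduler never syncs at all, which are the two states that most often explain "the sync ran but nothing reached Azure AD".

```powershell
# Added example (not from the video): inspect the Azure AD Connect scheduler, force a sync cycle,
# and wait for the connectors to go idle. Assumes an elevated session on the Azure AD Connect server.
Import-Module ADSync

function Show-ADSyncState {
    # Summarise the scheduler settings that decide whether an export to Azure AD can happen at all.
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled    = $s.SyncCycleEnabled
        StagingModeEnabled  = $s.StagingModeEnabled
        SyncCycleInProgress = $s.SyncCycleInProgress
        NextSyncCycleUtc    = $s.NextSyncCycleStartTimeInUTC
        EffectiveInterval   = $s.CurrentlyEffectiveSyncCycleInterval
    } | Format-List | Out-String | Write-Host

    if ($s.StagingModeEnabled) {
        Write-Warning 'Staging mode is enabled: this server imports and synchronizes but never exports to Azure AD.'
    }
    if (-not $s.SyncCycleEnabled) {
        Write-Warning 'The sync scheduler is disabled; re-enable it with Set-ADSyncScheduler -SyncCycleEnabled $true.'
    }
    return $s
}

function Invoke-ADSyncCycle {
    param(
        # Delta = changes since the last run (what the video runs); Initial = full import/sync/export.
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 600
    )

    $state = Show-ADSyncState
    if ($state.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; not starting another.'
        return
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType

    # Poll until no connector reports a run in progress, or give up after the timeout.
    # Property names (ConnectorName, RunState) are as the editor recalls the cmdlet's output.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $running = Get-ADSyncConnectorRunStatus
        foreach ($r in $running) {
            Write-Host ('  {0}: {1}' -f $r.ConnectorName, $r.RunState)
        }
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        Write-Warning "Sync cycle did not finish within $TimeoutSeconds seconds; check the Synchronization Service Manager for stuck runs."
    } else {
        Write-Host "Sync cycle ($PolicyType) completed; review the export step in the Synchronization Service Manager for errors."
    }
}

# The two connectors the video opens: the on-prem AD forest and the <tenant>.onmicrosoft.com one.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

Invoke-ADSyncCycle -PolicyType Delta
```

Run it as-is for the delta the video performs, or `Invoke-ADSyncCycle -PolicyType Initial` after changing OU filtering, since a filtering change needs a full import before the delta runs are meaningful again. The completion message does not mean the export succeeded; per-object export errors still show up in the Synchronization Service Manager, which is where the video points for them.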
Info
Channel: Azure Academy
Views: 61,946
Rating: 4.9660378 out of 5
Keywords: Azure AD Connect, azure ad connect, ad connect, ad connect azure, azure active directory connect step by step, Azure AD, azure ad, AzureAcademy, Microsoft Azure Academy, Azure Academy, The Azure Academy, Azure CAF, Cloud Adoption Framework, Azure, yt:cc=on, Azure Tips and Tricks, azure active directory authentication, Security, Azure training, azure active directory, Azure Tutorial, Microsoft, Microsoft Azure, microsoft azure, azure tutorial for beginners, Azure fundamentals
Id: NlQs38uLCmA
Length: 17min 41sec (1061 seconds)
Published: Sun Sep 08 2019