Understanding Azure AD Hybrid Join

Captions
Hi everyone. In this video I want to talk about Azure AD hybrid join. It's something I've mentioned in quite a lot of my videos, but I've never really gone into exactly what it means and what some of the mechanisms are behind it that make it work.

Now, if we think about the different states we can have for devices, we always think of Active Directory Domain Services joined machines. So obviously we have our Active Directory Domain Services, which speaks things like Kerberos and NTLM, and remember that is really made real by the fact that we have domain controllers. We have these domain controllers that actually provide the services, the tickets; I'm going to have DNS servers as well for the lookup records. This is what makes Active Directory actually real. And then within this directory, hey, I have user accounts, I have groups, and then machines will join the Active Directory. So in this case I'm going to use this kind of symbol for a server. When this does a join, well, it gets an object in the Active Directory as well, so it has its object, and then it can get its own tokens as a device from the Active Directory. I can get things like Group Policy and all of those other types of services that are linked into the Active Directory. So we're used to this idea.

And then in this cloud world, well, now we also have this idea of Azure AD. If this speaks Kerberos and NTLM and LDAP, this is all about speaking cloud protocols: OpenID Connect, OAuth 2, SAML, and it can even do a little bit of Kerberos now as well. And once again we can have users up here. Now I might create the users exclusively as cloud only, so actually create them in the Azure AD, but what's actually a lot more common is we use Azure AD Connect. Now this could be the Azure AD Connect where I run the engine in a Windows Server VM, which then actually synchronizes; really, that way is most of the synchronization. Or remember there's Azure AD Connect cloud sync, where the engine now actually runs in the Azure cloud and I just have a few lightweight agents to facilitate that communication. But what I'm commonly going to do here is, with Azure AD Connect, hey, I'm going to synchronize, for now we'll say, the user objects. So, hey, a user here also has a user up here that I can go and authenticate with. Fantastic.

I can then have machines that join that Azure AD, and we commonly think of a lot of these as desktops. So now I'm going to have this machine do an Azure AD join. Now that's different from registering with Azure AD, where it's more my personal device that, hey, I need it to be known by Azure AD, and it will still create a device object up here, but it's not going to authenticate directly with Azure AD accounts. It's known if I do a registration, so I can get certain management of applications, I can get certain things. But join is more used for corporate devices, corporate owned, where now I want to actually authenticate to these machines using actual Azure AD credentials. And when I do the join, once again it's going to go and create device objects in the Azure Active Directory. And obviously once I've done this, when I do the join, I go and authenticate, I get a primary refresh token, and I can now authenticate to all of the different services that trust the Azure AD: obviously Office applications, but also any third-party SaaS solution I've integrated with the Azure AD.

But something that's super important here: even if I only do Azure AD join, if it happens that my machine is actually sitting on a network (could be a VPN, even) that has, and this is a key point, if I have, let's do a different color, if I have line of sight, so I have IP communications to domain controllers, I have DNS such that when I go and look up different types of service record it resolves, even though I'm only Azure AD joined, as long as I have line of sight to domain controllers, because Azure AD Connect is actually synchronizing certain objects, my sAMAccountName, my UPN, my domain name, well, they are all told to my device. So my Local Security Authority, the LSA on this device, if need be, can communicate to domain controllers and actually get tokens. So I can get given tokens and I can talk things like Kerberos and NTLM with those domain controllers, even though I'm only Azure AD joined. So don't think, "okay, well, there are times I need user Kerberos, user NTLM tokens for my on-prem domain controllers, okay, I'm going to have to AD join them." That is not the case.

And we can actually see this if I jump over super quickly over here to my base machine that I'm connected to this VM from. So if I look at this box, what I can see is I am Azure AD joined; I am not domain joined in any way. However, if I do klist, I have tokens. You can see one of them is that Kerberos ticket-granting ticket that I actually got from a domain controller, and I can also see I have an SMB token, so I can actually go and communicate to the SYSVOL. And that's all I tried to do; literally the command I ran to make these tokens appear was connect to the SYSVOL. And so this machine, although it's only Azure AD joined, still has the ability to go and actually get the correct tickets. So that's really a key point around this: I don't have to AD join just because I want user Kerberos or NTLM. Now, if I needed the machine to get a Kerberos ticket, then yes, I need to AD join it. So there are scenarios where that's required, but not just because I need users to get those.

Okay, now hybrid. So the hybrid scenario is, well, they're going to join the Active Directory. Now once again this could be servers; it could be desktops as well. Now once again for desktops we really do try and push it more to the Azure AD join, but as I've talked about, there might be scenarios where I need them to get maybe machine-level tokens. So what we're going to do is these machines absolutely join our Active Directory, but what's going to happen in the hybrid scenario is we do configuration in Azure AD Connect. And as part of that configuration of Azure AD Connect, and we can see that super quickly, so if we jump back over and look at this, it's now going to go and look at my directory sync box, and I've got Azure AD Connect. So the synchronization has been paused. We're going to look at our "Configure device options" right here, and notice the one we're focused on is this hybrid Azure AD join. Now I've already configured this, but all we're really going to do is I have to authenticate with my Azure AD and then I'll tell it what my device options are, what it is I want to do. So I want to configure the hybrid Azure AD join scenario, and then I tell it which devices. So the focus here is typically going to be the modern devices, Windows 10 or above, Windows Server 2016 or above. You can enable it for down-level, my Windows 8.1, my Windows 7. It's a little bit of a different mechanism that's going to work behind the scenes in terms of the seamless access; it's going to use single sign-on or federation to get the tokens. But the key point is it's going to configure this service connection point, and what the service connection point is going to do is it's going to tell my machines, when they talk to Active Directory, "well, this is actually the Azure AD I want you to go and register with as well." And if you want it to set it up for you, you just give it an Enterprise Admin and it will go and create the object for you in your Active Directory.

If I go and look at my Active Directory, I'm in ADSI Edit, so I'm looking at the Configuration partition. Remember Configuration is forest-wide; it's not per domain. And then just Services, Device Registration Configuration, then this special GUID, and then if I look at that GUID there's really two properties I care about, and we can see here: the objectCategory is a serviceConnectionPoint, and then it's telling me the keywords, the Azure AD name. And so this is giving it instructions, so when the machines go and, hey, I authenticate to AD, I know what's going on, it tells me to also go and register with this particular Azure AD.

So now what's happened is we have created this service connection point that references that Azure AD. So now Azure AD Connect will also synchronize the devices, so it's not just the users; it's also going to go and synchronize device objects that it knows about. Now it will not do this for domain controllers; domain controllers are not supported for hybrid. But for my other machines it's going to send those over, so now those, hey, are existing up here as well. These machines will then go and register with Azure Active Directory, and now what will happen is, when I authenticate on these machines, yes, I get my regular, for example, ticket-granting ticket and other things from my Active Directory, but I also get a primary refresh token from Azure AD on these machines. Now when I talk about them getting a primary refresh token, that's going to be for the modern devices, so that Windows 10 and above, the Windows Server 2016 and above. For the old, so if I'm thinking of the down-level, then they have to use seamless sign-on or federation for the Azure AD seamless authentication. But for this modern, hey, again we're talking that 10 plus, 2016 plus, they will actually go and get a primary refresh token from the Azure Active Directory.

And once again we can see that. So if I jump over to here, if I go back to this machine, which is actually my Azure AD Connect box, if I just run dsregcmd /status and we scroll up to the top as usual, we'll see that, hey, yeah, look, I'm domain joined, but I am also, it considers it as AD joined, it's Azure AD joined. And then if I go and look down, it's got the different tenant details. Even though its specific state is its Active Directory join, that's what it is configured as; it's a Windows Server, I think it's 2019 or 2022, it is joined to Active Directory. But because I've turned that on in Azure AD Connect, it also registered with Azure AD, and you'll see, sure enough, I've got an Azure AD primary refresh token as well, and obviously I would have the various Kerberos tokens because I am AD joined.

And the benefit here is now in terms of my devices: what if I was to just look, for example, at my general devices, or devices? Well, I'll see them all, and there's this machine specifically right here. There it is; it's showing up. I can see it's hybrid, and there's different columns you can add to this, but you'll see this registered. If it says "pending" in here, pending means that Azure AD Connect synced the record but the machine has not yet gone and registered itself. What you want to see is this registered time completed. That means the device has actually gone and registered and that hybrid is now complete. So that's really what I'll be looking for.

And that's, I mean, that's Azure AD hybrid join. It's the idea that, hey, my machines, they're AD joined, but they're also Azure AD registered. So for those modern machines, Windows 10 and above, Windows Server 2016 and above, not domain controllers, I'll also get a primary refresh token. So when I'm using that device I'll get seamless access to both AD-trusting and Azure AD-trusting services, completely seamless. Again, I can enable down-level, but that can't get a primary refresh token from Azure AD; it's going to use seamless sign-on, which is still a great user experience, or maybe I'm using federation. But it's really easy to get set up. Now this is in a managed domain where it's a one-to-one. If I have maybe multiple Azure AD tenants, then there are some different things I have to do about making the machines know which tenant to go and register with, and the documentation goes through all of that. But this is it. Once again, if I can get away with just doing Azure AD join, really for your desktops, I want to do that, and as I showed, it doesn't mean I can't access things that trust the Active Directory. If I'm on, maybe I bring my machine into work or I'm VPNed in, I can still get tokens and use, in a user-token-specific way, these services. But, hey, I can also do that hybrid join if I do need maybe machine tokens or other scenarios.

I hope that was useful. I mean, it really is powerful. My last video was Windows LAPS, so now I can have that Azure AD managed for my servers, even from Azure AD, in this hybrid world. Once I'm hybrid, I can start maybe transitioning, especially for my desktops, from Group Policy objects to more MDM and Intune and things like that. Till next video, take care.
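The two checks John walks through by hand (reading the service connection point in ADSI Edit, and reading the join state and PRT out of `dsregcmd /status`) can be scripted. The PowerShell below is an added example written for this page, not code from the video or from Microsoft. It assumes the ActiveDirectory RSAT module is installed, that it runs as a domain user on a Windows 10/Server 2016 or later machine, and that the SCP keywords use the `azureADName:` / `azureADId:` prefixes that Azure AD Connect writes. The function and variable names are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the video). Reads the hybrid-join SCP from the forest
# Configuration partition and the local device state from dsregcmd /status,
# then cross-checks that the device registered with the tenant the SCP names.

function Get-HybridJoinScp {
    # The SCP sits under CN=Device Registration Configuration,CN=Services in the
    # Configuration naming context (forest-wide, not per domain), as seen in ADSI Edit.
    # Searching by objectClass avoids hard-coding the GUID-named container.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $scp = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
            -SearchBase $searchBase -SearchScope Subtree -Properties keywords -ErrorAction Stop |
            Select-Object -First 1
    } catch {
        return $null   # container missing: hybrid join has not been configured
    }
    if (-not $scp) { return $null }

    # keywords holds values such as 'azureADName:contoso.com' and 'azureADId:<tenant GUID>'
    $kw = @{}
    foreach ($entry in $scp.keywords) {
        $name, $value = $entry -split ':', 2
        $kw[$name] = $value
    }
    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        AzureADName       = $kw['azureADName']
        AzureADId         = $kw['azureADId']
    }
}

function ConvertFrom-DsregcmdStatus {
    # Turns the 'Key : Value' lines of dsregcmd /status into a hashtable.
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinState {
    param([hashtable]$Status = (ConvertFrom-DsregcmdStatus))
    $domainJoined  = $Status['DomainJoined']  -eq 'YES'
    $azureAdJoined = $Status['AzureAdJoined'] -eq 'YES'
    if     ($domainJoined -and $azureAdJoined) { $kind = 'Hybrid Azure AD joined' }
    elseif ($azureAdJoined)                    { $kind = 'Azure AD joined' }
    elseif ($domainJoined)                     { $kind = 'Domain joined only' }
    else                                       { $kind = 'Not joined' }
    [pscustomobject]@{
        Kind       = $kind
        DomainName = $Status['DomainName']
        TenantName = $Status['TenantName']
        TenantId   = $Status['TenantId']
        HasPrt     = ($Status['AzureAdPrt'] -eq 'YES')   # primary refresh token present
    }
}

$scp   = Get-HybridJoinScp
$state = Get-DeviceJoinState
$scp   | Format-List
$state | Format-List

if (-not $scp) {
    Write-Warning 'No service connection point found: devices have nothing telling them which tenant to register with.'
} elseif ($state.TenantId -and ($scp.AzureADId -ne $state.TenantId)) {
    Write-Warning "Device registered with tenant $($state.TenantId) but the SCP points at $($scp.AzureADId)."
}
if ($state.Kind -eq 'Hybrid Azure AD joined' -and -not $state.HasPrt) {
    Write-Warning 'Hybrid joined but no PRT yet: registration may still show as pending on the Azure AD device object.'
}
# As in the video, the user's Kerberos tickets are independent of the join kind:
klist
```

Run it from an elevated prompt on the machine you are checking. A tenant-ID mismatch between the SCP and `dsregcmd` is the multi-tenant situation John mentions at the end, where the machine needs to be told explicitly which tenant to register with; "hybrid joined but no PRT" matches the "pending" column in the Azure AD devices blade.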
Info
Channel: John Savill's Technical Training
Views: 19,625
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, identity
Id: Q15ZXyvzQfs
Length: 16min 35sec (995 seconds)
Published: Wed May 03 2023