Sharon provides an overview of the Azure Active Directory Connect tool. She discusses the three options for installation, as well as the requirements for the tool and environment.
- [Instructor] Azure Active Directory Connect is the tool that we use to join our on-premise environment to Azure Active Directory. For those of you who have been working with Office 365, you may be familiar with the good old DirSync tool that we use for synchronizing accounts. You may have also been exposed to Azure Active Directory Sync. If you are still using either of these tools, you should be aware that both are now deprecated and support for these tools will end on April 13, 2017, and Microsoft highly recommends upgrading to Azure Active Directory Connect.
The Azure Active Directory Connect tool combines three services into one easy install package. First, we have Sync Services, which allows us to sync our users and groups and keep them synced. AD FS is also included within this tool. This is optional. You may not need to have a full AD FS implementation, but if you need it, the tool is there to help you build that. Finally, we have Health Connect, which monitors our on-premise to our Azure syncing.
We have three different modes in which we can synchronize from Azure Active Directory to our on-premise Active Directory. The first is just Directory Synchronization, or you may hear this referred to as pass-through authentication. In this model, users and groups are synchronized, but the passwords are not synchronized. Therefore, the users must maintain two separate logins. When a user needs to authenticate, the request is sent from Azure Active Directory through to the sync server, and then to the on-premise Active Directory.
Next, we have Directory Synchronization with passwords. Again, our users and groups are synchronized and the password hashes are stored in Azure Active Directory. This is a one-way sync from on-premise to Azure Active Directory unless you configure write-back, which is available in the premium SKUs only. If you do not have write-back enabled, if the user changes the password in the Cloud, then on the next sync, the password will be overwritten by the on-premise password.
And this sync occurs every two minutes. For both of these modes, you will require a Server 2012 R2 or above for the Azure Active Directory Connect, and this server must be a member server, it must have access to Azure Active Directory, and the on-premise UPN or user principal name must be the same as the Azure Active Directory username. This is why we go ahead and add in those custom domains into Azure Active Directory.
Finally, we have Directory Synchronization with single sign-on and AD FS. This type of deployment tends to be for larger or complex environments. If you use smart cards, or utilize third-party multifactor authentication, then you'll want to move into an AD FS scenario with Azure Active Directory. In this scenario, authentication is done via the on-premise AD FS server. Therefore, if your users cannot access that internal server, they will not be able to authenticate and use both internal and external resources.
In previous courses, you've heard me reference planning. This is a key example of planning. Directory synchronization requirements for AD FS will include a Server 2012 R2 or better for the Azure Active Directory Connect installation. You will need a 2012 R2 or better federation server, a Server 2012 R2 or better Web Application Server. You will require an SSL certificate. Microsoft recommends that your certificate is from a trusted third-party provider.
The Azure Active Directory Connect will, again, need access to Active Directory. The on-premise UPN must also be the same as the Azure Active Directory username. Finally, for the Azure Active Directory Connect requirements themselves: you will need to verify the domain. You do this in Azure Active Directory. The Forest functional level must be Server 2003 or above, and the AD schema version must be Server 2003 or above. Azure Active Directory Connect can only be installed on Windows Server.
You cannot install it on SBS, or small business server, or Essentials. A full GUI install is required and you'll have to ensure that DNS can resolve to both the on-premise environment as well as Azure Active Directory endpoints. As always, I recommend that you always check the Azure documentation for the most current requirements and to recap, you have three choices for synchronizing from Azure Active Directory to Server Active Directory. You can synchronize username and groups only, username, groups, and passwords, or you can do a full AD FS implementation.
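The requirements listed above (Windows Server 2012 R2 or later, full GUI install, not SBS or Essentials, a domain-joined member server, forest functional level and schema at 2003 or above, DNS resolution of both on-premise and Azure AD endpoints, and UPN suffixes that match a verified domain) can be checked before running the installer. The script below is an added example written for this page, not Microsoft's own prerequisite checker; it assumes the ActiveDirectory RSAT module is installed and that you pass your already-verified custom domains in `$VerifiedDomains` (the `contoso.com` default is a placeholder).

```powershell
# Added example: pre-installation checks for an Azure AD Connect server (not Microsoft's tool).
# Assumes the ActiveDirectory module is available; $VerifiedDomains is a placeholder list of the
# custom domains you have already verified in Azure AD (replace with your own).
param([string[]]$VerifiedDomains = @('contoso.com'))
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()
function Check($Name, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = $Detail })
}

# 1. OS: Windows Server (ProductType 1 = workstation), 2012 R2 (6.3) or later, full GUI, not SBS/Essentials
$os  = Get-CimInstance Win32_OperatingSystem
$ver = [version]$os.Version
Check 'Windows Server 2012 R2 or later' ($os.ProductType -ne 1 -and $ver -ge [version]'6.3') $os.Caption
Check 'Not SBS/Essentials' ($os.Caption -notmatch 'Small Business|Essentials') $os.Caption
$install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Check 'Full GUI install (not Server Core)' ($install -eq 'Server') $install

# 2. Domain-joined member server (DomainRole 3 = member server; 4 and 5 are domain controllers)
$cs = Get-CimInstance Win32_ComputerSystem
Check 'Domain-joined member server' ($cs.PartOfDomain -and $cs.DomainRole -eq 3) "DomainRole=$($cs.DomainRole)"

# 3. Forest functional level and schema version at least Windows Server 2003
#    (schema objectVersion 30 = Server 2003; higher numbers are newer schemas)
$forest = Get-ADForest
Check 'Forest functional level >= 2003' ($forest.ForestMode -notmatch '2000|Interim') $forest.ForestMode
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Check 'AD schema version >= 2003' ($schema.objectVersion -ge 30) "objectVersion=$($schema.objectVersion)"

# 4. DNS must resolve both the on-premise forest root and the Azure AD sign-in endpoint
foreach ($name in @($forest.RootDomain, 'login.microsoftonline.com')) {
    $resolved = $null -ne (Resolve-DnsName $name -ErrorAction SilentlyContinue)
    Check "DNS resolves $name" $resolved $name
}

# 5. Each enabled user's UPN suffix must be a domain verified in Azure AD, otherwise the
#    on-premise UPN cannot match the Azure AD username after synchronization
$badUpn = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { -not $_.UserPrincipalName -or
                   ($_.UserPrincipalName.Split('@')[1] -notin $VerifiedDomains) })
Check 'All enabled users have a verified UPN suffix' ($badUpn.Count -eq 0) "$($badUpn.Count) user(s) to fix"

$findings | Format-Table -AutoSize
$badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the intended Connect server; any row with `Pass` equal to `False` is a requirement to resolve before installation, and the trailing table lists the accounts whose UPN suffix must be corrected.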