Learn how to set up the first step to using Azure AD—Azure AD Connect.
- [Instructor] So what we're going to do here is we're going to set up Azure AD Connect, which is that bridge that creates the hybrid identity between your on-premises Active Directory and Azure Active Directory. I've gone ahead and installed Azure Active Directory Connect, often known as AD Connect, on the machine that we're looking at. What's a little different than many things is that the installation process here doesn't actually configure it; it just puts the binaries on the system. So that's why we went ahead and skipped over that step. Once you complete the installation, there's a shortcut on the desktop called Azure AD Connect that's really going to take you through the setup process.
The first thing it's going to ask you is whether you want to use a custom setup or an express setup. Ordinarily I would recommend that whenever possible you use the express setup, because it keeps everything set to the defaults, there's a lot less work that you have to do and fewer choices that you have to make, and finally, that last bullet point in the list there is really important: enabling auto-upgrade. When you use an express setup, Azure AD Connect can actually take care of upgrading itself so that it's always up to date. Once you start customizing, there's a lot of scenarios where that's not possible anymore.
Now, that said, we're going to go ahead and do a custom setup here so we can talk about what the different choices that you might have to make are. The first thing it's going to ask is whether or not you want to use an existing SQL Server or you want to specify your own service account or groups that are going to be used. Ordinarily, typically the only choice that we would make here sometimes is using an existing SQL Server, and we do that when we're going to have Azure AD Connect synchronize enough objects that it would be too big for Azure AD Connect's database to be stored in Windows Internal Database.
There's not a hard and fast number for when that happens, but it's usually around 100,000 objects, give or take a little bit. And when you think about objects, it's not just users, but it's everything that gets synchronized. So users, groups, contacts, and so forth. For our installation, we're going to use the Windows Internal Database, so we're going to leave all the check boxes unchecked here. Okay, now that installation's complete, we get to make some real choices here. The first thing it's going to ask us is about which sign-in option, or we called them authentication options a little earlier, we're going to use.
All the different options that we talked about are here on the screen, and also that seamless single sign-on checkbox on the bottom enables single sign-on. We're going to go with password hash synchronization, so it's going to take our password hashes from Active Directory, re-hash them, and then copy them to Azure Active Directory, and we're going to enable seamless single sign-on so users don't get prompted again if they're on the network. Next, we're going to have to supply a set of global administrator credentials to Azure Active Directory. These credentials are only used during the wizard, so you don't have to worry about them being used as a service account or something like that.
Once you enter the credentials, it'll do a little bit of discovery to learn something about your Azure Active Directory, and then the next step is all about connecting to your existing on-premises Active Directory. By default, it pre-populates the forest that your Azure AD Connect server is joined to, and all you have to do is click Add Directory. The next thing it's going to ask is what credentials you want to use in order to connect. There are two options here. If you select Create a New AD Account, then you'll enter your Enterprise Admin credentials and Azure AD Connect will take care of creating a service account and giving it all the right permissions in Active Directory.
This is great because you don't have to do that heavy lifting. There are quite a few steps involved, but the downside is those credentials: the username might not match your naming convention for service accounts or some of your other policies. So your other option is to click Use an Existing AD Account, in which case you'll need to take care of setting up all your permissions yourself. We're going to take the easy option here.
Once you click OK, it goes ahead and adds that directory to the Configured Directories list on the bottom. Now, if you have multiple Active Directory forests, perhaps because you have different divisions in your company or mergers and acquisitions or something like that, you could fill in the next forest. In the forest box, click Add Directory, and repeat the process as many times as you need to. You can choose to only have one here, or you could have a few, or even dozens or hundreds. The wizard will take care of everything for you.
Once you click Next, it's going to ask, how do you want to sign into Azure Active Directory? If you remember, we talked about the user principal name or the UPN, and that's an attribute of the user's Active Directory account, that they only use to sign in to Azure Active Directory. The suffix of that, or the right side, the domain name, is a domain that you have to verify in Azure AD. There are a couple of steps that you take in order to do that verification, but what the wizard does here is it goes and finds all the unique UPN suffixes in your Active Directory, and lets you know whether or not they're verified in Azure AD.
Now, chances are, sometimes you see a whole bunch here, but you're not going to use some of them, and it'll let you know that they're not set up completely. That's totally fine, as long as you're not going to use them. And finally, you get to tell it what attribute you're going to use for the user principal name. Whenever possible, I like to recommend that you use the user principal name, but some people change this to use the user's email address, for example, because that has the correct data. Next, do you want to filter any OUs or parts of your directory out? By default, it synchronizes everything, but if you wanted to, you could click Sync Selected Domains and OUs, and then you could uncheck one of these if it has things that you don't want to synchronize.
Whenever possible, I like to keep this simple and just synchronize everything, but know that this is a choice if you need it. Next, it asks us, does the user account exist in more than one forest? If you're only synchronizing one forest, you can just go with the defaults here, but if you're synchronizing multiple forests and there are scenarios where your user has an account in more than one forest, you'll need to tell Azure Active Directory Connect how it can match those users so that you don't get any duplicates. And then finally, it asks about the source anchor.
The source anchor is a fancy term for how does Azure AD map the user in Azure AD to their on-premises AD account? By default, it uses a unique attribute in AD called the object GUID. That's a unique attribute that's generated in AD when you create a user, and it can never change. If you have multiple forests or there's scenarios where a user can move from forest one to forest two, you might have to use something else here in order to make sure that you always match the user on premises with their corresponding cloud account.
Finally, while we're able to select specific OUs that we did or didn't want to sync, we can also filter based on membership in a group if your users aren't easily picked out from different OUs. And then optional features. These are things that you can turn on, depending on whether or not you have Azure AD Premium and whether or not you need them. If you have Exchange on premises and you're going to be using Exchange Online in Office 365, those first two choices are things that you'll want to enable so that you can keep both Exchange organizations in sync.
Azure AD app and attribute filtering: if for compliance reasons there are specific Active Directory attributes that you can't synchronize to Azure AD, turning that on lets you filter those out. Password synchronization is password hash synchronization, which we discussed. Password writeback goes with the self-service password reset feature: if you turn that on and you have Azure Active Directory Premium, when a user changes their password or resets their password in Azure AD, that password change will also be copied to your on-premises Active Directory. Group writeback is similar for groups.
It enables users to make changes to groups in Azure Active Directory and have those changes be written to your on-premises AD. Device writeback works really well with Intune, and there are scenarios where you can have people join their devices, whether they're Windows 10 or iOS devices, Android devices, to Intune into Azure AD and then have a copy of those written to your on-premises Active Directory. And finally, if you have custom attributes in your Active Directory schema, that directory extension attribute sync lets you copy those to custom attributes in Azure AD as well.
Since we enabled seamless single sign-on, we do have to provide an administrator account that it uses one time only just to configure AD for that seamless single sign-on. And once we click Next, it'll go ahead and configure all this, and by default, that "Start the synchronization process" checkbox means that when this is done, it'll run the first synchronization. There's a second checkbox there that's not checked by default for enabling staging mode. Staging mode has two purposes, in this case. When you turn that on, no changes from Azure AD Connect are ever copied to Azure AD, so what you can do with that is two things.
One, if you're setting this up for the first time or you're upgrading, you can use this so you can preview any changes that are going to be sent to Azure AD. And two, while we have one Azure AD Connect server here, you often want to have a second one for failover and disaster recovery purposes, and to keep that server up to date, you would install it and then enable it in staging mode so that this way you have one server that's active, that's sending changes to Azure AD, and a second server that's up to date but isn't writing changes. And if you ever needed to activate that server, you would run this wizard again, turn off staging mode, and then that server would start sending changes to Azure AD.
I'll go ahead and click Install, and this will kick off the process. Once this is complete, Azure AD Connect will be in place, it will be synchronizing changes to Azure Active Directory, and you'll have the basis of your hybrid identity infrastructure. And once it's done, configuration is complete. Sometimes it gives you a couple of warnings, for example, for joining Windows 10 machines to Azure AD, there's a couple of PowerShell commands that you need to run. Once you run those, that'll be available, but once we click Exit, this will be in place.
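Added example, not part of the course: a PowerShell check, run in an elevated session on the Azure AD Connect server itself, that reads back the choices the wizard above left you with (staging mode, scheduler state, auto-upgrade, password hash sync) and the age of the Kerberos key on the AZUREADSSOACC computer account that seamless single sign-on creates in on-premises AD. The function name and finding messages are mine; the cmdlets come from the ADSync module that ships with Azure AD Connect and the RSAT ActiveDirectory module.

```powershell
# Added example (not from the course). Assumes the ADSync and ActiveDirectory modules
# are present on the Azure AD Connect server; the function name is hypothetical.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-AADConnectPosture {
    # Microsoft's guidance is to roll over the seamless SSO Kerberos key at least every 30 days.
    param([int]$SsoKeyMaxAgeDays = 30)

    $sched    = Get-ADSyncScheduler
    $feature  = Get-ADSyncAADCompanyFeature
    $upgrade  = Get-ADSyncAutoUpgrade
    $findings = New-Object System.Collections.Generic.List[string]

    # Staging mode: expected OFF on the one active server, ON on the failover copy.
    if ($sched.StagingModeEnabled) {
        $findings.Add('Staging mode ON: imports run, but nothing is exported to Azure AD.')
    }
    if (-not $sched.SyncCycleEnabled) {
        $findings.Add('Scheduler disabled: no sync cycles run from this server.')
    }
    # Custom installs often lose auto-upgrade; a sync server holds privileged credentials,
    # so it should not fall behind on patches.
    if ($upgrade -ne 'Enabled') {
        $findings.Add("Auto-upgrade is '$upgrade': plan manual upgrades of Azure AD Connect.")
    }
    # Seamless SSO depends on the AZUREADSSOACC computer account's Kerberos key.
    # -Filter returns nothing (instead of throwing) when the account does not exist.
    $ssoAcc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
    if ($ssoAcc) {
        $ageDays = [int]((Get-Date) - $ssoAcc.PasswordLastSet).TotalDays
        if ($ageDays -gt $SsoKeyMaxAgeDays) {
            $findings.Add("AZUREADSSOACC key is $ageDays days old; roll it over.")
        }
    }

    [pscustomobject]@{
        StagingMode      = $sched.StagingModeEnabled
        SyncCycleEnabled = $sched.SyncCycleEnabled
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
        PasswordHashSync = $feature.PasswordHashSync
        AutoUpgrade      = $upgrade
        Connectors       = @(Get-ADSyncConnector | Select-Object -ExpandProperty Name)
        Findings         = $findings.ToArray()
    }
}

Get-AADConnectPosture | Format-List
```

Run it on both servers of an active/staging pair: the active one should report StagingMode False with no findings, the standby one exactly one finding (staging mode ON).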