Getting started with hybrid identity · Azure AD Connect sizing: the minimum hardware requirements...
Post on 22-May-2020
Welcome to the Azure Active Directory Webinar (Getting Started with
Hybrid Identity)
We will start at 2-3 minutes after the scheduled time to accommodate those still connecting
Questions? Feel free to type them in the instant message window at any time. Note that any questions
you post will be public. You have the option to post questions anonymously. After the webinar you can
ask questions at our AAD Tech Community AMA page.
This webinar is being recorded. We will post a video recording of the content from this webinar roughly
2-3 weeks after today at https://aka.ms/AADWebinarRecordings.
Visit our AAD Webinar Community page at https://aka.ms/AADWebinarCommunity.
Let us know what you think by taking this 5-minute survey.
https://aka.ms/FY20AzureActiveDirectoryWebinarFeedback.
Getting Started with Hybrid Identity (September 2019)
Agenda
• Azure AD Connect
• Sign-in methods
• Identity synchronization
• Custom configuration
• Resources
• Q&A
Azure AD Connect: Your identity bridge
[Diagram: on-premises / private cloud (Windows Server Active Directory) connected through Azure AD Connect to Microsoft Azure Active Directory, which provides self-service, MFA and single sign-on.]
Prerequisites for Azure AD Connect
• Forest functional level 2003 or higher
• Writable domain controllers
• Windows Server 2008 or later
  • Domain joined for Express Settings
• Password Hash Synchronization
  • Windows Server 2008 R2 SP1 or later
• Password Writeback
  • DCs must be Windows Server 2008 (with latest SP) or later
• Ports required
  • Outbound: 80/443/5671
Prerequisites for Azure AD Connect - Licensing
• Included in Azure AD/Office 365 license:
  • Installation wizard
  • Synchronization from on-premises to Azure AD
  • Writeback for Exchange hybrid deployment
• Requires Azure AD Premium:
  • Writeback (password, group, etc.)
  • Connect Health
• Additional licenses required for:
  • SQL Server (if needed)
Azure AD Connect sizing
The minimum hardware requirements for Azure AD Connect synchronization are based on the
number of objects that will be synchronized to Azure AD. SQL Express is used by default to host
the configuration database, but full SQL Server is required for more than 100K synchronized objects.

Synchronized objects   CPU      Memory   Hard drive   SQL Server required
Fewer than 10,000      1.6 GHz  4 GB     70 GB        No
10,000 – 50,000        1.6 GHz  4 GB     70 GB        No
50,000 – 100,000       1.6 GHz  16 GB    100 GB       No
100,000 – 300,000      1.6 GHz  32 GB    300 GB       Yes
300,000 – 600,000      1.6 GHz  32 GB    450 GB       Yes
More than 600,000      1.6 GHz  32 GB    500 GB       Yes
Azure AD Connect with Express settings
• Quick (4 clicks)
• Start here, then add
• Single forest
• Installs SQL Express

Azure AD Connect with Custom settings
• Custom option for advanced scenarios
  • Multi-forest topologies
  • Select SQL Server
  • Filtering OU/Group
  • Staging mode
  • Sign-in
    • Federation
    • Pass-through authentication
  • Optional features (writeback etc.)
  • Custom attributes
Sign-in Methods
What are your authentication options with Azure AD?
• Cloud authentication
  • Cloud-only
  • Password Hash Sync + Seamless SSO
  • Pass-through authentication + Seamless SSO
• Federated authentication
  • AD FS
  • Third-party federation providers
Azure AD Authentication decision tree (aka.ms/auth-options)
[Flowchart: from "Start", the tree walks through the numbered questions below and ends in one of the listed outcomes.]
Questions:
1. Do you want Azure AD to handle sign-in completely in the cloud?
2. Do you want to integrate with an existing federation provider?
3. Do you want to enforce user-level Active Directory security policies during sign-in?
4. Do you have a sign-in requirement not natively supported by Azure AD?
5. Do you want sign-in disaster recovery or leaked credential reports?
Outcomes:
• Password Hash Sync + Seamless SSO
• Pass-through Auth + Seamless SSO
• Pass-through Auth + Seamless SSO with Password Hash Sync
• Federation
• Federation with Password Hash Sync
Azure AD Hybrid Identity with Password Hash Sync
[Diagram: on-premises Active Directory synchronized by Azure AD Connect to Azure AD; the user signs in to Azure AD for access to SaaS, public cloud and Azure applications.]

Azure Active Directory Seamless Single Sign-on (SSO)
[Diagram: on-premises Active Directory and Azure AD Connect perform identity sync with password hashes to Azure AD; labels: "Directory query", "Application access" (SaaS, public cloud, Azure), "🔑 User sign-in from domain joined machine", "🔑 Kerberos authentication".]

Azure Active Directory Pass-through authentication
[Diagram: on-premises Active Directory, Azure AD Connect and two PTA Agents; Azure AD in the cloud fronting SaaS, public cloud and Azure applications.]

Federated authentication
[Diagram: on-premises Active Directory, Azure AD Connect and two Federation Servers; two Federation Proxies in the perimeter network; the user authenticates through federation to Azure AD for access to SaaS, public cloud and Azure applications.]
Identity Synchronization
Identifying Users
SourceAnchor (Immutable ID)
Decision required: How should Azure AD Connect assign the source anchor (immutable ID) on users synchronized to the tenant?
• Immutable during the lifetime of an object
• Cannot be changed afterwards
• Good: EmployeeID
• Bad: mail, userPrincipalName

Options and implications:
• Azure managed (recommended): ms-DS-ConsistencyGuid is now the default. If the attribute is null, Azure AD Connect will derive a new source anchor from objectGUID and write it back to the consistency GUID.
• objectGUID: This was the default option in the past. It is the simplest option for the source anchor, but it does not allow for migration of users between forests.
• Use another attribute: If an attribute like employee ID is reliably populated on users and guaranteed to be unique, it can be used as the source anchor.
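The slide states that the source anchor is the base64-encoded GUID written to ms-DS-ConsistencyGuid (derived from objectGUID when the attribute is empty) and must never change. The following PowerShell is an added example, not from the webinar deck, that checks a user's on-premises anchor against the ImmutableId Azure AD holds for the same UPN, so a mismatch is caught before a sync turns it into a duplicate or a failed join. It assumes the ActiveDirectory RSAT module, an existing Connect-AzureAD session from the AzureAD module, and placeholder account names.

```powershell
# Added example (not from the webinar deck): verify the source anchor of
# on-premises users against the ImmutableId Azure AD holds for them.
# Assumes the ActiveDirectory RSAT module and an existing Connect-AzureAD
# session from the AzureAD module; the sAMAccountName values are placeholders.
Import-Module ActiveDirectory

# Azure AD's ImmutableId is the base64 encoding of the 16 raw GUID bytes,
# which is how Azure AD Connect represents ms-DS-ConsistencyGuid / objectGUID.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    return [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    return [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-SourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $adUser      = Get-ADUser -Identity $SamAccountName -Properties 'ms-DS-ConsistencyGuid', 'userPrincipalName'
    $anchorBytes = $adUser.'ms-DS-ConsistencyGuid'      # byte[] when set, otherwise $null

    if ($null -eq $anchorBytes) {
        # Nothing written back yet: Azure AD Connect will derive the anchor
        # from objectGUID on the next sync, so that is the value to expect.
        $anchorGuid = $adUser.ObjectGUID
        $state      = 'AnchorNotYetWritten'
    } else {
        $anchorGuid = [guid]::new([byte[]]$anchorBytes)
        # A consistency GUID that differs from objectGUID is expected only for
        # users migrated between forests (the anchor must stay immutable).
        $state = if ($anchorGuid -eq $adUser.ObjectGUID) { 'AnchorMatchesObjectGuid' } else { 'AnchorFromMigration' }
    }
    $expected = ConvertTo-ImmutableId $anchorGuid

    $cloudUser = Get-AzureADUser -Filter "userPrincipalName eq '$($adUser.UserPrincipalName)'"
    $cloudId   = if ($cloudUser) { $cloudUser.ImmutableId } else { $null }

    $verdict = if (-not $cloudUser)            { 'NotFoundInAzureAD' }
               elseif ($cloudId -eq $expected) { 'Consistent' }
               else                            { 'Mismatch' }   # sync would not hard-match this user

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        UserPrincipalName   = $adUser.UserPrincipalName
        OnPremAnchorState   = $state
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloudId
        Verdict             = $verdict
    }
}

# Usage (placeholder account names):
# 'jdoe', 'mjones' | ForEach-Object { Test-SourceAnchor $_ } | Format-Table -AutoSize
```

The check is read-only; ConvertFrom-ImmutableId is included so an ImmutableId copied from the portal can be turned back into a GUID and searched for on-premises when a Mismatch verdict needs investigating.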
User Principal Name (UPN)
Decision required: Users will authenticate to Azure AD with a user principal name (UPN), which uses the format user@domain.com. Will it match their email and SIP (Skype for Business) address?

Align UPN with Email and SIP (Recommended)
Advantages
▪ Best end-user experience
▪ Limited confusion – users are told to sign in to all Azure AD-integrated applications with their email address
Disadvantages
▪ Requires changes to on-premises UPNs
▪ Some applications may have a dependency on current UPNs

Use existing UPNs or something else
▪ Users need to know both UPN and email/SIP
▪ Many Office clients will first prompt for email or SIP and then prompt the user for their UPN
▪ In some cases, email/SIP may be prepopulated in the username field and will need to be changed by users

▪ Match a verified domain in Azure AD (contoso.com, not contoso.local)
▪ Use the Alternate Logon ID feature ONLY if the UPN cannot be changed
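The UPN slide's two concrete checks are that the UPN suffix is a domain verified in Azure AD (contoso.com, not contoso.local) and that the UPN matches the user's email address. The PowerShell below is an added example, not from the deck, that reports every enabled on-premises user failing either check so the decision can be made on real numbers. It assumes the ActiveDirectory RSAT module; the verified-domain list passed in is a constructed placeholder and would normally come from Get-AzureADDomain in the AzureAD module.

```powershell
# Added example (not from the webinar deck): report users whose UPN suffix is
# not a verified Azure AD domain or whose UPN differs from their mail address.
# Assumes the ActiveDirectory RSAT module. The verified-domain list is a
# constructed placeholder; in a tenant it can be read with
#   (Get-AzureADDomain | Where-Object IsVerified).Name
Import-Module ActiveDirectory

function Get-UpnAlignmentReport {
    param(
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail, userPrincipalName |
        ForEach-Object {
            $upn    = $_.UserPrincipalName
            $mail   = $_.mail
            $suffix = if ($upn) { ($upn -split '@')[-1].ToLowerInvariant() } else { $null }

            $issues = @()
            if (-not $upn) {
                $issues += 'NoUpn'
            } elseif ($suffix -notin $verified) {
                $issues += 'UnverifiedSuffix'      # e.g. contoso.local: cannot be used for cloud sign-in
            }
            if ($mail -and $upn -and ($mail -ine $upn)) {
                $issues += 'UpnDiffersFromMail'    # users would have to learn two identifiers
            }

            if ($issues.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    UPN            = $upn
                    Mail           = $mail
                    Issues         = ($issues -join ',')
                }
            }
        }
}

# Usage (placeholder verified domains):
# Get-UpnAlignmentReport -VerifiedDomains 'contoso.com', 'fabrikam.com' |
#     Group-Object Issues | Select-Object Name, Count
```

Grouping the output by Issues gives the size of each remediation bucket; accounts with UnverifiedSuffix are the ones that either need a UPN change or, as the slide says, the Alternate Logon ID feature when the UPN cannot be changed.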
Identifying users – Multiple forests
Azure AD Connect will match users and other objects between forests. The criteria (attribute) used for
matching will be determined based on the relationship between forests. The topologies depicted here
are common patterns.
[Diagram "How are forests related?": Contoso/Fabrikam patterns showing Mary and John each in only one forest; Mary's duplicate account in the other forest; Mary's contact and John's contact (GAL sync); Mary's mailbox/Skype resource account in a resource forest.]

Matching users across forests
Decision required: What matching criteria will be used to match users across forests?
The matching criteria must fit the environment so that related users/objects in different forests are
joined together. This instructs Azure AD Connect how to set up authentication, source system
attributes from the proper forest, and preserve cross-forest group membership, among other things.

Options and implications:
• No matching: Use this when users will always exist in only one forest.
• Mail attribute: Use this when GAL sync has been deployed between forests, to instruct Azure AD Connect to join contacts to corresponding users.
• ObjectSID, msExchMasterAccountSid, msRTCSIP-OriginatorSid: Use this in account/resource forest topologies to join disabled resource accounts to primary user accounts.
• sAMAccountName, mailNickname: Use this to join duplicate users across forests by account name or mail nickname.
• Other attribute: Use this when another attribute in the environment is used to store authoritative matching criteria.
Custom Configuration Settings
Configure filtering
Decision required: By default, Azure AD Connect synchronizes all relevant objects from the on-premises AD DS to Azure
AD. This is recommended to establish a unified global address list (GAL) between premises, but
filtering is sometimes required. Decide if objects need to be excluded from the scope of
synchronization.

Options (description; recommendation):
• Group-based: Only members of the specified group will be synchronized. This option is only configurable upon initial install using the configuration wizard. Recommendation: test lab only.
• Domain-based: This option can be used to exclude entire domains from synchronization. It is configured using the Synchronization Service Manager.
• Organizational unit (OU)-based: This option can be used to exclude parts of the OU hierarchy from synchronization. It is configured using the Synchronization Service Manager. Recommendation: filter out service accounts/non-personal accounts.
• Attribute-based: For additional flexibility, filtering can be configured based on attribute values. This is done by customizing synchronization rules. Recommendation: only use this option when the others won't work.

aka.ms/aadconnectperf
Optional features
Optional features – Writeback
Decision required: There are several optional features which can be enabled in Azure AD Connect. Decide which features
will be used.

Options (description; settings; recommendation):
• Password writeback: Used with Azure AD self-service password management to synchronize changes which originate in Azure AD back to AD DS. Settings: on/off. Recommendation: enable when using Azure AD self-service password management.
• Group writeback: Synchronizes Office 365 Groups (modern groups) to the on-prem environment as distribution groups so they can be mailed to from on-prem mailboxes. Settings: on/off, select the target OU. Recommendation: enable when using Office 365 Groups in hybrid environments. Currently only supported in single-organization environments and requires additional PowerShell scripting to present groups in the GAL.
• Device writeback: Synchronizes registered devices in Azure AD to AD DS so they can be used with AD FS conditional access policies. Settings: on/off, select writeback forest. Recommendation: enable when using device-based conditional access in AD FS with Azure AD Device Registration or Intune.
Staging server
Decision required: Will an Azure AD Connect staging server be deployed? If so, in what datacenter?
Considerations
• A staging server reads data from all directories but does not write anything to connected directories.
• If the primary server fails, the Azure AD Connect wizard can be used to fail over to the staging server.
Recommendation: Deploy the staging server in a second datacenter for geographical redundancy for Azure AD Connect sync.
Active Directory Domain Services
Configure and install – Export deletion threshold
• Prevents accidental deletions
• Feature on by default
• Cannot export more than 500 deletes (default)
• Can be configured with:
  • Enable-ADSyncExportDeletionThreshold
  • Disable-ADSyncExportDeletionThreshold
• Configuration stored in Azure Active Directory
Sync cycle schedule
• Every 30 minutes for adds/updates to objects
• Password changes poll and sync every 2 minutes
• To see your current configuration, run 'Get-ADSyncScheduler'
Auto upgrade
• The automatic upgrade is enabled when Azure AD Connect is:
  o Build 1.1.105.0 or higher
  o Installed with the Express settings
  o Using SQL Express LocalDB
• Run 'Get-ADSyncAutoUpgrade' to get the current upgrade state
  • Returns: Enabled, Suspended, or Disabled
• Application event log
  • Filter for source "Azure AD Connect Upgrade"
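The staging server, export deletion threshold, sync cycle schedule and auto upgrade slides each name a setting an operator should know the current value of. The PowerShell below is an added example, not from the deck, that gathers them in one read-only pass on the Azure AD Connect server (where the ADSync module lives) and lists anything that deviates from the defaults the slides quote: a 30-minute sync cycle, auto upgrade enabled, and a server that exports rather than sitting in staging mode. Get-ADSyncExportDeletionThreshold prompts for Azure AD credentials, so reading the threshold is behind a switch; the exact shape of its output is not asserted here.

```powershell
# Added example (not from the webinar deck): read-only health check run on the
# Azure AD Connect server itself, where the ADSync module is installed.
# Reports scheduler settings, staging mode, auto-upgrade state and the latest
# auto-upgrade events, and compares them with the defaults quoted on the slides.
Import-Module ADSync

function Get-AADConnectHealth {
    param([switch]$IncludeDeletionThreshold)

    $scheduler = Get-ADSyncScheduler
    $upgrade   = Get-ADSyncAutoUpgrade       # 'Enabled', 'Suspended' or 'Disabled'

    # Auto-upgrade writes to the Application log under this event source.
    $upgradeEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Azure AD Connect Upgrade'
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    $threshold = $null
    if ($IncludeDeletionThreshold) {
        # Interactive credential prompt for Azure AD; returned as-is.
        $threshold = Get-ADSyncExportDeletionThreshold
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $scheduler.SyncCycleEnabled) { $findings.Add('Scheduled sync cycle is disabled') }
    if ($scheduler.SchedulerSuspended)    { $findings.Add('Scheduler is suspended') }
    if ($scheduler.StagingModeEnabled)    { $findings.Add('Server is in staging mode: it imports but never exports') }
    if ($scheduler.CurrentlyEffectiveSyncCycleInterval -gt [timespan]'00:30:00') {
        $findings.Add("Effective sync interval $($scheduler.CurrentlyEffectiveSyncCycleInterval) is longer than the 30-minute default")
    }
    if ($upgrade -ne 'Enabled') { $findings.Add("Auto upgrade is $upgrade") }

    [pscustomobject]@{
        SyncCycleEnabled        = $scheduler.SyncCycleEnabled
        StagingModeEnabled      = $scheduler.StagingModeEnabled
        EffectiveInterval       = $scheduler.CurrentlyEffectiveSyncCycleInterval
        NextSyncCycleUtc        = $scheduler.NextSyncCycleStartTimeInUTC
        AutoUpgrade             = $upgrade
        LatestUpgradeEvents     = @($upgradeEvents | ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.Message)" })
        ExportDeletionThreshold = $threshold
        Findings                = $findings
    }
}

# Usage:
# Get-AADConnectHealth | Format-List
# Get-AADConnectHealth -IncludeDeletionThreshold | Select-Object -ExpandProperty Findings
```

Running this on both the active and the staging server shows the expected asymmetry: the staging server reports StagingModeEnabled true (and a corresponding finding), the active server reports it false. Any other finding is a prompt to look at the scheduler or the upgrade event log before it surfaces as a missed sync.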
Resources
• Article – Authentication Methods
  • aka.ms/auth-options
• Convert from AD FS to Password Hash Sync
  • aka.ms/deploymentplans/adfs2phs
• Convert from AD FS to Pass-through Authentication
  • aka.ms/deploymentplans/adfs2pta
• Azure AD blog
  • aka.ms/identityblog
• Sign up for more webinars!
  • aka.ms/aadwebinars
© Copyright Microsoft Corporation. All rights reserved.
Q & A
Thank you
Additional resources
• Azure Active Directory Webinar Community:
https://aka.ms/AADWebinarCommunity
• Product documentation:
https://docs.microsoft.com/azure/active-directory/
• Deployment Resources:
https://www.microsoft.com/fasttrack/resources
Let us know what you think by taking this 5-minute survey.
https://aka.ms/FY20AzureActiveDirectoryWebinarFeedback.