Install Azure AD Connect to Integrate On-Prem ADFS with AAD (Hybrid Identity)

2/25/2022


Azure AD Connect comes with several features that you can optionally turn on or that are enabled by default. Some features might require more configuration in certain scenarios and topologies.

Filtering is used when you want to limit which objects are synchronized to Azure AD. By default all users, contacts, groups, and Windows 10 computers are synchronized. You can change the filtering based on domains, OUs, or attributes.

Password hash synchronization synchronizes the password hash in Active Directory to Azure AD. The end-user can use the same password on-premises and in the cloud but only manage it in one location. Since it uses your on-premises Active Directory as the authority, you can also use your own password policy.

Password writeback will allow your users to change and reset their passwords in the cloud and have your on-premises password policy applied.

Device writeback will allow a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for Conditional Access.

The prevent accidental deletes feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size.

Automatic upgrade is enabled by default for express settings installations and ensures your Azure AD Connect is always up to date with the latest release.
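Added example (not code from the original post): auditing the optional features described above on the sync server with the ADSync module that ships with Azure AD Connect. It assumes the session runs on the sync server as a member of the local ADSyncAdmins group.

```powershell
# Added example: audit optional Azure AD Connect features on the sync server.
# Assumes the ADSync module (installed with Azure AD Connect) and ADSyncAdmins rights.
Import-Module ADSync

# Tenant-level feature flags (password hash sync, password/device writeback, ...)
Get-ADSyncAADCompanyFeature | Format-List

# Prevent accidental deletes: on by default, 500 deletes per export run
$threshold = Get-ADSyncExportDeletionThreshold
if ($threshold.DeletionThresholdEnabled) {
    Write-Host "Accidental-delete protection ON, threshold = $($threshold.DeletionThresholdValue) per run"
} else {
    Write-Warning "Accidental-delete protection is OFF; re-enable it before the next export"
}

# Tighten the threshold for a small directory (value chosen for illustration;
# the cmdlet prompts for Azure AD credentials)
# Enable-ADSyncExportDeletionThreshold -DeletionThreshold 100

# Scheduler state: is sync enabled, how often, and when is the next cycle
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
    AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Automatic upgrade state (Enabled, Disabled or Suspended)
Get-ADSyncAutoUpgrade
```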

Pre-requisites

Azure AD

  • You need an Azure AD tenant. 
  • Add and verify the domain you plan to use in Azure AD. An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. 



On-Prem Prepare

  • Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD and Microsoft 365.
  • Review optional sync features you can enable in Azure AD, and evaluate which features you should enable.
  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later. 
  • If you plan to use the feature password writeback, the domain controllers must be on Windows Server 2016 or later.
  • The domain controller used by Azure AD must be writable. 
  • On-premises forests or domains with "dotted" NetBIOS names (a name that contains a period ".") aren't supported.
  • We recommend that you enable the Active Directory recycle bin.
  • Azure Active Directory Connect runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy will allow running of scripts. The recommended execution policy during installation is "RemoteSigned".


Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine    RemoteSigned


Installation prerequisites

  • Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later.
  • The minimum .NET Framework version required is 4.6.2; newer versions of .NET Framework are also supported.
  • Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
  • The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
  • The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled if you use the Azure AD Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Azure AD Connect wizard to manage sync configuration.
  • If AD FS is being deployed:
    • The servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation.
    • You must configure TLS/SSL certificates. For more information, see Managing SSL/TLS protocols and cipher suites for AD FS and Managing SSL certificates in AD FS.
    • You must configure name resolution.
  • Breaking and inspecting (TLS interception) the traffic between Azure AD Connect and Azure AD isn't supported. Doing so may disrupt the service.
  • If your global administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
  • If you plan to use Azure AD Connect Health for syncing, ensure that the prerequisites for Azure AD Connect Health are also met. For more information, see Azure AD Connect Health agent installation.



Express installation of Azure AD Connect

Introduction to Express Installation

Express is the most common option and is used by about 90% of all new installations. It was designed to provide a configuration that works for the most common customer scenarios.

It assumes:

  • You have a single Active Directory forest on-premises.
  • You have an enterprise administrator account you can use for the installation.
  • You have less than 100,000 objects in your on-premises Active Directory.

You get:

  • Password hash synchronization from on-premises to Azure AD for single sign-on.
  • A configuration that synchronizes users, groups, contacts, and Windows 10 computers.
  • Synchronization of all eligible objects in all domains and all OUs.
  • Automatic upgrade is enabled to make sure you always use the latest available version.

Options where you can still use Express:

  • If you do not want to synchronize all OUs, you can still use Express and, on the last page, unselect Start the synchronization process... Then run the installation wizard again, change the OUs in the configuration options, and enable scheduled sync.
  • If you want to enable one of the features in Azure AD Premium, such as Password writeback, first go through Express to get the initial installation completed. Then run the installation wizard again and change the configuration options.

Steps:

  1. Sign in as a local administrator to the server you wish to install Azure AD Connect on. You should do this on the server you wish to be the sync server.
  2. Navigate to and double-click AzureADConnect.msi.
  3. On the Welcome screen, select the box agreeing to the licensing terms and click Continue.
  4. On the Express settings screen, click Use express settings.
    Welcome to Azure AD Connect
  5. On the Connect to Azure AD screen, enter the username and password of a global administrator for your Azure AD. Click Next.
    Connect to Azure AD
    If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.
  6. On the Connect to AD DS screen, enter the username and password for an enterprise admin account. You can enter the domain part in either NetBios or FQDN format, that is, FABRIKAM\administrator or fabrikam.com\administrator. Click Next.
    Connect to AD DS
  7. The Azure AD sign-in configuration page only shows if you did not finish verifying your domains in the prerequisites.
    Unverified domains
    If you see this page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains.
  8. On the Ready to configure screen, click Install.
    • Optionally on the Ready to configure page, you can unselect the Start the synchronization process as soon as configuration completes checkbox. You should unselect this checkbox if you want to do additional configuration, such as filtering. If you unselect this option, the wizard configures sync but leaves the scheduler disabled. It does not run until you enable it manually by rerunning the installation wizard.
    • Leaving the Start the synchronization process as soon as configuration completes checkbox enabled will immediately trigger a full synchronization to Azure AD of all users, groups, and contacts.
    • If you have Exchange in your on-premises Active Directory, then you also have an option to enable Exchange Hybrid deployment. Enable this option if you plan to have Exchange mailboxes both in the cloud and on-premises at the same time.
    Ready to configure Azure AD Connect
  9. When the installation completes, click Exit.
  10. After the installation has completed, sign off and sign in again before you use Synchronization Service Manager or Synchronization Rule Editor.



Post Installation


Add additional sync admins

By default, only the user who did the installation and local admins are able to manage the installed sync engine. To let additional people access and manage the sync engine, locate the group named ADSyncAdmins on the local server and add them to this group.

Assign licenses to Azure AD Premium and Enterprise Mobility Suite users

Now that your users have been synchronized to the cloud, you need to assign them a license so they can get going with cloud apps such as Microsoft 365.

Verify the scheduled synchronization task

Use the Azure portal to check the status of a synchronization.

Start a scheduled synchronization task

If you need to run a synchronization task, you can do this by:

  1. Double-click on the Azure AD Connect desktop shortcut to start the wizard.
  2. Click Configure.
  3. On the tasks screen, select Customize synchronization options and click Next.
  4. Enter your Azure AD credentials.
  5. Click Next on each of the next three screens.
  6. On the Ready to Configure screen, ensure that the Start the synchronization process when configuration completes box is selected.
  7. Click Configure.
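Added example (not code from the original post) covering both "Verify the scheduled synchronization task" and "Start a scheduled synchronization task" from PowerShell on the sync server instead of the wizard. It assumes the ADSync module installed with Azure AD Connect and ADSyncAdmins membership.

```powershell
# Added example: verify the scheduler, then start a delta sync and wait for it.
# Assumes the ADSync module (installed with Azure AD Connect) and ADSyncAdmins rights.
Import-Module ADSync

$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    # This is the state left behind when "Start the synchronization process..."
    # was unselected during installation; turn the scheduler back on.
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
if ($sched.StagingModeEnabled) {
    Write-Warning "Server is in staging mode: objects are imported but never exported"
}

# Never start a cycle on top of a running one
if ($sched.SyncCycleInProgress) {
    Write-Host "A sync cycle is already in progress; waiting for it to finish"
}
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

# Delta = changes since the last run. Use -PolicyType Initial after changing
# OU or attribute filtering so the whole scope is re-evaluated.
Start-ADSyncSyncCycle -PolicyType Delta

# Poll per-connector run status until no connector reports a run
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
    foreach ($r in $running) { Write-Host "$($r.ConnectorName): $($r.RunState)" }
} while ($running)

Write-Host "Sync cycle finished; next scheduled cycle:"
Get-ADSyncScheduler | Select-Object NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
```

Check the result in the Azure portal (Azure AD Connect blade) as the section above describes, or in the Synchronization Service Manager's Operations tab.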


Additional Tasks

Additional tasks available in Azure AD Connect

After your initial installation of Azure AD Connect, you can always start the wizard again from the Azure AD Connect start page or desktop shortcut. You will notice that going through the wizard again provides some new options in the form of additional tasks.

The following table provides a summary of these tasks and a brief description of each task.

List of additional tasks available in Azure AD Connect:

  • Privacy Settings: View what telemetry data is being shared with Microsoft.
  • View current configuration: View your current Azure AD Connect solution. This includes general settings, synchronized directories, and sync settings.
  • Customize synchronization options: Change the current configuration, such as adding additional Active Directory forests to the configuration, or enabling sync options such as user, group, device, or password write-back.
  • Configure device options: Device options available for synchronization.
  • Refresh directory schema: Allows you to add new on-premises directory objects for synchronization.
  • Configure Staging Mode: Stage information that is not immediately synchronized and is not exported to Azure AD or on-premises Active Directory. With this feature, you can preview the synchronizations before they occur.
  • Change user sign-in: Change the authentication method users are using to sign in.
  • Manage federation: Manage your AD FS infrastructure, renew certificates, and add AD FS servers.
  • Troubleshoot: Help with troubleshooting Azure AD Connect issues.




Manage Azure AD Connect

Tasks to Manage AAD Connect 

  • Enable device writeback
  • Enable group writeback
  • Device options
  • Additional features in Azure AD Connect
  • Prevent accidental deletes
  • Enable AD recycle bin
  • Configure the AD DS Connector account
  • Change the Azure ADSync service account password
  • Change the Azure AD Connector account password
  • Change the AD DS Connector account password

Enable Sync features (topic and the Microsoft documentation page for it):

  • Configure filtering: Azure AD Connect sync: Configure filtering
  • Password hash synchronization: Password hash synchronization
  • Pass-through Authentication: Pass-through authentication
  • Password writeback: Getting started with password management
  • Device writeback: Enabling device writeback in Azure AD Connect
  • Prevent accidental deletes: Azure AD Connect sync: Prevent accidental deletes
  • Automatic upgrade: Azure AD Connect: Automatic upgrade

References

  • Prerequisites for Azure AD Connect
  • Hybrid identity documentation


via Blogger http://blog.51sec.org/2022/02/install-azure-ad-connect-to-integrate.html
February 25, 2022 at 10:20AM Cloud