Table 10.2 was taken directly from Microsoft’s website, and it shows some of the common hybrid identity and access management scenarios along with their recommendations as to which hybrid identity option would be suitable for each.
In Table 10.2, the three right-hand headers are abbreviated. Column 2, PHS and SSO, stands for password hash synchronization with single sign-on. Column 3, PTA and SSO, stands for pass-through authentication with single sign-on. Finally, Column 4, AD FS, stands for federated single sign-on using Active Directory Federation Services.
TABLE 10.2 Common Identity Scenarios and Recommendations
| Scenario | PHS and SSO | PTA and SSO | AD FS |
|---|---|---|---|
| Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically | X | X | X |
| Set up my tenant for Microsoft 365 hybrid scenarios | X | X | X |
| Enable my users to sign in and access cloud services using their on-premises password | X | X | X |
| Implement single sign-on using corporate credentials | X | X | X |
| Ensure no password hashes are stored in the cloud | | X | X |
| Enable cloud multifactor authentication solutions | X | X | |
| Enable on-premises multifactor authentication solutions | | | X |
| Support smartcard authentication for my users | | | X |
| Display password expiry notifications in the Office Portal and on the Windows 10/11 desktop | | | X |
Azure AD Connect
Once you decide that you want your onsite network to be integrated with Azure AD, you need to install a component that allows both versions of Active Directory to work together.
This component is called Azure AD Connect.
Azure AD Connect is a Microsoft utility that allows you to set up a hybrid design between Azure AD and your onsite AD. It provides the following features:
■ Password hash synchronization
■ Pass-through authentication
■ Federation integration
■ Synchronization
■ Health Monitoring
Azure AD Connect Health Monitoring
Azure AD Connect Health Monitoring lets you monitor your onsite identity infrastructure and maintain a constant connection to all of your Azure services.
To access the Azure AD Connect Health information, you must connect to the Azure AD Connect Health portal. The portal can be used to view alerts, usage information, performance monitoring, and other key information. The portal gives you a one-stop shop for all of your Azure AD Connect monitoring.
Creating and Verifying a Custom Domain Name
Once you have decided to create a hybrid network between your onsite domain and Azure, you must add your domain name to Azure. After you add the custom domain name in Azure, you have to create either a DNS TXT record or an MX record so that Azure can verify the domain.
Once you open the Azure portal, click Azure Active Directory. From the left-side menu, choose Custom Domain Name. Click the Add button and enter the name of your domain. Azure will then show you the settings for creating either a TXT record or an MX record. Open your domain's DNS and create the TXT record. A TXT record is the preferred choice; use an MX record only if your DNS host does not allow TXT records.
After you open your domain DNS server, create a new TXT record. Copy the information from Azure into your new TXT record. After the TXT record is created on your DNS server, in Azure click Verify to verify the Custom Domain Name. Once the verification process happens, you can continue with Azure AD Connect.
Be aware that the verification process can take 24–48 hours. So, make sure this is done well before you connect the two networks.
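Before clicking Verify, it is worth confirming from outside your own network that the record has actually been published. The following PowerShell check is an added example, not from the book: it queries a public resolver (Azure reads the public zone, so a record that exists only on the internal AD DNS server will not satisfy verification), walks every TXT string at the zone apex, and also recognises the MX fallback form. The domain name, the MS=... value and the resolver address are placeholders; copy the real value from the Azure portal.

```powershell
# Added example (not from the book): check that the Azure custom domain verification
# record is visible in public DNS before clicking Verify in the portal.
function Test-AzureDomainVerificationRecord {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ExpectedValue,  # the 'MS=ms...' value shown by Azure
        [string] $Resolver = '1.1.1.1'                    # a public resolver, not the internal AD DNS
    )
    $result = [ordered]@{ Domain = $DomainName; TxtFound = $false; MxFound = $false; Details = @() }

    # Preferred path: a TXT record at the apex carrying the Azure value. The apex usually
    # already holds other TXT records (SPF and similar), so every returned string is checked.
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
    foreach ($rr in $txt) {
        foreach ($s in $rr.Strings) {
            $result.Details += "TXT: $s"
            if ($s.Trim().Trim('"') -eq $ExpectedValue) { $result.TxtFound = $true }
        }
    }

    # Fallback path: the MX record Azure offers when the DNS host cannot publish TXT records.
    # Its target starts with the same token (the part after 'MS='), so match on the token.
    $token = $ExpectedValue -replace '^MS=', ''
    $mx = Resolve-DnsName -Name $DomainName -Type MX -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
    foreach ($rr in $mx) {
        if ($rr.NameExchange) {
            $result.Details += "MX: $($rr.Preference) $($rr.NameExchange)"
            if ($rr.NameExchange -like "$token.*") { $result.MxFound = $true }
        }
    }
    [pscustomobject]$result
}

# Placeholder domain and value; replace with the domain you added and the value Azure displayed.
Test-AzureDomainVerificationRecord -DomainName 'contoso.com' -ExpectedValue 'MS=ms12345678'
```

If TxtFound and MxFound are both False, the record has not propagated to public DNS yet, and clicking Verify in Azure will fail until it has.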
Installing Azure AD Connect
Before you can install Azure AD Connect, you need to make sure that your infrastructure and your Azure network have met some prerequisites. The following is a list of requirements for installing Azure AD Connect:
■ Azure AD.
■ Onsite Active Directory.
■ Azure AD Connect server.
■ If you plan to use the password writeback feature, the domain controllers must be on Windows Server 2016 or later.
■ SQL Server database used by Azure AD Connect.
■ Azure AD Global Administrator account.
■ Enterprise Administrator account.
■ Connectivity between networks.
■ PowerShell and .NET Framework 4.6.2 or later.
■ TLS 1.2 enabled for Azure AD Connect.
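Two of the prerequisites above, the .NET Framework version and TLS 1.2, are registry settings on the Azure AD Connect server and can be checked before running the installer. The following pre-flight script is an added example, not Microsoft's tool or the book's; it reads the documented .NET Framework 4.x 'Release' value and the SCHANNEL and .NET TLS 1.2 settings that Azure AD Connect's TLS 1.2 guidance expects to be set explicitly.

```powershell
# Added pre-flight check (not Microsoft's tool or the book's): confirms two of the listed
# prerequisites on the intended Azure AD Connect server by reading the registry.

function Test-DotNetFrameworkVersion {
    # .NET Framework 4.x records its build in the 'Release' DWORD; 394802 is the lowest
    # value that means 4.6.2, so anything at or above it satisfies the prerequisite.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{
        Check  = '.NET Framework 4.6.2 or later (Release >= 394802)'
        Value  = $release
        Passed = ($null -ne $release) -and ($release -ge 394802)
    }
}

function Test-Tls12Enabled {
    # TLS 1.2 must be enabled in SCHANNEL (client and server), and .NET 4.x must be told to
    # use the OS defaults and strong crypto in both the 64-bit and 32-bit hives. The Azure AD
    # Connect guidance sets these values explicitly, so a missing value is reported as not met.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net32    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    $expected = @(
        @{ Label = 'SCHANNEL TLS 1.2 Client Enabled';           Path = "$schannel\Client"; Name = 'Enabled';                 Want = 1 },
        @{ Label = 'SCHANNEL TLS 1.2 Client DisabledByDefault'; Path = "$schannel\Client"; Name = 'DisabledByDefault';       Want = 0 },
        @{ Label = 'SCHANNEL TLS 1.2 Server Enabled';           Path = "$schannel\Server"; Name = 'Enabled';                 Want = 1 },
        @{ Label = 'SCHANNEL TLS 1.2 Server DisabledByDefault'; Path = "$schannel\Server"; Name = 'DisabledByDefault';       Want = 0 },
        @{ Label = '.NET x64 SystemDefaultTlsVersions';         Path = $net64;             Name = 'SystemDefaultTlsVersions'; Want = 1 },
        @{ Label = '.NET x64 SchUseStrongCrypto';               Path = $net64;             Name = 'SchUseStrongCrypto';       Want = 1 },
        @{ Label = '.NET x86 SystemDefaultTlsVersions';         Path = $net32;             Name = 'SystemDefaultTlsVersions'; Want = 1 },
        @{ Label = '.NET x86 SchUseStrongCrypto';               Path = $net32;             Name = 'SchUseStrongCrypto';       Want = 1 }
    )
    foreach ($e in $expected) {
        # A value that is absent comes back as $null and therefore fails the comparison.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{ Check = $e.Label; Value = $actual; Passed = ($actual -eq $e.Want) }
    }
}

$results = @(Test-DotNetFrameworkVersion) + @(Test-Tls12Enabled)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more prerequisites are not met; fix them before running AzureADConnect.msi.'
}
```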
In Exercise 10.5, you’ll learn how to download and install Azure AD Connect. To complete this exercise, you must have an onsite version of AD that can be connected to Azure.
EXERCISE 10.5
Azure AD Connect
- Go to the Azure AD Connect download page: www.microsoft.com/en-us/download/details.aspx?id=47594
- Click the Download button.
- When the download box appears, choose to download the AzureADConnect.msi file to a network location. Once the download is complete, close the download box.
- Log into the server (where you wish to install Azure AD Connect) as the local administrator.
- Navigate to the AzureADConnect.msi file and double-click the file to start the installation.
- On the Welcome screen, select the box to agree to the license terms and then click Continue.
- On the Express Settings page, click Use Express Settings.
- On the Connect To Azure AD page, enter the Azure global administrator’s username and password and then click Next.
- The Connect To AD DS page will appear; enter the username and password for an onsite enterprise admin and then click Next.
- The Azure AD sign-in configuration page will appear. Review every domain marked Not Added or Not Verified and make sure those domains are verified in Azure AD. If you still need to verify your domains, go into Azure Active Directory, select Custom Domain Names, and enter the domain names for your onsite domain. Once the domains are verified in Azure, click the Refresh symbol.
- On the Ready To Configure page, click Install.
- When the installation completes, click Exit.
- After the installation has completed, you will need to sign out and sign in again before you can use or set up any other services.
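After signing back in, you can confirm that the installation left the sync engine in the expected state before relying on it. The following check is an added example, not part of the exercise; it uses the ADSync PowerShell module that the installer places on the server to read the scheduler state and the configured connectors, and only triggers a delta sync when the scheduler is enabled and the server is not in staging mode.

```powershell
# Added post-install check (not part of Exercise 10.5): summarise the state of the
# Azure AD Connect sync engine using the ADSync module installed by AzureADConnect.msi.

Import-Module ADSync -ErrorAction Stop

function Get-ADSyncInstallSummary {
    $scheduler  = Get-ADSyncScheduler
    $connectors = Get-ADSyncConnector | Select-Object Name, Type
    [pscustomobject]@{
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled     # expected True after an Express install
        StagingModeEnabled = $scheduler.StagingModeEnabled   # True means this server exports nothing
        SyncInterval       = $scheduler.CurrentlyEffectiveSyncCycleInterval
        NextSyncUtc        = $scheduler.NextSyncCycleStartTimeInUTC
        # One entry per connector: the onsite forest(s) and the Azure AD tenant
        Connectors         = ($connectors | ForEach-Object { "$($_.Name) [$($_.Type)]" }) -join '; '
    }
}

$summary = Get-ADSyncInstallSummary
$summary | Format-List

# Start a delta sync only when the scheduler is enabled and the server is the live (non-staging) one.
if ($summary.SyncCycleEnabled -and -not $summary.StagingModeEnabled) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning 'Scheduler disabled or server in staging mode; review the Azure AD Connect configuration before syncing.'
}
```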