Azure AD connect

Pranava K.V
3 min readOct 18, 2020

Notes on Azure AD Connect and its services | AZ-500 series

A generic depiction of Azure AD Connect data flow

What’s Azure AD connect?

Azure AD Connect is a software tool that is installed on an on-premise server. It lets the Azure AD service sync user identities from the on-premise AD, so that the users managed on-premise and in the cloud stay consistent. The tool has various features and supports AD Federation Services as well.

What does Azure AD connect provide?

  1. Synchronization services
  2. Active Directory Federation Services
  3. Health Monitoring

Synchronization services: Lets users, groups and other objects in the on-premise AD (AD Domain Services) be synchronized with Azure AD, and vice versa.

Active Directory Federation Services: Lets domain-join SSO, third-party MFA, smart-card solutions or other federation services be integrated with Azure AD.

Health Monitoring: Provides an insightful dashboard in Azure AD in the cloud for monitoring the health parameters of AD Domain Services or AD Federation Services.

Features of Synchronization services:

  1. Filtering — by default all users and groups, and Windows 10 users only, are synced through Azure AD Connect. The sync can be custom filtered.
  2. Password hash sync — lets the same account password be used for both Azure AD and the on-premise AD. This way the on-premise password policy also applies to Azure AD.
  3. Password write-back — lets password changes or resets made in Azure AD be reflected back to the on-premise AD.
  4. Device write-back — devices registered in Azure AD are written back to the on-premise AD, allowing tighter security for the devices within the domain.
  5. Prevent accidental deletes — stops accidental deletes of user accounts or groups. The threshold is set to 500 accounts by default; this number can be configured.
  6. Automatic upgrade — Azure AD Connect will automatically upgrade itself to the latest version.
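As an added example (not from the original post), the settings listed above can be audited on the Azure AD Connect server itself with the ADSync PowerShell module that ships with the tool. Assumptions: the module is installed on the machine the script runs on, and the property names checked (SyncCycleEnabled, DeletionThresholdEnabled, DeletionThreshold, PasswordHashSync, DeviceWriteback) match the version deployed; treat a missing property as a version difference rather than a finding.

```powershell
# Added example, not the project's own code: audit Azure AD Connect sync settings.
# Assumes the ADSync module from the Azure AD Connect installation is available.
Import-Module ADSync -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduler: is the periodic directory sync actually running?
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    $findings.Add("Sync cycle is disabled; no objects are being synchronised")
}
"Sync interval: $($sched.CurrentlyEffectiveSyncCycleInterval); next run (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# 2. Prevent accidental deletes: the export deletion threshold should be enabled
#    and not raised above the 500-object default. (Cmdlet may prompt for Azure AD credentials.)
$thr = Get-ADSyncExportDeletionThreshold
if (-not $thr.DeletionThresholdEnabled) {
    $findings.Add("Export deletion threshold is disabled; a bad filter change could delete every synced object")
} elseif ($thr.DeletionThreshold -gt 500) {
    $findings.Add("Deletion threshold is $($thr.DeletionThreshold), above the 500 default")
}

# 3. Tenant feature flags: password hash sync and device write-back, as enabled in the wizard.
#    Property names are assumed from the cmdlet output seen on current builds.
$feat = Get-ADSyncAADCompanyFeature
"Password hash sync enabled: $($feat.PasswordHashSync); device write-back enabled: $($feat.DeviceWriteback)"

# 4. Automatic upgrade state: expected values are Enabled, Suspended or Disabled.
$auto = Get-ADSyncAutoUpgrade
if ($auto -ne 'Enabled') {
    $findings.Add("Auto upgrade is '$auto'; the agent will not patch itself")
}

if ($findings.Count -eq 0) { "No findings" } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the sync server; the findings list is what you would want to review after any wizard change, since a disabled threshold or a stopped scheduler is exactly the state an accidental mass deletion or a stale identity set comes from.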

Different Password Synchronization options

Password Synchronization: Synchronizing Azure AD with AD Domain Services is the simplest way to authenticate users. Periodically the Azure AD Connect software agent on the server queries the on-premise directory and syncs it with Azure AD. Azure AD is highly available by default, so from a Business Continuity and Disaster Recovery point of view it's a great option. Still, keeping three instances of Azure AD Connect will completely wipe out the cases of synchronization failure.

Azure AD Identity Protection will require Password Synchronization.

Pass-through authentication: Azure AD internally routes the user's input to the on-premise AD (AD Domain Services). This method uses the Azure AD Connect software agent running on-premise to do the authentication. User identities are still synced with Azure AD, but the authentication now happens on-premise. This method keeps the user's confidential information within the organizational boundary.

AD Federation Services: Azure AD redirects to a federation service page for authentication. For this method to be used, AD Federation Services has to be fully federated with AD Domain Services and Azure AD.

To simplify choosing between the authentication methods, the Microsoft documentation provides the following decision tree.

Decision tree for choosing the right authentication method

Stay tuned, Azure AD Identity Protection post will follow soon.

I would really appreciate your feedback and support on the content, please let me know it by sharing or commenting or clapping.
