Azure AD:
1. An Azure AD tenant. An Azure free trial also comes with one.
2. Add and verify, in Azure AD, the domain you plan to use. This should be your publicly registered (routable) domain: if your users will sign in as user@goud.com, make sure goud.com has been verified and you are not relying only on the default goud.onmicrosoft.com domain. Every new Azure AD tenant comes with an initial domain name, <domainname>.onmicrosoft.com, which you cannot change or delete, but you can add your organization's own names. Adding custom domain names lets you create user names that are familiar to your users, such as sri@goud.com. It also matters for synchronization: if a user's on-premises UPN suffix is not a verified domain in the tenant, Azure AD Connect gives the cloud account a <tenant>.onmicrosoft.com UPN instead.
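Before the first sync it is worth checking that every UPN suffix in use on-premises is a verified custom domain in the tenant. The script below is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory (RSAT) and AzureAD PowerShell modules are installed and that the account running it can read the forest and sign in to the tenant.

```powershell
# Added example (not from the original post): compare the UPN suffixes used by on-premises
# users with the verified custom domains in the Azure AD tenant.
# Assumptions: ActiveDirectory and AzureAD modules are available; Connect-AzureAD prompts
# interactively for a tenant account with directory read permission.
Import-Module ActiveDirectory
Import-Module AzureAD

Connect-AzureAD | Out-Null

# Verified custom domains only. The initial <tenant>.onmicrosoft.com domain is excluded:
# users whose suffix is not verified land on it with an unroutable cloud UPN.
$verified = Get-AzureADDomain |
    Where-Object { $_.IsVerified -and -not $_.IsInitial } |
    Select-Object -ExpandProperty Name

# UPN suffixes actually in use by enabled on-premises users, most common first.
$inUse = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object { ($_.UserPrincipalName -split '@')[1].ToLower() } |
    Group-Object | Sort-Object Count -Descending

foreach ($suffix in $inUse) {
    if ($verified -contains $suffix.Name) {
        Write-Host ("OK           {0,-30} {1,6} users" -f $suffix.Name, $suffix.Count)
    } else {
        # Add and verify this domain (or change these users' UPNs) before the first sync,
        # otherwise the cloud accounts get <user>@<tenant>.onmicrosoft.com.
        Write-Warning ("NOT VERIFIED {0,-30} {1,6} users" -f $suffix.Name, $suffix.Count)
    }
}
```

Run it from a domain-joined admin workstation; any suffix flagged NOT VERIFIED is a domain to add under Azure Active Directory > Custom domain names (or a set of users whose UPN needs fixing) before Azure AD Connect is installed.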
Azure AD Connect server:
1. Azure AD Connect can only be installed on the Standard, Enterprise or Datacenter editions of Windows Server.
2. Azure AD Connect must be installed on Windows Server 2012 or later. The server must be domain joined and can be either a domain controller or a member server.
SQL for Azure AD Connect:
1. Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
2. Microsoft Azure SQL Database is not supported as a database.
Accounts:
1. An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
2. If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
Network Connectivity:
If your local network has a firewall or proxy, make sure that all the ports and endpoints listed in the documents below are allowed:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-gb%252farticle%252foffice-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
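The following pre-flight script is an added example, not from the original post or from Microsoft. It is meant to be run on the machine that will host Azure AD Connect and checks the server requirements above (edition, Windows Server 2012 or later, domain joined) plus a subset of the network requirements: the ports to a domain controller are the ones from the ports reference that this post relies on (53, 88, 389, 445, 3268), and the only cloud endpoint tested is login.microsoftonline.com; the complete endpoint list is in the two documents linked above. It assumes nothing beyond built-in Windows cmdlets and .NET.

```powershell
# Added example (not from the original post): pre-flight checks for an Azure AD Connect server.
# Assumes only built-in cmdlets (CIM, Test-NetConnection) and .NET; no RSAT needed.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem

# Supported editions: Standard, Enterprise, Datacenter. Version 6.2 is Windows Server 2012.
$editionOk = $os.Caption -match 'Server \d{4}.*(Standard|Enterprise|Datacenter)'
$versionOk = [version]$os.Version -ge [version]'6.2'
$domainOk  = $cs.PartOfDomain
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$role = switch ($os.ProductType) { 2 { 'domain controller' } 3 { 'member server' } default { 'workstation' } }

"{0,-32} {1}" -f 'OS', $os.Caption
"{0,-32} {1}" -f 'Edition supported', $editionOk
"{0,-32} {1}" -f 'Windows Server 2012 or later', $versionOk
"{0,-32} {1} ({2})" -f 'Domain joined', $domainOk, $role

if ($domainOk) {
    # Locate a domain controller through .NET so the check works without RSAT installed.
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    # Subset of the DC ports from the Azure AD Connect ports reference: DNS, Kerberos, LDAP, SMB, Global Catalog.
    foreach ($port in 53, 88, 389, 445, 3268) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        "{0,-32} {1}" -f "DC $dc tcp/$port", $r.TcpTestSucceeded
    }
}

# Outbound HTTPS to Azure AD. Test-NetConnection opens a direct TCP connection, so in a
# proxy-only network this shows False even when the proxy path works; see the note below.
$cloud = Test-NetConnection -ComputerName login.microsoftonline.com -Port 443 -WarningAction SilentlyContinue
"{0,-32} {1}" -f 'login.microsoftonline.com:443', $cloud.TcpTestSucceeded
```

If outbound traffic must pass through a proxy, the last check will report False regardless; in that case verify the path with Invoke-WebRequest and the -Proxy parameter instead, and remember that Azure AD Connect itself needs the proxy configured in machine.config as described in the ports reference above.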
Azure AD Connect – Key Terminologies and Components:
Azure AD Connect is a large product in its own right, so this post cannot cover its architecture in depth; the terms and concepts below are the ones you need to understand when working with it.
1. Azure AD Connect sync (sync engine)
2. Connector
3. Connected Data Sources or Connected Directories (CD)
4. Source anchor
5. Connector Space (CS)
6. Metaverse (MV)
7. Joined Object (or connector object)
8. Disjoined Object (or disconnector object)
9. Provisioning
10. Deprovisioning
Refer to the Microsoft documents below for a deeper look at the Azure AD Connect architecture and the concepts above.
Azure AD Connect sync: Technical Concepts:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
Azure AD Connect sync: Understanding the architecture:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-architecture
Azure AD Connect Authentication (sign-in) Options:
Azure AD offers the four authentication (sign-in) methods below when you use Azure AD Connect; choose the one that fits your security and compliance requirements. The Azure AD Connect installation wizard asks you to pick one of them.
1. Password Hash Synchronization (PHS):
–When Azure AD Connect is installed with "Express Settings", Password Hash Synchronization (PHS) is the default sign-in method.
–Azure AD Connect synchronizes a hash of the hash of each AD user's password from on-premises AD to Azure AD. The clear-text password never leaves the domain, and the synchronized value cannot be used to sign in to the on-premises network.
–To do this, Azure AD Connect sync extracts the user's password hash (the NT hash) from on-premises Active Directory and applies extra processing before it is synchronized to Azure AD: a per-user salt is added and the result is run through 1,000 iterations of PBKDF2 with HMAC-SHA256, so what Azure AD stores is not the on-premises hash itself.
–The password synchronization process runs every 2 minutes, independently of the regular directory sync cycle, and its frequency cannot be modified.
2. Pass-through Authentication (PTA):
–User credentials are validated by an on-premises Active Directory domain controller via the Azure AD Connect Authentication Agent; on-premises AD passwords are not stored in Azure AD in any form.
–For Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
–Communication between the Authentication Agent and Azure AD uses certificate-based authentication; these certificates are automatically renewed every few months by Azure AD.
–Microsoft recommends running more than one Authentication Agent (at least three) so that authentication requests remain highly available.
–PTA can also be combined with PHS for high availability. As Microsoft puts it: "Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication."
3. Federation with ADFS:
–In the ADFS federation scenario, Azure AD redirects the authentication request to ADFS, which validates the credentials against on-premises Active Directory.
4. Federation with PingFederate:
–If you already use PingFederate in your environment, you may choose it as the federation provider. Azure AD Connect natively supports PingFederate; refer to the official PingFederate documentation for implementation details.
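Once a tenant is in production it is not always obvious which of the four methods above is actually in effect, and whether the PHS fallback that the Microsoft quote describes is available. The script below is an added example, not from the original post or from Microsoft. It assumes the MSOnline module for the tenant-side part and, for the second half, that it runs on the Azure AD Connect server where the ADSync module is installed; it also assumes the default naming of the Azure AD connector ('<tenant>.onmicrosoft.com - AAD').

```powershell
# Added example (not from the original post): report the sign-in method in use per domain,
# and whether password hash sync is on as a fallback.
# Assumptions: MSOnline module installed; Connect-MsolService prompts for a Global Administrator;
# the ADSync half only runs where the ADSync module exists (the Azure AD Connect server).
Import-Module MSOnline
Connect-MsolService

# A verified domain is either Federated (ADFS or PingFederate) or Managed (PHS or PTA).
foreach ($d in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
    if ($d.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
        "{0,-30} FEDERATED  issuer={1}  passive={2}" -f $d.Name, $fed.IssuerUri, $fed.PassiveLogOnUri
    } else {
        "{0,-30} MANAGED (password hash sync or pass-through authentication)" -f $d.Name
    }
}

# On the Azure AD Connect server: is password hash sync enabled, and from which AD forest?
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    "Tenant feature PasswordHashSync: {0}" -f $features.PasswordHashSync

    # Assumption: the Azure AD connector keeps its default name '<tenant>.onmicrosoft.com - AAD';
    # every other connector is an on-premises AD forest.
    Get-ADSyncConnector | Where-Object { $_.Name -notlike '* - AAD' } | ForEach-Object {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        "Password sync from forest connector '{0}': enabled={1}" -f $_.Name, $cfg.Enabled
    }
}
```

Reading the output: a MANAGED domain with PasswordHashSync True and no Authentication Agents is plain PHS; MANAGED with agents deployed and PasswordHashSync True is PTA with the manual failover option described above; MANAGED with PasswordHashSync False is PTA without that fallback (or cloud-managed passwords), which is the configuration where an outage of the Authentication Agents or the Connect server locks users out.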
Azure AD Connect Server Installation:
The concepts above were the theory; now let's install the Azure AD Connect server in the on-premises AD DS environment.
1. Add a custom (routable) domain to Azure AD and make it the "Primary Domain" for the tenant:
–Log in to the Azure portal and go to Azure Active Directory.
–Click the "Add custom domain" option.