Slide 1

Welcome to the Azure Active Directory Webinar (Getting Started with Hybrid Identity)

We will start 2-3 minutes after the scheduled time to accommodate those still connecting.

Questions? Feel free to type them in the instant message window at any time. Note that any questions you post will be public. You have the option to post questions anonymously. After the webinar you can ask questions at our AAD Tech Community AMA page.

This webinar is being recorded. We will post a video recording of the content from this webinar roughly 2-3 weeks after today at https://aka.ms/AADWebinarRecordings.

Visit our AAD Webinar Community page at https://aka.ms/AADWebinarCommunity.

Let us know what you think by taking this 5-minute survey: https://aka.ms/FY20AzureActiveDirectoryWebinarFeedback

Slide 2

Getting Started with Hybrid Identity

September 2019

Slide 3

Agenda

• Azure AD Connect

• Sign-in methods

• Identity synchronization

• Custom configuration

• Resources

• Q&A

Slide 4

Azure AD Connect: Your identity bridge

[Diagram: on-premises / private cloud Active Directory is connected through Azure AD Connect (running on Windows Server) to Microsoft Azure Active Directory, which provides self-service, MFA and single sign-on.]

Slide 5

Prerequisites for Azure AD Connect

• Forest functional level 2003 or higher

• Writable domain controllers

• Windows Server 2008 or later

  • Domain joined for Express Settings

• Password Hash Synchronization

  • Windows Server 2008 R2 SP1 or later

• Password Writeback

  • DCs must be Windows Server 2008 (with latest SP) or later

• Ports required

  • Outbound: 80/443/5671
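The following PowerShell script is an added example, not part of the webinar deck, that checks the prerequisites listed on this slide before Azure AD Connect is installed: forest functional level, writable domain controllers and their operating systems, domain membership of the local machine (needed for Express Settings), and outbound reachability on ports 80, 443 and 5671. It assumes the ActiveDirectory RSAT module is available and that the account can read the forest; the hostnames used for the port test are assumptions (the slide lists only the ports), so replace them with the endpoints from the Azure AD Connect port documentation.

```powershell
# Added example (not from the webinar deck): pre-installation check of the prerequisites
# on the slide above, run from a domain-joined administrative workstation.
# Assumes the ActiveDirectory RSAT module and read access to the forest.
Import-Module ActiveDirectory

function Test-AadConnectPrerequisites {
    [CmdletBinding()]
    param(
        # ADForestMode enum: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012, ...
        # The slide requires forest functional level 2003 or higher.
        [int]$MinimumForestLevel = 2,
        # Outbound ports from the slide, each paired with a host to test against.
        # The hostnames are ASSUMPTIONS, not from the slide; replace with the documented endpoints.
        [hashtable]$Endpoints = @{
            80   = 'login.microsoftonline.com'
            443  = 'login.microsoftonline.com'
            5671 = 'REPLACE-WITH-DOCUMENTED-ENDPOINT-FOR-5671'
        }
    )

    $forest = Get-ADForest

    # 1. Forest functional level (enum casts to its numeric value).
    $forestLevelOk = ([int]$forest.ForestMode) -ge $MinimumForestLevel

    # 2. Writable domain controllers across all domains, and DC operating systems.
    #    Password hash sync needs 2008 R2 SP1+, password writeback needs 2008+ (with latest SP).
    $dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
    $oldDcs   = @($dcs | Where-Object { $_.OperatingSystem -match '2000|2003' } |
                 Select-Object -ExpandProperty HostName)

    # 3. Express Settings require the Azure AD Connect server to be domain joined.
    $domainJoined = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # 4. Outbound port reachability (a DNS failure on a placeholder host simply reports False).
    $ports = foreach ($port in ($Endpoints.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $Endpoints[$port] -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Host = $Endpoints[$port]; Open = [bool]$t.TcpTestSucceeded }
    }

    [pscustomobject]@{
        ForestMode        = $forest.ForestMode.ToString()
        ForestLevelOk     = $forestLevelOk
        WritableDCCount   = $writable.Count
        WritableDCsOk     = $writable.Count -gt 0
        DCsBelow2008      = $oldDcs            # must be empty for password writeback
        DomainJoined      = $domainJoined
        OutboundPorts     = $ports
        AllPortsOpen      = -not ($ports | Where-Object { -not $_.Open })
    }
}

Test-AadConnectPrerequisites | Format-List
```

Run it on the machine that will host Azure AD Connect; a False in ForestLevelOk, WritableDCsOk, DomainJoined or AllPortsOpen, or any entry in DCsBelow2008, points at a prerequisite to fix before starting the installation wizard.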

Slide 6

Prerequisites for Azure AD Connect - Licensing

• Included in Azure AD/Office 365 license:

  • Installation wizard

  • Synchronization from on-premises to Azure AD

  • Writeback for Exchange hybrid deployment

• Requires Azure AD Premium:

  • Writeback (password, group, etc.)

  • Connect Health

• Additional licenses required for:

  • SQL Server (if needed)

Slide 7

Azure AD Connect sizing

Synchronized objects    CPU       Memory    Hard drive    SQL Server required
Fewer than 10,000       1.6 GHz   4 GB      70 GB         No
10,000 – 50,000         1.6 GHz   4 GB      70 GB         No
50,000 – 100,000        1.6 GHz   16 GB     100 GB        No
100,000 – 300,000       1.6 GHz   32 GB     300 GB        Yes
300,000 – 600,000       1.6 GHz   32 GB     450 GB        Yes
More than 600,000       1.6 GHz   32 GB     500 GB        Yes

The minimum hardware requirements for Azure AD Connect synchronization are based on the number of objects that will be synchronized to Azure AD. SQL Express is used by default to host the configuration database, but full SQL Server is required for more than 100K synchronized objects.

Slide 8

Azure AD Connect with Express settings

• Quick (4 clicks)

• Start here, then add

• Single Forest

• Installs SQL Express

• Custom option for advanced scenarios

Slide 9

Azure AD Connect with Custom settings

• Multi-forest topologies

• Select SQL Server

• Filtering OU/Group

• Staging Mode

• Sign in

  • Federation

  • Pass-through authentication

• Optional features (writeback etc.)

• Custom attributes

Slide 10

Sign-in Methods

Slide 11

What are your authentication options with Azure AD?

Cloud authentication

• Cloud-only

• Password Hash Sync + Seamless SSO

• Pass-through authentication + Seamless SSO

Federated authentication

• AD FS

• Third-party federation providers

Slide 12

Azure AD Authentication decision tree (aka.ms/auth-options)

[Flowchart. Starting from Start, the numbered questions below lead to one of the outcomes listed; questions 4 and 5 appear on more than one branch of the tree.]

Decision questions

1. Do you want Azure AD to handle sign-in completely in the cloud?

2. Do you want to integrate with an existing federation provider?

3. Do you want to enforce user-level Active Directory security policies during sign-in?

4. Do you have a sign-in requirement not natively supported by Azure AD?

5. Do you want sign-in disaster recovery or leaked credential reports?

Outcomes

• Password Hash Sync + Seamless SSO

• Pass-through Auth + Seamless SSO

• Pass-through Auth + Seamless SSO with Password Hash Sync

• Federation

• Federation with Password Hash Sync

Slide 13

Azure AD Hybrid Identity with Password Hash Sync

[Diagram: Active Directory is synchronized to Azure AD through Azure AD Connect; the user signs in to Azure AD, which provides access to SaaS applications, public cloud and Azure.]

Slide 14

Azure Active Directory Seamless Single Sign-on (SSO)

[Diagram, split into on-premises and cloud. On-premises: Active Directory and Azure AD Connect, which performs identity sync with password hashes to Azure AD. The user signs in from a domain-joined machine using Kerberos authentication (directory query against Active Directory) and is then granted application access to SaaS applications, public cloud and Azure.]

Slide 15

Azure Active Directory Pass-through authentication

[Diagram, split into on-premises and cloud. On-premises: Active Directory, Azure AD Connect and two PTA agents. Cloud: Azure AD, providing access to SaaS applications, public cloud and Azure.]

Slide 16

Federated authentication

[Diagram with perimeter, on-premises and cloud zones. On-premises: Active Directory, Azure AD Connect and two federation servers; perimeter: two federation proxies; cloud: the user signs in to Azure AD, which provides access to SaaS applications, public cloud and Azure.]

Slide 17

Identity Synchronization

Slide 18

Identifying Users

Slide 19

SourceAnchor (Immutable ID)

Decision required: How should Azure AD Connect assign the source anchor (immutable ID) on users synchronized to the tenant?

The source anchor is immutable during the lifetime of an object and cannot be changed afterwards. Good: EmployeeID. Bad: mail, userPrincipalName.

Option: Azure managed (recommended)

• ms-DS-ConsistencyGuid is now the default.

• If the attribute is null, Azure AD Connect will derive a new source anchor from objectGUID and write it back to the consistency GUID.

Option: objectGUID

• Implications: This was the default option in the past. It is the simplest option for the source anchor. It does not allow for migration of users between forests.

Option: Use another attribute

• Implications: If an attribute like employee ID is reliably populated on users and guaranteed to be unique, it can be used as the source anchor.

Slide 20

User Principal Name (UPN)

Decision required: Users will authenticate to Azure AD with a user principal name (UPN), which uses the format user@domain. Will it match their email and SIP (Skype for Business) address?

Option: Align UPN with Email and SIP (Recommended)

Advantages

▪ Best end-user experience

▪ Limited confusion – user is told to sign in to all Azure AD-integrated applications with their email address

Disadvantages

▪ Requires changes to on-premises UPNs

▪ Some applications may have a dependency on current UPNs

Option: Use existing UPNs or something else

Disadvantages

▪ Users need to know UPN and email/SIP

▪ Many Office clients will first prompt for email or SIP and then prompt the user for their UPN

▪ In some cases, email/SIP may be prepopulated in the username field and will need to be changed by users

Guidance

▪ Match verified domain in Azure AD (contoso.com not contoso.local)

▪ Use Alternate Logon ID feature ONLY if UPN cannot be changed
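The following PowerShell script is an added example, not part of the webinar deck, covering the two "Identifying users" decisions above (source anchor and UPN). It derives the immutable ID from objectGUID the way the slide describes (Azure AD Connect writes that value back to ms-DS-ConsistencyGuid when the attribute is null), reports whether the stored consistency GUID matches it, and flags users whose UPN suffix is not a verified domain or whose UPN differs from their mail address. It assumes the ActiveDirectory RSAT module and read access to user objects; the verified-domain list (contoso.com) is an assumption taken from the slide's own example and must be replaced with the domains verified in your tenant.

```powershell
# Added example (not from the webinar deck): pre-sync readiness report for the source anchor
# and UPN decisions on the slides above. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# The immutable ID Azure AD Connect derives from objectGUID is the Base64 encoding of the
# GUID's 16 bytes; the same value is written back to mS-DS-ConsistencyGuid.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-SyncReadinessReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # ASSUMPTION: the domains verified in Azure AD. A UPN suffix outside this list
        # (for example contoso.local) cannot be used for cloud sign-in.
        [string[]]$VerifiedDomains = @('contoso.com')
    )

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties objectGUID, 'mS-DS-ConsistencyGuid', mail, userPrincipalName

    foreach ($u in $users) {
        $derived = ConvertTo-ImmutableId $u.ObjectGUID
        $cg = $u.'mS-DS-ConsistencyGuid'     # byte[] once written, $null before first sync
        $stored = if ($cg) { [Convert]::ToBase64String([byte[]]$cg) } else { $null }

        # NotYetWritten: Azure AD Connect will derive from objectGUID on first sync.
        # MatchesObjectGuid: the usual state after sync.
        # Custom: the value came from elsewhere (for example a cross-forest migration); check it.
        $state = if (-not $stored) { 'NotYetWritten' }
                 elseif ($stored -eq $derived) { 'MatchesObjectGuid' }
                 else { 'Custom' }

        $upnSuffix = ($u.UserPrincipalName -split '@')[-1]

        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            UserPrincipalName  = $u.UserPrincipalName
            Mail               = $u.mail
            SourceAnchorState  = $state
            DerivedImmutableId = $derived
            UpnSuffixVerified  = $VerifiedDomains -contains $upnSuffix
            UpnMatchesMail     = [bool]($u.mail -and ($u.mail -ieq $u.UserPrincipalName))
        }
    }
}

# Show only the users that need attention before the first sync.
Get-SyncReadinessReport |
    Where-Object { -not $_.UpnSuffixVerified -or -not $_.UpnMatchesMail -or $_.SourceAnchorState -eq 'Custom' } |
    Format-Table SamAccountName, UserPrincipalName, Mail, UpnSuffixVerified, UpnMatchesMail, SourceAnchorState -AutoSize
```

A user with UpnSuffixVerified = False is the contoso.local case from the slide; either change the on-premises UPN suffix or, only if that is impossible, fall back to Alternate Logon ID. A SourceAnchorState of Custom is not an error, but because the source anchor cannot be changed later, confirm where the value came from before the object is first exported.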

Slide 21

Identifying users – Multiple forests

How are forests related?

Azure AD Connect will match users and other objects between forests. The criteria (attribute) used for matching will be determined based on the relationship between forests. The topologies depicted here are common patterns.

[Diagram of common topologies between the Fabrikam and Contoso forests: each user (Mary, John) exists in only one forest; Mary has a duplicate account in the other forest; each forest holds a contact (Mary's contact, John's contact) for the other forest's users; an account/resource forest pair in which Mary's resource account holds her mailbox / Skype.]

Slide 22

Matching users across forests

Decision required: What matching criteria will be used to match users across forests?

• No matching – Use this when users will always exist in only one forest.

• Mail attribute – Use this when GAL sync has been deployed between forests, to instruct Azure AD Connect to join contacts to corresponding users.

• ObjectSID, msExchMasterAccountSid, msRTCSIP-OriginatorSid – Use this in account/resource forest topologies to join disabled resource accounts to primary user accounts.

• sAMAccountName, mailNickname – Use this to join duplicate users across forests by account name or mail nickname.

• Other attribute – Use this when another attribute in the environment is used to store authoritative matching criteria.

Implications: The matching criteria must fit the environment so that related users/objects in different forests are joined together. This instructs Azure AD Connect how to set up authentication, source system attributes from the proper forest, and preserve cross-forest group membership, among other things.

Slide 23

Custom Configuration Settings

Slide 24

Configure filtering

Decision required: By default, Azure AD Connect synchronizes all relevant objects from the on-premises AD DS to Azure AD. This is recommended to establish a unified global address list (GAL) between premises, but filtering is sometimes required. Decide if objects need to be excluded from the scope of synchronization.

• Group-based – Only members of the specified group will be synchronized. This option is only configurable upon initial install using the configuration wizard. Recommendation: test lab only.

• Domain-based – This option can be used to exclude entire domains from synchronization. It's configured using the Synchronization Service Manager.

• Organizational unit (OU)-based – This option can be used to exclude parts of the OU hierarchy from synchronization. It's configured using the Synchronization Service Manager. Recommendation: filter out service accounts / non-personal accounts.

• Attribute-based – For additional flexibility, filtering can be configured based on attribute values. This is done by customizing synchronization rules. Recommendation: only use this option when the others won't work.

aka.ms/aadconnectperf

Slide 25

Optional features

Slide 26

Optional features – Writeback

Decision required: There are several optional features which can be enabled in Azure AD Connect. Decide which features will be used.

• Password writeback – Used with Azure AD self-service password management to synchronize changes which originate in Azure AD back to AD DS. Options: on/off. Recommendation: enable when using Azure AD self-service password management.

• Group writeback – Synchronizes Office 365 Groups (modern groups) to the on-prem environment as distribution groups so they can be mailed to from on-prem mailboxes. Options: on/off, select the target OU. Recommendation: enable when using Office 365 Groups in hybrid environments. Currently only supported in single-organization environments and requires additional PowerShell scripting to present groups in the GAL.

• Device writeback – Synchronizes registered devices in Azure AD to AD DS so they can be used with AD FS conditional access policies. Options: on/off, select writeback forest. Recommendation: enable when using device-based conditional access in AD FS with Azure AD Device Registration or Intune.

Slide 27

Staging server

Decision required: Will an Azure AD Connect staging server be deployed? If so, in what datacenter?

Considerations

• A staging server reads data from all directories but does not write anything to connected directories.

• If the primary server fails, the Azure AD Connect wizard can be used to fail over to the staging server.

Recommendation: Deploy the staging server in a second datacenter for geographical redundancy for Azure AD Connect sync.

[Diagram label: Active Directory Domain Services]

Slide 28

Configure and install

Slide 29

Configure and install

• Prevents accidental deletions

• Feature on by default

• Cannot export more than 500 deletes (default)

• Can be configured with:

  • Enable-ADSyncExportDeletionThreshold

  • Disable-ADSyncExportDeletionThreshold

• Configuration stored in Azure Active Directory

Slide 30

Sync cycle schedule

• Every 30 minutes for adds/updates to objects

• Password changes poll and sync every 2 minutes

• To see your current configuration, run 'Get-ADSyncScheduler'

Slide 31

Auto upgrade

• The automatic upgrade is enabled when Azure AD Connect is:

  o Build 1.1.105.0 or higher

  o Installed with the Express settings

  o Using SQL Express LocalDB

• Run 'Get-ADSyncAutoUpgrade' to get the current upgrade state

  • Returns: Enabled, Suspended, or Disabled

• Application event log

  • Filter for source "Azure AD Connect Upgrade"
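The following PowerShell script is an added example, not part of the webinar deck, that reads the three operational settings from the preceding slides in one pass on the Azure AD Connect server: the export deletion threshold, the sync cycle schedule (including staging mode, which is what makes a staging server read-only), and the auto-upgrade state together with the "Azure AD Connect Upgrade" events in the Application log. It assumes the ADSync module that ships with Azure AD Connect and that the account is a member of the local ADSyncAdmins group; the 500-object alert threshold is this example's own choice, mirroring the product default quoted on the slide.

```powershell
# Added example (not from the webinar deck): read-only status check for the deletion
# threshold, sync cycle schedule and auto-upgrade settings on the slides above.
# Run on the Azure AD Connect server; the ADSync module is installed with the product.
Import-Module ADSync

function Get-AadConnectOperationalStatus {
    param(
        # ASSUMPTION: alert level chosen for this example; the product default is 500.
        [int]$MaxAcceptableDeletionThreshold = 500
    )

    $sched       = Get-ADSyncScheduler                 # sync cycle configuration
    $threshold   = Get-ADSyncExportDeletionThreshold   # DeletionThresholdEnabled / DeletionThresholdValue
    $autoUpgrade = Get-ADSyncAutoUpgrade               # Enabled, Suspended or Disabled

    # Last few auto-upgrade events from the Application log; none at all is not an error.
    $upgradeEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Azure AD Connect Upgrade'
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $sched.SyncCycleEnabled) {
        $findings.Add('Sync cycle is disabled; adds/updates will not flow to Azure AD.')
    }
    if ($sched.CurrentlyEffectiveSyncCycleInterval.TotalMinutes -gt 30) {
        $findings.Add("Effective sync interval is $($sched.CurrentlyEffectiveSyncCycleInterval); the default is 30 minutes.")
    }
    if (-not $threshold.DeletionThresholdEnabled) {
        $findings.Add('Export deletion threshold is disabled; a bad filter change could delete objects in Azure AD without stopping.')
    } elseif ($threshold.DeletionThresholdValue -gt $MaxAcceptableDeletionThreshold) {
        $findings.Add("Export deletion threshold is $($threshold.DeletionThresholdValue), above the acceptable $MaxAcceptableDeletionThreshold.")
    }
    if ($sched.StagingModeEnabled) {
        $findings.Add('Staging mode is on: this server imports and syncs but does not export to connected directories.')
    }
    if ($autoUpgrade -ne 'Enabled') {
        $findings.Add("Auto upgrade is $autoUpgrade; upgrades must be applied manually.")
    }

    [pscustomobject]@{
        SyncCycleEnabled         = $sched.SyncCycleEnabled
        EffectiveSyncInterval    = $sched.CurrentlyEffectiveSyncCycleInterval
        NextSyncCycleStartUtc    = $sched.NextSyncCycleStartTimeInUTC
        StagingModeEnabled       = $sched.StagingModeEnabled
        DeletionThresholdEnabled = $threshold.DeletionThresholdEnabled
        DeletionThresholdValue   = $threshold.DeletionThresholdValue
        AutoUpgradeState         = $autoUpgrade
        RecentUpgradeEvents      = @($upgradeEvents | Select-Object TimeCreated, Id, Message)
        Findings                 = $findings
    }
}

# Re-enabling the threshold at a value stricter than the 500 default is a one-liner
# (uncomment to apply; it changes configuration, which the slide notes is stored in Azure AD):
# Enable-ADSyncExportDeletionThreshold -DeletionThreshold 100

Get-AadConnectOperationalStatus | Format-List
```

The Findings list is what an operator acts on; the rest of the object is the raw state for a ticket or a scheduled report. Run the same script on the staging server too: there, StagingModeEnabled = True is expected, and the finding simply confirms the server is not exporting.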

Slide 32

Resources

• Article – Authentication Methods

  • aka.ms/auth-options

  • aka.ms/aadconnectperf

• Convert from ADFS to Password Hash Sync

• aka.ms/deploymentplans/adfs2phs

• Convert from ADFS to Passthrough Authentication

• aka.ms/deploymentplans/adfs2pta

• Azure AD blog

• aka.ms/identityblog

• Sign up for more webinars!

• aka.ms/aadwebinars

Slide 33

© Copyright Microsoft Corporation. All rights reserved.

Q & A

Slide 34

Thank you

Slide 35

Additional resources

• Azure Active Directory Webinar Community:

https://aka.ms/AADWebinarCommunity

• Product documentation:

https://docs.microsoft.com/azure/active-directory/

• Deployment Resources:

https://www.microsoft.com/fasttrack/resources

Let us know what you think by taking this 5-minute survey.

https://aka.ms/FY20AzureActiveDirectoryWebinarFeedback.