About: www.linkedin.com/in/anca-robu-84054117/ arobu@microsoft.com

Azure AD Connect: the components
Synchronization services (core component): Password Sync / Pass-through Authentication, Device Writeback, SCP. Lineage: DirSync, Azure AD Sync, FIM + Azure AD Connector.
ADFS "Easy Mode": configure an on-premises AD FS farm.
Health (Monitoring) Agent: Connect Health (Sync, ADFS).
Configure a hybrid environment.

Understanding the architecture

The sync engine
Creates an integrated view of objects that are stored in multiple connected data sources. This view is determined by the identity information retrieved from the connected data sources and by a set of rules that determine how to process that information.
The wizard defines the scope of objects and selects the attributes to synchronize (the attribute inclusion list), ensuring the required attributes are present.

The sync engine consists of two namespaces:
Connector space: a distinct staging area that contains representations of the designated objects from a connected data source. It stages incoming and outgoing changes and tracks changes in the data source.
Metaverse: a storage area that contains the aggregated identity information from multiple connected data sources, providing a single global, integrated view of all combined objects.

Connector space: staging objects and placeholders
The anchor attribute uniquely identifies objects in the connected data source (e.g. objectGUID for AD).
Objects with new identity information are flagged as pending import or pending export. New objects are created as import or export objects. Export objects become import objects when the sync engine receives them in the next import flow.
Placeholders represent a component of an object's hierarchical name that has not been imported into the sync engine (OUs, manager attributes, ...).

Metaverse objects
The sync engine creates metaverse objects using the information in import objects. The relationship is one MV object to many CS objects. The MV schema is extensible, with a predefined set of object types and associated attributes.
A CS staging object linked to an MV object is called a joined object (connector). A staging object that is not linked to a metaverse object is called a disjoined object (disconnector). MV objects that no longer link to any CS object are deleted.

Identity management process
The import process first tries to locate a representation of the object in the CS, matching on the anchor attribute or the distinguished name. Staging objects with updated data are marked as pending import (Add, Update, Delete).
Inbound synchronization projects/provisions new objects in the MV, joins existing MV objects to a staging object, or updates attribute values (attribute flow).
Outbound synchronization updates export objects when an MV object changes: rename a joined object; create joined objects, where a metaverse object is linked to a newly created export object; disjoin links between a metaverse object and staging objects, creating a disjoined object.

Identity management process (continued)
During the export process, the sync engine examines all export objects flagged as pending export in the connector space and sends the updates to the connected data source.
The sync engine uses the next import to confirm the attribute values that were exported to the connected data source. Comparing the imported and exported information lets the sync engine determine whether the export succeeded or needs to be repeated.

Scope
Determines which rules are in scope and should be included in processing. Operators: EQUAL, CONTAINS, ISNULL, ISBITSET, ISMEMBEROF.
Join
Finding the relationship between the object in the source and an object in the target, for example a CS object linking to an MV object (inbound rule): search for an object already in the metaverse to link to.

Join (continued)
Join rules are only evaluated once. When a CS object and an MV object are joined, they remain joined as long as the scope of the synchronization rule is still satisfied.
Only one synchronization rule with join rules defined may be in scope: precedence is not managed for join rules. The groups in join rules are processed from top to bottom.
If there is not exactly one match, the Link Type is used: only if this option is set to Provision is a new object created in the target.

Transformations
Define the attribute flow as:
Direct: flows an attribute value as-is with no additional transformation.
Constant: sets the specified value.
Expression: uses the declarative provisioning expression language to express how the transformation should behave.
Precedence is set for each rule: the lowest number wins. See the default ruleset for an example (enabled accounts have higher precedence). Multi-valued attributes from several different connectors can be merged instead of being resolved by precedence.

User/contact out-of-box rules
Must have a sourceAnchor; after creation in Azure AD this cannot be changed. userAccountControl must be populated (default in AD DS).
Exclusions:
IsPresent([isCriticalSystemObject])
IsPresent([sAMAccountName]) = False
Left([sAMAccountName], 4) = "AAD_"
Left([sAMAccountName], 5) = "MSOL_"
Objects and Exchange objects that would not work in Exchange Online are not synchronized.

The default Azure AD Connect ruleset is complex and carefully built: modifying the ruleset can quickly become a dangerous and daunting task! The out-of-box sync rules carry a thumbprint; if you change these rules, the thumbprint no longer matches and you may run into problems later when applying a new release of Azure AD Connect.
Only make changes the way described in the article below. Consider the supportability of the customizations and follow the recommendations on how to change the default configuration:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-best-practices-changing-default-configuration

The Rules Demo!

sourceanchor (dilemma)

Definition: an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId.
What to choose?
objectGUID is unique, *but* unfortunately it changes when a user is migrated between AD forests; when this happens there is no easy way to relink the migrated user to its cloud counterpart (your mileage may vary).
employeeID can be a good choice; it should be unique and immutable.
msDS-ConsistencyGuid adds a bit of rules complexity but is the recommended choice, especially in multi-forest environments.
The sourceAnchor should *not* be case-sensitive and should avoid characters that may vary by case.

Azure AD Connect (1.1.524.0 and later) facilitates the use of msDS-ConsistencyGuid as sourceAnchor:
msDS-ConsistencyGuid is used as the sourceAnchor attribute for User objects; objectGUID is used for other object types.
The rule tries to join using msDS-ConsistencyGuid or objectGUID.
If the msDS-ConsistencyGuid attribute is not populated, Azure AD Connect writes the object's objectGUID value back to the msDS-ConsistencyGuid attribute in on-premises Active Directory.

Nice to know
The service account must be granted write permission to the msDS-ConsistencyGuid attribute in on-premises Active Directory.
Azure AD Connect (1.1.524.0 and later) stores information in your Azure AD tenant about the sourceAnchor attribute used during installation.
The wizard checks the state of the msDS-ConsistencyGuid attribute in your on-premises Active Directory: if the attribute is already configured on one or more objects, it falls back to using objectGUID as the sourceAnchor attribute.
Azure AD Connect (1.1.552.0 and later) supports switching from objectGUID to ConsistencyGuid as the source anchor attribute. Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceAnchor.
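Azure AD stores the sourceAnchor as the Base64 encoding of the 16-byte GUID, so the dilemma above (objectGUID changing on forest migration, msDS-ConsistencyGuid preserving the original) can be checked per object. The following PowerShell is an added example, not part of the deck; the sample GUIDs are constructed, and the Get-ADUser line in the comment shows where real values would come from.

```powershell
# Added example (not from the deck): compare a user's on-premises anchor candidates with the
# ImmutableId stored in Azure AD. Azure AD keeps the anchor as Base64 of the 16 GUID bytes, so
# objectGUID and mS-DS-ConsistencyGuid must be encoded the same way before comparing.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][byte[]]$GuidBytes)
    [Convert]::ToBase64String($GuidBytes)
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-SourceAnchorConsistency {
    # Describes how (or whether) the cloud object is anchored to the on-premises object.
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,          # current objectGUID in AD DS
        [byte[]]$ConsistencyGuid,                          # mS-DS-ConsistencyGuid, may be empty
        [Parameter(Mandatory)][string]$CloudImmutableId    # ImmutableId read from Azure AD
    )
    $cloudGuid = ConvertFrom-ImmutableId $CloudImmutableId
    $hasConsistencyGuid = $ConsistencyGuid -and $ConsistencyGuid.Length -eq 16

    if ($hasConsistencyGuid -and ([guid]::new($ConsistencyGuid) -eq $cloudGuid)) {
        if ($ObjectGuid -eq $cloudGuid) { return 'Anchored: ConsistencyGuid matches the cloud ImmutableId (same as objectGUID)' }
        return 'Anchored: ConsistencyGuid matches the cloud ImmutableId; objectGUID differs (e.g. migrated object)'
    }
    if ($ObjectGuid -eq $cloudGuid) {
        if ($hasConsistencyGuid) { return 'Mismatch: objectGUID matches the cloud, but ConsistencyGuid holds a different value' }
        return 'Anchored by objectGUID only; ConsistencyGuid not yet populated (Connect writes objectGUID back)'
    }
    return 'Orphaned: neither attribute matches the cloud ImmutableId; the object must be relinked before it can sync'
}

# Constructed sample: a user migrated to a new forest received a new objectGUID, but the migration
# carried the original GUID in mS-DS-ConsistencyGuid, which is the value Azure AD knows.
$originalGuid  = [guid]'11111111-2222-3333-4444-555555555555'
$newObjectGuid = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$cloudId = ConvertTo-ImmutableId $originalGuid.ToByteArray()

Test-SourceAnchorConsistency -ObjectGuid $newObjectGuid -ConsistencyGuid $originalGuid.ToByteArray() -CloudImmutableId $cloudId

# Real values would come from the ActiveDirectory module and the tenant, e.g.:
#   $u = Get-ADUser alice -Properties 'mS-DS-ConsistencyGuid'
#   $u.ObjectGUID ; $u.'mS-DS-ConsistencyGuid'
```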

msDS-ConsistencyGuid

Accounts and Permissions

Created/required service accounts
AAD Connect Sync Service Account: Virtual Service Account (VSA), Group Managed Service Account (gMSA), or local / domain account.
Active Directory account.
Azure AD service account.
With builds from March 2017 or earlier, do not reset the password on the AAD Connect Sync Service Account, since Windows destroys the encryption keys for security reasons.

Express settings installation: required permissions
Administrator of the local server: creates the local account that is used as the sync engine service account.
Enterprise Admin credentials: creates an account in Active Directory and grants permissions to it.
Global administrator role in Azure AD: creation of the Azure AD account that is used for ongoing sync operations in Azure AD; enabling sync in the Azure AD directory.

Custom settings installation: required permissions
Administrator of the local server: creates the local account that is used as the sync engine service account.
AD or local user account credentials: if this account is specified, it is used as the service account for the sync service.
On-premises AD DS credentials for each forest that is connected to Azure AD.
Domain Administrator: installation and configuration of the AD FS server role.
Local admin on the Web Application Proxy servers.
Domain account that is a local administrator of the AD FS server(s), for the proxy trust credentials.
AD user account credentials for the AD FS service account.

Upgrade Azure AD Connect / Staging Mode

Upgrade from DirSync or Azure AD Sync
In-place migration of all supported custom configurations; side by side for > 50K objects. Will not migrate unsupported configurations (such as removed attribute flows).
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-upgrade-get-started/
Upgrade Azure AD Connect
Automatic Upgrade, In-Place Upgrade, Swing Migration.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version

Use staging mode in scenarios such as: high availability; testing and deploying new configuration changes; introducing a new server and decommissioning the old one. A server in staging mode is active for import and synchronization, but does not run any exports.
Disaster recovery recommendations: rebuild when needed; keep a spare standby server, known as staging mode; use virtual machines.
Optional: SQL high availability. SQL AlwaysOn Availability Groups (AOA) are supported from version 1.1.524.0. You must enable SQL AOA before installing Azure AD Connect!

Scheduler

Responsible for two tasks:
Synchronization cycle: import, sync and export processes.
Maintenance tasks: renew keys and certificates for Password Reset and DRS; purge old entries in the operations logs.
Configuration: view it with Get-ADSyncScheduler in PowerShell; modify it with Set-ADSyncScheduler and its parameters -CustomizedSyncCycleInterval, -NextSyncCyclePolicyType, -PurgeRunHistoryInterval, -SyncCycleEnabled, -MaintenanceEnabled.

Disable the scheduler: Set-ADSyncScheduler -SyncCycleEnabled $false
Start a Delta or Full (Initial) sync cycle: Start-ADSyncSyncCycle -PolicyType Delta, or Start-ADSyncSyncCycle -PolicyType Initial
Stop the scheduler's running sync cycle: Stop-ADSyncSyncCycle

Custom scheduler: Invoke-ADSyncRunProfile -ConnectorName "name of connector" -RunProfileName "name of profile"
Recommended order:
1. (Full/Delta) Import from on-premises directories, such as Active Directory
2. (Full/Delta) Import from Azure AD
3. (Full/Delta) Synchronization from on-premises directories, such as Active Directory
4. (Full/Delta) Synchronization from Azure AD
5. Export to Azure AD
6. Export to on-premises directories, such as Active Directory
Get the status: Get-ADSyncConnectorRunStatus
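The six-step order above, driven by Invoke-ADSyncRunProfile with the built-in scheduler suspended so the two cannot collide, as an added PowerShell example (not the deck's code). It assumes the ADSync module is loaded on the Connect server; the connector names are placeholders (the AD connector is normally the forest FQDN, the Azure AD connector name ends in " - AAD"), and the run profile names are the standard ones created by the wizard.

```powershell
# Added example (not from the deck): run one synchronization cycle by hand, in the recommended
# order, with the scheduler disabled for the duration and restored afterwards.

function Wait-ADSyncIdle {
    # Block until no run profile is executing. Get-ADSyncConnectorRunStatus returns
    # nothing when the sync engine is idle (assumption stated in the lead-in).
    param([int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (Get-ADSyncConnectorRunStatus) {
        if ((Get-Date) -gt $deadline) { throw "A run profile is still executing after $TimeoutSeconds s" }
        Start-Sleep -Seconds 10
    }
}

function Invoke-ADSyncManualCycle {
    param(
        [Parameter(Mandatory)][string]$AdConnector,    # on-premises AD connector name (placeholder)
        [Parameter(Mandatory)][string]$AadConnector,   # Azure AD connector name (placeholder)
        [ValidateSet('Full', 'Delta')][string]$Mode = 'Delta'
    )
    $import = "$Mode Import"
    $sync   = "$Mode Synchronization"

    # Recommended order: imports, then synchronizations, then exports (cloud before on-premises).
    $steps = @(
        @{ Connector = $AdConnector;  Profile = $import },
        @{ Connector = $AadConnector; Profile = $import },
        @{ Connector = $AdConnector;  Profile = $sync },
        @{ Connector = $AadConnector; Profile = $sync },
        @{ Connector = $AadConnector; Profile = 'Export' },
        @{ Connector = $AdConnector;  Profile = 'Export' }
    )

    $wasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled
    Set-ADSyncScheduler -SyncCycleEnabled $false      # keep the built-in scheduler out of the way
    try {
        Wait-ADSyncIdle                                # never start on top of a running cycle
        foreach ($s in $steps) {
            Write-Host "Running '$($s.Profile)' on connector '$($s.Connector)'"
            Invoke-ADSyncRunProfile -ConnectorName $s.Connector -RunProfileName $s.Profile
            Wait-ADSyncIdle
        }
    }
    finally {
        # Restore the previous scheduler state even if a step failed.
        Set-ADSyncScheduler -SyncCycleEnabled $wasEnabled
    }
}

Invoke-ADSyncManualCycle -AdConnector 'contoso.local' -AadConnector 'contoso.onmicrosoft.com - AAD' -Mode Delta
```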