About chverstr@microsoft.com

People-centric approach Devices Apps Data Enable your users Unify your environment Protect your data

Slide: Identity as the foundation. Simple connection, self-service, single sign-on. On-premises: Windows Server Active Directory and other directories. Cloud: Microsoft Azure Active Directory, with one username for Azure, public-cloud SaaS and Office 365.

Slide: Azure AD Connect (sync + sign-on) connects on-premises Active Directory and LDAP directories to Azure AD.

Two installation types: Express / Customized

EXPRESS
When:
- Single AD DS forest on-premises.
- Less than 100,000 objects in your on-premises Active Directory. (Requires an enterprise administrator account for the installation.)
Outcome:
- Password synchronization from on-premises to Azure AD for single sign-on.
- Synchronizes users, groups, contacts, and Windows 10 computers.
- Synchronization of all eligible objects in all domains and all OUs.
- Automatic upgrade is enabled.

EXPRESS: other options?
- You do not want to synchronize all OUs: use Express and, on the last page, unselect "Start the synchronization process...". Run the installation wizard again, change the OUs in the configuration options, and enable scheduled sync.
- You want to enable one of the features in Azure AD Premium, such as Password writeback: first complete the initial installation, then re-run the installation wizard and change the configuration options.

CUSTOM
When:
- More than one AD DS forest on-premises to synchronize.
- No access to an enterprise admin account in Active Directory.
- Domains in the forest that are not reachable from the Connect server.
- Federation or pass-through authentication.
- More than 100,000 objects (and use a full SQL Server).
- Group-based filtering (not only domain- or OU-based).

Optional configuration options:
- Specify a custom install folder.
- Use an existing SQL Server.
- Use an existing service account.
- Specify custom sync groups. The groups must be local on the server and cannot be located in the domain.

Topologies

Supported:
- Single forest, single Azure AD tenant
- Multiple forests, single Azure AD tenant
- Multiple forests, separate topologies
- Multiple forests: match users
- Multiple forests: full mesh with optional GALSync
- Multiple forests: account-resource forest
- Multiple Azure AD tenants: each object only once in an Azure AD tenant
- GALSync with on-premises sync server

Not supported:
- Single forest, multiple sync servers to one Azure AD tenant
- Multiple forests, multiple sync servers to one Azure AD tenant
- Each object multiple times in an Azure AD tenant
- GALSync by using writeback
- Changing the configuration of Azure AD Connect sync to read data from another Azure AD tenant
- Exporting users as contacts to another on-premises Active Directory instance by using Azure AD Connect sync

sourceanchor (dilemma)

Definition: an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableid.

What to choose?
- objectguid is unique *but* unfortunately does change when a user is migrated between AD forests; when this happens there is no easy way to relink the migrated user to his cloud self (your mileage may vary).
- employeeid can be a good choice; it should be unique and immutable.
- msds-consistencyguid adds a bit of rules complexity but is the recommended choice, especially in multi-forest environments.
- sourceanchor should *not* be case-sensitive and should avoid characters that may vary by case.

Azure AD Connect (1.1.524.0+) now facilitates the use of msds-consistencyguid as sourceanchor:
- Uses msds-consistencyguid as the sourceanchor attribute for User objects; ObjectGUID is used for other object types.
- The sync rule tries to join using msds-consistencyguid or ObjectGUID.
- If the msds-consistencyguid attribute isn't populated, Azure AD Connect writes the object's objectguid value back to the msds-consistencyguid attribute in on-premises Active Directory.

Nice to know:
- The service account must be granted write permission to the msds-consistencyguid attribute in on-premises Active Directory.
- Azure AD Connect (1.1.524.0 and after) stores information in your Azure AD tenant about the sourceanchor attribute used during installation.
- The wizard checks the state of the msds-consistencyguid attribute in your on-premises Active Directory: if the attribute is already configured on one or more objects, it falls back to using objectguid as the sourceanchor attribute.
- Azure AD Connect (1.1.552.0 and after) supports switching from ObjectGuid to ConsistencyGuid as the Source Anchor attribute.
- Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceanchor.

msds-consistencyguid

Azure AD Connect v1.1.524.0 and later facilitates the use of msds-ConsistencyGuid as the sourceanchor attribute. Azure AD Connect automatically configures the synchronization rules to:
- Use msds-consistencyguid as the sourceanchor attribute for User objects.
- When the msds-consistencyguid attribute isn't populated, write the object's objectguid value back to msds-consistencyguid in on-premises Active Directory.
- After the msds-consistencyguid attribute is populated, export the object to Azure AD.

New installations (Express installation):
- The Azure AD Connect wizard queries your Azure AD tenant to retrieve the AD attribute used as the sourceanchor attribute. If available, AAD Connect uses the same AD attribute.
- If not, the wizard checks the state of the msds-ConsistencyGuid attribute in your on-premises Active Directory:
  - Attribute not configured? msds-consistencyguid is used as the sourceanchor attribute.
  - Already in use (e.g. by other apps)? The wizard falls back to using objectguid as the sourceanchor attribute.

Existing deployments:
- Important: only newer versions of Azure AD Connect (1.1.552.0 and after) support switching from ObjectGuid to ConsistencyGuid as the Source Anchor attribute.
- Azure AD Connect wizard => Configure => Configure Source Anchor. This analyzes the state of the msds-consistencyguid attribute in your on-premises Active Directory. If it is not used, the re-configuration is done. If it is in use, you can override the check by starting the wizard from the command line:
  "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe" /SkipLdapSearch

Using AAD Connect to manage the on-premises AD FS deployment? AAD Connect automatically updates the claim rules to use the same AD attribute as sourceanchor, so the ImmutableID claim generated by AD FS is consistent with the sourceanchor values exported to Azure AD.

Managing AD FS outside AAD Connect, or using 3rd-party federation? Manually update the claim rules so that the ImmutableID claim is consistent with the sourceanchor values exported to Azure AD.

Attribute flow (Active Directory -> AAD Connect -> Azure Active Directory): samaccountname -> onpremisesamaccountname, cn -> commonname, userprincipalname -> userprincipalname, objectguid -> sourceanchor.

Source Anchor (wizard page "How users should be identified with Azure AD"). Clarification: the user identifier that links the user in Active Directory with the corresponding user in Azure Active Directory.

Example anchor values through the pipeline: Active Directory objectguid 5439DA9B72889741904EB02C423C5F06 -> Metaverse sourceanchor VDnam3KIl0GQTrAsQjxfBg== -> Azure Active Directory sourceanchor VDnam3KIl0GQTrAsQjxfBg==. The Metaverse also holds cloudanchor and cloudsourceanchor coming from Azure Active Directory; for this object the cloudanchor is User_05dc224c-d002-4a66-b619-d6fbe1d1dc1f and the cloudsourceanchor is VDnam3KIl0GQTrAsQjxfBg==.

Diagram: on-premises UPN joes-p@contoso.com versus cloud UPN joe.smith@adatum.com (joes-p@contoso.com : joe.smith@adatum.com).

Diagram: sign-in flow AD FS -> UPN / ImmutableID -> AAD -> Office 365.

Table residue: $true / $false. $false: mail, objectguid. $true: mail, ms-ds-consistencyguid.
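The anchor values above are related by a fixed transformation: the ImmutableId is the base64 encoding of the GUID's 16 raw bytes in the byte order AD stores them. The following is an added Python illustration (not AAD Connect's own code) that performs that conversion both ways and mirrors the msds-consistencyguid rule described earlier (use it if populated, otherwise backfill it from objectGUID); the canonical GUID text is derived from the slide's octet string, and the user dictionaries are constructed samples.

```python
import base64
import uuid

# Constructed sample: the objectGUID shown on the slide, as the raw octet string
# AD displays it and in canonical GUID notation (derived from those octets).
SAMPLE_OBJECTGUID_OCTETS = "5439DA9B72889741904EB02C423C5F06"
SAMPLE_OBJECTGUID_CANONICAL = "9bda3954-8872-4197-904e-b02c423c5f06"


def guid_to_immutable_id(guid_text: str) -> str:
    """Base64 of the GUID's 16 raw bytes (little-endian field layout): the form
    AAD Connect exports as sourceanchor and Azure AD stores as ImmutableId."""
    if len(guid_text) == 32 and "-" not in guid_text:
        raw = bytes.fromhex(guid_text)        # raw octet string: already in stored byte order
    else:
        raw = uuid.UUID(guid_text).bytes_le   # canonical text: reorder the first three fields
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse mapping, e.g. to compare an ImmutableId seen in Azure AD with on-premises AD."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("not a GUID-based ImmutableId; the tenant may use another sourceanchor attribute")
    return str(uuid.UUID(bytes_le=raw))


def resolve_source_anchor(user: dict) -> tuple:
    """Mirror of the AAD Connect rule for User objects: take msDS-ConsistencyGuid if
    populated, otherwise write objectGUID into it and use that. Returns
    (immutable_id, updated_user). The write-back is why the sync service account
    needs write permission on msDS-ConsistencyGuid."""
    updated = dict(user)
    if not updated.get("msDS-ConsistencyGuid"):
        updated["msDS-ConsistencyGuid"] = updated["objectGUID"]
    return guid_to_immutable_id(updated["msDS-ConsistencyGuid"]), updated


if __name__ == "__main__":
    anchor, joe = resolve_source_anchor({"objectGUID": SAMPLE_OBJECTGUID_CANONICAL})
    print(anchor)  # VDnam3KIl0GQTrAsQjxfBg==
    # Cross-forest migration: objectGUID changes, but a migrated msDS-ConsistencyGuid
    # keeps the anchor stable, so the cloud object still hard-matches.
    migrated = {"objectGUID": str(uuid.uuid4()), "msDS-ConsistencyGuid": joe["msDS-ConsistencyGuid"]}
    print(resolve_source_anchor(migrated)[0] == anchor)  # True
```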

Filtering

By default, all objects in all domains in the configured forests are in scope. Examples of when to use filtering:
- Multi-Azure AD directory topology: apply a filter to control which objects are synchronized to a particular Azure AD directory.
- Pilot or functional test: a subset of users in Azure AD. In a small pilot it is not important to have a complete Global Address List to demonstrate the functionality.
- Service accounts and other non-personal accounts that you don't want in Azure AD.
- Compliance reasons.

Filtering options: group-based, domain-based, OU-based, attribute-based. You can use multiple filtering options at the same time; when you do, the filters are combined with a logical "AND".

Objects that are filtered out are no longer synchronized to Azure AD; objects in AAD that were synced but are then filtered out are deleted in AAD. Disable the scheduled task before making changes: Set-ADSyncScheduler -SyncCycleEnabled $false. Prevent accidental deletion is on by default with a threshold of 500. Change the value in PowerShell: Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value>. Disable it temporarily with Disable-ADSyncExportDeletionThreshold. If the threshold is exceeded the admin receives a mail notification, or look in the Synchronization Service for the status stopped-deletion-threshold-exceeded.

Common sync errors

Flow: Windows Server Active Directory -> Azure AD Connect (Sync) -> Microsoft Azure Active Directory. Hard Match matches the incoming object's sourceanchor to the immutableid of objects in AAD. Soft Match falls back to the ProxyAddresses and UserPrincipalName attributes to find a match. The AAD schema enforces uniqueness of ProxyAddresses, UserPrincipalName, onpremisessecurityidentifier, objectid, +

Scenarios for a duplicate/invalid Soft Match:
- Two or more objects with the same value of the ProxyAddresses or userprincipalname attributes exist in on-premises Active Directory.
- A synced account was migrated between forests: ObjectGUID (SourceAnchor) changes and the Soft Match is invalid due to the existing ImmutableId.
- A synced object was accidentally deleted and recreated in AD without also deleting the account in Azure Active Directory; the new account fails to sync with the existing Azure AD object.
- Azure AD Connect was uninstalled and re-installed using a different attribute as the SourceAnchor.
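The hard-match/soft-match order and the duplicate scenarios above, as an added Python model (not AAD Connect's own matching code) run over constructed cloud objects. Hard match on sourceanchor is tried first; soft match on UPN or proxy address only succeeds when exactly one cloud object matches and it is not already anchored to a different on-premises object, so the slide's migration, delete-and-recreate and re-install cases surface as errors.

```python
# Constructed Azure AD objects (not from the slides): one already linked on-premises
# (ImmutableId set), one cloud-only, and two that share a proxy address.
AAD_OBJECTS = [
    {"objectId": "aad-joe", "immutableId": "VDnam3KIl0GQTrAsQjxfBg==",
     "userPrincipalName": "joe.smith@adatum.com", "proxyAddresses": ["SMTP:joe.smith@adatum.com"]},
    {"objectId": "aad-pat", "immutableId": None,
     "userPrincipalName": "pat@adatum.com", "proxyAddresses": ["SMTP:pat@adatum.com"]},
    {"objectId": "aad-dup1", "immutableId": None,
     "userPrincipalName": "dup1@adatum.com", "proxyAddresses": ["SMTP:shared@adatum.com"]},
    {"objectId": "aad-dup2", "immutableId": None,
     "userPrincipalName": "dup2@adatum.com", "proxyAddresses": ["smtp:shared@adatum.com"]},
]


def _norm(addresses):
    # proxyAddresses compare case-insensitively; upper-case "SMTP:" only marks the primary address.
    return {a.lower() for a in addresses}


def match_incoming(incoming, aad_objects=AAD_OBJECTS):
    """Return (kind, detail): kind is 'hard', 'soft', 'new' or 'error';
    detail is the matched objectId or the reason for the error."""
    # 1. Hard match: sourceanchor equals an existing ImmutableId.
    for obj in aad_objects:
        if obj["immutableId"] and obj["immutableId"] == incoming["sourceAnchor"]:
            return "hard", obj["objectId"]
    # 2. Soft match on UPN or on any proxy address.
    upn = incoming["userPrincipalName"].lower()
    proxies = _norm(incoming["proxyAddresses"])
    candidates = [obj for obj in aad_objects
                  if obj["userPrincipalName"].lower() == upn or _norm(obj["proxyAddresses"]) & proxies]
    if not candidates:
        return "new", None
    if len(candidates) > 1:
        # Two cloud objects claim the same UPN/proxy address: ambiguous soft match.
        return "error", "duplicate soft match: " + ", ".join(o["objectId"] for o in candidates)
    hit = candidates[0]
    if hit["immutableId"] and hit["immutableId"] != incoming["sourceAnchor"]:
        # Cloud object is already anchored to a different on-premises object: forest
        # migration, deleted-and-recreated AD account, or a re-install with another sourceanchor.
        return "error", "soft match rejected: %s already has ImmutableId %s" % (hit["objectId"], hit["immutableId"])
    return "soft", hit["objectId"]
```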

Duplicate Attribute Resiliency: Azure Active Directory quarantines the duplicate attribute that would violate the uniqueness constraint and proceeds with the object creation or update. If the attribute is required for provisioning, like UserPrincipalName, the service assigns a placeholder value: +<4DigitNumber>@domain.com. To support this behavior a new attribute has been added to the User, Group, and Contact object classes: DirSyncProvisioningErrors. The feature is enabled by default on new tenants and rolled out in batches on existing tenants. Check the state with:
Get-MsolDirSyncFeatures -Feature DuplicateUPNResiliency
Get-MsolDirSyncFeatures -Feature DuplicateProxyAddressResiliency