About chverstr@microsoft.com
Agenda: a people-centric approach across devices, apps and data: enable your users, unify your environment, protect your data.
Identity as the foundation: simple connection, self-service and single sign-on. On-premises directories (Windows Server Active Directory and other LDAP directories) connect through Azure AD Connect (sync + sign-on) to Microsoft Azure Active Directory in the cloud, which fronts public cloud, SaaS and Office 365 with one username.
Two installation types: Express / Customized

EXPRESS
When:
- Single AD DS forest on-premises.
- Fewer than 100,000 objects in your on-premises Active Directory.
- Requires an enterprise administrator account for the installation.
Outcome:
- Password synchronization from on-premises to Azure AD for single sign-on.
- Synchronizes users, groups, contacts, and Windows 10 computers.
- Synchronization of all eligible objects in all domains and all OUs.
- Automatic upgrade is enabled.

EXPRESS: other options?
- You do not want to synchronize all OUs: use Express and, on the last page, unselect "Start the synchronization process...". Run the installation wizard again, change the OUs in the configuration options and enable scheduled sync.
- You want to enable one of the Azure AD Premium features, such as password writeback: first complete the initial installation, then re-run the installation wizard and change the configuration options.

CUSTOM
When:
- More than one AD DS forest on-premises to synchronize.
- No access to an enterprise admin account in Active Directory.
- Domains in the forest that are not reachable from the Connect server.
- Federation or pass-through authentication.
- More than 100,000 objects (and use a full SQL Server).
- Group-based filtering (not only domain- or OU-based).
Optional configuration options:
- Specify a custom install folder.
- Use an existing SQL Server.
- Use an existing service account.
- Specify custom sync groups. The groups must be local on the server and cannot be located in the domain.
Topologies

Supported:
- Single forest, single Azure AD tenant
- Multiple forests, single Azure AD tenant
- Multiple forests, separate topologies
- Multiple forests: match users
- Multiple forests: full mesh with optional GALSync
- Multiple forests: account-resource forest
- Multiple Azure AD tenants (each object only once in an Azure AD tenant)
- GALSync with an on-premises sync server

Not supported:
- Single forest, multiple sync servers to one Azure AD tenant
- Multiple forests, multiple sync servers to one Azure AD tenant
- Each object multiple times in an Azure AD tenant
- GALSync by using writeback
- Changing the configuration of Azure AD Connect sync to read data from another Azure AD tenant
- Exporting users as contacts to another on-premises Active Directory instance by using Azure AD Connect sync
sourceanchor (dilemma)

Definition: an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableid.

What to choose?
- objectguid is unique, *but* unfortunately it changes when a user is migrated between AD forests; when this happens there's no easy way to relink the migrated user to his cloud self (your mileage may vary).
- employeeid can be a good choice; it should be unique and immutable.
- msds-consistencyguid adds a bit of rules complexity but is the recommended choice, especially in multi-forest environments.
- sourceanchor should *not* be case-sensitive and should avoid characters that may vary by case.

Azure AD Connect (1.1.524.0+) now facilitates the use of msds-consistencyguid as sourceanchor:
- Use msds-consistencyguid as the sourceanchor attribute for User objects. ObjectGUID is used for other object types.
- The rule tries to join using msds-consistencyguid or ObjectGUID.
- If the msds-consistencyguid attribute isn't populated, Azure AD Connect writes the object's objectguid value back to the msds-consistencyguid attribute in on-premises Active Directory.

Nice to know
- The service account must be granted write permission to the msds-consistencyguid attribute in on-premises Active Directory.
- Azure AD Connect (1.1.524.0 and after) stores information in your Azure AD tenant about the sourceanchor attribute used during installation.
- The wizard checks the state of the msds-consistencyguid attribute in your on-premises Active Directory: if the attribute is already configured on one or more objects, it falls back to using objectguid as the sourceanchor attribute.
- Azure AD Connect (1.1.552.0 and after) supports switching from ObjectGuid to ConsistencyGuid as the Source Anchor attribute.
- Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceanchor.
msds-consistencyguid

Azure AD Connect v1.1.524.0 and later facilitates the use of msds-ConsistencyGuid as the sourceanchor attribute. Azure AD Connect automatically configures the synchronization rules to:
- Use msds-consistencyguid as the sourceanchor attribute for User objects.
- When the msds-consistencyguid attribute isn't populated, write the objectguid value back to msds-consistencyguid in on-premises Active Directory. After the msds-consistencyguid attribute is populated, Azure AD Connect exports the object to Azure AD.

New installations (Express installation):
- The Azure AD Connect wizard queries your Azure AD tenant to retrieve the AD attribute used as the sourceanchor attribute. If available, AAD Connect uses the same AD attribute.
- If not, the wizard checks the state of the msds-ConsistencyGuid attribute in your on-premises Active Directory:
  - Attribute not configured? msds-consistencyguid is used as the sourceanchor attribute.
  - Already in use (e.g. by other apps)? The wizard falls back to using objectguid as the sourceanchor attribute.

Existing deployments:
Important: only newer versions of Azure AD Connect (1.1.552.0 and after) support switching from ObjectGuid to ConsistencyGuid as the Source Anchor attribute.
- Azure AD Connect wizard => Configure => Configure Source Anchor analyzes the state of the msds-consistencyguid attribute in your on-premises Active Directory.
- If not in use, the re-configuration is done.
- If in use, you can override the check by starting the wizard from the command line:
  "c:\program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe" /SkipLdapSearch

Using AAD Connect to manage the on-premises AD FS deployment? AAD Connect automatically updates the claim rules to use the same AD attribute as sourceanchor, so the ImmutableID claim generated by AD FS is consistent with the sourceanchor values exported to Azure AD.
Managing AD FS outside AAD Connect, or using 3rd-party federation? Manually update the claim rules so that the ImmutableID claim is consistent with the sourceanchor values exported to Azure AD.
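As an added example (not from this deck or from Azure AD Connect itself), the sourceanchor derivation in Python: the ImmutableID is the base64 of the raw objectGUID bytes (checked against the deck's 5439DA9B... example value), followed by the 1.1.524.0+ write-back rule and a forest-migration check that shows why msDS-ConsistencyGuid is the safer anchor. The dict keys, the migration helper and the second GUID are assumptions of this example.

```python
import base64
import uuid

# The deck's example objectGUID as AD stores it: 16 raw bytes, shown in hex.
OBJECTGUID_HEX = "5439DA9B72889741904EB02C423C5F06"

def immutable_id_from_bytes(guid_bytes: bytes) -> str:
    """sourceanchor/ImmutableID is the base64 of the raw 16 GUID bytes."""
    if len(guid_bytes) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return base64.b64encode(guid_bytes).decode("ascii")

def immutable_id_from_guid_string(guid_str: str) -> str:
    """Same value from the dashed GUID string admin tools display. AD stores
    the first three GUID fields little-endian, hence bytes_le, not bytes."""
    return immutable_id_from_bytes(uuid.UUID(guid_str).bytes_le)

def choose_source_anchor(user: dict):
    """The 1.1.524.0+ rule for User objects described above: use
    msDS-ConsistencyGuid when populated, otherwise write objectGUID back into
    it and use that. Returns (anchor, user as it looks after the write-back).
    The dict keys are an assumption of this example."""
    updated = dict(user)
    if not updated.get("msDS-ConsistencyGuid"):
        updated["msDS-ConsistencyGuid"] = updated["objectGUID"]
    return immutable_id_from_bytes(updated["msDS-ConsistencyGuid"]), updated

def anchor_survives_forest_migration(user: dict, new_objectguid: bytes,
                                     copy_consistencyguid: bool) -> bool:
    """A cross-forest migration gives the user a fresh objectGUID. The anchor
    only stays stable if the migration carried msDS-ConsistencyGuid across;
    with objectGUID alone (copy_consistencyguid=False) the link is lost."""
    before, linked = choose_source_anchor(user)
    migrated = {"objectGUID": new_objectguid}
    if copy_consistencyguid:
        migrated["msDS-ConsistencyGuid"] = linked["msDS-ConsistencyGuid"]
    after, _ = choose_source_anchor(migrated)
    return before == after

if __name__ == "__main__":
    guid = bytes.fromhex(OBJECTGUID_HEX)
    print(immutable_id_from_bytes(guid))                   # VDnam3KIl0GQTrAsQjxfBg==
    print(immutable_id_from_guid_string("9bda3954-8872-4197-904e-b02c423c5f06"))
    new_guid = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # constructed
    print(anchor_survives_forest_migration({"objectGUID": guid}, new_guid, True))
    print(anchor_survives_forest_migration({"objectGUID": guid}, new_guid, False))
```

The same base64 value must appear as the ImmutableID claim in AD FS, which is why the claim rules have to follow whatever attribute the wizard picked.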
Attribute flow from Active Directory through AAD Connect to Azure Active Directory:
  samaccountname     -> onpremisesamaccountname
  cn                 -> commonname
  userprincipalname  -> userprincipalname
  objectguid         -> sourceanchor
Wizard page "Source Anchor: how users should be identified with Azure AD". Clarification: the user identifier that links the user in Active Directory with the corresponding user in Azure Active Directory.

Example flow (Active Directory -> Metaverse -> Azure Active Directory): objectguid 5439DA9B72889741904EB02C423C5F06 in Active Directory becomes sourceanchor VDnam3KIl0GQTrAsQjxfBg== in the metaverse and in Azure Active Directory, where the object also carries cloudanchor User_05dc224c-d002-4a66-b619-d6fbe1d1dc1f; the metaverse records the Azure AD side as cloudanchor / cloudsourceanchor.
Diagram: AD FS issues the UPN and ImmutableID claims consumed by Azure AD / Office 365, illustrated with the users joes-p@contoso.com and joe.smith@adatum.com.
Filtering

By default, all objects in all domains in the configured forests are in scope. Examples where filtering is used:
- Multi-Azure AD directory topology: apply a filter to control which objects are synchronized to a particular Azure AD directory.
- Pilot or functional test: a subset of users in Azure AD. In a small pilot it's not important to have a complete Global Address List to demonstrate the functionality.
- Service accounts and other non-personal accounts that you don't want in Azure AD.
- Compliance reasons.

Filtering options: group-based, domain-based, OU-based, attribute-based. You can use multiple filtering options at the same time; when you do, the filters are combined with a logical "AND".

- Objects that are filtered out are no longer synchronized to Azure AD. Objects in AAD that were synced but are then filtered out are deleted in AAD.
- Disable the scheduled task before making changes: Set-ADSyncScheduler -SyncCycleEnabled $false
- Prevent accidental deletion is on (500) by default. Change the value in PowerShell: Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value>. Temporarily disable it with Disable-ADSyncExportDeletionThreshold.
- If the threshold is exceeded, the admin receives a mail notification; alternatively, look in the Synchronization Service for the status stopped-deletion-threshold-exceeded.
Common sync errors

Matching (Windows Server Active Directory -> Azure AD Connect (Sync) -> Microsoft Azure Active Directory):
- Hard Match matches the incoming object's sourceanchor to the immutableid of objects in AAD.
- Soft Match falls back to using the ProxyAddresses and UserPrincipalName attributes to find a match.
- The AAD schema enforces uniqueness of ProxyAddresses, UserPrincipalName, onpremisessecurityidentifier, objectid and others.

Scenarios for a duplicate/invalid Soft Match:
- Two or more objects with the same value of the ProxyAddresses or userprincipalname attributes exist in on-premises Active Directory.
- A synced account was migrated between forests: ObjectGUID (SourceAnchor) changes and the Soft Match is invalid due to the existing ImmutableId.
- A synced object was accidentally deleted and recreated in AD without also deleting the account in Azure Active Directory. The new account fails to sync with the existing Azure AD object.
- Azure AD Connect was uninstalled and re-installed using a different attribute as the SourceAnchor.
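The hard-match-then-soft-match order and the failure scenarios above, as an added Python example run against a constructed tenant (this is not the deck's or Microsoft's code; the tenant records, dict keys and outcome strings are assumptions of this example). It shows the migrated-user case, where a new objectGUID no longer hard-matches and the soft match is refused because the cloud object already carries a different ImmutableId, and the duplicate proxyAddress case.

```python
import base64

def immutable_id(guid_bytes: bytes) -> str:
    """sourceanchor as Azure AD sees it: base64 of the raw objectGUID bytes."""
    return base64.b64encode(guid_bytes).decode("ascii")

# The deck's example objectGUID; used here as the already-synced user's anchor.
JOE_GUID = bytes.fromhex("5439DA9B72889741904EB02C423C5F06")

def make_tenant() -> list:
    """Constructed Azure AD tenant (sample data, not a real directory): one
    previously synced user and one cloud-only user never linked to AD."""
    return [
        {"objectId": "u1", "immutableId": immutable_id(JOE_GUID),
         "userPrincipalName": "joe.smith@adatum.com",
         "proxyAddresses": ["SMTP:joe.smith@adatum.com"]},
        {"objectId": "u2", "immutableId": None,
         "userPrincipalName": "ann@adatum.com",
         "proxyAddresses": ["SMTP:ann@adatum.com"]},
    ]

def match_incoming(obj: dict, tenant: list) -> str:
    """Apply the matching order described above to one incoming AD object:
    hard match on sourceanchor == immutableId, then soft match on
    userPrincipalName / proxyAddresses (case-insensitive). A successful soft
    match links the tenant object by stamping its immutableId, which is why a
    second AD object sharing the same address is refused afterwards."""
    anchor = immutable_id(obj["objectGUID"])
    for t in tenant:
        if t["immutableId"] == anchor:
            return "hard-match:" + t["objectId"]
    addrs = {a.lower() for a in obj["proxyAddresses"]}
    cands = [t for t in tenant
             if t["userPrincipalName"].lower() == obj["userPrincipalName"].lower()
             or addrs & {a.lower() for a in t["proxyAddresses"]}]
    if not cands:
        return "create-new"
    if len(cands) > 1:
        return "error:duplicate-soft-match"
    t = cands[0]
    if t["immutableId"] is not None:   # already linked to a different anchor
        return "error:soft-match-blocked-by-existing-immutableid:" + t["objectId"]
    t["immutableId"] = anchor
    return "soft-match:" + t["objectId"]
```

Call match_incoming once per object in import order against the same tenant list; the outcomes correspond to the normal join, the blocked soft match and the new-object paths described in the slides.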
Duplicate Attribute Resiliency

Azure Active Directory quarantines the duplicate attribute that would violate the uniqueness constraint and proceeds with the object creation or update. If the attribute is required for provisioning, like UserPrincipalName, the service assigns a placeholder value: +<4DigitNumber>@domain.com. To support this behavior a new attribute has been added to the User, Group, and Contact object classes: DirSyncProvisioningErrors. The feature is enabled by default on new tenants and rolled out in batches on existing tenants; check its state with:
Get-MsolDirSyncFeatures -Feature DuplicateUPNResiliency
Get-MsolDirSyncFeatures -Feature DuplicateProxyAddressResiliency