Despite the proliferation of cloud architecture, organizations cannot entirely shift from their existing on-premise environments due to the presence of important legacy solutions that do not support the migration. Besides, certain sensitive data and applications can only be locally hosted to avoid security and compliance issues.
In such cases that involve a hybrid infrastructure, it can be extremely tiresome and less secure for users to have multiple passwords across diverse tools and applications. Therefore, Azure ADConnect plays an instrumental role in unifying user identities across platforms.
What is Azure AD Connect?
Azure Active Directory Connect is a set of tools that allow organizations to integrate on-premises directories with Azure AD. Azure AD Connect ensures that users can synchronize their digital identities (which include user accounts, groups, credential hashes, User Principal Name, security identifier) across hybrid infrastructures, thereby enabling single Sign-on and federated identity services. Azure AD Connect comprises of the following technologies:
Azure AD Connect Health: Provides end-to-end diagnosis and monitoring of the Azure ADConnect deployment and other hybrid environments across the Active Directory. Azure AD Connect Health throws light on performance metrics related to synchronization such as sync errors, sync status, usage monitoring, authorization requirements, besides delivering auto-health updates.
Azure ADConnect Sync: The primary component of Azure AD Connect, Azure AD Connect Synchronization services (Sync) takes care of all operations related to unifying on-premise and on-cloud user identity data.
Active Directory Federated Services (ADFS): ADFS unifies identity and access management services across platforms. ADFS is instrumental in providing SSO services.
PHS/PTA/SSSO provisioning connector: Includes authentication measures such as password hashing services, pass-through authentication and seamless single sign-on services required to verify user identity.
Requirements to install Azure ADConnect
Before installing Azure ADConnect, users must ensure that the necessary pre-requisites are fulfilled, which include:
- An Azure AD tenant.
- A verified domain name that can be used in Azure AD. By default, Azure can allow over 50,000 objects by default, and a verified domain can house upto 300,000 objects. To extend the capacity further, the user must have a license, such as Microsoft 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility + Security.
- On-premise Active Directory. The AD schema and forest functional level must be Windows Server 2016 or beyond, albeit the domain controllers can be of any version as long as the two requirements are met.
- The domain controller must be writable. Azure ADConnect doesn’t support read-only domain controller (RODC).
- Windows server standard. Azure ADConnect is incompatible with Windows Server Essentials (before 2019) or Small Windows server. The Azure ADConnect server must have a GUI installed.NET Framework 4.6.2 or later and Microsoft Powershell 3.0 or later installed.
- Having an SQL database in place, to store identity-based data. The SQL Server 2019 Express LocalDB is installed by default.
- Identify and troubleshoot errors and duplication-related issues within on-premises environment. (Tip: Idfix is a highly-recommended tool to perform this action)
How to deploy Azure ADConnect?
For installation, use the desired sync server and sign in as a local administrator. There are two ways to install Azure ADConnect:
Express: The most commonly used method of installation, express settings are used for a predominant customer case wherein:
- The user has single-forest topology.
- They have less than 100,000 objects in their on-premises AD.
Apart from password hash synchronization, the user receives functionalities such as:
- Automatic upgrades from time to time.
- Synchronization of all AD assets, such as all objects across OUs and domains.
- Configuration that ensures synchronization across users, groups, contacts, and Windows 10 devices.
Custom: This type of setting accommodates more installation scenarios than express. Some of the use cases include:
- You have more that 100,000 objects in their AD.
- You may use group-based filtering besides domain and OU-based filtering.
- You are unauthorized to access enterprise account in AD.
- You have more that one forest to synchronize in the future.
- You intend to use federated identity or pass-through-authentication.
How Azure ADConnect works
Azure ADConnect is used to synchronize user accounts, credential hashes, and group present in your on-prem Active Directory to Azure AD. Besides, it can also sync special attributes of user accounts such as the principal name (UPN) and on-prem security identifier (SID). Azure ADConnect does not sync both ways, it only synchronizes attributes from on-premises AD to Azure AD. However, the sync can be done the other way around by configuring a write-back.
Attributes that cannot be synchronized by Azure ADConnect:
Some of the objects, and attributes that cannot synchronized by Azure ADConnect include:
- Excluded attributes that are chosen by the user.
- Group policies configured in on-prem AD.
- Sysvol folders residing in on-premises environment.
- Computer objects in on-prem AD.
- Existing SIDhistory attributes for users and groups.
- Organizational Units structures.
Synchronization time and frequency of Azure ADConnect:
By default, Azure ADConnect runs synchronization cycles every 30 minutes. Azure ADConnect Sync uses a synchronizer to automatically reflect the changes that happen in the on-premises AD, onto your Azure AD. You can configure changes into the scheduler using Powershell scripts, in case if you need to modify synchronization cycles. After performing changes, you must ensure that the synchronization cycle is implemented atleast once a week.
Best practices for using Azure ADConnect
To secure your sync server running Azure AD Connect, you must treat it like a domain controller. Limit access by restricting local administrative rights and controlling logins. Besides, ensure that the service account for the tool only has necessary rights and implement strong password policies.
Only the user who installed it and local administrators on the machine have default access to Azure ADConnect. To grant access to other users, add them to the ADSyncAdmins group on the local server, but they must be monitored continuously.
When it comes to synchronizing groups to Azure AD, it’s important to evaluate your on-premises groups. The sync engine can filter out any groups that are not relevant to your cloud. Before implementing changes to the filtering, temporarily disable the scheduled sync task to verify your changes.
Avoid syncing on-premises admin groups to Azure AD as it increases risk by exposing these groups to a wider base of users. Instead, use Azure AD functionality to manage your cloud administrators with roles such as: Global Administrator, Application Administrator, Compliance Administrator, and SharePoint Administrator. Consider enhancing security by implementing multifactor authentication and privileged access management.
Besides syncing hybrid groups from your on-premises AD, consider creating cloud-only groups, including Microsoft 365 groups.Azure AD Connect should not be considered as the sole solution for cloud identity management and backup and recovery. While it synchronizes most objects from your on-premises AD to Azure AD, attributes such as Office 365 licenses, roles, and conditional access policies only exist in the cloud. Therefore, during deletion, recovery of the on-premises AD user object may not restore the cloud-only attributes.
