Info Sharing Blog

Monday, July 13, 2020

Azure AD Connect Overview #CloudScribblings

July 13, 2020, posted by jaacostan
The Azure AD Connect synchronization service synchronizes identity data between your on-premises environment and Azure Active Directory.
The service has two components:
  • Azure AD Connect sync component – installed on premises. It is recommended to install it on a separate domain-joined server, not directly on a domain controller.
  • Azure AD Connect sync service – this service runs in Azure AD.
Prerequisites for configuring Azure AD Connect:
  • An Azure AD tenant
  • You need to add and verify your domain in Azure AD
  • The Azure AD Connect sync component must be installed on Windows Server 2012 Standard or later (on-premises). The server must have the full GUI installed and must be domain joined. It is recommended not to install it directly on a domain controller.
The Azure AD Connect sync component requires a SQL Server database for storing identity data. By default, the installation of Azure AD Connect installs SQL Server 2012 Express LocalDB. During the configuration of the Azure AD Connect sync component, you need the following accounts and permissions:
  • An Azure AD Global Administrator account for the Azure AD tenant. The account should be a school or organization account and cannot be a Microsoft account.
  • An Enterprise Administrator account for the on-premises Active Directory.
  • The Azure AD Connect server needs DNS resolution for both the intranet and the internet: the DNS server it uses must resolve names in your on-premises Active Directory as well as the Azure AD endpoints. When a user tries to authenticate, the sign-in page redirects to the on-premises URL, depending on your configuration.
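The prerequisites above are easy to check before running the installer. The following PowerShell function is an added example written for this post, not code from the post's author or from Microsoft; it uses only cmdlets built into Windows Server, and the cloud endpoint names, the use of explorer.exe as a proxy for "full GUI", and the function name Test-AadConnectPrereqs are this example's own assumptions.

```powershell
# Added example (not from the original post): pre-flight checks for a candidate
# Azure AD Connect server. Run in an elevated PowerShell session on that server.
# Endpoint names below are assumptions; align them with your tenant's sign-in URLs.

function Test-AadConnectPrereqs {
    [CmdletBinding()]
    param(
        # Public Azure AD endpoints the server must resolve and reach over TCP 443 (assumed list)
        [string[]] $CloudEndpoints = @('login.microsoftonline.com', 'graph.windows.net')
    )

    $cs = Get-CimInstance Win32_ComputerSystem
    $os = Get-CimInstance Win32_OperatingSystem
    $result = [ordered]@{}

    # Prerequisite: the server must be domain joined
    $result.DomainJoined = [bool]$cs.PartOfDomain

    # Recommendation: not a domain controller.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $result.IsDomainController = ($os.ProductType -eq 2)

    # Prerequisite: Windows Server 2012 (NT 6.2) or later. Version is "major.minor.build".
    $result.OSCaption   = $os.Caption
    $result.OSVersionOk = ([version]$os.Version -ge [version]'6.2')

    # Prerequisite: full GUI. Server Core has no explorer.exe, so its presence is used
    # here as a proxy check (assumption).
    $result.FullGuiPresent = Test-Path (Join-Path $env:windir 'explorer.exe')

    # Prerequisite: DNS resolution of the on-premises AD domain (intranet side)
    try {
        $null = Resolve-DnsName -Name $cs.Domain -ErrorAction Stop
        $result.OnPremDnsOk = $true
    } catch {
        $result.OnPremDnsOk = $false
    }

    # Prerequisite: DNS resolution and HTTPS reachability of the Azure AD endpoints (internet side)
    $result.CloudEndpointsOk = $true
    foreach ($ep in $CloudEndpoints) {
        try {
            $null = Resolve-DnsName -Name $ep -ErrorAction Stop
            $tcp = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) { $result.CloudEndpointsOk = $false }
        } catch {
            $result.CloudEndpointsOk = $false
        }
    }

    # Overall verdict: every hard prerequisite met and the box is not a DC
    $result.ReadyForAadConnect = $result.DomainJoined -and (-not $result.IsDomainController) -and
        $result.OSVersionOk -and $result.FullGuiPresent -and
        $result.OnPremDnsOk -and $result.CloudEndpointsOk

    [pscustomobject]$result
}

Test-AadConnectPrereqs | Format-List
```

The edition (Standard vs. Essentials) is not verified by this check; read it from the OSCaption field. A False in CloudEndpointsOk usually means an outbound proxy or firewall rule rather than a DNS problem, so look at the Test-NetConnection output for the failing endpoint next.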
There are two methods to connect your on-premises AD with Azure AD.
Password Hash Synchronization
Here Azure AD Connect synchronizes a hash of the hash of a user's password from the on-premises Active Directory instance to the cloud-based Azure AD instance.
The advantage is that you only need to maintain one password for authentication both in your on-premises environment and in the cloud. If a user changes their password in the on-premises AD, the change is synced to Azure AD, but not the reverse.
Pass-through Authentication
This is similar to password hash synchronization, but here users' passwords are validated directly against the on-premises Active Directory: when a user tries to authenticate, the authentication request is sent to the on-premises Active Directory.
Password Write-Back
Password write-back is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. In this configuration, when users change or reset their passwords using Self-Service Password Reset (SSPR) in the cloud, the updated passwords are also written back to the on-premises AD DS environment. It can be configured together with either Password Hash Synchronization or Pass-through Authentication if required.
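Because password hash sync, pass-through authentication and write-back each change what the sync server can do to your directory, it is worth confirming from both sides which of them is actually enabled and which machine is doing the syncing. The script below is an added example for this post, not code from the post's author or from Microsoft. It assumes the ADSync module (installed with Azure AD Connect) on the sync server and the MSOnline module for the tenant side, that the Azure AD connector's name ends in " - AAD" as the installer names it by default, and that the property names shown match your module versions.

```powershell
# Added example (not from the original post): confirm how Azure AD Connect is
# configured before relying on it. Part 1 runs on the Azure AD Connect server
# (ADSync module); part 2 runs from any machine with the MSOnline module and a
# Global Administrator session. Cmdlet and property names are as documented for
# these modules; verify them against the versions you run.

# --- Part 1: on the Azure AD Connect server ---
Import-Module ADSync

# Is the scheduler enabled, and how often does a delta sync cycle run?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, AllowedSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Which directories are connected? Expect one on-premises AD connector and one Azure AD connector.
$connectors = Get-ADSyncConnector
$connectors | Select-Object Name, ConnectorTypeName

# Tenant-level features this server has negotiated (PasswordHashSync, UserWriteback,
# DeviceWriteback, ...). A feature you did not intend to enable is a finding.
Get-ADSyncAADCompanyFeature

# Password write-back is stored on the Azure AD connector; by default its name ends in " - AAD" (assumption)
$aadConnector = $connectors | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if ($aadConnector) {
    Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
} else {
    Write-Warning 'No connector named "* - AAD" found; check Get-ADSyncConnector output for the Azure AD connector.'
}

# --- Part 2: from the tenant side (MSOnline module) ---
Connect-MsolService

# DirSyncClientMachineName tells you which on-premises server last synced; compare it with the
# server you expect. LastPasswordSyncTime stays empty when password hash sync is not in use.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, DirSyncServiceAccount, DirSyncClientMachineName,
                  DirSyncClientVersion, PasswordSynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime
```

Run part 1 as a member of the local ADSyncAdmins group on the sync server. If LastDirSyncTime is older than the AllowedSyncCycleInterval reported in part 1, or DirSyncClientMachineName is not the server you built, treat it as an incident to investigate rather than a sync glitch.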