Designing an Identity Strategy
If your organization uses Active Directory (AD) for its identity management, and you would like to use those identities in Azure or Microsoft 365, then you will need to implement Azure Active Directory Connect.
This course is divided into three sections. The first section is on designing an identity strategy. In this section, we'll look at our AD identities and consider what work needs to be done and what we need to think about ahead of time. The second section is on implementing identity synchronization using Azure AD Connect. We will consider what needs to be synced and what authentication options are available. In the last section, we'll look at managing identity synchronization using Azure AD Connect. We'll look at what it takes to manage the sync and to reconfigure options after Azure AD Connect has been initially configured.
- Design a hybrid identity solution
- Implement Azure Active Directory Connect
- Manage synchronized identities
- Azure administrators
- Microsoft 365 administrators
- Basic understanding of Active Directory and Office 365
- To do the examples yourself, you will need an on-premises Active Directory structure and an Azure subscription
About the Author
Matt is a freelance system administrator with over 20 years of experience in IT. His current focus is on the great features of Microsoft Azure and Office 365. He’s always had a fascination for anything techie and loves learning and sharing that knowledge.
The domain and user requirements for Azure AD Connect are fairly simple, but we need to make sure we've considered them beforehand. The forest functional level must be Windows Server 2008 or higher. And we're going to need three different accounts in order to configure Azure AD Connect: a local administrator to install Azure AD Connect; a Microsoft 365 global administrator so that we have the rights to create and change objects in Azure AD; and an on-premises AD Enterprise Administrator so that we have all the rights we need to add and change user objects in the on-premises AD structure.
The domain object requirements for Azure AD Connect are a little more complicated, but not too bad once we know what they are. We need to remove any duplicate proxy addresses, email addresses, and user principal names, because these must be unique when they arrive in Azure AD.
We need to remove any questionable characters from the following attributes: displayName, givenName, surname, and particularly sAMAccountName and userPrincipalName. The user must also have a UPN that matches our Azure domain.
So if our domain is domain.com, we need to make sure that domain is configured in Azure AD and that the user's UPN uses that domain. In fact, Microsoft recommends as a best practice that we use the user's email address as their UPN, because this keeps things simple: the user will always know what their login account name is.
Thankfully, Microsoft provides a great tool called IdFix, which does a lot of the heavy lifting of going through on-premises AD accounts to find any issues or problems before we sync them up to Azure AD. This tool can be downloaded from the Microsoft download site and requires four gigs of RAM, two gigs of disk space, and .NET 4.0 or higher. Interestingly, it can be run from a Windows 7 or higher box; it doesn't have to be a server OS, and it doesn't have to be a domain controller. It just needs access to read and write the on-premises AD objects. It will go through and find any errors or inaccuracies in those objects, suggest some changes, and give us the opportunity to edit them ourselves.
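The object requirements above (unique addresses and UPNs, a UPN in our Azure domain, no questionable characters) can also be spot-checked from a PowerShell prompt before running IdFix. This script is an added example, not code from the course or from Microsoft's IdFix; it assumes the ActiveDirectory module is available, that $VerifiedDomains lists the domains added to Azure AD, and it uses simplified character patterns that only approximate IdFix's full rule set.

```powershell
Import-Module ActiveDirectory

# Assumption: the custom domains you have added and verified in Azure AD.
$VerifiedDomains = @('domain.com')

# Simplified character rules for this spot check (an assumption, not IdFix's full rule set).
$UpnPattern = '^[A-Za-z0-9._!#^~-]+@[A-Za-z0-9.-]+$'
$SamPattern = '^[^"/\\\[\]:;|=,+*?<>]+$'

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties mail, proxyAddresses, displayName, givenName, sn
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $User, $Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; User = $User; Value = $Value })
}

# 1. Email addresses and proxy addresses must be unique across all users.
$addresses = foreach ($u in $users) {
    $own = @()
    if ($u.mail) { $own += $u.mail }
    foreach ($p in $u.proxyAddresses) { $own += ($p -replace '^smtp:', '') }  # strips smtp:/SMTP:
    $own | ForEach-Object { $_.ToLower() } | Select-Object -Unique |
        ForEach-Object { [pscustomobject]@{ Address = $_; User = $u.SamAccountName } }
}
$addresses | Group-Object Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Add-Finding 'DuplicateAddress' ($_.Group.User -join ', ') $_.Name
}

# 2. UPNs must be unique as well (duplicates can appear when several forests are synced).
$users | Group-Object UserPrincipalName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Add-Finding 'DuplicateUPN' ($_.Group.SamAccountName -join ', ') $_.Name
}

# 3. Per-user checks: UPN present and in a verified domain, and no questionable characters.
foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) { Add-Finding 'MissingUPN' $u.SamAccountName ''; continue }
    $suffix = $upn.Split('@')[-1].ToLower()
    if ($suffix -notin $VerifiedDomains) { Add-Finding 'UPNSuffixNotVerified' $u.SamAccountName $upn }
    if ($upn -notmatch $UpnPattern) { Add-Finding 'UPNBadCharacters' $u.SamAccountName $upn }
    if ($u.SamAccountName -notmatch $SamPattern) { Add-Finding 'SamBadCharacters' $u.SamAccountName $u.SamAccountName }
    foreach ($attr in 'displayName', 'givenName', 'sn') {
        $v = $u.$attr
        if ($v -and $v -match '[\x00-\x1F]') { Add-Finding "${attr}ControlChars" $u.SamAccountName $v }
    }
}

$findings | Sort-Object Check, User | Format-Table -AutoSize
```

Run it as an account with read access to the user objects; it only reports and never writes back to AD, so remediation still happens in IdFix or by hand.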