Designing an Identity Strategy
Managing Identity Sync
The course is part of these learning paths
If your organization uses Active Directory (AD) for its identity management, and you would like to use those identities in Azure or Microsoft 365, then you will need to implement Azure Active Directory Connect.
This course is divided into three sections. The first section is on designing an identity strategy. In this section, we'll look at our AD identities and consider what work needs to be done and what we need to think about ahead of time. The second section is on implementing identity synchronization using AD Connect. We will consider what needs to be synced and what authentication options are available. In the last section, we'll look at managing identity synchronization using Azure AD Connect. We'll look at what it takes to manage and sync and reconfigure options after AD Connect has been initially configured.
- Design a hybrid identity solution
- Implement Azure Active Directory Connect
- Manage synchronized identities
- Azure administrators
- Microsoft 365 administrators
- Basic understanding of Active Directory and Office 365
- To do the examples yourself, you will need an on-premises Active Directory structure and an Azure subscription
So in this demo, we're going to look at the IdFix tool, which is a great tool for cleaning up our user accounts and finding any errors that they may have before we've synchronized them up to Azure AD. And as you can see on the main controller here in AD Users and Computers, we've got a bunch of users who have got attributes against them that may or may not be faulty that we need to sort out before we send them up.
So what I've done is on the machine here, I've gone to the Microsoft download site, searched for the IdFix tool, and downloaded it to the desktop of the machine. So if we go to the folder where I've extracted it, run up the IdFix Tool, click on the privacy statement, you'll see that you've got a fairly blank tool here with none of the users in it.
So the first thing we're going to do before anything else is click on query at the top, here. That will scan through all of our users and look for any errors and issues it can see with the attributes for those users. So as you can see, it's come up with a top-level domain for all of these users as an issue because these users have a .local upn against them, which needs to be changed to the .com domain that we've got for get-content.
So I can click on the first user here and just manually change the setting that is flagged and if I go to action on the side, here, and change that to edit, that will set the action to be editing this particular attribute for that particular user. So then I could just simply click on apply at the top and go to yes. And that's applied that change for us.
So now if I go up to query at the top, Abel should disappear from our list. There we go, Abel has disappeared because she's been edited.
So we can run through all of our set of users here and try and fix any issues and problems that we've got with the attributes and any funny characters and any incorrect top-level domains, etcetera. So what we've also got is we've got an undo button just in case we've made a mistake. So if we click on that we can select the LDF file from the directory where the IdFix Tool is run, click on open, and it will show the change that we've made here. So I just need to click in the action box over on the right-hand side, select on undo, and click on apply.
Now if we run the query again, Abel should appear back in our list. There we go, we've got Abel back in our list again, now. So rather than change all of these manually, we could export this list of users to a CSV, so just click all those users and then click on save. And if we go to the folder we'll see that we've now got a users CSV file with all the users that we could open in Excel, etcetera and edit the .local to a .com, here for all of these users nice and quickly and fix all of the issues.
So I've got a pre-prepared CSV file, here. I've just changed the .local to a .com address. So if I close that down and go back to the tool, I can import that CSV. It's called users fixed. And you can see that every line here has changed from .local to .com so I can click on accept and all of the action items on the right-hand side have been pre-selected to edit, here, and then I can just click apply and it will apply this to all of those users in the list.
So if we click query again, you will notice all of the users have gone apart from Yvonne, here, which needs to be changed manually because I obviously missed this one off the list. So just to illustrate if we go to Yvonne's user account, scan to the bottom of this here, open up Yvonne's user, change her manually to the .com upn and click on apply and then go back to the tool and click query again. And Yvonne has now disappeared from the list. Down at the bottom left-hand side, we've got query count of 154 and errors are equal to zero. So now we've got a clean estate that we can synchronize up to Azure AD.
Matt is a freelance system administrator with over 20 years of experience in IT. His current focus is on the great features of Microsoft Azure and Office 365. He’s always had a fascination for anything techie and loves learning and sharing that knowledge.