Section 6 and further Flashcards
Connecting on-premises AD DS to Azure AD
The domain name users will sign in with must be one you own, and its public DNS zone must be reachable from the internet: Microsoft verifies ownership by looking up a record in that zone, and a zone that exists only on internal DNS servers cannot be checked.
Seamless SSO
Users who are already signed in to a domain-joined computer on-premises are signed in to Azure AD automatically, without typing their password again.
Create a new DNS zone for the public name
Add it as a UPN suffix in the forest
Check on a user that the suffix is now selectable
DNS > Forward Lookup Zones > New Zone > zone name = abccorp.com > Finish
Tools > Active Directory Domains and Trusts > right-click "Active Directory Domains and Trusts" > Properties > UPN Suffixes > add abccorp.com > OK
Active Directory Users and Computers > right-click the user > Properties > Account > the drop-down next to "User logon name" now lists abccorp.com; select it so the UPN becomes user@abccorp.com
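The same three steps scripted, as an added example for these notes (not code from the course): it registers the suffix on the forest, moves every enabled user in an OU off the non-routable suffix, and checks the result. The internal forest name abccorp.local, the OU path and the -WhatIf dry run are assumptions; abccorp.com is the domain used throughout the notes.

```powershell
# Added example (not from the course): register a routable UPN suffix and move users onto
# it with the ActiveDirectory module, the scripted equivalent of the AD Domains and Trusts
# and AD Users and Computers clicks above.
# Assumptions: internal forest abccorp.local, public suffix abccorp.com, users under OU=Staff.
Import-Module ActiveDirectory

$OldSuffix  = 'abccorp.local'
$NewSuffix  = 'abccorp.com'
$SearchBase = 'OU=Staff,DC=abccorp,DC=local'

# 1. Register the suffix on the forest (AD Domains and Trusts > Properties > UPN Suffixes > Add).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
}

# 2. Rewrite the UPN of every enabled user still on the non-routable suffix.
#    -WhatIf is left on so the script only reports; remove it to apply the change.
$users = @(Get-ADUser -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$OldSuffix'" `
                      -SearchBase $SearchBase -Properties UserPrincipalName)

foreach ($u in $users) {
    $localPart = $u.UserPrincipalName.Split('@')[0]
    $newUpn    = "$localPart@$NewSuffix"

    # Guard: a UPN must be unique in the forest, so skip if another object already owns it.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already in use"
        continue
    }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 3. Verify what the Account tab's "User logon name" drop-down now shows for the first user.
if ($users.Count -gt 0) {
    Get-ADUser -Identity $users[0].SamAccountName -Properties UserPrincipalName |
        Select-Object SamAccountName, UserPrincipalName
}
```

Run it on a domain controller or a machine with RSAT as a user who can modify the forest (step 1 needs Enterprise Admin rights; step 2 only needs write access to the users).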
Add and verify the domain in the Microsoft 365 admin center
admin.microsoft.com > Show all > Settings > Domains > Add domain > domain name = abccorp.com > choose verification by TXT record; the page shows the value to publish
From the local server (only if this server hosts the zone the internet actually resolves)
DNS > right-click abccorp.com > Other New Records > TXT > Create. The record name can stay blank (the zone root); put the value Microsoft shows, e.g. MS=ms3298638, in the text field and that is it.
The record has to be internet-facing: Microsoft looks it up from the public internet, so a zone that only exists on an internal domain controller is never seen. Put the TXT record in the zone at your registrar or public DNS host. If you also host abccorp.com on the internal DCs (split-brain DNS), internal clients will only see that internal copy, so the Microsoft 365 records (Autodiscover, MX, SPF and so on) must be duplicated there as well.
TXT record - generic free-text record; used here to prove domain ownership (the MS=... value) and later for SPF
MX record - mail exchange record; tells the internet which host accepts mail for the domain
GoDaddy - if the registrar is GoDaddy, sign in with the registrar credentials and Microsoft 365 creates the records for you.
Make your domain the default domain in Microsoft 365
admin.microsoft.com (the Microsoft 365 admin center)
Show all > Settings > Domains > click the domain > Set as default
Now Users > Active users > Add a user will offer the new domain as the default UPN suffix for new accounts
If users were added ahead of time, before the domain was connected, they have a tenant.onmicrosoft.com UPN and need renaming
Either in the admin center or via PowerShell
admin.microsoft.com
Users > Active users > click the user > Manage username > pick the domain from the drop-down for the UPN. If the user has a Microsoft 365 license, Exchange Online updates their primary email address to match.
Licenses and apps > assign the user whatever they need, e.g. Office 365 E5
PowerShell (MSOnline module; Microsoft has deprecated MSOnline and AzureAD in favour of Microsoft Graph PowerShell, so expect these cmdlets to stop working):
Connect-MsolService   <- sign in to Microsoft 365
Set-MsolUserPrincipalName -UserPrincipalName bobjones@examlabpractice0920.onmicrosoft.com -NewUserPrincipalName bobjones@examlabpractice.com
Get-MsolUser   <- check the result
You will need to refresh the page in the admin center to see the change.
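The same rename with Microsoft Graph PowerShell, the supported replacement for the MSOnline cmdlets in the notes, as an added example (not the course's code). It renames a list of cloud-only users from the tenant suffix to the verified domain and refuses to touch users that are synced from AD DS, whose UPN is owned by on-premises AD and must be changed there. The tenant name examlabpractice0920.onmicrosoft.com and domain examlabpractice.com are the notes'; the list of account names is constructed for the example.

```powershell
# Added example (not from the course): rename cloud-only users from the tenant's
# .onmicrosoft.com suffix to the verified domain with Microsoft Graph PowerShell.
# Assumed: tenant examlabpractice0920.onmicrosoft.com, verified domain examlabpractice.com,
# and a constructed list of sample users.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$OldSuffix = 'examlabpractice0920.onmicrosoft.com'
$NewSuffix = 'examlabpractice.com'
$Accounts  = @('bobjones', 'alicesmith')   # sample local parts, constructed for the example

foreach ($name in $Accounts) {
    $oldUpn = "$name@$OldSuffix"
    $newUpn = "$name@$NewSuffix"

    try {
        $user = Get-MgUser -UserId $oldUpn -ErrorAction Stop `
                    -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AssignedLicenses
    } catch {
        Write-Warning "$oldUpn not found, skipping"
        continue
    }

    # A synced user's UPN is managed from on-premises AD (the admin center blocks the edit
    # for such users): rename it in AD DS and let Azure AD Connect sync the change.
    if ($user.OnPremisesSyncEnabled) {
        Write-Warning "$oldUpn is synced from AD DS; rename it on-premises instead"
        continue
    }

    Update-MgUser -UserId $user.Id -UserPrincipalName $newUpn

    # For licensed mailboxes Exchange Online updates the primary SMTP address; re-read Mail to confirm.
    $after = Get-MgUser -UserId $newUpn -Property UserPrincipalName, Mail
    '{0} -> {1} (mail: {2}, licensed: {3})' -f $oldUpn, $after.UserPrincipalName, $after.Mail,
        ($user.AssignedLicenses.Count -gt 0)
}
```

The User.ReadWrite.All scope needs admin consent in the tenant; the sign-in prompt from Connect-MgGraph will ask for it the first time.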
Look up which DNS records you need for Microsoft 365
Search for "External DNS records required for Office 365" (Microsoft docs); the admin center's Domains page also lists them per domain with the exact values to enter.
DNS > right click examlabpractice.com >
What are the two options for authentication with the hybrid identity model?
Managed authentication - Azure AD handles the sign-in itself, either by checking the password against a synchronized hash of the on-premises password hash (PHS) or by forwarding the credentials to an on-premises software agent that validates them against AD DS (PTA).
(With PHS Azure AD holds only a salted, re-hashed copy of the NT hash, not the password or a reversible form of it, but that is enough for it to validate sign-ins on its own.)
Federated authentication - Azure AD redirects the client computer requesting authentication to another identity provider.
(That provider can be an on-premises AD FS farm or a third-party federation service; Azure AD trusts the token it issues and does not see the password.)
What are the two types of managed authentication?
Password Hash Synchronization (PHS)
- Azure AD performs the authentication itself against the synced hash
(recommended) Sign-in keeps working even if the connection to the on-premises domain is lost
Pass-Through Authentication (PTA)
- Azure AD hands the password to an on-premises agent and AD DS validates it; Azure AD never holds the passwords or their hashes
If the on-premises domain (or every PTA agent) is unreachable, users authenticating through the cloud cannot sign in
What is PHS
Password Hash Synchronization
You sync your AD DS user accounts to Microsoft 365 and manage the users on-premises. Hashes of the user password hashes are synced from AD DS to Azure AD (Azure AD Connect reads the NT hash, salts it and re-hashes it with 1000 iterations of PBKDF2-HMAC-SHA256 before sending it, so the synced value cannot be replayed against on-premises NTLM), and users have the same password on-premises and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD, and Microsoft recommends enabling it as a backup even when PTA or federation is the primary method.
What is PTA
Pass-through authentication
Provides simple password validation for Azure AD authentication using a software agent running on one or more on-premises servers. You sync AD DS user accounts with Microsoft 365 and manage the users on-premises.
The agent is installed on a domain-joined server and makes outbound-only connections to Azure AD (no inbound ports to open); it receives the sign-in request, validates the credentials against AD DS and returns the result. Install at least three agents so one server outage does not block sign-in.
What is federated authentication
Typically used by larger organizations
Authentication is done by a separate or third-party identity provider (for example AD FS), not by Azure AD
AD DS identities are synced with Microsoft 365 and user accounts are managed on-premises.
Same password on-premises and in the cloud; users do not have to sign in again to use Microsoft 365
Supports smartcard-based authentication and third-party multi-factor authentication and is typically required when organizations have authentication requirements not natively supported by Azure AD.
If clients cannot reach your federation service (the AD FS farm or its proxies are down, or the link to them is), users outside the network cannot sign in to Microsoft 365 at all, and if AD FS itself is down nobody can; this is why PHS is often kept enabled as a fallback.
What to do before syncing to the cloud
IdFix - Microsoft's cleanup tool; finds attribute problems (invalid characters, duplicate addresses, non-routable UPNs) that would fail sync
Azure AD Connect Health - monitors the health of the sync and sign-in environment
Look back over the last 100 days of errors
Remove objects that are not needed before they get synced
stale service accounts, empty or obsolete groups, etc.
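A quick pre-sync scan in the spirit of the cleanup above, added here as an example written for these notes (it is not Microsoft's IdFix and does not replace it). It walks the enabled users and flags the three classes of problem IdFix most often reports: a UPN suffix that is not the verified public domain, characters Azure AD does not accept in the UPN local part, and the same SMTP address on more than one object, which is a hard sync error. The ActiveDirectory module and abccorp.com as the public suffix are assumed.

```powershell
# Added example for these notes (not Microsoft's IdFix): pre-sync scan of AD DS users.
# Assumed: ActiveDirectory module on a DC and abccorp.com as the verified public suffix.
Import-Module ActiveDirectory
$PublicSuffix = 'abccorp.com'

# Characters Azure AD accepts in the local part of a UPN: letters, digits, ' . - _ ! # ^ ~
$UpnLocalPattern = '^[A-Za-z0-9''._!#^~-]+$'

$users = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties UserPrincipalName, mail, proxyAddresses

# Per-object checks.
$findings = @(foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'No UPN'; Value = '' }
        continue
    }
    $local, $suffix = $upn -split '@', 2
    if ($suffix -ne $PublicSuffix) {
        # Would land in the cloud as user@tenant.onmicrosoft.com
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Non-routable UPN suffix'; Value = $upn }
    }
    if ($local -notmatch $UpnLocalPattern) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Invalid character in UPN'; Value = $upn }
    }
    if ($u.mail -and $u.mail -match '\s') {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Whitespace in mail'; Value = $u.mail }
    }
})

# Cross-object check: an SMTP address (mail or smtp:/SMTP: proxyAddresses entry) may belong
# to only one object; duplicates stop the object from syncing.
$addresses = foreach ($u in $users) {
    $list = @()
    if ($u.mail) { $list += $u.mail }
    $list += @($u.proxyAddresses) | Where-Object { $_ -match '^smtp:' } | ForEach-Object { $_.Substring(5) }
    foreach ($a in $list) {
        [pscustomobject]@{ User = $u.SamAccountName; Address = $a.ToLowerInvariant() }
    }
}
$dupes = $addresses | Group-Object Address | Where-Object Count -gt 1
$findings += foreach ($g in $dupes) {
    [pscustomobject]@{ User = ($g.Group.User -join ','); Issue = 'Duplicate SMTP address'; Value = $g.Name }
}

if ($findings.Count -eq 0) { 'No pre-sync issues found' }
else { $findings | Sort-Object Issue, User | Format-Table -AutoSize }
```

Run IdFix afterwards anyway: it covers more attributes (displayName length, mailNickname, targetAddress and others) and can write the corrections back.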
Sync failover and disaster recovery
If the Azure AD Connect sync server goes offline, what happens and what is a solution?
Only one Azure AD Connect server per tenant can be active (exporting); any others must run in staging mode.
Changes made on-premises (new users, password changes under PHS, group membership) stop reaching the cloud, which can result in access issues for users.
Deploy a second Azure AD Connect server in staging mode. It imports and synchronizes into its own database but never exports to Azure AD or AD DS, so it sits passive until the active server goes down; an admin then promotes it to production with a simple configuration switch.
OR
Use virtualization - if Azure AD Connect is deployed in a VM, admins can use the virtualization stack to live-migrate or quickly redeploy the VM and resume sync
Where can you enable staging mode?
In the Azure AD Connect wizard: Configure > Additional tasks > Configure staging mode, then tick the "Enable staging mode" box at the end of the task.
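An added example for these notes (not from the course or from Microsoft) of the check an admin should run after setting staging mode: query the scheduler on each Azure AD Connect server and confirm that exactly one is active. Two active servers both export and can write conflicting changes; zero means the on-premises changes described above are piling up. The server names are assumed; the ADSync module ships with Azure AD Connect.

```powershell
# Added example (not Microsoft's): confirm that exactly one Azure AD Connect server is
# active and the other is in staging mode. Server names are assumed; ADSync comes with
# the Azure AD Connect install.
$SyncServers = @('AADC01', 'AADC02')

$state = foreach ($s in $SyncServers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        Import-Module ADSync
        $sched = Get-ADSyncScheduler
        [pscustomobject]@{
            Server             = $env:COMPUTERNAME
            StagingModeEnabled = $sched.StagingModeEnabled
            SyncCycleEnabled   = $sched.SyncCycleEnabled
            NextPolicy         = $sched.NextSyncCyclePolicyType
            NextCycleUtc       = $sched.NextSyncCycleStartTimeInUTC
        }
    }
}
$state | Format-Table Server, StagingModeEnabled, SyncCycleEnabled, NextPolicy, NextCycleUtc -AutoSize

$active  = @($state | Where-Object { -not $_.StagingModeEnabled })
$staging = @($state | Where-Object { $_.StagingModeEnabled })

switch ($active.Count) {
    0       { Write-Warning 'No active server: on-premises changes are not reaching Azure AD. Promote the staging server (Azure AD Connect > Configure staging mode).' }
    1       { "Active: $($active[0].Server); staging: $(($staging.Server) -join ', ')" }
    default { Write-Warning "More than one active server ($($active.Server -join ', ')): both will export and can write conflicting changes. Put all but one into staging mode." }
}

# A staging server still imports and syncs into its own connector space, so a delta cycle
# on it is harmless and confirms it is keeping up with the directory.
foreach ($s in $staging.Server) {
    Invoke-Command -ComputerName $s -ScriptBlock { Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta }
}
```

Run it from a workstation that has WinRM access to both servers; the staging switch itself is still done in the wizard, there is no cmdlet for it.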
What is a Source Anchor
VIDEO 55
An attribute that both on-premises AD and Azure AD hold for an object; in Azure AD it is stored as immutableId (onPremisesImmutableId), which is the Base64 encoding of the anchor's 16 bytes.
It links objects in Azure AD with objects on-premises. The account on-premises and the account in Azure AD are technically different objects; the source anchor ties them together so they behave as one identity. Once set it cannot be changed for the lifetime of the object, so it has to be chosen before the first sync.
Using ms-DS-ConsistencyGuid as the source anchor (the default for new installs; older installs used objectGUID) allows easier migration of objects across forests and domains, because objectGUID changes when an object is moved to another forest while ms-DS-ConsistencyGuid can be carried over. This is common in AD domain consolidation/cleanup, mergers, acquisitions and divestitures.
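An added example for these notes (not from the course) that makes the anchor concrete: it converts between the 16-byte GUID held on-premises and the Base64 immutableId Azure AD stores, round-trips a constructed GUID offline, and then compares the on-premises anchor of one user with what Azure AD holds for that user. The sample user bjones@abccorp.com, the sample GUID and the ActiveDirectory and Microsoft.Graph.Users modules are assumptions.

```powershell
# Added example (not from the course): convert between the on-premises source anchor
# (objectGUID or mS-DS-ConsistencyGuid, 16 bytes) and the Base64 immutableId in Azure AD,
# then compare the two for one user. Sample user, sample GUID and modules are assumed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][byte[]]$GuidBytes)
    # Azure AD Connect Base64-encodes the raw 16 bytes of the anchor; that string is the immutableId.
    [Convert]::ToBase64String($GuidBytes)
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse: decode the Base64 and rebuild the GUID so it can be matched to an AD object.
    [guid]::new([byte[]][Convert]::FromBase64String($ImmutableId))
}

# Offline round trip with a constructed GUID; the decoded value must equal the original.
$sample = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$id     = ConvertTo-ImmutableId -GuidBytes $sample.ToByteArray()
"$sample -> $id -> $(ConvertFrom-ImmutableId $id)"

# Live comparison: the anchor on-premises vs. what Azure AD holds for the same user.
Import-Module ActiveDirectory
$adUser = Get-ADUser -Identity 'bjones' -Properties 'mS-DS-ConsistencyGuid'
$anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') {
    [byte[]]$adUser.'mS-DS-ConsistencyGuid'      # populated by Azure AD Connect on first sync
} else {
    $adUser.ObjectGUID.ToByteArray()             # fallback for objects using the older objectGUID anchor
}
$onPremId = ConvertTo-ImmutableId -GuidBytes $anchorBytes

Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'
$cloud = Get-MgUser -UserId 'bjones@abccorp.com' -Property UserPrincipalName, OnPremisesImmutableId

if ($cloud.OnPremisesImmutableId -eq $onPremId) {
    "Anchors match: $($cloud.UserPrincipalName) is linked to on-premises GUID $(ConvertFrom-ImmutableId $onPremId)"
} else {
    Write-Warning "Mismatch: on-premises anchor $onPremId, Azure AD holds '$($cloud.OnPremisesImmutableId)'. The object is not synced yet, or the anchor changed (objectGUID after a cross-forest move)."
}
```

A mismatch is exactly the situation the ms-DS-ConsistencyGuid choice avoids: after a cross-forest migration the new objectGUID no longer matches, but a copied ms-DS-ConsistencyGuid still does, so the cloud object keeps its licenses, group memberships and mailbox.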
What is Seamless SSO?
Eliminates unnecessary sign-in prompts for users who are already signed in on domain-joined computers. Azure AD Connect creates a computer account named AZUREADSSOACC in each forest and shares its Kerberos decryption key with Azure AD; the browser obtains a Kerberos ticket for that account's service principal name and Azure AD validates it. Because that key can mint a ticket for any user in the forest, protect the AZUREADSSOACC object like a domain controller secret and roll its key over regularly (Microsoft recommends at least every 30 days).
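The key rollover as an added example for these notes (not the course's code): it reads the age of the AZUREADSSOACC account's password, which is the Kerberos key Azure AD holds, and rolls it over with the AzureADSSO module that ships with Azure AD Connect when it is older than 30 days. Run on the Azure AD Connect server as a domain admin; the 30-day threshold and the install path are assumed to be the defaults.

```powershell
# Added example (not Microsoft's): check the age of the Seamless SSO Kerberos key and roll
# it over when it is older than 30 days. Run on the Azure AD Connect server as a domain
# admin; the module path is the default install location.
Import-Module ActiveDirectory
$MaxAgeDays = 30

$ssoAcct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$age = (Get-Date) - $ssoAcct.PasswordLastSet
"AZUREADSSOACC key last set $($ssoAcct.PasswordLastSet) ($([int]$age.TotalDays) days ago)"

if ($age.TotalDays -gt $MaxAgeDays) {
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext          # prompts for a global administrator
    $onPremCreds = Get-Credential -Message 'Domain admin (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $onPremCreds   # resets the account key and re-shares it with Azure AD
    Get-AzureADSSOStatus | ConvertFrom-Json      # confirm the forest is still listed and enabled
} else {
    'Key is within the rollover window'
}
```

Update-AzureADSSOForest changes the account password immediately; existing tickets keep working only until they expire, so run it during a quiet period and verify a test sign-in afterwards.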