Dec 27, 2021
Transformation – Planning Identity Synchronization

As part of the synchronization process, Azure AD performs certain computations or evaluations on objects. This process is called transformation. Transformations (sometimes called transforms) are the actions configured inside synchronization rules and are used to determine how attributes are mapped between objects and what (if any) additional calculations are done between the source and target objects.

For example, you may wish to change the order of a person’s name from Firstname, Lastname to Lastname, Firstname. You can perform this update by using a transformation inside a synchronization rule.

Export

The export process is responsible for writing objects (or their updates) to a particular connected directory.

Scope

The term scope is used in a few different places in the context of Azure AD Connect. Scope is broadly used to determine what objects are eligible to be managed as part of Azure AD Connect. Scope can be used in the Azure AD connector configuration to limit which organizational units or domains are imported or exported in the directory. Scope, in the context of an Azure AD synchronization rule, can be used to limit which objects can be affected by a particular synchronization rule.

Metaverse

The metaverse, in simple terms, is a consolidated view of all the objects from connector spaces.

Staging server

Azure AD Connect supports a form of redundancy called a staging server. This server should be configured with the same features, options, settings, and customizations that the primary server has. If the primary server is unavailable for an extended period, you can enable the staging server to continue providing identity synchronization services.

Note

The staging server is passive and does not actively process exports to Azure AD. Having two active Azure AD Connect servers in a single tenant is not supported.

Now that you understand the basic terminology surrounding Azure AD Connect, let’s move on to working with directories.

Understanding Azure AD Connect with a single forest and single tenant

Of all the potential architectures available between Active Directory, Azure AD, and Azure AD Connect, the most common (and easiest) is when Azure AD Connect is used to synchronize data from a single Active Directory forest (including one or more domains in the same forest) into a single Azure Active Directory tenant. This example is depicted in Figure 3.1:

Figure 3.1 – Single forest to single tenant synchronization

Exam tip

If you choose the express installation option during setup, this is the only supported Azure AD Connect topology. The express installation automatically configures Password Hash Synchronization.

Sep 8, 2021
Designing synchronization solutions – Planning Identity Synchronization

We’ve already touched on the fact that Microsoft 365 is an identity-driven platform. This means you need to provision some sort of identity for your users to begin accessing the tools and features of the service.

When discussing Azure AD, it’s important to understand where identities are stored and how authentication is performed. With Azure AD, three basic identity models are available:

  • Cloud authentication: Cloud authentication is a model where identities are created in (or synchronized to) Azure AD and the authentication is processed by Azure AD
  • Federated identity: With federated identity, user objects are synchronized to Azure AD, but the authentication happens in the identity source’s directory
  • External identity: Commonly used for business-to-business (B2B) or business-to-consumer (B2C) scenarios, external identity is used when a tenant stores a type of reference or a guest object that represents an external user in another directory, such as a business partner’s Azure AD environment, Facebook, or Google

For the exam objective, however, we’re going to focus on identity models that involve directory synchronization and working with the features surrounding those solutions. Hybrid identity is an identity and authentication model that involves both an on-premises identity and a corresponding synchronized cloud identity. With Microsoft 365, you can deploy a hybrid identity solution using Azure Active Directory Connect (most commonly referred to as Azure AD Connect).

Overview of Azure AD Connect

Azure AD Connect is a directory synchronization tool that has steadily evolved over the past several years to provide increased capabilities in the identity synchronization and authentication management areas. The current Azure AD Connect platform is built on Microsoft Identity Manager (MIM).

At a high level, Azure AD Connect works by connecting to various on-premises and cloud directories, reading in objects such as users and groups, and then provisioning them to another directory. There are several key terms to understand when working with Azure AD Connect, which we’ll discuss in this section.

Connected system

Sometimes referred to as a connected directory, a connected system is any directory source that has been configured for use with Azure AD Connect.

Connector

A connector is a logical object that represents the configuration necessary to communicate with a connected directory. For example, the Azure AD Connector stores the configuration necessary for Azure AD Connect to read and write data to Azure Active Directory. A connector can contain information about what attributes are available from the connected directory or what server is used when accessing the directory.

Connector space

You can think of the connector space as a database table that is used to hold all the objects related to a particular connector. Each connector has its own connector space.

sourceAnchor

Each object has a unique, immutable attribute that stays with it throughout its lifetime. The sourceAnchor is an attribute you can use to trace the lineage of an object as it moves between connector spaces and is represented in various connected directories. No two objects can share the same sourceAnchor.

Import

To populate each connector’s connector space, Azure AD Connect must read the object data from a source directory. Objects commonly include users, contacts, groups, and devices. The process for reading data is called import.

Synchronization

Once objects have been imported into the connector space, a synchronization job is executed. Synchronization is responsible for executing logic (called rules) that can be used to connect (or join, in Azure AD Connect terminology) objects from different directories together, or to map attributes between directory objects.

For example, a synchronization rule is responsible for mapping a user’s Department property in Active Directory to the Department property in Azure AD. If you have users who are represented in more than one source directory, a synchronization rule can be used to join the two objects together and map their attributes accordingly.

Synchronization also has the idea of precedence, meaning that the order of the synchronization rules can (and will) affect the outcome of the processing. Rules configured with higher precedence (which translates to a lower ordinal number when looking at the rules list) have their processing outcome override that of lower-precedence (higher-numbered) rules.
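To make the join, scope, transformation and precedence concepts described above concrete, here is an added toy model in Python; it is not Azure AD Connect's own engine or code. The rule names, the constructed connector-space records and the hypothetical directory names contoso.local and hr.local are assumptions, and the Lastname, Firstname display-name flow is the transformation from the Transformation section.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class SyncRule:
    name: str
    precedence: int                   # lower number = higher precedence, wins conflicts
    connector: str                    # connector space this inbound rule reads from
    scope: Callable[[dict], bool]     # scoping filter: which objects the rule affects
    flows: Dict[str, Callable[[dict], object]]  # target attribute -> transformation

def join_by_anchor(connector_spaces: Dict[str, List[dict]]) -> Dict[str, Dict[str, dict]]:
    """Join connector-space objects from every connector on their sourceAnchor."""
    metaverse: Dict[str, Dict[str, dict]] = {}
    for connector, objects in connector_spaces.items():
        for obj in objects:
            metaverse.setdefault(obj["sourceAnchor"], {})[connector] = obj
    return metaverse

def synchronize(connector_spaces, rules: List[SyncRule]) -> Dict[str, dict]:
    """Apply in-scope rules from highest precedence (lowest number) down; first non-None value wins."""
    result = {}
    for anchor, sources in join_by_anchor(connector_spaces).items():
        mv = {}
        for rule in sorted(rules, key=lambda r: r.precedence):
            obj = sources.get(rule.connector)
            if obj is None or not rule.scope(obj):
                continue              # nothing joined from that connector, or out of scope
            for attr, transform in rule.flows.items():
                value = transform(obj)
                if attr not in mv and value is not None:  # keep a higher-precedence value
                    mv[attr] = value
        result[anchor] = mv
    return result

# Constructed sample data (assumption): u-001 exists in both directories and is joined on its sourceAnchor.
CONNECTOR_SPACES = {
    "contoso.local": [
        {"sourceAnchor": "u-001", "givenName": "Ada", "sn": "Lovelace", "department": "Math", "ou": "Staff"},
        {"sourceAnchor": "u-002", "givenName": "Bob", "sn": "Smith", "department": "Sales", "ou": "Contractors"},
    ],
    "hr.local": [{"sourceAnchor": "u-001", "department": "Research"}],
}
RULES = [
    SyncRule("In from AD - User Common", 100, "contoso.local", lambda o: True,
             {"displayName": lambda o: f"{o['sn']}, {o['givenName']}",  # Lastname, Firstname
              "department": lambda o: o.get("department")}),
    SyncRule("In from HR - Department", 50, "hr.local", lambda o: True,
             {"department": lambda o: o.get("department")}),
    SyncRule("In from AD - Contractor", 10, "contoso.local", lambda o: o["ou"] == "Contractors",
             {"displayName": lambda o: f"{o['sn']}, {o['givenName']} (Contractor)"}),
]
```

Running `synchronize(CONNECTOR_SPACES, RULES)` shows the HR rule (precedence 50) overriding the AD department for the joined user, and the scoped contractor rule (precedence 10) overriding the display name only for objects in the Contractors OU.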

Jun 6, 2021
Technology experiences – Monitoring Microsoft 365 Tenant Health

The technology experiences category focuses on areas relating to the devices that people are using to access Microsoft 365 services:

  • Endpoint analytics: This area provides insights into the overall performance data of devices that are enrolled in Intune or Configuration Manager with tenant attach. The performance metrics include things such as boot time, how long it takes to sign in and get to a responsive desktop, how much time is spent processing Group Policy, how often applications hang or crash, and the number of active devices that have launched a particular app during the past 14 days. The endpoint analytics reporting has special requirements, such as particular operating system versions of endpoints being either Azure AD joined or hybrid Azure AD joined, as well as licensed for Intune or Microsoft Endpoint Configuration Manager.
  • Network connectivity: This area provides insights into factors involving network communication between your endpoints and the Microsoft 365 platform. Specific network requirements must be met, such as configuring networks in the Microsoft 365 admin center and enabling location data collection features. For more information on the prerequisites for enabling network connectivity reporting, see https://learn.microsoft.com/en-us/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-worldwide.
  • Microsoft 365 Apps: In this area, you can view insights on how many devices across your organization are up-to-date with their Microsoft 365 app deployments.

The technology experiences score reports can help you gain insight into how devices may affect the overall adoption and satisfaction with Microsoft 365 services.

Special reports

Finally, there is a lightweight version of the Business Resilience report (from Viva Insights), which is available to organizations that have at least 100 active Exchange and Viva Insights licenses. This report helps organizational leaders understand how to utilize remote work, how to maintain a work-life balance, the effectiveness of virtual meetings, and how to participate in Yammer communities.

Summary

In this chapter, you learned about the variety of data types that are available in the Microsoft 365 environment, including service health, audit and security log data, and adoption and usage metrics. You were also introduced to Viva Insights as part of an employee experience platform to help organizations understand and manage effective employee communications and well-being.

In the next chapter, we will start planning for identity synchronization.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

Answer the following questions:

  1. What three insight areas does Adoption Score cover?
    A. Technology experiences
    B. Engagement experiences
    C. People experiences
    D. Special reports
    E. License consumption
  2. Service health data can be viewed in which location?
    A. Azure Monitor
    B. Microsoft Sentinel
    C. Log Analytics
    D. The health dashboard
  3. Which type of data is captured in the Azure AD Provisioning logs?
    A. Enterprise application provisioning activities
    B. Azure AD Connect user provisioning activities
    C. Microsoft Identity Manager provisioning activities
    D. Microsoft 365 Group provisioning activities
  4. Which two steps should be taken when creating an incident response plan?
    A. Validate the incident scope details and confirm that your environment is affected
    B. Migrate applications back on-premises
    C. Develop a backup solution in case the service outage or degradation lasts longer than the acceptable time frame for your organization
    D. Immediately begin restoring data from third-party backups or archive locations
  5. Microsoft Viva Insights Teamwork habits include suggestions for what two actions?
    A. Virtual happy hours
    B. Scheduling recurring 1:1 time with managed employees
    C. Establishing no-meeting days
    D. Encouraging after-hours work to lessen the workload of coworkers

Answers

The following are the answers to this chapter’s questions:

  1. A: Technology experiences; C: People experiences; D: Special reports
  2. D: The health dashboard
  3. A: Enterprise application provisioning activities
  4. A: Validate the incident scope details and confirm that your environment is affected; C: Develop a backup solution in case the service outage or degradation lasts longer than the acceptable time frame for your organization
  5. B: Scheduling recurring 1:1 time with managed employees; C: Establishing no-meeting days

Part 2: Planning and Managing User Identity and Roles

In this part, you will learn about the various types of user identity and provisioning strategies, including Azure AD Connect and Azure AD Connect cloud sync. You’ll also learn about Azure AD roles and privileged identity management.

This part has the following chapters:

  • Chapter 3, Planning Identity Synchronization
  • Chapter 4, Implementing and Managing Identity Synchronization with Azure AD
  • Chapter 5, Planning and Managing Azure AD Identities
  • Chapter 6, Planning and Managing Roles in Microsoft 365
Apr 26, 2021
Adoption Score – Monitoring Microsoft 365 Tenant Health

Formerly known as Productivity Score, Adoption Score is a metric that is used to help measure the success of an organization that is using the Microsoft 365 platform. Before Adoption Score can be used, it must be enabled in the Microsoft 365 admin center under Reports:

Figure 2.29 – Enabling Adoption Score

Adoption Score provides insights broken into three categories: people experiences, technology experiences, and special reports. When enabling the score, you can select how to calculate people experiences insights:

  • Include all users
  • Exclude specific users by group
  • Don’t calculate for any users

Technology experiences insights are shown automatically when you enable Adoption Score. If you don't want to collect that data, you can disable the Endpoint analytics scope property in the Intune data collection policy.

If you are performing a staged rollout of services using a pilot program, it may be beneficial to limit the reporting scope to groups of users that are part of the pilot.

People experiences

The people experiences insights focus on five categories that show how your users and organization are using the tools in the Microsoft 365 platform. These insight areas are as follows:

  • Communication: The Communication area measures how people communicate with each other, such as via sending emails, instant messages, or posting on communities in Yammer. This area highlights important practices such as using @mentions in emails and marking responses as answers in Yammer. Users need to be licensed for Yammer, Exchange Online, or Teams to be counted in this metric.
  • Content collaboration: This area measures how people use files in your organization, such as creating or sharing files in OneDrive for Business and SharePoint Online or how email attachments are used (attached files versus a cloud attachment—a link to a file shared in OneDrive or SharePoint). It also captures data about the number of files shared and whether the collaborators are internal or external to the organization. Users need to be licensed for OneDrive for Business, SharePoint, or Exchange Online to be counted in this metric.
  • Mobility: This area measures what devices and interfaces people use to accomplish their work. For example, a user sending an email from the Outlook desktop app and the Outlook mobile app would be regarded as an individual using the Microsoft 365 apps across multiple platforms. This measurement area also reports on what locations people are working from – whether they are onsite in one of your organization’s offices or working remotely. To be counted in this metric, users need to be licensed for Teams, Exchange Online, or Microsoft 365 apps.
  • Meetings: The Meetings area measures how effectively meetings are used across your organization. Meetings are evaluated against practices such as scheduling meetings at least 24 hours in advance, sharing agendas, and the percentage of invitees that show up to the meetings. Other features include measuring interactivity (hand-raising, chat, reactions, or sharing content) during the meeting, as well as whether or not attendees participate via audio or video. Users must be licensed for Microsoft Teams to be included in this metric.
  • Teamwork: This area is used to measure how people collaborate in Teams and use shared workspaces (such as Teams, channels, Microsoft 365 Groups, and SharePoint sites). To be counted for this metric, users must be licensed for Exchange Online, SharePoint, or Microsoft Teams.

In addition to users requiring licenses to be assigned, they also need to be active in a service at least once every 28 days to get counted for that service. You can use Adoption Score to review how people use the Microsoft 365 service and provide coaching on best practices to get the most out of the platform.
