Jul 31, 2024
Managing and monitoring Microsoft 365 license allocations– Planning and Managing Azure AD Identities

If identity is the foundation for security in the Microsoft 365 platform, licensing is the entitlement engine that is used to grant identities access to the tools and applications.

Every Microsoft 365 service is tied to a license—whether that’s individual product licenses for Exchange Online or SharePoint Online or bundled offerings such as Microsoft 365 E3, which include multiple services.

In Microsoft terminology, there are a number of key terms to be aware of:

  • Licensing plans: In broad terms, a licensing plan is any purchased licensing item. For example, standalone Exchange Online P2 and Microsoft 365 E3 are both examples of licensing plans.
  • Services: Also known as service plans, these are the individual services that exist inside of a licensing plan. For example, Exchange Online P2 has a single Exchange Online P2 service plan, while Microsoft 365 E3 has an Exchange Online service plan, a Microsoft 365 Apps service plan, a SharePoint Online service plan, and so on.
  • Licenses: This is the actual number of individual license plans of a particular type that you have purchased. For example, if you have 5 subscriptions to Exchange Online P2 and 5 subscriptions to Microsoft 365 E3, you have 10 licenses (5 of each). Licenses are frequently mapped 1:1 with users or service principals, though a single user may hold more than one license plan.
  • SkuPartNumber: When reviewing licensing in PowerShell, the SkuPartNumber is the keyword that maps to a licensing plan. For example, Office 365 E3 is represented by the ENTERPRISEPACK SkuPartNumber.
  • AccountSkuId: The AccountSkuId is the combination of your tenant name (such as Contoso) and the SkuPartNumber or licensing plan. For example, the Office 365 E3 licensing plan belonging to the contoso.onmicrosoft.com tenant has an AccountSkuId of contoso:ENTERPRISEPACK.
  • ConsumedUnits: Consumed units represent the number of items in a licensing plan that you have assigned to users. For example, if you have assigned a Microsoft 365 E3 licensing plan to three users, you have three ConsumedUnits of the Microsoft 365 E3 licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Assigned.
  • ActiveUnits: Number of units that you have purchased for a particular licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Total.
  • WarningUnits: The number of units in a licensing plan whose subscription has lapsed without being renewed. These units expire at the end of the 30-day grace period, after which the affected users lose the associated services. If reviewing licensing in the Azure AD portal, this field is sometimes displayed as Expiring soon.

You can easily view purchased licensing plan details in the Microsoft 365 admin center under Billing | Licenses:

Figure 5.22 – License details in the Microsoft 365 admin center

You can assign licenses in many ways:

  • Through the Licenses page in the Microsoft 365 admin center (Microsoft 365 admin center | Billing | Licenses)
  • In the properties of a user on the Active users page in the Microsoft 365 admin center (Microsoft 365 admin center | Users | Active Users | User properties)
  • To users through the Licenses page in the Azure AD portal (Azure AD Portal | Azure AD | Licenses | Licensed users)
  • To users through the User properties page in the Azure AD portal (Azure AD Portal | Azure AD | Users | User properties)
  • To groups through group-based licensing (Azure AD Portal | Azure AD | Licenses | Licensed groups)
  • Through PowerShell cmdlets such as Set-MsolUserLicense from the MSOnline module or, in the Microsoft Graph PowerShell SDK that Microsoft has designated as its replacement, Set-MgUserLicense (which takes the SkuId GUID rather than the tenant-prefixed AccountSkuId)

Each licensing method provides you with similar options for assigning license plans to users, including assigning multiple license plans or selectively enabling service plans inside an individual license plan.

For example, in the Microsoft 365 admin center, you can view and modify a user’s licenses on the Licenses and apps tab of their profile.

Figure 5.23 – User license management

As you can see in Figure 5.23, the user has the Office 365 E5 licensing plan enabled as well as individual services such as Common Data Service, Common Data Service for Teams, and Customer Lockbox, while the Azure Rights Management service plan for this licensing plan is disabled.
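As an added example (this is not code from the book), the following Microsoft Graph PowerShell script pulls the same licensing-plan data described above and turns it into the checks a reviewer actually wants: over-assigned or lapsing plans, guests that hold licenses, licensed accounts that have gone dormant, and the per-user service-plan view from Figure 5.23. It assumes the Microsoft.Graph module, an account that can consent to the listed scopes, and placeholder names (alice@contoso.onmicrosoft.com, the SPE_E3 and RMS_S_ENTERPRISE identifiers for Microsoft 365 E3 and Azure Rights Management); the MSOnline field names from the list above map to Graph as noted in the comments.

```powershell
# Added example, not from the book. Requires the Microsoft.Graph module.
# Scopes: Organization.Read.All (SKUs), User.Read.All / User.ReadWrite.All (users, license
# assignment), AuditLog.Read.All (signInActivity). Names below are placeholders.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

# 1. Licensing plan inventory. Graph names differ from the MSOnline terms in the text:
#    ActiveUnits -> PrepaidUnits.Enabled, WarningUnits -> PrepaidUnits.Warning,
#    ConsumedUnits is unchanged, and the tenant-prefixed AccountSkuId becomes a SkuId GUID.
$skus = Get-MgSubscribedSku
$inventory = foreach ($sku in $skus) {
    [pscustomobject]@{
        SkuPartNumber = $sku.SkuPartNumber
        SkuId         = $sku.SkuId
        Total         = $sku.PrepaidUnits.Enabled
        Assigned      = $sku.ConsumedUnits
        ExpiringSoon  = $sku.PrepaidUnits.Warning
        Suspended     = $sku.PrepaidUnits.Suspended
        Available     = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    }
}
$inventory | Sort-Object Available | Format-Table -AutoSize

# Assigned > Total is a compliance finding; Warning units mean the subscription lapsed and
# service loss follows the grace period.
$inventory | Where-Object { $_.Available -lt 0 -or $_.ExpiringSoon -gt 0 } | ForEach-Object {
    Write-Warning "Review $($_.SkuPartNumber): assigned=$($_.Assigned) total=$($_.Total) expiring=$($_.ExpiringSoon)"
}

# 2. Guests holding licenses: usually a mistake, and it widens what an external identity can reach.
Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id, UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    Select-Object UserPrincipalName, @{ n = 'Skus'; e = {
        ($_.AssignedLicenses.SkuId | ForEach-Object { ($skus | Where-Object SkuId -eq $_).SkuPartNumber }) -join ','
    } }

# 3. Licensed, enabled members with no sign-in for 90 days: candidates for reclaiming the
#    license and, more importantly, for disabling a dormant but fully entitled account.
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property Id, UserPrincipalName, AssignedLicenses, SignInActivity |
    Where-Object {
        $_.AssignedLicenses.Count -gt 0 -and
        ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
    } |
    Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }

# 4. Per-user view of enabled and disabled service plans inside each licensing plan, the same
#    information as the Licenses and apps tab in Figure 5.23.
$upn = 'alice@contoso.onmicrosoft.com'   # placeholder
Get-MgUserLicenseDetail -UserId $upn | ForEach-Object {
    [pscustomobject]@{
        SkuPartNumber = $_.SkuPartNumber
        Enabled       = ($_.ServicePlans | Where-Object ProvisioningStatus -ne 'Disabled').ServicePlanName -join ', '
        Disabled      = ($_.ServicePlans | Where-Object ProvisioningStatus -eq 'Disabled').ServicePlanName -join ', '
    }
}

# 5. Assign Microsoft 365 E3 while leaving the Azure Rights Management service plan off,
#    the scripted equivalent of unticking a service in the portal. Service plan IDs are
#    taken from the SKU object rather than hard-coded.
$e3  = $skus | Where-Object SkuPartNumber -eq 'SPE_E3'
$rms = $e3.ServicePlans | Where-Object ServicePlanName -eq 'RMS_S_ENTERPRISE'
Set-MgUserLicense -UserId $upn `
    -AddLicenses @(@{ SkuId = $e3.SkuId; DisabledPlans = @($rms.ServicePlanId) }) `
    -RemoveLicenses @()
```

Step 5 is idempotent for an already-licensed user: re-applying the same SkuId with a DisabledPlans list updates which service plans are enabled rather than adding a second license. Reading signInActivity in step 3 requires an Azure AD Premium license in the tenant.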

Mar 24, 2024
MORE ABOUT GUESTS– Planning and Managing Azure AD Identities

While guests are typically part of an invitation process, with the Azure AD cross-tenant synchronization feature (in preview at the time of writing), you can automate the provisioning of guest objects between trusted tenants, similar to how you would with your own directory synchronization. Microsoft recommends this feature only for Azure AD tenants that belong to the same organization. For more information on cross-tenant synchronization, see https://learn.microsoft.com/en-us/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.

While guest users can be viewed and edited in the Microsoft 365 admin center, within the admin portals they can only be provisioned through the Azure AD portal (outside the portals, the same invitation can be issued programmatically through the invitation API). Clicking Add a guest user in the Microsoft 365 admin center transfers you over to the Azure AD portal to complete the invitation process.

Figure 5.7 – Guest users administration in Microsoft 365 admin center

After either logging in to the Azure AD portal or being redirected there by the Microsoft 365 admin center, you can begin the process of inviting guests. To invite a new guest user from the Azure AD portal, click New user and then select Invite external user.

Figure 5.8 – Inviting a new guest user

The user interface elements for inviting a guest user are very similar to those for creating a new cloud user. The main differences are in the selection of the template and, in the case of a guest user, you have the opportunity to supply message content (which will be included as part of the email invitation sent). See Figure 5.9.

Figure 5.9 – Configuring the guest invitation

Once a guest has been invited, take note of the properties:

  • The guest identity’s User principal name value is formatted as emailalias_domain.com#EXT#@tenantname.onmicrosoft.com
  • User type is set to Guest
  • Initially, the Identities property on the Overview tab is set to tenant.onmicrosoft.com
  • The invitation state is set to PendingAcceptance

See Figure 5.10 for reference.

Figure 5.10 – Newly invited guest user

Upon receiving and accepting the invitation, the recipient is prompted to read and accept certain terms and grant permissions:

  • Receive profile data including name, email address, and photo
  • Collect and log activity including logins, data that has been accessed, and content associated with apps and resources in the inviting tenant
  • Use profile and activity data by making it available to other apps inside the organization
  • Administer the guest user account

Figure 5.11 – Invitation redemption consent

After consenting, the invitation state in the Azure portal is updated from PendingAcceptance to Accepted. Additionally, depending on what identity source the guest user is authenticated against, the Identities property could be updated to one of several possible values:

  • External Azure AD: An Azure AD identity from another organization
  • Microsoft Account: An MSA account ID associated with Hotmail, Outlook.com, Xbox, LiveID, or other Microsoft consumer properties
  • Google.com: A user identity associated with Google’s consumer products (such as Gmail) or a Google Workspace offering
  • Facebook.com: A user identity authenticated by the Facebook service
  • {issuer URI}: Another SAML/WS-Fed-based identity provider

Guest users can be assigned licenses, granted access to apps, and delegated administrative roles inside the inviter's tenant. Because a guest's primary credential is managed by the home identity provider rather than by you, review any role assignments and licenses held by guests regularly, and clean up invitations that stay in PendingAcceptance, since they remain redeemable by whoever controls the invited mailbox.
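The invitation flow described above, scripted with Microsoft Graph PowerShell, as an added example that is not from the book: it issues an invitation, reads back the properties the text lists (UPN format, user type, invitation state, Identities), and then runs the two reviews a security engineer wants on guests, stale invitations and guests holding directory roles. It assumes the Microsoft.Graph module and the listed scopes; the partner address, redirect URL and tenant name are placeholders.

```powershell
# Added example, not from the book. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# 1. Invite. InviteRedirectUrl is where the guest lands after redemption; the optional
#    message body is the same free text as the message box in Figure 5.9.
$invite = New-MgInvitation -InvitedUserEmailAddress 'bob@partner.example' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage `
    -InvitedUserMessageInfo @{ CustomizedMessageBody = 'Access for the Contoso collaboration project' }

# The returned object also carries InviteRedeemUrl. Treat it as a credential: anyone holding
# it can complete redemption, so do not write it to logs or tickets.
$guestId = $invite.InvitedUser.Id

# 2. Inspect the new object. Expect a UPN like bob_partner.example#EXT#@contoso.onmicrosoft.com,
#    UserType Guest and ExternalUserState PendingAcceptance until the invitation is redeemed;
#    Identities lists the issuer (external Azure AD, MSA, Google, etc.) once known.
Get-MgUser -UserId $guestId -Property UserPrincipalName, UserType, ExternalUserState,
        ExternalUserStateChangeDateTime, Identities |
    Select-Object UserPrincipalName, UserType, ExternalUserState, ExternalUserStateChangeDateTime,
        @{ n = 'Identities'; e = { ($_.Identities | ForEach-Object { "$($_.SignInType):$($_.Issuer)" }) -join '; ' } }

# 3. Stale invitations: still PendingAcceptance 30 days after creation. These are dangling
#    entry points; delete the guest object (which invalidates the redeem URL) or re-invite.
$stale = (Get-Date).AddDays(-30)
Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property UserPrincipalName, ExternalUserState, CreatedDateTime |
    Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $stale } |
    Select-Object UserPrincipalName, CreatedDateTime

# 4. Guests holding directory roles. Role assignments to external identities are easy to
#    forget and inherit whatever security posture the home tenant has.
$guests = @{}
Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id, UserPrincipalName |
    ForEach-Object { $guests[$_.Id] = $_.UserPrincipalName }

foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        if ($guests.ContainsKey($member.Id)) {
            [pscustomobject]@{ Role = $role.DisplayName; Guest = $guests[$member.Id] }
        }
    }
}
```

Step 4 lists permanent (active) role members only; if you use Privileged Identity Management, eligible assignments have to be read from the role-eligibility endpoints as well.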

Nov 14, 2023
Attribute mapping– Implementing and Managing Identity Synchronization with Azure AD

Another customization option available involves mapping attribute values between on-premises and cloud objects. As with Azure AD Connect, you can configure how cloud attributes are populated – whether it’s from a source attribute, a constant value, or some sort of expression.
Azure AD Connect cloud sync comes with a default attribute mapping flow, as shown in Figure 4.33:

Figure 4.33 – Azure AD Connect cloud sync attribute mappings
You can select an existing attribute to modify or create a new attribute flow. One of the basic configuration features for many attributes is to configure a default value (if the on-premises value is blank), allowing you to make certain that cloud attributes are populated with values.
In Figure 4.34, the Country attribute has been selected and updated with the default value, US. This ensures that if a user’s on-premises Country attribute is blank, the corresponding cloud attribute will be populated with a valid entry.

Figure 4.34 – Edit attribute mappings in Azure AD Connect cloud sync
Azure AD Connect cloud sync also features an expression builder, allowing you to create your own custom attribute flows.
Unlike Azure AD Connect, however, attribute mappings and expressions cannot be used to merge attributes from different domains or forests, nor does Azure AD Connect cloud sync support synchronization rules or attribute flow precedence. If you require that level of customization, you should deploy Azure AD Connect instead.
Once you have finished customizing the scoping filters and attribute flows, you can return to the Overview page and enable synchronization by selecting Review and enable.
Summary
In this chapter, you built on the skills from Chapter 3 and learned how to deploy identity synchronization and authentication solutions. You learned how to configure filtering for both Azure AD Connect and Azure AD Connect cloud sync, as well as deploy and manage the health agents for diagnostics and troubleshooting.
In the next chapter, we’ll learn how to manage identities, groups, and licensing.
Knowledge check
In this section, we’ll test your knowledge of some key elements from this chapter.
Questions

  1. When installing Azure AD Connect cloud sync, which two roles, rights, or permissions are necessary for the on-premises Active Directory environment? Each answer represents a complete solution.
    • Hybrid Identity Administrator
    • Server Administrator
    • Domain Administrator
    • Enterprise Administrator
  2. Azure AD Connect cloud sync supports group-based scoping filters.
    • True
    • False
  3. You are trying to install the agent for Azure Active Directory Health for sync. Where is it located?
    • In the Azure AD Health portal
    • In the Azure AD Connect installation package
    • In the Microsoft Download Center
    • In the Microsoft 365 admin center
  4. You have determined that you need to run the Azure AD Connect troubleshooting tool. Where do you launch it?
    • In the Azure portal
    • In the Azure AD Connect Health portal
    • In the Azure AD Connect configuration wizard
    • In the Azure AD Connect synchronization service
  5. You have deployed Azure AD Connect and want to prevent it from synchronizing an organizational unit with test objects. Where can you do this easily?
    • The Azure AD portal
    • The Microsoft 365 admin center
    • The Azure AD Synchronization Rules Editor
    • The Azure AD Connect configuration wizard
Answers

  1. C: Domain Administrator; D: Enterprise Administrator
  2. A: True
  3. B: In the Azure AD Connect installation package
  4. C: In the Azure AD Connect configuration wizard
  5. D: The Azure AD Connect configuration wizard
Aug 15, 2023
Azure AD Connect Health for AD FS– Implementing and Managing Identity Synchronization with Azure AD

In addition to gathering and reporting information for your on-premises Active Directory and synchronization services, Azure AD Connect Health also supports AD FS.
To get the most out of Azure AD Connect Health for AD FS, you’ll need to enable auditing, which involves three steps:

  1. Ensure that the AD FS farm service account has been granted the Generate security audits right in the security policy (Local Policies | User Rights Assignment | Generate security audits).
  2. From an elevated command prompt, run the following command: auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable. This GUID is the Application Generated subcategory under Object Access, so you can confirm the change with auditpol.exe /get /subcategory:"Application Generated".
  3. On the AD FS primary farm server, open an elevated PowerShell prompt and run the following command: Set-AdfsProperties -AuditLevel Verbose.
    Then, you can deploy the agents to your servers.
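The three steps above as one idempotent PowerShell pass, added here as an example rather than taken from the book. It verifies the user right, sets and reads back the audit subcategory, and raises the farm audit level only if needed. Run it elevated on each federation server (steps 1 and 2 are per server; step 3 is a farm-wide property and only needs to succeed once on the primary). It assumes only the ADFS module that ships with the role and reads the service account from the adfssrv service rather than hard-coding it.

```powershell
# Added example, not from the book. Run elevated on an AD FS server.
$subcategory = '{0CCE9222-69AE-11D9-BED3-505054503030}'   # Object Access > Application Generated

# 1. "Generate security audits" (SeAuditPrivilege) for the AD FS service account.
#    Only verified here: grant it through Local Security Policy or the GPO that owns
#    user-rights assignments on this server, otherwise policy refresh will undo a local edit.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName   # DOMAIN\svc or gMSA$
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$auditRight = Get-Content $cfg | Where-Object { $_ -like 'SeAuditPrivilege*' }   # "SeAuditPrivilege = *S-1-5-19,..."
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($auditRight -and $auditRight -like "*$sid*") {
    Write-Host "OK   SeAuditPrivilege held by $svcAccount"
} else {
    Write-Warning "$svcAccount lacks 'Generate security audits' on $env:COMPUTERNAME (step 1 not done)"
}

# 2. Enable success and failure auditing for the subcategory, then read it back.
#    auditpol /get /r returns CSV, which is easier to check than the localized text table.
auditpol.exe /set "/subcategory:$subcategory" /success:enable /failure:enable | Out-Null
$policy = auditpol.exe /get "/subcategory:$subcategory" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -eq 'Success and Failure') {
    Write-Host "OK   Application Generated auditing: $($policy.'Inclusion Setting')"
} else {
    Write-Warning "Application Generated auditing is '$($policy.'Inclusion Setting')'; an Advanced Audit Policy GPO may be overriding the local setting"
}

# 3. Farm-wide AD FS audit level. Verbose is what Connect Health (and a SIEM reading the
#    token issuance events in the Security log) needs; Basic records far less.
Import-Module ADFS
if ((Get-AdfsProperties).AuditLevel -notcontains 'Verbose') {
    Set-AdfsProperties -AuditLevel Verbose
}
Write-Host "OK   AD FS AuditLevel: $((Get-AdfsProperties).AuditLevel -join ',')"
```

If step 2 reports a different value right after the set, look for a GPO with Advanced Audit Policy Configuration applied to the server; local auditpol changes are replaced at the next policy refresh when such a GPO exists, and the setting belongs in that GPO instead.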
    After deploying the agents to your federation and proxy servers, you will see information reported in the Azure AD Connect Health portal under Active Directory Federation Services, as shown in Figure 4.21:

Figure 4.21 – Azure AD Connect Health for AD FS
In addition to diagnostic information, the health services for AD FS can also provide usage analytics and performance monitoring, as well as failed logins and information regarding risky sign-ins.

Figure 4.22 – Azure AD Connect Health for AD FS
Azure AD Connect Health is a valuable premium service that can help keep you on top of the health and performance aspects of your hybrid identity deployment.
Troubleshooting Azure AD Connect synchronization
While things normally operate smoothly, there may be times when objects become misconfigured or services go offline unexpectedly. You can troubleshoot common issues with Azure AD Connect’s built-in troubleshooting tools.
To launch the troubleshooting tool, follow these steps:

  1. Launch the Azure AD Connect configuration tool on the desktop of the server where Azure AD Connect is installed.
  2. Click Configure.
  3. On the Additional tasks page, select Troubleshoot and then click Next.
  4. On the Welcome to AADConnect Troubleshooting page, select Launch.

Figure 4.23 – Launching the AADConnect Troubleshooting tool

  5. Select the appropriate troubleshooting options from the menu shown in Figure 4.24:

Figure 4.24 – The AADConnect Troubleshooting menu
The AADConnect Troubleshooting tool provides several specific troubleshooters, such as diagnosing attribute or group membership synchronization, password hash synchronization, as well as service account permissions.
Most object or attribute troubleshooting routines will require the object’s DN to continue.
FURTHER READING
For more information on the tests that can be performed by the AADConnect Troubleshooting tool, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync.
Configuring and managing directory synchronization by using Azure AD Connect cloud sync
Azure AD Connect cloud sync is a new synchronization platform that allows you to manage directory synchronization from the Azure portal. Depending on your organization’s goals and environments, Azure AD Connect cloud sync can be a lightweight, flexible option that allows you to begin directory synchronization quickly.
EXAM TIP
To perform the installation, you’ll need either a Domain Administrator or Enterprise Administrator credential to the on-premises Active Directory forest so that the installer can create the group Managed Service Account (gMSA). You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD.
Microsoft recommends configuring a unique identity in Azure AD with the Hybrid Identity Administrator role for Azure AD Connect cloud sync.

Jul 24, 2023
Password hash synchronization– Planning Identity Synchronization

Password hash synchronization (commonly referred to as PHS) is the Microsoft-recommended sign-in method for hybrid identity. In addition to synchronizing the core identity object data, PHS also synchronizes a hash of each user's password hash to the account objects in Azure AD. This ensures that users can use the same password to access local Active Directory resources, as well as Azure AD services.

Further reading

Azure AD Connect never synchronizes the cleartext password or the raw Active Directory hash. It reads the existing MD4 (NT) hash through the replication protocol, adds a per-user salt and re-hashes it with PBKDF2-HMAC-SHA256 before uploading, so the value stored in Azure AD cannot be replayed against on-premises Active Directory. For the full description of how Password Hash Synchronization protects user data, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization.

When a user logs in to a tenant that has PHS configured, every part of the authentication takes place in Azure AD. This is advantageous because the organization has no reliance on the availability of any on-premises infrastructure for ongoing authentication. Once an identity and its password hash have been synchronized, the on-premises directory isn’t needed until the on-premises object is updated again (such as an additional email address, a change in the display name, or a new password).

In addition, PHS is a prerequisite for leaked credential detection in Azure AD Identity Protection (an Azure AD Premium P2 feature). Microsoft continuously compares username and password pairs found in public paste sites, dark-web dumps, and law-enforcement sources against the synchronized hashes and flags matching accounts as at risk; without PHS there is nothing in the cloud to compare against.

As mentioned in the Accounts and security section, password hash synchronization requires the service account to have the Replicating Directory Changes and Replicating Directory Changes All rights in the on-premises directory.

Password hash synchronization is a cloud authentication solution.

Pass-through authentication

Similar to password hash synchronization, pass-through authentication (PTA) relies on synchronizing objects to Azure AD. Unlike PHS, however, the actual password validation happens on-premises. PTA relies upon an agent installed on-premises, which periodically checks Azure for an authentication request.

When Azure AD Connect is configured with PTA, a secure channel is established between the Azure Service Bus and the lightweight PTA agent. For redundancy, you can deploy multiple PTA agents in your environment.

Note

From a networking perspective, the PTA agents' communication is outbound only (TCP 80 and 443) to Azure AD and the Azure Service Bus. Unlike federation, PTA does not require inbound connectivity or a publicly reachable endpoint.

When a user requests access to an Azure AD resource, the logon request is stored on the Azure Service Bus. This request is encrypted with the public key of each of the PTA agents. The agents check the Service Bus for a request, bring the request back on-premises, decrypt it with the agent’s private key, and then process the request against an on-premises domain controller. The result of the validation (either success or failure) is then sent back to the Azure Service Bus, where Azure AD retrieves the response and then either grants or denies the logon request.

PTA is a potential solution for organizations that want as much benefit from cloud authentication as possible but may have organizational requirements for on-premises credential validation or the enforcement of Active Directory logon hours.

Due to its on-premises password validation component, if none of the on-premises authentication agents can connect to both the Azure Service Bus and local Active Directory, users will be unable to log in.

Microsoft categorizes PTA as a cloud authentication solution.

Jun 4, 2023
Federation– Planning Identity Synchronization

With federated identity solutions, Azure AD is configured to refer authentication requests to an on-premises service to validate login data. When a federated user attempts to log on to an Azure AD resource, Azure AD redirects the login session to an organization-managed web service. Users then enter their credentials in this organization-managed application, which, in turn, validates the logon details against the on-premises directory.

Some organizations may require federated identity due to specific regulations, the need to use smartcard-based login, or third-party multi-factor authentication products. Due to its on-premises password validation component, if on-premises services (such as federation farm servers, load balancers, web application proxy servers, or domain controllers) are unavailable, users will be unable to log in to Azure AD.

You can use the following flowchart to understand which solution is appropriate for you:


Figure 3.6 – Authentication selection decision flowchart

Once you have selected an identity and authentication mechanism for your tenant, you can begin preparing your environment for hybrid authentication. Regardless of the method selected for authenticating hybrid identity, Azure AD Connect can be used to configure it.

Summary

In this chapter, you learned how to plan for a hybrid identity deployment, including choosing an authentication method (such as password hash sync, pass-through authentication, or federation) and understanding the various requirements and capabilities of identity synchronization tools. You also learned the basic terminology associated with the Azure AD Connect synchronization engine.

In the next chapter, we will begin configuring Azure AD Connect.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

Answer the following questions:

  1. Which two authentication or sign-in methods validate user passwords on-premises?
    • Password hash synchronization
    • Pass-through authentication
    • Federation
    • Hybrid identity
  2. Which two rights are necessary for password hash synchronization?
    • Replicating Directory Changes
    • Replicating Directory Changes Password
    • Replicating Directory Changes All
    • Replicating Directory Changes Advanced
  3. Which feature, service, or component is a consolidated view of all objects from the connected systems?
    • Connector space
    • sourceAnchor
    • Connected system
    • Metaverse
  4. You have 75,000 objects in your Active Directory environment and need to recommend a solution for Azure AD Connect. You should recommend the simplest option that supports your environment.
    • An Azure AD Connect server with local SQL Server Express
    • An Azure AD Connect server with local or remote SQL Server Analysis Services
    • Azure AD Connect with database stored in a local or remote standalone SQL server
    • Azure AD Connect configured with WID database
  5. Azure AD Connect setup can configure which two federation services?
    • Azure Active Directory Federation Services
    • Active Directory Federation Services
    • OKTA Federation Services
    • PingFederate

Answers

The following are the answers to this chapter’s questions:

  1. B: Pass-through authentication; C: Federation
  2. A: Replicating Directory Changes; C: Replicating Directory Changes All
  3. D: Metaverse
  4. A: Azure AD Connect with local SQL Server Express
  5. B: Active Directory Federation Services; D: PingFederate
May 22, 2023
Preparing for identity synchronization by using IdFix– Implementing and Managing Identity Synchronization with Azure AD

IdFix is Microsoft’s tool for detecting common issues with on-premises AD identity data. While it doesn’t fix all errors, it is able to identify and remediate data formatting errors so that objects have valid data to synchronize.
IdFix supports the following features:
• Transaction rollback
• Verbose logging
• Exporting data to the CSV and LDF formats for offline review and editing
To get started with the tool, follow these steps:

  1. Navigate to https://aka.ms/idfix.
  2. Scroll to the bottom of the page and click Next.
  3. Review the prerequisites for the tool. Scroll to the bottom of the page and click Next.
  4. Click setup.exe to download the file and start the installation.
  5. After the installation wizard starts, click Install.
  6. Acknowledge the IdFix privacy statement by clicking OK.
  7. IdFix, by default, targets the entire directory. You can select Settings (the gear icon) to change the options for IdFix. You can edit the filter to scope to certain object types. You can also select the search base to specify a starting point for IdFix to begin its query. After modifying any settings, click OK.

Figure 4.1 – The IdFix settings

  8. Click Query to connect to AD and begin the analysis.
    SCHEMA WARNING
    If you receive a schema warning, such as the one in Figure 4.2, you can click Yes to proceed or click No to return to the IdFix tool. The schema warning is generally presented when attributes are present in the AD schema but have not been marked for replication (usually because Exchange Server has not been installed or replication hasn’t completed successfully in your organization for an extended period of time). If you receive this error, you should check to ensure that you have at least run the Exchange Server setup with the /PrepareSchema and /PrepareAD switches and have validated that AD replication is working correctly.

Figure 4.2 – The IdFix schema warning
After IdFix has analyzed the environment, results are returned to the data grid, shown in Figure 4.3. The DISTINGUISHEDNAME column shows the full path to the object in question, while the ATTRIBUTE column shows the attribute or property impacted. The ERROR column shows what type of error was encountered (such as an invalid character or duplicate object value). The VALUE column shows the existing value and the UPDATE column shows any suggested value.

Figure 4.3 – The IdFix data grid
After you have investigated an object, you can choose to accept the suggested value in the UPDATE column (if one exists). You can also choose to either enter or edit a new value in the UPDATE column.
Once you’re done investigating or updating an object, you can use the dropdown in the ACTION column to mark an object:
• Selecting EDIT indicates that you want to configure the object attribute with the value in the UPDATE column
• Selecting COMPLETE indicates that you want to leave the object as is
• Selecting REMOVE instructs IdFix to clear the offending attribute
In addition, you can select Accept to accept any suggested values in the UPDATE column. Choosing this option will configure all objects with a value in the UPDATE column to EDIT, indicating that the changes are ready to be processed.
Once you have configured an action for each object, select Apply to instruct IdFix to make the changes.

  9. IdFix will process the changes. Transactions are written to a log that can be imported and used to roll back any mistakes.
  10. Once you have ensured that your on-premises directory data is ready to synchronize to Azure AD, you can deploy and configure one of the Azure AD Connect synchronization products.
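As an added example (not part of the book or of the IdFix tool), the script below re-implements the checks IdFix is best known for so that a pre-sync report can be scripted and re-run after remediation. It covers a subset of IdFix's rules only: the user principal name character and format rules from Microsoft's directory-attribute preparation guidance, duplicate mail and proxyAddresses values, and malformed SMTP proxy addresses. It does not replace the tool. It assumes the ActiveDirectory RSAT module and uses a placeholder search base; the output columns mirror the IdFix data grid in Figure 4.3.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$searchBase = 'OU=Corp,DC=contoso,DC=com'   # placeholder

$users = Get-ADUser -SearchBase $searchBase -Filter 'enabled -eq $true' `
    -Properties mail, proxyAddresses, userPrincipalName

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($dn, $attr, $err, $value) {
    $findings.Add([pscustomobject]@{ DISTINGUISHEDNAME = $dn; ATTRIBUTE = $attr; ERROR = $err; VALUE = $value })
}

# Characters Azure AD accepts in the part of the UPN before the @ (per Microsoft's IdFix
# preparation guidance): letters, digits and ' . - _ ! # ^ ~ ; no leading or trailing period.
$upnLocalOk = "^[A-Za-z0-9'\.\-_!#\^~]+$"
$mailByValue  = @{}
$proxyByValue = @{}

foreach ($u in $users) {
    $dn = $u.DistinguishedName

    # userPrincipalName: blank, missing suffix, invalid character, bad format
    if ($u.userPrincipalName) {
        $local, $domain = $u.userPrincipalName -split '@', 2
        if (-not $domain)                                        { Add-Finding $dn 'userPrincipalName' 'missing suffix' $u.userPrincipalName }
        elseif ($local -notmatch $upnLocalOk)                    { Add-Finding $dn 'userPrincipalName' 'character'      $u.userPrincipalName }
        elseif ($local.StartsWith('.') -or $local.EndsWith('.')) { Add-Finding $dn 'userPrincipalName' 'format'         $u.userPrincipalName }
    } else {
        Add-Finding $dn 'userPrincipalName' 'blank' ''
    }

    # mail must be unique across the scope (case-insensitive)
    if ($u.mail) {
        $key = $u.mail.ToLowerInvariant()
        if ($mailByValue.ContainsKey($key)) { Add-Finding $dn 'mail' "duplicate of $($mailByValue[$key])" $u.mail }
        else { $mailByValue[$key] = $dn }
    }

    # proxyAddresses must be unique and, for smtp:/SMTP: entries, look like an address
    foreach ($pa in @($u.proxyAddresses)) {
        $key = $pa.ToLowerInvariant()
        if ($proxyByValue.ContainsKey($key)) { Add-Finding $dn 'proxyAddresses' "duplicate of $($proxyByValue[$key])" $pa }
        else { $proxyByValue[$key] = $dn }
        if ($pa -match '^smtp:' -and $pa -notmatch '^smtp:[^@\s]+@[^@\s]+$') {
            Add-Finding $dn 'proxyAddresses' 'format' $pa
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\idfix-precheck.csv -NoTypeInformation
```

Run it against the same search base you give IdFix; because it only reads, it is safe to schedule, and a run that returns no rows is a reasonable gate before the first synchronization cycle.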
Apr 9, 2023
Configuring and managing directory synchronization by using Azure AD Connect– Implementing and Managing Identity Synchronization with Azure AD

Azure AD Connect has a long history, originally starting as DirSync to support the deployment of Microsoft Business Productivity Online Suite (BPOS) in 2007.
If you are familiar with Microsoft Identity Manager (MIM), you’ll notice a lot of similarities between that and the current Azure AD Connect platform. As you learned in Chapter 3, Azure AD Connect allows you to connect to multiple directory sources and provision those objects to Azure AD.


Installing the synchronization service
The first step to deploying Azure AD Connect is gathering the requirements of your environment, as outlined in Chapter 3. These requirements can impact the prerequisites for deployment (such as additional memory or a standalone SQL Server environment). As part of the planning process, you’ll also want to identify which sign-in method will be employed (password hash synchronization, pass-through authentication, or federation).


EXAM TIP
To perform the express installation, you'll need an Enterprise Administrator credential to the on-premises Active Directory forest so that the installer can create a service account and delegate the correct permissions (including the two replication rights that password hash synchronization requires). The Enterprise Administrator credential is used only during setup and is not stored. By default, the on-premises service account is created in the CN=Users container and named MSOL_ followed by a random identifier.
You'll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD, which Azure AD Connect will use to create a cloud synchronization service account. By default, the cloud service account's user principal name starts with Sync_ (followed by the server name and a random identifier); it appears in Azure AD as On-Premises Directory Synchronization Service Account and holds the Directory Synchronization Accounts role.
With that information in hand, it’s time to start deploying Azure AD Connect:

  1. On the server where Azure AD Connect will be deployed, download the latest version of the Azure AD Connect setup files (https://aka.ms/aad-connect) and launch the installer.
  2. Agree to the installation terms and select Continue.

Figure 4.4 – The Azure AD Connect welcome page

  3. Review the Express Settings page. You can choose Customize if you want to configure Azure AD Connect to use the pass-through or federated authentication methods, group-based filtering, or a custom SQL Server installation. While the sign-in methods and other features can be changed after installation, it is not possible to enable group-based filtering or change the SQL Server location after setup.

Figure 4.5 – The Azure AD Connect Express Settings page
INSTALLATION NOTES
If you have other domains in your AD forest, they must all be reachable from the Azure AD Connect server or installation will fail. You can perform a custom installation to specify which domains to include in synchronization.

  4. On the Connect to Azure AD page, enter a credential that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD. Click Next.
  5. On the Connect to AD DS page, enter an Enterprise Administrator credential and click Next.
  6. Verify the configuration settings. By default, the Exchange hybrid scenario is not enabled. If you have an on-premises Exchange environment that you will migrate to Microsoft 365, select the Exchange hybrid deployment option to include the Exchange-specific attributes. If you want to perform additional configuration tasks before synchronizing users, clear the Start the synchronization process when configuration completes checkbox.

Figure 4.6 – The Azure AD Connect Ready to configure page

  7. Click Install.
  8. Review the Configuration complete page and click Exit.

Figure 4.7 – The Azure AD Connect Configuration complete page
If you selected the Start the synchronization process when configuration completes. checkbox, you can review the Azure AD portal to verify that users have been synchronized.

Feb 7, 2023
Attribute-based filtering– Implementing and Managing Identity Synchronization with Azure AD

Another way to filter objects to Azure AD is through the use of an attribute filter. This advanced method requires creating a custom synchronization rule in the Azure AD Connect Synchronization Rules Editor.
To create an attribute-based filtering rule, select an attribute that isn’t currently being used by your organization for another purpose. You can use this attribute as a scoping filter to exclude objects.
The following procedure can be used to create a simple filtering rule:

  1. On the server running Azure AD Connect, launch the Synchronization Rules Editor.
  2. Under Direction, select Inbound, and then click Add new rule.

Figure 4.11 – Synchronization Rules Editor

  3. Provide a name and a description for the rule.
  4. Under Connected System, select the object that represents your on-premises Active Directory forest.
  5. Under Connected System Object Type, select user.
  6. Under Metaverse Object Type, select person.
  7. Under Link Type, select Join.
  8. In the Precedence text field, enter an unused number (such as 50). Click Next.

Figure 4.12 – Creating a new inbound synchronization rule

  9. On the Scoping filter page, click Add group and then click Add clause.
  10. Under Attribute, select extensionAttribute1 (or whichever unused attribute you have selected).
  11. Under Operator, select EQUAL.
  12. In the Value text field, enter NOSYNC and then click Next.

Figure 4.13 – Configuring a scoping filter for extensionAttribute1

  13. On the Join rules page, click Next without adding any parameters.
  14. On the Transformations page, click Add transformation.
  15. Under FlowType, select Constant.
  16. Under Target Attribute, select cloudFiltered.
  17. In the Source text field, enter the value True. Click Add transformation.

Figure 4.14 – Adding a transformation for the cloudFiltered attribute

  1. Acknowledge the warning that a full import will be required by clicking OK.

Figure 4.15 – The warning for full import and synchronization
After a synchronization rule is modified, a full import and full synchronization are required. You don't have to perform any special steps: Azure AD Connect detects the rule change and runs the full import and synchronization in the next scheduled cycle (or immediately, if you run Start-ADSyncSyncCycle -PolicyType Initial). Be aware of what the rule does to objects that are already synchronized: any object that now matches the filter is marked cloudFiltered and is deleted from Azure AD on the next export (users land in the Azure AD recycle bin, from which they can be restored for 30 days). Tag accounts deliberately, and remember that the export deletion threshold, 500 objects by default, will halt an export that tries to delete more than that.
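The same filter can be created from PowerShell instead of the editor. The script below is an added example, not part of the book's procedure: the ADSync module exposes the cmdlets that the Synchronization Rules Editor's Export button emits, so the rule can be scripted, one test user tagged, and the required full cycle started in one pass. The connector name contoso.com, the rule name, the test account svc-legacy01 and the exact cmdlet parameters are assumptions; compare them against a rule exported from your own Azure AD Connect build before running this.

```powershell
# Added example (not from the book): the NOSYNC filter built with the ADSync cmdlets that the
# Synchronization Rules Editor's Export button emits, then one user is tagged and the required
# full cycle is started. Assumptions: elevated session on the Azure AD Connect server, an AD
# connector named 'contoso.com', a test account 'svc-legacy01'. Cmdlet parameter names follow
# exported rule scripts; check them against an export from your own build before use.
Import-Module ADSync
Import-Module ActiveDirectory

$connectorName = 'contoso.com'                         # assumed connector name
$ruleName      = 'In from AD - User NOSYNC filter'     # assumed rule name

$connector = Get-ADSyncConnector -Name $connectorName
if (-not $connector) { throw "Connector '$connectorName' not found" }

if (Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }) {
    Write-Warning "Rule '$ruleName' already exists; skipping creation"
} else {
    # Inbound user -> person Join rule. Custom rules belong in precedence 0-99;
    # lower numbers win over the built-in rules, which start at 100.
    New-ADSyncRule -Name $ruleName `
        -Identifier ([guid]::NewGuid()) `
        -Description 'Flag users with extensionAttribute1=NOSYNC as cloudFiltered' `
        -Direction 'Inbound' -Precedence 50 `
        -SourceObjectType 'user' -TargetObjectType 'person' `
        -Connector $connector.Identifier -LinkType 'Join' `
        -SoftDeleteExpiry 0 -ImmutableTag '' -OutVariable syncRule | Out-Null

    # Scoping filter: extensionAttribute1 EQUAL NOSYNC
    $condition = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
        -ArgumentList 'extensionAttribute1', 'NOSYNC', 'EQUAL'
    Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
        -ScopeConditions @($condition) -OutVariable syncRule | Out-Null

    # Transformation: constant True flowed into the metaverse attribute cloudFiltered
    Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
        -Destination 'cloudFiltered' -FlowType 'Constant' -ValueMergeType 'Update' `
        -Source @('True') -OutVariable syncRule | Out-Null

    Add-ADSyncRule -SynchronizationRule $syncRule[0] | Out-Null
}

# Tag a single account first so the effect can be verified before tagging more
Set-ADUser -Identity 'svc-legacy01' -Replace @{ extensionAttribute1 = 'NOSYNC' }

# A rule change needs a full import and full sync; run it now rather than wait for the scheduler
if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw 'A sync cycle is already running; retry later' }
Start-ADSyncSyncCycle -PolicyType Initial

# Objects that now match the filter are deleted from Azure AD on export. The export deletion
# threshold (500 by default) halts an export that would delete more than that; lift it only on
# purpose, and put it back afterwards:
#   Disable-ADSyncExportDeletionThreshold
#   Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
```

After the cycle completes, confirm the result in Synchronization Service Manager by searching the metaverse for cloudFiltered = True, and check the Azure AD portal: the tagged account should disappear from the active user list and appear under deleted users. Clearing the attribute and running another full cycle restores it.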
Monitoring synchronization by using Azure AD Connect Health
Azure AD Connect Health is a premium feature that requires Azure AD Premium P1 (or higher) licensing. It has separate agents for Azure AD Connect (the sync engine), Active Directory Domain Services (AD DS), and Active Directory Federation Services (AD FS).

Nov 16, 2022
Choosing between Azure AD Connect and Azure AD Connect Cloud Sync– Planning Identity Synchronization

Azure AD Connect Cloud Sync (often shortened to Cloud Sync) is the next evolution of the directory synchronization product. While it does not yet have full feature parity with Azure AD Connect, Cloud Sync offers some capabilities that Azure AD Connect cannot:

  • While Azure AD Connect requires on-premises connectivity between the Azure AD Connect server and all connected forests, Azure AD Connect Cloud Sync can import identities from forests that do not have site-to-site connectivity. This makes Cloud Sync advantageous when dealing with mergers and acquisitions as well as organizations that have multiple, disconnected business units.
  • Lightweight on-premises provisioning agents with the synchronization configuration managed in the cloud. Multiple provisioning agents can be installed for fault tolerance and redundancy, which matters most for organizations that depend on password hash synchronization for sign-in.

However, Cloud Sync provides fewer overall features. The following list identifies the core feature gaps:

  • Cloud Sync does not support on-premises LDAP directories.
  • Cloud Sync does not support device objects.
  • Pass-through authentication is unavailable with Cloud Sync.
  • Advanced filtering and scoping (such as by using object attributes) are not supported with Cloud Sync, nor are advanced configurations of custom synchronization rules.
  • Cloud Sync does not support more than 150,000 objects per AD domain, nor does it support Azure AD Domain Services (Azure AD DS). Large groups are limited to 50,000 members, whereas Azure AD Connect supports groups of up to 250,000 members.
  • Cloud Sync does not support Exchange hybrid writeback or group writeback.
  • Cloud Sync cannot merge object attributes from multiple source domains.

A full comparison of features is available at https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync. As you can see from the previous lists, Azure AD Connect Cloud Sync is potentially a good option for organizations that don’t have more than 150,000 objects in any single domain, don’t require object or property writeback, and don’t need to heavily customize synchronization rules.
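Before choosing Cloud Sync, measure the environment against the limits listed above rather than guessing. The following script is an added example, not from the book: it counts the object classes Cloud Sync provisions (users, groups and contacts) in every domain of the forest and reports the largest group by direct membership. It assumes the ActiveDirectory RSAT module, read access to each domain, and the 150,000-object and 50,000-member thresholds, which were the documented values at the time of writing.

```powershell
# Added example (not from the book): pre-flight check of an AD forest against the Cloud Sync
# limits quoted above. Assumptions: ActiveDirectory RSAT module present, read access to every
# domain, thresholds of 150,000 objects per domain and 50,000 group members (documented values
# at the time of writing; recheck the current comparison table before relying on them).
Import-Module ActiveDirectory

$maxObjectsPerDomain = 150000
$maxGroupMembers     = 50000

function Test-CloudSyncLimits {
    $report = foreach ($domain in (Get-ADForest).Domains) {
        $base = (Get-ADDomain -Server $domain).DistinguishedName

        # Count only what Cloud Sync provisions: users, groups and contacts. Device objects are
        # not synchronized by Cloud Sync at all, and computers carry objectClass=user through
        # inheritance, so real users are pinned with objectCategory=person.
        $objects = Get-ADObject -Server $domain -SearchBase $base -Properties objectClass, member `
            -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=contact))'

        # Largest group by direct member count (ADWS returns the full member attribute)
        $largest = $objects |
            Where-Object { $_.ObjectClass -eq 'group' } |
            Sort-Object { @($_.member).Count } -Descending |
            Select-Object -First 1

        $largestCount = if ($largest) { @($largest.member).Count } else { 0 }

        [pscustomobject]@{
            Domain              = $domain
            ObjectCount         = @($objects).Count
            LargestGroup        = if ($largest) { $largest.Name } else { '-' }
            LargestGroupMembers = $largestCount
            CloudSyncEligible   = (@($objects).Count -le $maxObjectsPerDomain) -and
                                  ($largestCount -le $maxGroupMembers)
        }
    }
    return $report
}

$results = Test-CloudSyncLimits
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.CloudSyncEligible }) {
    Write-Warning 'At least one domain exceeds a Cloud Sync limit; plan on Azure AD Connect for it.'
}
```

Nested membership is deliberately not expanded: the limit is on the group object itself, and expanding nested groups in a large forest is slow. A domain that passes this check can still be ruled out by the other gaps above (device objects, pass-through authentication, writeback, custom rules), which are design requirements rather than sizes and have to be checked by hand.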

Planning user sign-in

The final step in planning your hybrid identity solution is around what type of sign-in experience you want to deploy for your users. As discussed briefly in the Designing synchronization solutions section, there are three core methods for managing user sign-in:

  • Password hash synchronization
  • Pass-through authentication
  • Federation

While all three of these solutions utilize some sort of identity synchronization technology, knowing the features and capabilities of each will help you choose the option that’s right for your organization.

Let’s explore each of these options in a little more detail.
