Sep 15, 2022
AD FS – Planning Identity Synchronization

If you are using the Azure AD Connect installation wizard to configure AD FS, there are additional requirements that must be met:

  • If you are using Azure AD Connect to configure AD FS, the federation and web application proxy (WAP) servers must already have TLS/SSL certificates installed and the servers must be accessible via WinRM.
  • AD FS server hosts must be Windows Server 2012 R2 or later.
  • The AD FS farm servers must be domain-joined. The AD FS web application proxy servers must not be domain-joined.
  • AD FS also has specific name resolution requirements. The internal DNS domain must use A records for the federation server farm (external DNS can use A records or CNAME records).

Further information

While it is not covered by the MS-100 exam, per se, it’s important to note that externally, DNS will point to the AD FS WAP servers using the name deployed on the SSL/TLS certificate (such as sts.contoso.com or adfs.contoso.com). However, the AD FS WAP servers need to resolve the AD FS farm name to the internal farm servers, not to themselves. This is frequently accomplished by configuring a hosts file entry on the AD FS WAP servers.

Accounts and security

To successfully configure Azure AD Connect, you must have access to privileged accounts:

  • You must have either an Azure AD Global Administrator or Hybrid Identity Administrator account to configure synchronization. These credentials are used to create a service account in Azure AD that’s used to provision and synchronize objects.
  • If you use the Express setup option or upgrade from the legacy DirSync product, the installation account must be a member of Enterprise Admins in the local Active Directory.
  • If you are configuring Azure AD Connect with a service account, the account must have the following permissions delegated:
    • Write permissions to Active Directory (if any hybrid writeback features are enabled, such as Exchange hybrid writeback, password writeback, group writeback, or device writeback)
    • If password hash synchronization is deployed, the service account must be delegated the special permissions called Replicating Directory Changes and Replicating Directory Changes All to read the password data from Active Directory
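The two replication rights named above are the same rights that allow any holder to read password hashes from the directory, so it is worth knowing exactly who has them before (and after) delegating them to the synchronization account. The following read-only script is an added example, not code from the book or from Microsoft: it walks the ACL of the domain naming context and lists every identity holding either right, then warns about holders that are not on a list you maintain. It assumes the ActiveDirectory RSAT module is installed; the two rights GUIDs are the well-known schema values, and the `$knownHolders` entries are placeholders for your own domain.

```powershell
# Added example (not from the book): audit who holds the two replication
# extended rights on the domain naming context. Read-only.
Import-Module ActiveDirectory

# Well-known control access right GUIDs for the two rights the book mentions.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $isExtended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isGenericAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        $guid = $ace.ObjectType.ToString().ToLower()

        # An ExtendedRight ACE with an empty ObjectType grants *all* extended
        # rights, and GenericAll grants everything; both include replication.
        if ($isGenericAll -or ($isExtended -and $ace.ObjectType -eq [guid]::Empty)) {
            $rightName = 'All extended rights (includes both replication rights)'
        } elseif ($isExtended -and $replicationRights.ContainsKey($guid)) {
            $rightName = $replicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $rightName
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholders: the principals you expect to hold the rights in your domain,
# including the Azure AD Connect AD DS account created during setup.
$knownHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'CONTOSO\Domain Controllers',
    'CONTOSO\MSOL_sync'
)

$holders = Get-ReplicationRightHolders
$holders | Format-Table -AutoSize

$holders |
    Where-Object { $_.Type -eq 'Allow' -and $_.Identity -notin $knownHolders } |
    ForEach-Object { Write-Warning "Unexpected holder: $($_.Identity) -> $($_.Right)" }
```

Run it once before delegating the rights to record the baseline, and again afterwards to confirm that only the synchronization account was added; any other principal that appears in the warnings deserves an explanation.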

Connectivity

Azure AD Connect needs to be able to communicate with both on-premises directories as well as Azure AD:

  • Azure AD Connect must be able to resolve DNS for both internet and intranet locations.
  • Azure AD Connect must be able to communicate with the root domain of all configured forests.
  • If your network requires a proxy to connect to the internet, you must update the .NET Framework’s machine.config file with the appropriate proxy server address and port. If your proxy server requires authentication, you must use a custom installation and specify a domain-member service account.
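The machine.config change in the last bullet is easy to get wrong by hand, because the file is shared by every .NET Framework application on the server. The script below is an added example, not the book's or Microsoft's procedure: it takes a backup, then adds or updates the `system.net/defaultProxy` element in the 64-bit machine.config. It assumes .NET Framework 4.x on a 64-bit server, and the proxy address is a placeholder you replace with your own; the `useDefaultCredentials` attribute is included because an authenticating proxy needs the installer's service account credentials to be passed through, which is my reading of the bullet rather than something the book spells out.

```powershell
# Added example (not from the book): set the .NET Framework proxy used by
# Azure AD Connect's components by editing machine.config, with a backup.
param(
    [string]$ProxyAddress = 'http://proxy.example.invalid:8080'   # placeholder
)

$configPath = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
if (-not (Test-Path $configPath)) { throw "machine.config not found at $configPath" }

# Keep a timestamped backup before touching a file the whole runtime reads.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $configPath -Destination $backup

[xml]$cfg = Get-Content -Path $configPath -Raw
$root = $cfg.configuration

# Create <system.net> and <defaultProxy> if they are not already present.
$sysNet = $root.SelectSingleNode('system.net')
if (-not $sysNet) {
    $sysNet = $cfg.CreateElement('system.net')
    [void]$root.AppendChild($sysNet)
}
$defaultProxy = $sysNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) {
    $defaultProxy = $cfg.CreateElement('defaultProxy')
    [void]$sysNet.AppendChild($defaultProxy)
}
$defaultProxy.SetAttribute('enabled', 'true')
$defaultProxy.SetAttribute('useDefaultCredentials', 'true')   # assumption: proxy may authenticate

# <proxy> carries the address; bypassonlocal keeps intranet traffic direct.
$proxy = $defaultProxy.SelectSingleNode('proxy')
if (-not $proxy) {
    $proxy = $cfg.CreateElement('proxy')
    [void]$defaultProxy.AppendChild($proxy)
}
$proxy.SetAttribute('usesystemdefault', 'true')
$proxy.SetAttribute('proxyaddress', $ProxyAddress)
$proxy.SetAttribute('bypassonlocal', 'true')

$cfg.Save($configPath)
Write-Host "Proxy $ProxyAddress written to $configPath (backup: $backup)"
```

Run it from an elevated PowerShell session, since machine.config is writable only by administrators, and restart the Azure AD Connect installer afterwards so the new proxy settings are picked up.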

If your environment meets the minimum requirements for deploying Azure AD Connect, you can download the components and begin the installation. You can download the most recent version of Azure AD Connect from https://aka.ms/aadconnect.

Aug 1, 2022
On-premises Active Directory – Planning Identity Synchronization

Before you install Azure AD Connect, you will also need to make sure that Active Directory meets certain requirements as well:

  • You must have at least one on-premises Active Directory environment with Windows Server 2003 or later forest functional level and schema. The NetBIOS name of the forest or domain cannot have a period in it.
  • The domain controller that Azure AD Connect uses must be writeable. Read-only domain controllers (RODCs) are not supported for use with Azure AD Connect. RODCs are permitted in the environment, but Azure AD Connect should be installed in an Active Directory site without RODCs.

SQL Server

In addition to the core prerequisites to install and configure Azure AD Connect, you should be aware of limitations regarding the size of the database.

By default, Azure AD Connect installs SQL Server 2019 Express for use with the Azure AD Connect database. Express editions of SQL are limited to a 10 GB database, which is sufficient for managing synchronization for approximately 100,000 objects. If the sum of objects in all of your connected directories is larger than 100,000 objects, you will need to configure Azure AD Connect during installation to connect to a full version of SQL Server.

Exam tip

SQL database server sizing and performance requirements are outside the scope of the MS-100 exam.

As previously mentioned, Azure AD Connect deployments that are used to synchronize more than 100,000 objects will require their own SQL Server. The memory and disk space requirements in Table 3.3 are for Azure AD Connect only and do not reflect the additional SQL Server sizing requirements.

Azure AD Connect server software components

Azure AD Connect has requirements specific to the minimum operating system versions, as well as other software components:

  • Currently, you can deploy to Windows Server 2016 or Windows Server 2019 (but not Server 2022 yet). You cannot deploy to Small Business Server or Windows Server Essentials editions before 2019.
  • The PowerShell execution policy for the server should be set to RemoteSigned or Unrestricted.
    • You must not have PowerShell Transcription enabled through Group Policy if you plan on using Azure AD Connect to configure Active Directory Federation Services (AD FS).

Note

This is a change from the original product documentation. Previously, PowerShell Transcription would cause the installation to abort.

  • The server used for Azure AD Connect must have a full GUI installed. It doesn’t support deployment to any edition of Windows Server Core.
  • Ensure you have PowerShell 5.0 or later as well as .NET Framework 4.5.1 or later installed.
  • Azure AD Connect checks for the MachineAccessRestriction, MachineLaunchRestriction, and DefaultLaunchPermission values in the Distributed COM (DCOM) configuration. If those values are missing or corrupt, the installation will fail.

While it is not required, Microsoft recommends forcing the use of TLS 1.2 for .NET Framework components. This can be configured by setting the HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto registry value to DWORD:00000001.
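The software prerequisites in this section are all things you can verify before launching the installer rather than discovering them when it fails. The following read-only script is an added example, not the book's or Microsoft's own check: it reports on the operating system, installation type, PowerShell version and execution policy, .NET Framework version, the three DCOM values, the PowerShell transcription policy, and the SchUseStrongCrypto value from the paragraph above. The registry locations for the DCOM values, the .NET `Release` number and the transcription policy are from general Windows knowledge rather than from the book; the `Release` threshold 378675 corresponds to .NET Framework 4.5.1, and the Wow6432Node path for SchUseStrongCrypto (32-bit .NET) is my addition.

```powershell
# Added example (not from the book): read-only check of the Azure AD Connect
# server software prerequisites and the TLS 1.2 strong-crypto setting.
function Test-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Windows Server 2016 (build 14393) or 2019 (build 17763); ProductType 1 is a workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1
$buildOk = ([int]$os.BuildNumber -in @(14393, 17763))
Add-Result 'Windows Server 2016/2019' ($isServer -and $buildOk) "$($os.Caption) build $($os.BuildNumber)"

# Full GUI install: InstallationType is 'Server' on Desktop Experience, 'Server Core' otherwise.
$installType = Test-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'InstallationType'
Add-Result 'Full GUI (not Server Core)' ($installType -eq 'Server') "InstallationType=$installType"

# PowerShell 5.0 or later, execution policy RemoteSigned or Unrestricted.
Add-Result 'PowerShell 5.0 or later' ($PSVersionTable.PSVersion.Major -ge 5) "$($PSVersionTable.PSVersion)"
$policy = "$(Get-ExecutionPolicy)"
Add-Result 'Execution policy' ($policy -in @('RemoteSigned', 'Unrestricted')) $policy

# .NET Framework 4.5.1 or later (Release >= 378675).
$release = Test-RegistryValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
Add-Result '.NET Framework 4.5.1 or later' ($release -ge 378675) "Release=$release"

# DCOM values the installer checks; they live under HKLM\SOFTWARE\Microsoft\Ole as binary ACLs.
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction', 'DefaultLaunchPermission') {
    $v = Test-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Ole' $name
    $detail = if ($null -ne $v) { "$($v.Length) bytes" } else { 'missing' }
    Add-Result "DCOM $name present" ($null -ne $v) $detail
}

# PowerShell transcription via Group Policy (only a blocker if AD FS will be configured from the wizard).
$transcribe = Test-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' 'EnableTranscripting'
Add-Result 'Transcription policy not enabled' ($transcribe -ne 1) "EnableTranscripting=$transcribe"

# TLS 1.2 for .NET: SchUseStrongCrypto = 1 (the book's path, plus the 32-bit Wow6432Node path).
$cryptoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($p in $cryptoPaths) {
    $v = Test-RegistryValue $p 'SchUseStrongCrypto'
    Add-Result "SchUseStrongCrypto ($p)" ($v -eq 1) "value=$v"
}

$results | Format-Table -AutoSize

# Remediation for the last check, run only after reviewing the output:
# foreach ($p in $cryptoPaths) { Set-ItemProperty -Path $p -Name SchUseStrongCrypto -Value 1 -Type DWord }
```

A failed `Pass` on the transcription row only matters when AD FS will be configured through the wizard, and a missing DCOM value is worth investigating rather than recreating blindly, since those binary values are security descriptors.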

May 14, 2022
Further reading – Planning Identity Synchronization

You can learn more about the required and supported values for attributes at https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailbox and https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-for-directory-synchronization.

When preparing to synchronize your directory, Microsoft recommends performing the following procedures:

  • Use the IdFix tool (https://aka.ms/idfix) to detect errors such as invalid characters in on-premises identities. Values that contain invalid characters will cause object synchronization errors.
  • Configure a user’s userPrincipalName (UPN) to be the same as their primary SMTP address. While it’s not required to have parity between UPN and SMTP addresses, it is recommended to help minimize the number of unique values that users have to remember.

You shouldn’t install and configure directory synchronization until you have resolved the issues identified by IdFix.

Identifying required Azure AD Connect features

Depending on your organization’s requirements for onboarding to Microsoft 365 as well as additional features or services that are included with your subscription, you may want (or need) to enable or configure additional Azure AD Connect features.

There are several additional features available post-installation for Azure AD Connect, such as managing duplicate attribute resiliency and user principal name soft-matching, both of which are used to manage how Azure AD handles conflicts and connect cloud accounts to on-premises accounts.

Further reading

More detailed information about the Azure AD Connect optional features, such as duplicate attribute resiliency, is available here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-features.

Understanding the prerequisites for Azure AD Connect

The Azure AD Connect synchronization has several prerequisites, including supported hardware and software, as well as permissions required for various synchronization options.

The Azure AD prerequisites can be broken down into seven sections:

  • Azure AD
  • On-premises Active Directory
  • SQL Server
  • Azure AD Connect server hardware requirements
  • Azure AD Connect server software requirements
  • Accounts and security
  • Connectivity

Let’s quickly review the requirements.

Azure AD

The first set of requirements surrounds your Azure AD environment:

  • You must have an Azure AD tenant (any Azure AD or Microsoft 365 subscription is sufficient)
  • You should have one or more verified domains in Azure AD

Note

The Microsoft Azure AD Connect documentation (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites) lists a verified domain as a requirement, but functionally, you can install and configure Azure AD Connect synchronization without a verified domain. The user interface will display a warning, but you can proceed. Objects will receive a managed domain name (onmicrosoft.com) suffix when they are synchronized.

Mar 22, 2022
Understanding Azure AD Connect with multi-tenant scenarios – Planning Identity Synchronization

In more complex scenarios, you can synchronize objects from one (or more) on-premises forests to one (or more) Azure AD tenants, as shown in Figure 3.5:

Figure 3.5 – Synchronization to multiple Azure AD tenants

This is relatively new, from a supported topologies perspective. This is a potential solution if you need to support multiple tenants in your organization. Microsoft, however, recommends trying to consolidate to a single tenant where possible.

There are some important caveats with this design, primarily the following:

  • You need to deploy an Azure AD Connect server to communicate with each tenant.
  • While the same object can be in scope for multiple Azure AD Connect instances, Exchange hybrid writeback, device writeback, and group writeback are only supported by one tenant. If you configure those writeback features for more than one tenant and have the same object in scope for those Azure AD Connect servers, you will enter a race condition where the object will get continuously updated errantly.
  • You can have Password Write-back enabled on multiple tenants for the same user object.
  • Hybrid Azure AD Join and Seamless SSO can only be configured with one tenant.
  • You cannot configure the same custom domain in more than one tenant.

As previously mentioned, Microsoft recommends trying to consolidate into a single tenant to get the best experience. And, regardless of the Azure AD Connect topologies selected, it is not supported to deploy more than one active Azure AD Connect server to a single tenant. If you need to connect multiple on-premises systems to a single Azure AD tenant, you can achieve that with a single Azure AD Connect server.

Identifying object source requirements

Since the purpose of Azure AD Connect is synchronizing user, group, contact, and device objects to Azure AD, you’ll need to make sure your objects meet the minimum requirements.

Microsoft has guidance surrounding preparing user objects for synchronization. Some attributes (specifically those that are used to identify the user throughout the system) must be unique throughout the organization. For example, you cannot have two users that have the same userPrincipalName value.

As you can see, very few attributes are required for an object to synchronize. Each attribute that is synchronized does have some core requirements around formatting, including length and allowed characters. Several attributes (such as mailNickname, userPrincipalName, mail, sAMAccountName, and proxyAddresses) must contain unique values – that is, no other object in the directory of any type can share those values.
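The formatting and uniqueness rules described here, and the IdFix recommendation earlier on this page (use IdFix to find invalid characters, and keep the UPN equal to the primary SMTP address), can be spot-checked against the on-premises directory before synchronization is turned on. The script below is an added example, not IdFix and not code from the book: it reads enabled users and reports UPNs with invalid characters, UPNs that differ from the primary SMTP address, and values that are duplicated across userPrincipalName, mail, mailNickname and proxyAddresses on different objects. It assumes the ActiveDirectory RSAT module; the character pattern used is a simplification of Microsoft's published rules rather than a verbatim copy, so treat it as a first pass and let IdFix have the final word.

```powershell
# Added example (not from the book, not IdFix): read-only pre-sync check of
# user attributes for invalid characters, UPN/SMTP mismatch and duplicates.
Import-Module ActiveDirectory

$props = 'userPrincipalName', 'mail', 'mailNickname', 'sAMAccountName', 'proxyAddresses'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

function Get-PrimarySmtp([string[]]$ProxyAddresses) {
    # The primary SMTP address is the entry with an upper-case "SMTP:" prefix.
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    return ($primary -replace '^SMTP:', '')
}

# Simplified allowed-character rule for the UPN (assumption, see lead-in).
$upnPattern = '^[A-Za-z0-9._!#^~-]+@[A-Za-z0-9.-]+$'

$findings = [System.Collections.Generic.List[object]]::new()
$seen = @{}   # normalised value -> sAMAccountName of the first object that used it

foreach ($u in $users) {
    $upn = $u.userPrincipalName
    $primary = Get-PrimarySmtp $u.proxyAddresses

    if ($upn -and $upn -notmatch $upnPattern) {
        $findings.Add([pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'userPrincipalName'; Issue = 'invalid characters'; Value = $upn })
    }
    if ($upn -and $primary -and $upn -ne $primary) {
        $findings.Add([pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'userPrincipalName'; Issue = 'differs from primary SMTP'; Value = "$upn / $primary" })
    }

    # Uniqueness is across attributes as well as objects, so every address-like
    # value goes into one shared table (lower-cased, SMTP: prefix stripped).
    $values = @()
    if ($upn)            { $values += @{ Attr = 'userPrincipalName'; Val = $upn.ToLower() } }
    if ($u.mail)         { $values += @{ Attr = 'mail';              Val = $u.mail.ToLower() } }
    if ($u.mailNickname) { $values += @{ Attr = 'mailNickname';      Val = $u.mailNickname.ToLower() } }
    foreach ($pa in @($u.proxyAddresses)) {
        if ($pa -imatch '^smtp:(.+)$') { $values += @{ Attr = 'proxyAddresses'; Val = $Matches[1].ToLower() } }
    }

    foreach ($v in $values) {
        $key = $v.Val
        if ($seen.ContainsKey($key)) {
            # Same value on the same object (UPN == mail == primary SMTP) is fine; another object is not.
            if ($seen[$key] -ne $u.sAMAccountName) {
                $findings.Add([pscustomobject]@{ User = $u.sAMAccountName; Attribute = $v.Attr; Issue = "duplicate of $($seen[$key])"; Value = $key })
            }
        } else {
            $seen[$key] = $u.sAMAccountName
        }
    }
}

$findings | Sort-Object User, Attribute | Format-Table -AutoSize
```

Because the duplicate table is keyed on the value alone, a mail address on one user that matches the UPN of another is reported too, which is the cross-attribute conflict the paragraph above describes. Extend the query to contacts and groups if those objects will also be in scope.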

Jan 24, 2022
Understanding Azure AD Connect with multi-forest scenarios – Planning Identity Synchronization

Azure AD Connect also supports several multi-forest scenarios.

In a basic multi-forest scenario, you have one or more on-premises Active Directory forests all contributing unique objects to a single Azure AD tenant.

You might need to support a configuration like this if you have multiple business units within your organization with their own autonomous Active Directory environments that all want to share a single Microsoft 365 environment:

Figure 3.2 – Multiple Active Directory forests contributing to a single Azure AD tenant

There are other organizational scenarios where you may need to support multiple forests. Large organizations sometimes configure multiple directories in what’s called a resource forest configuration.

In this structure, application resources (such as Microsoft Exchange) are configured in one forest (called the resource forest). A trust relationship is established with another forest containing accounts (intuitively called the account forest). The trust allows objects from the account forest to access applications and services in the resource forest. The user objects in the account forests are linked to a corresponding security principal account in the resource forest, thereby granting access to the resource forest. See Figure 3.3:

Figure 3.3 – Account forests and a resource forest contributing to a single Azure AD tenant

Another common multi-forest scenario involves two or more on-premises organizations that utilize some other form of directory synchronization (such as MIM GALSync) to ensure that each organization’s Exchange environment contains a full list of the objects in their partner’s directories. This example is shown in Figure 3.4:

Figure 3.4 – Multiple forests with on-premises synchronization to a single Azure AD tenant

In this scenario, users have a single primary account that they use for accessing services and resources. That account is represented in the partner organization’s directory as a contact object.

Multiple forests, multiple users, multiple options

Multi-forest configurations can be quite tricky. During the Azure AD Connect setup, you’ll be prompted to select how your users are represented across the organization. You have two core options: Users are represented only once across all directories and User identities exist across multiple directories.

The first option is straightforward – it’s a scenario where users only have one object.

The second option, though, has two additional choices: to match using Mail attribute or ObjectSID and msExchangeMasterAccountSID attributes.

In an on-premises directory synchronization scenario (which Microsoft refers to as full mesh), users may be represented by several objects, such as a security principal (user account), as well as a contact object in other forests. For this scenario, you would choose to match users based on the mail attribute.

In a resource forest configuration, users typically have more than one identity: an identity in the account forest that is linked to a corresponding account in the resource forest. Typically, the account in the resource forest is set to disabled. In an Exchange resource forest scenario, the objects are linked by copying the ObjectSID value from the user object in the account forest to the msExchangeMasterAccountSID value of the user object in the resource forest. With an Exchange resource forest design, you’ll want to select the ObjectSID and msExchangeMasterAccountSID attributes option.

Dec 27, 2021
Transformation – Planning Identity Synchronization

As part of the synchronization process, Azure AD performs certain computations or evaluations on objects. This process is called transformation. Transformations (sometimes called transforms) are the actions configured inside synchronization rules and are used to determine how attributes are mapped between objects and what (if any) additional calculations are done between the source and target objects.

For example, you may wish to change the order of a person’s name from Firstname, Lastname to Lastname, Firstname. You can perform this update by using a transformation inside a synchronization rule.

Export

The export process is responsible for writing objects (or their updates) to a particular connected directory.

Scope

The term scope is used in a few different places in the context of Azure AD Connect. Scope is broadly used to determine what objects are eligible to be managed as part of Azure AD Connect. Scope can be used in the Azure AD connector configuration to limit which organizational units or domains are imported or exported in the directory. Scope, in the context of an Azure AD synchronization rule, can be used to limit which objects can be affected by a particular synchronization rule.

Metaverse

The metaverse, in simple terms, is a consolidated view of all the objects from connector spaces.

Staging server

Azure AD Connect supports a form of redundancy called a staging server. This server should be configured with the same features, options, settings, and customizations that the primary server has. If the primary server is unavailable for an extended period, you can enable the staging server to continue providing identity synchronization services.

Note

The staging server is passive and does not actively process exports to Azure AD. Having two active Azure AD Connect servers in a single tenant is not supported.

Now that you understand the basic terminology surrounding Azure AD Connect, let’s move on to working with directories.

Understanding Azure AD Connect with a single forest and single tenant

Of all the potential architectures available between Active Directory, Azure AD, and Azure AD Connect, the most common (and easiest) is when Azure AD Connect is used to synchronize data from a single Active Directory forest (including one or more domains in the same forest) into a single Azure Active Directory tenant. This example is depicted in Figure 3.1:

Figure 3.1 – Single forest to single tenant synchronization

Exam tip

If you choose the express installation choice during setup, this is the only supported Azure AD Connect topology. The express installation will automatically configure Password Hash Synchronization.

Sep 8, 2021
Designing synchronization solutions – Planning Identity Synchronization

We’ve already touched on the fact that Microsoft 365 is an identity-driven platform. This means you need to provision some sort of identity for your users to begin accessing the tools and features of the service.

When discussing Azure AD, it’s important to understand where identities are stored and how authentication is performed. With Azure AD, three basic identity models are available:

  • Cloud authentication: Cloud authentication is a model where identities are created in (or synchronized to) Azure AD and the authentication is processed by Azure AD
  • Federated identity: With federated identity, user objects are synchronized to Azure AD, but the authentication happens in the identity source’s directory
  • External identity: Commonly used for business-to-business (B2B) or business-to-consumer (B2C) scenarios, external identity is used when a tenant stores a type of reference or a guest object that represents an external user in another directory, such as a business partner’s Azure AD environment, Facebook, or Google

For the exam objective, however, we’re going to focus on identity models that involve directory synchronization and working with the features surrounding those solutions. Hybrid identity is an identity and authentication model that involves both an on-premises identity and a corresponding synchronized cloud identity. With Microsoft 365, you can deploy a hybrid identity solution using Azure Active Directory Connect (most commonly referred to as Azure AD Connect).

Overview of Azure AD Connect

Azure AD Connect is a directory synchronization tool that has steadily evolved over the past several years to provide increased capabilities in the identity synchronization and authentication management areas. The current Azure AD Connect platform is built on Microsoft Identity Manager (MIM).

At a high level, Azure AD Connect works by connecting to various on-premises and cloud directories, reading in objects such as users and groups, and then provisioning them to another directory. There are several key terms to understand when working with Azure AD Connect, which we’ll discuss in this section.

Connected system

Sometimes referred to as a connected directory, a connected system is any directory source that has been configured for use with Azure AD Connect.

Connector

A connector is a logical object that represents the configuration necessary to communicate with a connected directory. For example, the Azure AD Connector stores the configuration necessary for Azure AD Connect to read and write data to Azure Active Directory. A connector can contain information about what attributes are available from the connected directory or what server is used when accessing the directory.

Connector space

You can think of the connector space as a database table that is used to hold all the objects related to a particular connector. Each connector has its own connector space.

sourceAnchor

Each object has a unique, immutable attribute that stays with it throughout its lifetime. The sourceAnchor is an attribute you can use to trace the lineage of an object as it moves between connector spaces and is represented in various connected directories. No two objects can share the same sourceAnchor.

Import

To populate each connector’s connector space, Azure AD Connect must read the object data from a source directory. Objects commonly include users, contacts, groups, and devices. The process for reading data is called import.

Synchronization

Once objects have been imported into the connector space, a synchronization job is executed. Synchronization is responsible for executing logic (called rules) that can be used to connect (or join, in Azure AD Connect terminology) objects from different directories together or map attributes from between directory objects.

For example, a synchronization rule is responsible for mapping a user’s Department property in Active Directory to the Department property in Azure AD. If you have users who are represented in more than one source directory, a synchronization rule can be used to join the two objects together and map their attributes accordingly.

Synchronization also has the concept of precedence, meaning that the order of the synchronization rules can (and will) affect the outcome of processing. Rules configured with higher precedence (which translates to a lower ordinal number in the rules list) have their results override those of lower-precedence (higher-numbered) rules.

Jun 6, 2021
Technology experiences – Monitoring Microsoft 365 Tenant Health

The technology experiences category focuses on areas relating to the devices that people are using to access Microsoft 365 services:

  • Endpoint analytics: This area provides insights into the overall performance data of devices that are enrolled in Intune or Configuration Manager with tenant attach. The performance metrics include things such as boot time, how long it takes to sign in and get to a responsive desktop, how much time is spent processing Group Policy, how often applications hang or crash, and the number of active devices that have launched a particular app during the past 14 days. The endpoint analytics reporting has special requirements, such as particular operating system versions of endpoints being either Azure AD joined or hybrid Azure AD joined, as well as licensed for Intune or Microsoft Endpoint Configuration Manager.
  • Network connectivity: This area provides insights into factors involving network communication between your endpoints and the Microsoft 365 platform. Specific network requirements must be met, such as configuring networks in the Microsoft 365 admin center and enabling location data collection features. For more information on the prerequisites for enabling network connectivity reporting, see https://learn.microsoft.com/en-us/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-worldwide.
  • Microsoft 365 Apps: In this area, you can view insights on how many devices across your organization are up-to-date with their Microsoft 365 app deployments.

The technology experiences score reports can help you gain insight into how devices may affect the overall adoption and satisfaction with Microsoft 365 services.

Special reports

Finally, there is a lightweight version of the Business Resilience report (from Viva Insights), which is available to organizations that have at least 100 active Exchange and Viva Insights licenses. This report helps organizational leaders understand how to utilize remote work, how to maintain a work-life balance, the effectiveness of virtual meetings, and how to participate in Yammer communities.

Summary

In this chapter, you learned about the variety of data that is available in the Microsoft 365 environment, including service health, audit and security log data, and adoption and usage metrics. You were also introduced to Viva Insights as part of an employee experience platform that helps organizations understand and manage effective employee communications and well-being.

In the next chapter, we will start planning for identity synchronization.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

Answer the following questions:

  1. What three insight areas does Adoption Score cover?
    A. Technology experiences
    B. Engagement experiences
    C. People experiences
    D. Special reports
    E. License consumption
  2. Service health data can be viewed in which location?
    A. Azure Monitor
    B. Microsoft Sentinel
    C. Log Analytics
    D. The health dashboard
  3. Which type of data is captured in the Azure AD Provisioning logs?
    A. Enterprise application provisioning activities
    B. Azure AD Connect user provisioning activities
    C. Microsoft Identity Manager provisioning activities
    D. Microsoft 365 Group provisioning activities
  4. Which two steps should be taken when creating an incident response plan?
    A. Validate the incident scope details and confirm that your environment is affected
    B. Migrate applications back on-premises
    C. Develop a backup solution in case the service outage or degradation lasts longer than the acceptable time frame for your organization
    D. Immediately begin restoring data from third-party backups or archive locations
  5. Microsoft Viva Insights Teamwork habits include suggestions for what two actions?
    A. Virtual happy hours
    B. Scheduling recurring 1:1 time with managed employees
    C. Establishing no-meeting days
    D. Encouraging after-hours work to lessen the workload of coworkers

Answers

The following are the answers to this chapter’s questions:

  1. A: Technology experiences; C: People experiences; D: Special reports
  2. D: The health dashboard
  3. A: Enterprise application provisioning activities
  4. A: Validate the incident scope details and confirm that your environment is affected; C: Develop a backup solution in case the service outage or degradation lasts longer than the acceptable time frame for your organization
  5. B: Scheduling recurring 1:1 time with managed employees; C: Establishing no-meeting days

Part 2: Planning and Managing User Identity and Roles

In this part, you will learn about the various types of user identity and provisioning strategies, including Azure AD Connect and Azure AD Connect cloud sync. You’ll also learn about Azure AD roles and privileged identity management.

This part has the following chapters:

  • Chapter 3, Planning Identity Synchronization
  • Chapter 4, Implementing and Managing Identity Synchronization with Azure AD
  • Chapter 5, Planning and Managing Azure AD Identities
  • Chapter 6, Planning and Managing Roles in Microsoft 365
Apr 26, 2021
Adoption Score – Monitoring Microsoft 365 Tenant Health

Formerly known as Productivity Score, Adoption Score is a metric that is used to help measure the success of an organization that is using the Microsoft 365 platform. Before Adoption Score can be used, it must be enabled in the Microsoft 365 admin center under Reports:

Figure 2.29 – Enabling Adoption Score

Adoption Score provides insights broken into three categories: people experiences, technology experiences, and special reports. When enabling the score, you can select how to calculate people experiences insights:

  • Include all users
  • Exclude specific users by group
  • Don’t calculate for any users

Technology experiences insights are shown automatically when you enable Adoption Score. If you don’t want to collect that data, you can disable the Endpoint analytics scope property in the Intune data collection policy.

If you are performing a staged rollout of services using a pilot program, it may be beneficial to limit the reporting scope to groups of users that are part of the pilot.

People experiences

The people experiences insights focus on five categories that show how your users and organization are using the tools in the Microsoft 365 platform. These insight areas are as follows:

  • Communication: The Communication area measures how people communicate with each other, such as via sending emails, instant messages, or posting on communities in Yammer. This area highlights important practices such as using @mentions in emails and marking responses as answers in Yammer. Users need to be licensed for Yammer, Exchange Online, or Teams to be counted in this metric.
  • Content collaboration: This area measures how people use files in your organization, such as creating or sharing files in OneDrive for Business and SharePoint Online or how email attachments are used (attached files versus a cloud attachment—a link to a file shared in OneDrive or SharePoint). It also captures data about the number of files shared and whether the collaborators are internal or external to the organization. Users need to be licensed for OneDrive for Business, SharePoint, or Exchange Online to be counted in this metric.
  • Mobility: This area measures what devices and interfaces people use to accomplish their work. For example, a user sending an email from the Outlook desktop app and the Outlook mobile app would be regarded as an individual using the Microsoft 365 apps across multiple platforms. This measurement area also reports on what locations people are working from – whether they are onsite in one of your organization’s offices or working remotely. To be counted in this metric, users need to be licensed for Teams, Exchange Online, or Microsoft 365 apps.
  • Meetings: The Meetings area measures how effectively meetings are used across your organization. Meetings are evaluated against practices such as scheduling meetings at least 24 hours in advance, sharing agendas, and the percentage of invitees that show up to the meetings. Other features include measuring interactivity (hand-raising, chat, reactions, or sharing content) during the meeting, as well as whether or not attendees participate via audio or video. Users must be licensed for Microsoft Teams to be included in this metric.
  • Teamwork: This area is used to measure how people collaborate in Teams and use shared workspaces (such as Teams, channels, Microsoft 365 Groups, and SharePoint sites). To be counted for this metric, users must be licensed for Exchange Online, SharePoint, or Microsoft Teams.

In addition to users requiring licenses to be assigned, they also need to be active in a service at least once every 28 days to get counted for that service. You can use Adoption Score to review how people use the Microsoft 365 service and provide coaching on best practices to get the most out of the platform.
