Azure AD Connect
Get your Hybrid Identity
in four steps!
Ronny de Jong
Consultant & MVP | Inovativ
@ronnydejong
Agenda
 Making Hybrid Identity Simple
 More topologies, more scenarios
 Walk through Express & Custom Setup
 Monitor your Hybrid Identity
Making Hybrid Identity Simple? - Today
[Diagram: "Identity as the control plane". On-premises Windows Server Active Directory is linked by a simple connection to Microsoft Azure Active Directory, which provides self-service and single sign-on (username/password) to cloud resources: SaaS, Azure, Office 365, public cloud and other directories.]
Going beyond on-premises
IDC predicts that 70 percent of organizations will embrace a
cloud-first strategy by 2016, getting there on their own pace
over a number of years, with many living in a hybrid
environment for quite some time. That flexibility— living in both
worlds—even with a cloud-first strategy, is nonnegotiable.1
1 Source: IDC CIO Agenda Webinar, 2013.
Making hybrid identity simple!
Azure Active Directory Connect: consolidated deployment assistant for your identity bridge components
Which tools are supported?
 DirSync – supported, available in Office 365 portal
 There is no announcement of deprecation yet.
 Once that announcement occurs, at least 1 year of support remains.
 Azure AD Sync – supported.
 Guide new deployments to Azure AD Connect.
 Azure AD Connect is GA – available in Azure AD Portal. New deployments should use this!
Upgrade from DirSync & Azure AD Sync
 DirSync (<50k objects)
 In-place migration of all supported custom configurations.
 Will not migrate unsupported configurations (such as removed attribute flows).
 DirSync (>50k objects)
 Side-by-side deployment. Export DirSync configuration and import it in Azure AD Connect.
 On the DirSync box, the wizard prompts you to export a config file.
 On the new box, at a command prompt run AzureADConnect.exe /migrate and specify the config file.
 Once full import and full sync complete, uninstall DirSync on the old box; on the new box run the wizard a second time to turn off staging mode.
 Azure AD Sync
 In-place upgrade.
Making Hybrid Identity Simple
Azure AD Connect with Express Settings
 Use one tool instead of many
 Get up and running quickly (4 clicks)
 Start here, then scale up or add options
 Custom options to address more complex scenarios
Demo
Express Setup
More topologies, more scenarios
Custom settings allow more advanced options
 Multi forest topologies
 Use a full SQL Server edition for sync
 Deploy a pilot using just a few users in a group
 Don’t start sync right away (‘staging mode’)
 Sign on using federation
 Azure AD Premium features (write back passwords, users, groups, and devices from the cloud)
 Sync custom directory attributes to the cloud
Make sure you do this first
 For all scenarios (Express Settings or Custom)
 Office 365 or Azure AD subscription – free trial is OK
 For custom Azure AD domains, configure your public DNS records
 AD users have UPNs whose suffix matches a verified Azure AD domain (run IDFix to find the objects that need fixing)
 Just for AD FS
 SSL certificate is trusted on all AD FS and WAP hosts. Use a certificate whose key pair was generated by a legacy Cryptographic Service Provider (CSP); certificates with a CNG (Key Storage Provider) private key are not supported by the wizard.
 Enable WinRM on all remote targets (the wizard configures the AD FS and WAP servers remotely)
 Federation service name resolves
 For write-back scenarios
 AAD Premium, prepare Active Directory
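The prerequisites above can be checked before the wizard is started. The script below is an added example, not part of the deck or of Azure AD Connect itself: it runs from a domain-joined admin host with the RSAT ActiveDirectory module, the DnsClient module and certutil, and the verified domain list, federation service name, remote host names and certificate thumbprint are placeholders you replace with your own values.

```powershell
# Added example (not from the deck): pre-flight checks before running the Azure AD Connect wizard
# with the AD FS option. Run on a domain-joined admin host with RSAT (ActiveDirectory module),
# the DnsClient module and certutil. The domain, host names and thumbprint below are placeholders.
param(
    [string[]]$VerifiedDomains = @('contoso.com'),                   # domains verified in the tenant (assumption)
    [string]  $FederationServiceName = 'sts.contoso.com',            # assumption
    [string[]]$RemoteTargets = @('adfs01.corp.contoso.com', 'wap01.corp.contoso.com'),  # assumption
    [string]  $CertThumbprint = 'PASTE-THUMBPRINT-HERE'              # SSL cert in LocalMachine\My
)

Import-Module ActiveDirectory

# 1. UPN check (what IDFix flags): each enabled user needs a UPN whose suffix is a verified domain.
$badUpn = @(Get-ADUser -Filter { Enabled -eq $true } -Properties userPrincipalName |
    Where-Object {
        -not $_.userPrincipalName -or
        ($VerifiedDomains -notcontains ($_.userPrincipalName -split '@')[-1])
    })
"Users with a missing or non-routable UPN suffix: $($badUpn.Count)"
$badUpn | Select-Object SamAccountName, userPrincipalName | Format-Table -AutoSize

# 2. The AD FS SSL certificate must have a legacy CSP key; a CNG key shows a "Key Storage Provider".
$providerLine = (certutil -store My $CertThumbprint | Select-String 'Provider\s*=').Line
if (-not $providerLine) {
    Write-Warning "Certificate $CertThumbprint not found in LocalMachine\My or has no private key"
} elseif ($providerLine -match 'Key Storage Provider') {
    Write-Warning "CNG key ($($providerLine.Trim())); re-request the certificate with a legacy CSP"
} else {
    "Certificate key provider OK: $($providerLine.Trim())"
}

# 3. WinRM must answer on every AD FS and WAP host the wizard is going to configure remotely.
foreach ($h in $RemoteTargets) {
    try   { Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null; "WinRM OK: $h" }
    catch { Write-Warning "WinRM not reachable on ${h}: $($_.Exception.Message)" }
}

# 4. The federation service name must resolve (split DNS: farm address inside, WAP address outside).
try {
    $addrs = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
    "$FederationServiceName resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$FederationServiceName does not resolve: $($_.Exception.Message)"
}
```

Run the DNS check twice, once from the corporate network and once from outside, since a split-brain setup is expected to return different addresses; the certificate check only inspects the local store, so repeat it on every AD FS and WAP host.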
Choosing Password Sync or AD FS for Sign On
 Choose Password sync for the most common deployment needs
 Federation with AD FS is an option for customers that have more unique needs, for example when:
• You already have AD FS or a 3rd party federation provider
• Security policy prohibits password hashes being sync’d to the cloud
• You require desktop SSO from domain joined machines on the corporate network
• You require some specific capabilities AD FS has
1. on-premises multi-factor authentication or smart card support for sign on
2. soft account lockout or AD work hours policy
3. conditional access for both on-premises and cloud resources
Sign-in – password sync
 Synchronizes a hash of the password hash: the NT (MD4) hash is salted per user and run through PBKDF2-HMAC-SHA256 (1,000 iterations) before it is sent; the NT hash itself is never transmitted
 The actual password never leaves on-premises and is not known by Azure AD
 When enabled, on-premises password policies apply
 Password complexity policy applies, because passwords are still set and validated against on-premises AD
 Password expiration policy: note that accounts in scope of password sync get a cloud password that is set to never expire, so a user whose on-premises password has expired can keep signing in to cloud services until the password is actually changed on-premises
 Protects the password against pass-the-hash attacks: the value stored in Azure AD is not the NT hash and cannot be replayed against on-premises AD
 Cannot be used to access any on-premises resources
 Can be used as a backup for federation
 If password hashes are present in Azure AD, allows for a quick fail-over
Common multi-forest topologies
Separate forests
Each object in every forest will be represented in Azure
AD.
Forests with GALSync
Users and Contacts should join on mail attribute and be
represented only once.
Account-Resource forests
One or many Account forests with enabled accounts
and one Resource forest with disabled accounts. Joined
on objectSID and msExchMasterAccountSID
Filter users and devices based on group
 Intended to make it easy to pilot and evaluate Azure AD and Office 365
 The "In from AD" rules for User, Group, and Contact set cloudFiltered to TRUE if the object is NOT in the group
 When you add/remove users from the group, they are added/removed in Azure AD
 Only objects which are direct members of the group will be present in Azure AD (nested group members are not expanded)
 Remove the filter when ready to ‘go live’
 2nd pass wizard option under Customize Synchronization Options
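Because the filter only honours direct membership, the usual surprise in a pilot is a user who sits in a nested group and never shows up in Azure AD. The script below is an added example, not from the deck: it compares direct and recursive membership of the pilot group with the RSAT ActiveDirectory module and lists the objects that will stay cloudFiltered. The group name is a placeholder.

```powershell
# Added example (not from the deck): find pilot-group members the group filter will NOT sync.
# The wizard's group filter only looks at direct membership, so objects reachable only through
# nested groups are marked cloudFiltered=TRUE. Requires the RSAT ActiveDirectory module; the
# group name is a placeholder.
param([string]$PilotGroup = 'AAD-Pilot')   # assumption

Import-Module ActiveDirectory

function Get-PilotFilterGaps {
    param([Parameter(Mandatory)][string]$GroupName)

    # Direct members as the filter sees them; nested groups are listed but not expanded.
    $direct        = @(Get-ADGroupMember -Identity $GroupName)
    $directLeafDns = @($direct | Where-Object { $_.objectClass -ne 'group' } | ForEach-Object distinguishedName)
    $nestedGroups  = @($direct | Where-Object { $_.objectClass -eq 'group' })

    # Full (recursive) membership, i.e. what an admin probably expects to be in the pilot.
    # Note: ADWS caps Get-ADGroupMember at 5000 results by default (MaxGroupOrMemberEntries).
    $allLeaf = @(Get-ADGroupMember -Identity $GroupName -Recursive)

    # Leaf objects reachable only through a nested group: these stay cloudFiltered.
    $missed = @($allLeaf | Where-Object { $directLeafDns -notcontains $_.distinguishedName })

    [pscustomobject]@{
        Group          = $GroupName
        DirectMembers  = $directLeafDns.Count
        NestedGroups   = $nestedGroups.Count
        RecursiveTotal = $allLeaf.Count
        NotSynced      = $missed
    }
}

$result = Get-PilotFilterGaps -GroupName $PilotGroup
$result | Select-Object Group, DirectMembers, NestedGroups, RecursiveTotal | Format-List
if ($result.NotSynced.Count -gt 0) {
    Write-Warning "$($result.NotSynced.Count) objects are only nested members and will not be synced:"
    $result.NotSynced | Select-Object objectClass, SamAccountName, distinguishedName | Format-Table -AutoSize
    # Fix: add them directly to $PilotGroup (or flatten the pilot group), then run a delta sync.
}
```

Run it again after changing membership; an object moves from filtered to synced only after the next delta sync has imported the group change.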
Optional Features – Write-back
 Password write-back
 Change and set password in Azure AD and have the password policy verified with on-premises Windows Server Active Directory.
 User write-back
 A user created in Azure AD is created in on-premises AD.
 Group write-back
 “Groups in Office 365” will be written back to your on-premises Exchange forest (you need Exchange 2013 CU8 or later)
 These groups are mastered in Azure AD
 Does not support security groups or distribution groups
 Device write-back
 Requires Windows Server 2012 R2 AD schema; create the configuration object and container
Optional Features – Directory Extensions
 Bring your own AD attributes to Azure AD
 Attributes defined on users and groups
 Single-valued attributes only
 Integer, LargeInteger, DateTime, Binary, Boolean, String
 Limit of 100 extension values written to a single object
 Limit of 256 characters per string extension value
 Limit of 256 bytes per binary extension value
Staging mode
 An active sync server which imports and synchronizes but does not export to either directory
 Password sync and password write-back are also held back while in staging mode
 Moving from one server (e.g. DirSync) to another
 Warm stand-by for rapid disaster recovery
 Also used for FIM+Azure AD Connector to Azure AD Connect migration
 What a staging server would export can be reviewed before switching it to active: csexport.exe (with /f:x) and CSExportAnalyzer.exe in the sync engine's Bin folder dump the pending exports
Second Pass – Run the wizard a 2nd time
 Change sync options
 Remove group filter
 Enable/disable staging mode
 Enable/disable write-backs
 Add additional domains and forests
 Forests for sync
 Domains for federation
Demo
Custom Setup: Enable Federation
Common questions
 Multiple Azure AD Connect to same tenant
 Sync: not supported - use the same Azure AD Connect instance for multiple (untrusted) forests.
 AD FS: deploy separate farms for untrusted forests, supported
 Same Azure AD Connect to multiple tenants
 Not officially supported for sync – previously there was a ‘side-by-side’ workaround for DirSync
Licensing
 Included in Azure AD/Office 365 license:
 The installation wizard
 Synchronize from on-premises to Azure AD regardless of source directory
 Write-back for Exchange hybrid deployment
 Requires Azure AD Premium:
 Write-back (password, user, group, ….)
 Additional licenses required for:
 SQL Server if needed
Export Deletion Threshold
 Accidental delete prevention
 On by default
 An export run with more than 500 deletes (default) is stopped before anything is deleted in Azure AD
 Can be configured with:
 Enable-ADSyncExportDeletionThreshold
 Disable-ADSyncExportDeletionThreshold
 Configuration stored in Azure AD
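The temptation when the threshold trips is to run Disable-ADSyncExportDeletionThreshold and leave it off. The script below is an added example, not from the deck: for a planned bulk deletion it raises the ceiling just enough for the batch, runs the cycle, waits for the connectors to finish and then restores the default. It assumes the ADSync module's Get-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle and Get-ADSyncConnectorRunStatus cmdlets are present, which arrived in builds later than the one the deck describes; the planned count is a placeholder.

```powershell
# Added example (not from the deck): handle a planned bulk deletion without switching the guard off.
# Run on the Azure AD Connect server. Assumptions: the ADSync module provides
# Get-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle and Get-ADSyncConnectorRunStatus (later builds
# than the deck shows; the deck names only Enable-/Disable-ADSyncExportDeletionThreshold). The Enable/Disable
# cmdlets prompt for Azure AD global admin credentials because the setting lives in the tenant.
param([int]$PlannedDeletes = 1200, [int]$DefaultThreshold = 500)   # placeholder values

Import-Module ADSync

"Current threshold setting:"
Get-ADSyncExportDeletionThreshold

# Raise the ceiling just enough for this batch instead of disabling the check entirely.
# A small margin avoids a stopped export if a few extra deletes are pending.
$ceiling = $PlannedDeletes + 50
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $ceiling

# Run the cycle that carries the deletes; delta is enough once the on-premises change has been imported.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Start-ADSyncSyncCycle returns immediately; wait until no connector run is in progress.
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# Restore the default so the next accidental OU move or filter change is still caught.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DefaultThreshold
"Threshold restored:"
Get-ADSyncExportDeletionThreshold

# Disable-ADSyncExportDeletionThreshold removes the guard altogether; prefer the temporary ceiling above.
```

If the export was already stopped by the threshold, the Synchronization Service Manager shows the run as stopped-deletion-threshold-exceeded; inspect the pending deletes there before raising the ceiling, since that is the moment the guard is doing its job.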
Monitor Your Hybrid Identity!
Azure AD Connect Health
• Monitor ADFS service for reliable
& highly available authentication
• Email notification for critical alerts
• Analyze ADFS logins for usage &
capacity planning based on app,
authentication, network location &
failures
• Perform forensic analysis on top
users with bad passwords
• Troubleshoot with easy access to
critical performance counters
How does it work?
• Download & install agent on all
ADFS/proxy servers
• Health agent runs locally on the server &
collects data and performs configuration
checks
• Includes synthetic transactions
• Health agent pushes data to the health
service
• Requires certain URLs in the Microsoft cloud to be
reachable from the AD FS or proxy servers
• Health service processes data to generate
alerts, trends & reports
• Azure portal provides view to reports
[Diagram: AD FS / AD FS Proxy / WAP servers with the health agent push data to Microsoft Azure AD Connect Health; the Azure portal is where alerts, reports and login trends are viewed.]
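The "top users with bad passwords" report is built from the same failed-authentication events the AD FS servers already write when auditing is on. The script below is an added example, not Connect Health code: it tallies failed password sign-ins per user with their source IPs. It assumes AD FS auditing is enabled so failed token validations land in the Security log as Event ID 411 from the "AD FS Auditing" source, and that the message layout parsed here (Token Type, Client IP and Error message lines) approximates that event; both are assumptions to confirm against your own servers. The sample messages are constructed.

```powershell
# Added example (not Connect Health code): tally the users with the most failed password sign-ins at
# AD FS, the figure Connect Health reports as "top users with bad passwords". Assumptions: AD FS
# auditing is enabled so failed token validations are written to the Security log as Event ID 411 from
# the "AD FS Auditing" source, and the message layout parsed below (Token Type / Client IP /
# Error message lines) approximates that event; treat both as assumptions for your build.
param([int]$Hours = 24, [int]$Top = 10, [switch]$UseSample)

# Constructed sample messages in the approximate shape of Event 411 (not real log data).
$SampleMessages = @(
    "Token validation failed.`r`nToken Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName`r`nClient IP: 198.51.100.7`r`nError message: CONTOSO\jdoe-The user name or password is incorrect",
    "Token validation failed.`r`nToken Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName`r`nClient IP: 203.0.113.9`r`nError message: CONTOSO\jdoe-The user name or password is incorrect",
    "Token validation failed.`r`nToken Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName`r`nClient IP: 198.51.100.7`r`nError message: CONTOSO\asmith-The user name or password is incorrect",
    "Token validation failed.`r`nToken Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName`r`nClient IP: 203.0.113.9`r`nError message: CONTOSO\jdoe-The user name or password is incorrect"
)

function Get-FailedPasswordTally {
    param([string[]]$Messages, [int]$Top = 10)
    $rows = foreach ($m in $Messages) {
        # Only password (UserName token) failures; other 411s are e.g. expired or malformed tokens.
        if ($m -notmatch 'identitymodel/tokens/UserName') { continue }
        $user = if ($m -match 'Error message:\s*([^\r\n-]+)-') { $Matches[1].Trim() } else { '<unparsed>' }
        $ip   = if ($m -match 'Client IP:\s*([0-9A-Fa-f\.:]+)') { $Matches[1] } else { '<none>' }
        [pscustomobject]@{ User = $user; ClientIP = $ip }
    }
    $rows | Group-Object User | Sort-Object Count -Descending | Select-Object -First $Top | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Failures  = $_.Count
            SourceIPs = (($_.Group | ForEach-Object ClientIP | Sort-Object -Unique) -join ', ')
        }
    }
}

$messages = if ($UseSample) { $SampleMessages } else {
    Get-WinEvent -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 411
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object Message
}

# Many distinct source IPs for one user in a short window points at spraying or lockout attempts
# rather than one forgotten password. A user name containing a hyphen needs a tighter regex.
Get-FailedPasswordTally -Messages $messages -Top $Top | Format-Table -AutoSize
```

With -UseSample the tally shows CONTOSO\jdoe with 3 failures from two addresses and CONTOSO\asmith with 1; on a real farm run it on every AD FS server (or against a forwarded Security log), because each node only sees the requests the load balancer sent it.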
Demo
Azure AD Connect Health
Session Objectives And Takeaways
 Session Objective(s):
 Understand the default configurations the wizard creates
 Understand what can be done with the wizard and what requires additional config
 Azure AD Connect is the (sync+authn) tool going forward for connecting on-premises directories to Azure AD / O365
Q & A Time...
Next Session 14:30 – 15:30:
"Azure Automation – Introduction
Jakob Gottlieb Svendsen"
Thanks To All Our Sponsors
We Need Your Feedback
 SCU Europe session planner planning.systemcenteruniverse.ch
 SCU Europe WP app
 Watch out for a survey invitation after the conference
