
What is Azure AD Connect and Federation? PDF

395 Pages·2017·11.67 MB·English

Preview What is Azure AD Connect and Federation?

Table of Contents

Overview
  What is Azure AD Connect?
  What is Azure AD Connect Sync?
    Users and contacts
    Architecture
    Declarative Provisioning
    Default configuration
  What is Azure AD Connect and Federation?
Get started
  Prerequisites
  Install Azure AD Connect
    Express settings
    Custom settings
  Upgrade from DirSync
  Upgrade from a previous version
  Install using an existing ADSync database
How to
  Plan and design
    Design concepts
    Topologies for Azure AD Connect
    Active Directory Federation Services in Azure
    Special considerations for instances
    When you already have Azure AD
  Manage Azure AD Connect
    Renew certs for O365 and Azure AD
    Update the SSL certificate for an Active Directory Federation Services (AD FS) farm
    Enable device writeback
    User sign-on options
    Multiple domain support for federating
    Automatic upgrade
    Use a SAML 2.0 Identity Provider (IdP) for Single Sign On
  Manage Azure AD Connect Sync
    Prevent accidental deletes
    Password synchronization
    Azure AD service account
    Installation wizard
    Change the default configuration
    Configure Filtering
    Scheduler
    Directory extensions
    Changing the Azure AD Sync service account password
    Changing the AD DS account password
    Enable AD recycle bin
    Synchronization Service Manager
  Manage Federation Services
    Manage and customize
    Federate multiple instances of Azure AD with single instance of AD FS
  Troubleshoot
    Connectivity
    Errors during synchronization
    Object is not synchronized
    Password synchronization
    LargeObject error caused by userCertificate
    How to recover from LocalDB 10-GB limit
Reference
  Code samples
  Identity synchronization and duplicate attribute resiliency
  Hybrid Identity Required Ports and Protocols
  Features in preview
  Version History
  Accounts and permissions
  Azure AD Connect Sync
    Attributes synchronized to Azure Active Directory
    Connector Version Release History
    Functions Reference
    Operational tasks and consideration
  Azure AD federation compatibility list
  Technical Concepts
  Service features
Related
  Monitor your on-premises identity infrastructure and synchronization services in the cloud
  Hybrid Identity Design Guide
Resources
  Azure Roadmap
  Azure AD Connect FAQ
  DirSync Deprecation
  Pricing calculator

Integrate your on-premises directories with Azure Active Directory
1/3/2018 • 7 min to read

Azure AD Connect integrates your on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD. This topic guides you through the planning, deployment, and operation steps. It is a collection of links to the topics related to this area.

IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync, as these tools are now deprecated and are no longer supported as of April 13, 2017.

Why use Azure AD Connect
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations can take advantage of the following:
- Users can use a single identity to access on-premises applications and cloud services such as Office 365.
- A single tool provides an easy deployment experience for synchronization and sign-in.
- Provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison.

How Azure AD Connect works
Azure Active Directory Connect is made up of three primary components: the synchronization services, the optional Active Directory Federation Services component, and the monitoring component named Azure AD Connect Health.
- Synchronization - This component is responsible for creating users, groups, and other objects. It is also responsible for making sure the identity information for your on-premises users and groups matches the cloud.
- AD FS - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. This can be used by organizations to address complex deployments, such as domain-join SSO, enforcement of AD sign-in policy, and smart card or 3rd party MFA.
- Health Monitoring - Azure AD Connect Health can provide robust monitoring and a central location in the Azure portal to view this activity. For additional information, see Azure Active Directory Connect Health.

Install Azure AD Connect
You can find the download for Azure AD Connect on Microsoft Download Center.

Solution | Scenario
Before you start - Hardware and prerequisites | Steps to complete before you start to install Azure AD Connect.
Express settings | If you have a single-forest AD, this is the recommended option to use. Users sign in with the same password using password synchronization.
Customized settings | Used when you have multiple forests. Supports many on-premises topologies. Customize your sign-in option, such as AD FS for federation, or use a 3rd party identity provider. Customize synchronization features, such as filtering and writeback.
Upgrade from DirSync | Used when you have an existing DirSync server already running.
Upgrade from Azure AD Sync or Azure AD Connect | There are several different methods depending on your preference.

After installation you should verify it is working as expected and assign licenses to the users.
Next steps to install Azure AD Connect

Topic | Link
Download Azure AD Connect | Download Azure AD Connect
Install using Express settings | Express installation of Azure AD Connect
Install using Customized settings | Custom installation of Azure AD Connect
Upgrade from DirSync | Upgrade from Azure AD sync tool (DirSync)
After installation | Verify the installation and assign licenses

Learn more about installing Azure AD Connect
You also want to prepare for operational concerns. You might want to have a stand-by server so you can easily fail over if there is a disaster. If you plan to make frequent configuration changes, you should plan for a staging mode server.

Topic | Link
Supported topologies | Topologies for Azure AD Connect
Design concepts | Azure AD Connect design concepts
Accounts used for installation | More about Azure AD Connect credentials and permissions
Operational planning | Azure AD Connect sync: Operational tasks and considerations
User sign-in options | Azure AD Connect User sign-in options

Configure sync features
Azure AD Connect comes with several features that you can optionally turn on or that are enabled by default. Some features might require more configuration in certain scenarios and topologies.
- Filtering is used when you want to limit which objects are synchronized to Azure AD. By default all users, contacts, groups, and Windows 10 computers are synchronized. You can change the filtering based on domains, OUs, or attributes.
- Password synchronization synchronizes the password hash in Active Directory to Azure AD. The end user can use the same password on-premises and in the cloud but only manage it in one location. Since it uses your on-premises Active Directory as the authority, you can also use your own password policy.
- Password writeback allows your users to change and reset their passwords in the cloud and have your on-premises password policy applied.
- Device writeback allows a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for conditional access.
- The prevent accidental deletes feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size.
- Automatic upgrade is enabled by default for express settings installations and ensures your Azure AD Connect is always up to date with the latest release.

Next steps to configure sync features

Topic | Link
Configure filtering | Azure AD Connect sync: Configure filtering
Password synchronization | Azure AD Connect sync: Implement password synchronization
Password writeback | Getting started with password management
Device writeback | Enabling device writeback in Azure AD Connect
Prevent accidental deletes | Azure AD Connect sync: Prevent accidental deletes
Automatic upgrade | Azure AD Connect: Automatic upgrade

Customize Azure AD Connect sync
Azure AD Connect sync comes with a default configuration that is intended to work for most customers and topologies. But there are always situations where the default configuration does not work and must be adjusted. It is supported to make changes as documented in this section and the linked topics. If you have not worked with a synchronization topology before, you should start by understanding the basics and the terms used, as described in the technical concepts. Azure AD Connect is the evolution of MIIS2003, ILM2007, and FIM2010. Even if some things are identical, a lot has changed as well.

The default configuration assumes there might be more than one forest in the configuration. In those topologies a user object might be represented as a contact in another forest. The user might also have a linked mailbox in another resource forest. The behavior of the default configuration is described in users and contacts.
The configuration model in sync is called declarative provisioning. The advanced attribute flows use functions to express attribute transformations. You can see and examine the entire configuration using tools that come with Azure AD Connect. If you need to make configuration changes, make sure you follow the best practices so it is easier to adopt new releases.

Next steps to customize Azure AD Connect sync

Topic | Link
All Azure AD Connect sync articles | Azure AD Connect sync
Technical concepts | Azure AD Connect sync: Technical Concepts
Understanding the default configuration | Azure AD Connect sync: Understanding the default configuration
Understanding users and contacts | Azure AD Connect sync: Understanding Users and Contacts
Declarative provisioning | Azure AD Connect Sync: Understanding Declarative Provisioning Expressions
Change the default configuration | Best practices for changing the default configuration

Configure federation features
Azure AD Connect provides several features that simplify federating with Azure AD using AD FS and managing your federation trust. Azure AD Connect supports AD FS on Windows Server 2012 R2 or later.
- Update the SSL certificate of the AD FS farm, even if you are not using Azure AD Connect to manage your federation trust.
- Add an AD FS server to your farm to expand the farm as required.
- Repair the trust with Azure AD in a few simple clicks.
- AD FS can be configured to support multiple domains. For example, you might have multiple top-level domains you need to use for federation.
- If your AD FS server has not been configured to automatically update certificates from Azure AD, or if you use a non-AD FS solution, you will be notified when you have to update certificates.
Next steps to configure federation features

Topic | Link
All AD FS articles | Azure AD Connect and federation
Configure AD FS with subdomains | Multiple Domain Support for Federating with Azure AD
Manage AD FS farm | AD FS management and customization with Azure AD Connect
Manually updating federation certificates | Renewing Federation Certificates for Office 365 and Azure AD

More information and references

Topic | Link
Version history | Version history
Compare DirSync, Azure ADSync, and Azure AD Connect | Directory integration tools comparison
Non-AD FS compatibility list for Azure AD | Azure AD federation compatibility list
Configuring a SAML 2.0 IdP | Using a SAML 2.0 Identity Provider (IdP) for Single Sign On
Attributes synchronized | Attributes synchronized
Monitoring using Azure AD Connect Health | Azure AD Connect Health
Frequently Asked Questions | Azure AD Connect FAQ

Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.

Azure AD Connect sync: Understand and customize synchronization
1/17/2018 • 2 min to read

The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations related to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured. This topic is the home for Azure AD Connect sync (also called the sync engine) and lists links to all other topics related to it. For links to Azure AD Connect, see Integrating your on-premises identities with Azure Active Directory. The sync service consists of two components: the on-premises Azure AD Connect sync component and the service side in Azure AD, called the Azure AD Connect sync service.
Azure AD Connect sync topics

Topic | What it covers and when to read
Azure AD Connect sync fundamentals
Understanding the architecture | For those who are new to the sync engine and want to learn about the architecture and the terms used.
Technical concepts | A short version of the architecture topic that briefly explains the terms used.
Topologies for Azure AD Connect | Describes the different topologies and scenarios the sync engine supports.
Custom configuration
Running the installation wizard again | Explains what options you have available when you run the Azure AD Connect installation wizard again.
Understanding Declarative Provisioning | Describes the configuration model called declarative provisioning.
Understanding Declarative Provisioning Expressions | Describes the syntax for the expression language used in declarative provisioning.
Understanding the default configuration | Describes the out-of-box rules and the default configuration. Also describes how the rules work together for the out-of-box scenarios to work.
Understanding Users and Contacts | Continues on the previous topic and describes how the configuration for users and contacts works together, in particular in a multi-forest environment.
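The "Configure sync features" section above describes three settings an operator should verify on every Azure AD Connect server: the prevent accidental deletes threshold (500 deletes per run by default), automatic upgrade, and the scheduler used by a staging mode server. The following PowerShell is an added example, not code from the book or from Microsoft's documentation. It uses cmdlets from the ADSync module that ships with Azure AD Connect (Get-ADSyncExportDeletionThreshold, Enable-ADSyncExportDeletionThreshold, Get-ADSyncAutoUpgrade, Get-ADSyncScheduler); the function names and the threshold value of 100 are assumptions chosen for illustration.

```powershell
# Added example (not from the book): review and tune the sync safety features
# described above. Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Show-ADSyncSafetySettings {
    # Read-only checks first, so nothing changes until the current state is known.

    # Prevent accidental deletes: the export deletion threshold (500 per run by default).
    # If this is disabled, a bad filtering change can delete every matching cloud object in one run.
    Write-Host "Export deletion threshold:"
    Get-ADSyncExportDeletionThreshold

    # Automatic upgrade state (Enabled, Disabled or Suspended); express installs default to Enabled.
    Write-Host "Automatic upgrade:"
    Get-ADSyncAutoUpgrade

    # Scheduler: whether sync cycles run, the interval, and whether this server is in staging mode.
    # A staging mode server imports and syncs but never exports, which is what makes it safe
    # for testing configuration changes before they reach Azure AD.
    Write-Host "Scheduler:"
    Get-ADSyncScheduler
}

function Set-ADSyncDeletionThresholdForSmallTenant {
    param(
        # 100 is an assumed value for a small directory; pick it from your own object counts
        # so that a legitimate cleanup still fits under it but a runaway delete does not.
        [int]$DeletionThreshold = 100
    )
    # Lowering the threshold makes an unexpected mass delete stop the export run
    # instead of removing hundreds of users and groups from the cloud directory.
    # This cmdlet may prompt for Azure AD administrator credentials.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DeletionThreshold

    # Show the resulting setting so the change is visible in the session transcript.
    Get-ADSyncExportDeletionThreshold
}

# Inspect before changing anything.
Show-ADSyncSafetySettings
```

Run Show-ADSyncSafetySettings as part of routine operational checks and after any filtering or OU change; call Set-ADSyncDeletionThresholdForSmallTenant only once you have decided on a threshold that fits your directory size, and record the chosen value alongside the server's other configuration so a future rebuild restores it.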
