Azure AD Connect

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Entra ID. The wizard deploys and configures prerequisites and components required for the connection, including synchronization scheduling and authentication methods. [1] Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools are no longer being released individually, and all future improvements will be included in updates to Azure AD Connect. [2] [3]


Azure AD Connect synchronizes objects from on-premises Active Directory to the Azure AD tenant that backs a Microsoft 365 subscription. [4] Supported on-premises objects include user accounts, groups and their memberships, and, when password hash synchronization is enabled, password hashes. [5] The primary flow is one-way: a change to an object on-premises updates the corresponding object in Azure AD on the next synchronization cycle, and on-premises Active Directory remains the source of authority for synchronized attributes. Selected writeback features (for example password writeback, device writeback and group writeback) add a limited reverse flow, so that specific changes made in Azure AD/Microsoft 365 are written to the corresponding on-premises object. [6]

Azure AD Connect became generally available (GA) on 24 June 2015 [7] and, at the time of writing, is at version 2.1.16.0. [8] On 31 August 2022 all 1.x versions of Azure AD Connect were retired, and versions 2.0.3.0 through 2.0.91.0 are scheduled for retirement on 15 March 2023.

The current release offers the following high-level options: [9]

Dirsync Upgrade

Organizations with an existing Dirsync deployment can upgrade in place (for directories with fewer than 50,000 objects) or otherwise migrate their Dirsync settings to a new Azure AD Connect installation.

Express Settings

Express Settings is the default option. It deploys synchronization with password hash synchronization for a single-forest, single-domain on-premises Active Directory, which allows users to authenticate and be authorized to resources in Azure/Microsoft 365 with their Active Directory passwords. Because password hash synchronization reads password hashes from the domain controllers, the AD DS connector account that Express Settings creates is granted the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain; the Azure AD Connect server and that account should therefore be protected to the same standard as a domain controller.

Custom Settings

With custom settings, the administrator can connect one or more Active Directory domains and forests and choose between password hash synchronization, pass-through authentication, and Active Directory Federation Services (AD FS) as the sign-in method. Custom settings also expose optional features such as password writeback and Exchange hybrid deployment.

Key Features

Password Writeback: When password writeback is enabled, a password changed or reset in Azure AD/Microsoft 365 (for example through self-service password reset) is written back to the corresponding on-premises user in near real time, independently of the synchronization cycle. [10]

Writeback (limited bidirectional synchronization): Writeback features allow specific object changes made in the cloud to be applied to the corresponding on-premises object. Without writeback, synchronization is strictly one-way: attribute changes to synchronized objects, such as display name or proxyAddresses, cannot be made in Azure AD/Microsoft 365 and must instead be made on-premises, after which they flow to the cloud on the next cycle.

Simplifying Identity Management: Without Azure AD Connect, on-premises user accounts and groups are separate objects from those in Azure AD/Microsoft 365, even if the cloud objects were configured identically. By synchronizing objects from on-premises to the cloud, Azure AD Connect lets administrators maintain fewer separate identities. Combined with single sign-on, for example through Azure enterprise applications, identities can be centralized further. [11]

What it does

When an administrator installs and runs the Azure AD Connect wizard, it performs the following steps:

  1. Installs prerequisites such as the .NET Framework, the Azure Active Directory PowerShell module, and the Microsoft Online Services Sign-In Assistant
  2. Installs and configures the sync component (formerly AAD Sync) for one or more Active Directory forests, and enables directory synchronization in the Azure AD tenant
  3. Configures the chosen sign-in method: password hash synchronization, pass-through authentication, or AD FS with Web Application Proxy, including any required configuration in Azure

Use with PowerShell

Synchronization behavior is controlled on the sync server with the ADSync PowerShell module, which is installed alongside Azure AD Connect. The separate AzureAD module [12] manages the tenant side (users, groups and applications in Azure AD) but does not control the sync engine. To begin working with the sync cmdlets, import the ADSync module in an elevated session on the Azure AD Connect server:

Import-Module ADSync

To manually run a synchronization cycle with the current configuration (the cmdlet fails if a cycle is already in progress):

# Specify Delta to synchronize only objects that have changed since the most recent synchronization
Start-ADSyncSyncCycle -PolicyType Delta
# Specify Initial to re-import and synchronize all objects
Start-ADSyncSyncCycle -PolicyType Initial

To retrieve the current synchronization scheduler settings:

# Display synchronization scheduler configuration settings
Get-ADSyncScheduler
<#
AllowedSyncCycleInterval            : hh:mm:ss
CurrentlyEffectiveSyncCycleInterval : hh:mm:ss
CustomizedSyncCycleInterval         : hh:mm:ss
NextSyncCyclePolicyType             : Delta/Initial
NextSyncCycleStartTimeInUTC         : MM/DD/YYYY hh:mm:ss AM/PM
PurgeRunHistoryInterval             : DD:hh:mm:ss
SyncCycleEnabled                    : True/False
MaintenanceEnabled                  : True/False
StagingModeEnabled                  : True/False
SchedulerSuspended                  : True/False
#>

To change scheduler settings, pass the setting name as a parameter; supported parameters include SyncCycleEnabled, CustomizedSyncCycleInterval (which cannot be shorter than AllowedSyncCycleInterval), NextSyncCyclePolicyType, PurgeRunHistoryInterval, MaintenanceEnabled and SchedulerSuspended:

# General form; for example, pause scheduled cycles with: Set-ADSyncScheduler -SyncCycleEnabled $false
Set-ADSyncScheduler -<Setting> <Value>
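The script below is an added example and is not code from this page or from Microsoft. It ties together the points made under Key Features (password hash synchronization, writeback) and in this section (scheduler state, manual sync cycles) into one read-only audit a practitioner would run on the sync server before touching the configuration, with an optional delta sync at the end that is refused while another cycle is running. It uses only cmdlets from the ADSync module; the function name Get-AADConnectAudit is the example's own, and the ConnectivityParameters names "forest-login-user" and "forest-login-domain" read from Get-ADSyncConnector are assumed to match current releases.

```powershell
# Added example (not from the original page or from Microsoft): read-only health and
# security audit of an Azure AD Connect server. Run in an elevated PowerShell session
# on the sync server itself. Assumptions: the AD connector exposes its service account
# through ConnectivityParameters named "forest-login-user" / "forest-login-domain".
Import-Module ADSync -ErrorAction Stop

function Get-AADConnectAudit {
    [CmdletBinding()]
    param(
        # Trigger a delta sync at the end, but only if no cycle is already running.
        [switch]$RunDelta,
        # Also query the export deletion threshold (stored in the tenant; the cmdlet
        # may prompt for Azure AD administrator credentials, so it is opt-in).
        [switch]$IncludeDeletionThreshold
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Scheduler state. A staging-mode server imports but never exports, so a
    #    change made here will not reach Azure AD until the server is made active.
    $sched = Get-ADSyncScheduler
    if ($sched.StagingModeEnabled) {
        $findings.Add('Server is in staging mode: exports to Azure AD are disabled here.')
    }
    if (-not $sched.SyncCycleEnabled -or $sched.SchedulerSuspended) {
        $findings.Add('Scheduler is disabled or suspended: synchronization is not running automatically.')
    }

    # 2. Is a cycle in progress right now? Get-ADSyncConnectorRunStatus returns one
    #    object per running connector and nothing at all when the engine is idle.
    $running = @(Get-ADSyncConnectorRunStatus)
    $syncInProgress = $running.Count -gt 0

    # 3. Tenant features. With password hash sync on, the AD DS connector account
    #    holds directory replication rights, so it and this server are Tier 0 assets.
    $features = Get-ADSyncAADCompanyFeature
    if ($features.PasswordHashSync) {
        $findings.Add('Password hash sync enabled: the AD DS connector account holds Replicating Directory Changes (All); protect it like a domain controller.')
    }
    foreach ($wb in 'UserWriteback', 'DeviceWriteback', 'UnifiedGroupWriteback', 'GroupWritebackV2') {
        if ($features.$wb) { $findings.Add("Writeback feature enabled: $wb (cloud changes are written to on-premises AD).") }
    }

    # 4. Enumerate the on-premises AD connector accounts so they can be reviewed
    #    against the approved list of accounts allowed to hold replication rights.
    $connectorAccounts = foreach ($c in (Get-ADSyncConnector | Where-Object ConnectorTypeName -eq 'AD')) {
        $params = @{}
        foreach ($p in $c.ConnectivityParameters) { $params[$p.Name] = $p.Value }
        [pscustomobject]@{
            Connector = $c.Name
            Account   = '{0}\{1}' -f $params['forest-login-domain'], $params['forest-login-user']
        }
    }

    # 5. Export deletion threshold: the guard that stops a bulk delete on-premises
    #    (for example an OU accidentally filtered out) from propagating to the cloud.
    $threshold = $null
    if ($IncludeDeletionThreshold) {
        $threshold = Get-ADSyncExportDeletionThreshold
        if (-not $threshold.DeletionThresholdEnabled) {
            $findings.Add('Export deletion threshold disabled: an accidental bulk delete on-premises would propagate to Azure AD unchecked.')
        }
    }

    $result = [pscustomobject]@{
        StagingMode       = [bool]$sched.StagingModeEnabled
        SchedulerEnabled  = [bool]$sched.SyncCycleEnabled -and -not $sched.SchedulerSuspended
        EffectiveInterval = $sched.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc      = $sched.NextSyncCycleStartTimeInUTC
        SyncInProgress    = $syncInProgress
        PasswordHashSync  = [bool]$features.PasswordHashSync
        ConnectorAccounts = $connectorAccounts
        DeletionThreshold = $threshold
        Findings          = $findings
        DeltaSyncResult   = $null
    }

    # 6. Optional delta sync, skipped rather than letting Start-ADSyncSyncCycle fail
    #    because another cycle holds the engine.
    if ($RunDelta) {
        if ($syncInProgress) {
            $findings.Add('Delta sync skipped: a sync cycle is already in progress.')
        } else {
            $result.DeltaSyncResult = (Start-ADSyncSyncCycle -PolicyType Delta).Result
        }
    }
    return $result
}

# Usage: review the findings first, then decide whether to kick off a cycle.
# $audit = Get-AADConnectAudit -RunDelta
# $audit.Findings; $audit.ConnectorAccounts | Format-Table
```

The audit is deliberately read-only apart from the opt-in delta cycle: every Set-ADSyncScheduler or Start-ADSyncSyncCycle call on a production sync server is a change to what reaches the tenant, and on a staging-mode server it changes nothing visible, which is exactly the kind of surprise the StagingMode and SyncInProgress fields are there to surface before anyone runs the write commands from this section.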


References

  1. Mary Jo Foley, article on Azure AD Connect, ZDNet, 15 December 2014
  2. Active Directory Team Blog, article on Azure AD Connect Preview, Microsoft, 15 December 2014
  3. Windows IT Pro, article on Azure AD Connect Preview, Microsoft, 15 December 2014
  4. "What is Azure Active Directory?". Microsoft Ignite. 14 September 2022. Retrieved 2022-09-28.
  5. "How synchronization works in Azure AD Domain Services". Microsoft Ignite. 23 August 2022. Retrieved 2022-09-28.
  6. "Azure AD Connect sync: Understand and customize synchronization". Microsoft Ignite. 21 September 2022. Retrieved 2022-09-28.
  7. Active Directory Team Blog, article on Azure AD Connect GA, Microsoft, 24 June 2015
  8. "Azure AD Connect: Version release history". Microsoft Ignite. 19 September 2022. Retrieved 2022-09-28.
  9. Microsoft Azure documentation on Azure AD Connect, Microsoft, 6 August 2015
  10. "Enable Azure Active Directory password writeback". Microsoft Ignite. 9 September 2022. Retrieved 2022-09-28.
  11. "What is application management?". Microsoft Ignite. 20 September 2022. Retrieved 2022-09-28.
  12. "AzureAD Module". Microsoft Ignite. Retrieved 2022-09-28.