Category Azure AD Connect Health

In this chapter, you learned how to evaluate passwordless sign-in options for your organization and deploy the ones that best suit your needs. Some passwordless options, such as Windows Hello or FIDO2 keys, may require specialized hardware such as cameras, USB devices, or fingerprint readers, while the Microsoft Authenticator app method requires only the Microsoft Authenticator app on any supported Android or iOS-based device.

You also learned about deploying features such as self-service password reset and Azure AD password protection to further reduce administrative overhead, helping your organization comply with security policies.

In the next chapter, you’ll learn about implementing secure access in the context of Microsoft 365.

Exam Readiness Drill – Chapter Review Questions Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why, working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_Ch05. Or, you can scan the following QR code:

Figure 5.34 – QR code that opens Chapter Review Questions for logged-in users

Once you login, you’ll see a page similar to what is shown in Figure 5.35:

Figure 5.35 – Chapter Review Questions for Chapter 5

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill
For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1
The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2
The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3 The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 5.4 – Sample timing practice drills on the online platform

Note
The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

For most organizations, security defaults are a good choice for configuring broad baseline security policies. Security defaults make the following security changes:

• Requiring all users to register for multifactor authentication
• Requiring administrators to perform multifactor authentication upon sign-in
• Requiring users to do multifactor authentication when necessary
• Blocking basic authentication and other legacy authentication protocols
• Requiring administrators to perform multifactor authentication when accessing privileged resources, such as the Azure portal, Azure PowerShell, or the Azure CLI

Security defaults can be modified by users with the Global Administrator, Conditional Access administrator, or Security administrator roles. Security defaults can be enabled or disabled using the following process:

1. Navigate to the Azure portal (https://portal.azure.com).
2. Select Azure Active Directory.
3. Under Manage, click Properties.
4. Scroll to the bottom of the page and click Manage security defaults.
5. On the Security defaults flyout, select either Enabled or Disabled and click Save.

If you are going to configure Conditional Access policies, you should disable security defaults. If you are not going to configure Conditional Access policies, you should enable security defaults.

Further Reading
For more information on the impact of security defaults, see https://learn. microsoft.com/en-us/azure/active-directory/fundamentals/ concept-fundamentals-security-defaults.

Conditional Access

Conditional Access provides the most fine-grained control when managing the multifactor authentication requirements for your organization. Conditional Access policies can be configured from the Azure portal.

To access the Conditional Access configuration page, follow these steps:

1. Navigate to the Azure portal (https://portal.azure.com).
2. Select Azure Active Directory | Security | Conditional Access, and then choose Policies.

You can create new policies or use one of the Microsoft-provided 14 sample Conditional Access policy templates. Policies created with a template can be modified once they have been deployed to your tenant.

To configure a template-based policy, follow these steps:

1. From the Conditional Access | Policies page, as shown in Figure 5.28, select New policy from template (Preview):

Figure 5.28 – Creating a new Conditional Access policy from a template

2. Select one of the templates, such as Require multifactor authentication for all users, and click Review + create, as shown in Figure 5.29:

Figure 5.29 – Selecting a template

3. Review the settings and click Create.

Policies created through the templates cannot be modified during creation, with the exception of Enforcement mode. All template-based policies are configured in Report only mode, which can be toggled during creation. The user creating the policy is excluded from the policy to prevent accidental lockout.

After the template policies have been configured, you can edit the scope and conditions for the policy like manually created policies.

Further Reading

For more information on Conditional Access templates, see https://learn.microsoft. com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common.

With the exception of Windows Hello, passwordless sign-in methods (such as the Microsoft Authenticator app or FIDO2 security keys) will require users to register for multifactor authentication.

To enable users to sign in with FIDO2 security keys, you need to configure the authentication policy. Configuring the policy requires an account with the Global Administrator or Authentication Administrator role:

1. Navigate to the Azure portal (https://portal.azure.com).
2. Select Azure Active Directory | Security | Authentication methods and then select Policies.
3. Select Microsoft Authenticator.
4. On the Enable and Target tab of the FIDO2 security key settings page, slide the Enable toggle to On. See Figure 5.18:

Figure 5.18 – Enabling Microsoft Authenticator

5. Using the Include and Exclude tabs, specify which users the policy settings will apply to. Select the All users radio button to include all users in the policy or choose the Select groups radio button to specify which groups will be included or excluded.
6. Click Save to update the policy configuration.

The next step is to instruct users to register the security keys.

Registering Devices

Like Microsoft Authenticator-based authentication, FIDO2 authentication requires end users to register the compatible device they wish to use for authentication.

Note
In order to register a FIDO2 security key, the user must already have an Azure AD multifactor authentication method configured. If they do not have one, they must add one (such as Microsoft Authenticator or SMS). If that is not possible, an administrator can issue a Temporary Access Pass (TAP) to allow the user to complete registration. For more information on configuring a TAP, please see https://learn.microsoft.com/en-us/azure/active-directory/ authentication/howto-authentication-temporary-access-pass.

To register a FIDO2 security key, users must follow these steps:

1. Navigate to https://myprofile.microsoft.com or, from the Microsoft 365 portal, expand the profile icon and select View account:

Figure 5.19 – Accessing My account

2. Click Security Info.
3. Select Add method and click Security key.
4. Select either USB device or NFC device.
5. Ensure the key is ready and click Next.
6. In the dialog box, create and enter a PIN for the security key and then perform the required gesture (biometric/touch) to confirm.
7. Enter a Name value for the key and click Next.
8. Click Done.

After the key has been registered, users can sign in to Azure AD, Entra ID, or Microsoft 365 using their security key. At the sign-in page, after entering a username, users can select the Use Windows Hello or a security key option, which will cause the browser to issue a prompt to insert the key, as shown in Figure 5.20:

Figure 5.20 – Sign in with Windows Hello or a security key

Next, you’ll look at configuring a self-service password reset.

Implementing and Managing Self-Service Password Reset

Self-service password reset (SSPR) is a feature that allows users to change or reset passwords without administrator or service desk involvement. Self-service passwords can be configured for Azure AD cloud-only environments as well as enabling SSPR of hybrid identity through the Azure AD Connect Password Writeback feature.

After onboarding identity and configuring multifactor authentication requirements, you can begin deployment.

Exam Note

Full deployment and configuration of these methods are outside the scope of the MS-102 exam, but it would be good to spend a little bit of time reviewing the product documentation for deeper dives into how passwordless authentication works. See https://learn.microsoft. com/en-us/entra/identity/authentication/concept-authentication-passwordless for further information.

Let’s go through an overview of the configurations necessary to enable passwordless authentication methods.

Choosing an Authentication Mechanism

Everyone is familiar with using an identity and a corresponding password to log in to a device, service, application, or website—whether it’s a bank website, Facebook, Xbox Live, or even just a local computer. While Microsoft 365 supports traditional username and password authentication mechanisms, there are newer methods that provide fewer opportunities for malicious users to compromise identities, applications, and devices.

Microsoft has long advocated for using multifactor authentication as part of the logon process to help secure identities—that is, using some sort of supplementary logon tool (such as a token, authenticator app, phone call, or text message) to confirm the logon process. The weakest link in this chain is the password—and interfaces unable to leverage the multifactor authentication process are more susceptible to bad actors.

With Microsoft’s newest passwordless technologies, users get the advantage of multifactor authentication (something you have, something you know, or something you are) without the frustration of remembering complex passwords. Microsoft supports several different approaches to passwordless logon, including Windows Hello for Business (WHFB), the Microsoft Authenticator app, and Fast Identity Online 2 (FIDO2)-compatible security keys or tokens.

Microsoft passwordless options are based on apublic key infrastructure (PKI) design, comprising a private key (managed and stored by the user’s device) and a public key saved in Azure AD. The keys are linked and only work with each other. When an entity (be it a user or device) establishes a public/ private key pair, the public key can be broadly distributed to all other entities that the owner of the key pair wishes to communicate with.

Each key has two purposes:

• The public key is used to encrypt data. Only the corresponding private key can decrypt it.

• The private key is used to sign data. Only the corresponding public key can authenticate or verify the signature, offering proof that a particular private key produced it.

For example, let’s say you establish a public/private key pair and you wish to conduct secure email communication. You distribute the public key to everyone you will communicate with. You might even add it to your email signature, post it on a blog, or store it in a directory where others can look it up.

The following examples demonstrate possible uses for public key cryptography in the context of email:

• You’re sending out an important product announcement update on behalf of your organization and you want people to be certain it’s authentic. You sign the email with your private key. Recipients who already have your public key (or who can retrieve it from your website or a directory) can use the public key to check the signature on your email. Since only your private key matches that well-known public key, recipients can be assured that your private key was used to sign the content.

• You’re in the process of acquiring financing for a new business venture. The lender has prepared documents for you to review. Since they contain sensitive financial information, the lender wants to make sure that only you can open them. They encrypt the content with your public key and email you the documents. Since only your private key is able to decrypt the content, both entities can be assured that the content will be unreadable to anyone else.

Those types of scenarios are very analogous to what happens when using PKI-based sign-on methods such as Windows Hello—but instead of signing and encrypting email, it’s used for authentication data.

In this section, you’ll explore a little bit about each of these mechanisms to help you decide which is appropriate for your organization.

In this chapter, you learned how to deploy identity synchronization and authentication solutions. You learned how to configure filtering for both Azure AD Connect and Azure AD Connect Cloud Sync, as well as deploying and managing the health agents for diagnostic and troubleshooting.

The next chapter will discuss methods to manage authentication.

Exam Readiness Drill – Chapter Review Questions

Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why, working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to thestart of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_CH04. Or, you can scan the following QR code:

Figure 4.35 – QR code that opens Chapter Review Questions for logged-in users

Once you login, you’ll see a page similar to what is shown in Figure 4.36:

Figure 4.36 – Chapter Review Questions for Chapter 4

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 4.4 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Microsoft’s recommended solution for passwordless authentication is Windows Hello for Business (WHFB). It’s designed for users that have their own dedicated PC. When logging on, the user presents a biometric or PIN code to unlock the device.

WHFB supports a variety of biometric logons, including facial recognition and fingerprint scanners. Devices configured to use Windows Hello (such as the one shown in Figure 5.1) can be recognized because they have the Windows Hello smiley face greeting at the top:

Figure 5.1 – Windows Hello for Business sign-on screen

After configuring Windows Hello, the sign-in flow follows this sequence, as depicted in Figure 5.2:

Figure 5.2 – Windows Hello authentication sequence

1. The user signs in with either a biometric or PIN (if the configured biometric input can’t be accessed), which unlocks the WHFB private key. The key is then passed to the Cloud Authentication security support provider, also known as the Cloud AP, part of the on-device security package.

2. The Cloud AP requests a nonce (single-use random number) from Azure AD.

3. Azure AD sends the nonce to the Cloud AP on the endpoint.

4. The Cloud AP signs the nonce with the user’s private key and returns the signed nonce to Azure AD.

5. Azure AD decrypts and validates the signed nonce with the user’s public key. After it’s validated, Azure AD issues a primary refresh token (PRT) with the session key, encrypts it using the device’s public transport key, and sends that to the Cloud AP.

6. The Cloud AP decrypts the PRT/session key using the device’s transport private key and then uses the Trusted Platform Module (TPM) to store the session key.

7. The Cloud AP returns a success response to Windows, allowing the user to log in to complete.

WHFB is available to be deployed as a cloud-only or hybrid identity solution and can be used for both Windows logon as well as logon to Microsoft 365 services. Windows Hello-based authentication is tied to a unique device, meaning you have to set it up individually for each device that you will be using.

Microsoft Authenticator App

Many administrators and users are already familiar with the Microsoft Authenticator mobile device app, after using it for multifactor authentication. The Authenticator app can also be used as a passwordless sign-in option. When used as a passwordless option, Microsoft Authenticator can use number-matching, where the sign-in screen displays a number that the user enters and confirms with their PIN or biometric data. See Figure 5.3:

Figure 5.3 – Passwordless authentication dialog with Microsoft Authenticator

The data flow using the Authenticator app follows the same general pattern as Windows Hello, as shown in Figure 5.4:

Figure 5.4 – Microsoft Authenticator authentication sequence

1.The user enters their username on the device.

2. Azure AD detects that the user is configured for passwordless authentication.

3. Azure AD sends a notification to the Authenticator app on the user’s configured Apple or Android device.

4. The user launches the Authenticator app.

5. The Authenticator app connects to Azure AD and receives the proof-of-presence challenge and the nonce.

6. The user completes the challenge on their mobile device and then confirms their identity with biometric data or a PIN, unlocking the private key.

7. The private key is used to sign the nonce and the Authenticator app returns the data to Azure AD.

8. Azure AD decrypts the data with the user’s public key, performs validation, and then returns the sign-in token to the original device where the logon was started.

Whereas WHFB has specific hardware requirements (such as a Windows Hello-compatible camera or fingerprint reader), passwordless using Microsoft Authenticator has a very low barrier to entry. The Authenticator app is free for iOS and Android devices and works not only with Microsoft 365 services but also any service that supports a soft-token app or device.

Further Reading

In addition to the traditional Microsoft Authenticator application, Microsoft has also released Authenticator Lite as part of Outlook. For more information, see https://learn. microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite.

Another customization option available involves mapping attribute values between on-premises and cloud objects. As with Azure AD Connect, you can configure how cloud attributes are populated—whether it’s from a source attribute, a constant value, or some sort of expression.

Azure AD Connect sync comes with a default attribute mapping flow, as shown in Figure 4.33:

Figure 4.33 – Azure AD Connect Cloud Sync attribute mappings

You can select an existing attribute to modify or create a new attribute flow. One of the basic configuration features for most attributes is to configure a Default value (if the on-premises value is blank), allowing you to make certain that cloud attributes are populated with values.

In Figure 4.34, the Country attribute has been selected and updated with the default value US. This ensures that in the event a user’s on-premises country attribute is blank, the corresponding cloud attribute will be populated with a valid entry.

Figure 4.34 – Edit attribute mappings in Azure AD Connect Cloud Sync

Azure AD Connect Cloud Sync also features an expression builder, allowing you to create your own custom attribute flows.

Unlike Azure AD Connect, however, attribute mappings and expressions cannot be used to merge attributes from different domains or forests, nor does Azure AD Connect Cloud Sync support synchronization rules or attribute flow precedence. If you require that level of customization, you should deploy Azure AD Connect instead.

Once you have finished customizing the scoping filters and attribute flows, you can return to the Overview page and enable synchronization by selecting Review and enable.

Troubleshooting Azure AD Connect Cloud Sync Synchronization

Just as Azure AD Connect may experience issues with synchronizing identity, Azure AD Connect Cloud Sync can as well. Successful synchronization depends on several factors:

• Agent functionality: Is the agent installed and functioning normally?

• Network communications: Can the agent reach all of the required endpoints and resolve DNS for Azure AD services?

• Service account issues: Does the service account have the appropriate rights to the on-premises objects?

When troubleshooting the Azure AD Connect Cloud Sync service, you should start with the Windows Event Viewer to determine whether there are any errors related to the service, such as invalid credentials or missing privileges.

While Microsoft generally recommends bypassing proxy and content filtering services for Microsoft 365 endpoints, your organization may still choose to deploy them. In the event that the server for the Azure AD Connect Cloud Sync agent is located behind a proxy server or appliance, it may become necessary to modify the service configuration file with the proxy’s information.

The Azure AD Connect Cloud Sync provisioning agent utilizes a configuration file stored in

C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\ AADConnectProvisioningAgent.exe.config. To add proxy configuration information, edit this file, and before the closing </configuration> tag, enter the following data (replacing

[proxy-server] and [proxy-port]) with the proxy server or appliance address and network port:

<system.net><defaultProxyenabled=”true”useDefaultCredentials=”true”><proxyusesystemdefault=”true”proxyaddress=”http://[proxy-server]:[proxy-port]”bypassonlocal=”true”/></defaultProxy></system.net>

If you need to perform deeper troubleshooting for the agent, you can install the AADCloudSyncTools PowerShell module. The AADCloudSyncTools module has a number of functions in it for configuringand gathering verbose logging data, configuring the sync schedule, and repairing the service account. For more information on the functions supported by the cmdlet, see https://learn.microsoft.com/ en-us/azure/active-directory/hybrid/cloud-sync/reference-powershell.

You can browse the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16:

Figure 4.16 – Azure Active Directory Connect Health

While Azure AD Connect Health Agent for Sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:

• Azure AD Connect Health Agent for DS: https://go.microsoft.com/fwlink/?LinkID=820540

• Azure AD Connect Health Agent for AD FS: https://go.microsoft.com/fwlink/?LinkID=518973

If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.

Azure AD Connect Health for Sync

The core health product, Azure AD Connect Health for Sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.

You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) in the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth), as shown in Figure 4.17:

Figure 4.17 – Azure AD Connect Health Sync errors

Selecting an error type will allow you to drill down into individual errors. Figure 4.18 shows an example where Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details

You can use this information to identify and troubleshoot on-premises objects.

Azure AD Connect Health for Directory Services

Microsoft recommends deploying Azure AD Connect Health for DS agents on all domain controllers you want to monitor, or at least one for each domain.

The Azure AD Connect Health agent deployment is relatively straightforward, asking only for credentials to complete the installation. Once the installation is complete, you can review details about your domain controller’s health in the Azure AD Connect Health portal at https://aka. ms/aadconnecthealth.

From the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view its details:

Figure 4.19 – Azure AD Connect Health AD DS services

The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations. See Figure 4.20:

Figure 4.20 – Azure AD Connect Health for DS detail page

Errors that are detected here should be resolved in your on-premises AD environment.

In order to complete the Azure AD Connect Cloud Sync deployment, you’ll need to set up a new configuration in the Azure portal:

1.Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

2. Select Cloud sync from the navigation menu, and then on the Configurations tab, select New configuration.

3. On the New cloud sync configuration page, select which domains you would like to synchronize to Azure AD. If desired, select the Enable password hash sync checkbox. The password hash sync checkbox on this page only enables the feature—it does not configure password hash sync as a sign-in method. See Figure 4.30.

Exam Tip

Azure AD Connect Cloud Sync does not support using password hash sync for

InetOrgPerson objects.

Figure 4.30 – Creating a new Azure AD Connect Cloud Sync configuration

4. Scroll to the bottom of the page and click Create to complete the basic configuration.

The Azure AD Connect Cloud Sync configuration has been completed but it is not yet enabled and ready to start provisioning users. In the next series of steps, you can customize the service before fully enabling it.

Customizing the Provisioning Service

Like the on-premises Azure AD Connect service, Azure AD Connect Cloud Sync features the ability to perform scoping (including or excluding objects from synchronization) as well as attribute mapping.

After creating a new configuration, you should be redirected to the properties of the configuration, as shown in Figure 4.31:

Figure 4.31 – Provisioning agent overview page

From this page, you can set up the scoping filters and attribute mappings for customizing your environment. By default, Azure AD Connect Cloud Sync will include all objects in the connected forest and domains for synchronization.

Scoping Filters

By selecting Scoping filters under Manage, you can configure which objects should be synchronized to Azure AD. You can specify a list of security groups or select organizational units, but not both. See Figure 4.32:

Figure 4.32 – Azure AD Connect Cloud Sync scoping filters

There are a few important caveats when using scoping filters with Azure AD Connect Cloud Sync:

• When using group-based scoping, nested objects beyond the first level will not be included in the scope

• You can only include 59 separate OUs or security groups as scoping filters

It’s also important to note that using security groups to perform scoping is only recommended for piloting scenarios.

Azure AD Connect has a long history, originally starting as DirSync to support the deployment of Microsoft Business Productivity Online Suite (BPOS) in 2007.

If you are familiar with Microsoft Identity Manager(MIM), you’ll notice a lot of similarities shared with the current Azure AD Connect platform. Azure AD Connect (rebranded as Microsoft Entra Connect) allows you to connect to multiple directory sources and provision those objects to Azure Active Directory.

Planning and Sizing

Depending on your organization’s requirements for onboarding to Microsoft 365, as well as additional features or services that are included with your subscription, you may want (or need) to enable or configure additional Azure AD Connect features.

Table 4.2 illustrates the features that can be enabled through an Azure AD Connect setup:

Feature	Description
Device writeback	Synchronizes Azure AD-joined devices back to on-premises
	Active Directory
Directory extensions	Enables the synchronization of additional on-premises attributes
Federation	Enables authentication federation with Microsoft  AD Federation
	Services (FS) or PingFederate
Hybrid Azure AD join	Enables on-premises domain-joined devices to be synchronized
	and automatically joined to Azure AD
Password hash synchronization	Enables the hash of an on-premises password to be synchronized
	to Azure AD; can be used for authentication, a backup option for
	authentication, or leaked credential detection
Pass-through authentication	Authentication method where passwords are validated on-premises
	through the Azure AD Connect service’s connection to Azure
	Service Bus
Unified group writeback	Enables cloud-based Microsoft 365 groups to be written back to
	on-premises Active Directory

Table 4.2 – Azure AD Connect features

There are several additional features available post-installation for Azure AD Connect, such as managing duplicate attribute resiliency and user principal name soft-matching, both of which are used to manage how Azure AD handles conflicts and connecting cloud accounts to on-premises accounts.

Further Reading

More detailed information about Azure AD Connect’s optional features, such as duplicate attribute resiliency, is available here: https://learn.microsoft.com/en-us/azure/ active-directory/hybrid/how-to-connect-syncservice-features.

Installing the Synchronization Service

The first step to deploying Azure AD Connect is gathering the requirements of your environment. These requirements can impact the prerequisites for deployment (such as additional memory or a standalone SQL Server environment). As part of the planning process, you’ll also want to identify which sign-in method will be employed (password hash synchronization, pass-through authentication, or federation).

Exam Tip

To perform the express installation, you’ll need Enterprise Administrator credentials to the on-premises Active Directory forest so that the installer can create a service account and delegate the correct permissions. You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD, which Azure AD Connect will use to create a cloud sync service account.

With that information in hand, it’s time to start deploying Azure AD Connect:

1. On the server where Azure AD Connect will be deployed, download the latest version of the Azure AD Connect setup files (https://aka.ms/aad-connect) and launch the installer.

2. Agree to the installation terms and select Continue. See Figure 4.4:

Figure 4.4 – Azure AD Connect welcome page

3. Review the Express Settings page, as shown in Figure 4.5. You can choose Customize if you want to configure Azure AD Connect to use pass-through or federated authentication methods, group-based filtering, or a custom SQL Server installation. While the sign-in methods and other features can be changed after installation, it is not possible to enable group-based filtering or change the SQL Server location after setup.

Figure 4.5 – Azure AD Connect Express Settings page

Installation Notes

If you have other domains in your Active Directory forest, they must all be reachable from the Azure AD Connect server or installation will fail. You can perform a custom installation to specify which domains to include in synchronization.

4. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role in Azure AD. Click Next.

5. On the Connect to AD DS page, enter Enterprise Administrator credentials and click Next.

6. Verify the configuration settings. By default, the Exchange hybrid scenario is not enabled. If you have an on-premises Exchange environment that you will be migrating to Microsoft 365, select the Exchange hybrid deployment option to include the Exchange-specific attributes. If you want to perform additional configuration tasks prior to synchronizing users, clear the Start the synchronization process when configuration completes. checkbox.

Figure 4.6 – Azure AD Connect Ready to configure page

7. Click Install.

8. Review the Configuration complete page, as shown in Figure 4.7, and click Exit:

Figure 4.7 – Azure AD Connect Configuration complete page

If you selected the Start the synchronization process when configuration completes checkbox, you can review the Azure AD portal to verify that users have been synchronized.