Archives 2022

Attribute Mapping Azure AD Connect Health Microsoft MS-102 Exam On-premises integration

Summary– Implementing and Managing Identity Synchronization with Azure AD

Don Caldwell 0 Comment

In this chapter, you learned how to deploy identity synchronization and authentication solutions. You learned how to configure filtering for both Azure AD Connect and Azure AD Connect Cloud Sync, as well as deploying and managing the health agents for diagnostic and troubleshooting.

The next chapter will discuss methods to manage authentication.

Exam Readiness Drill – Chapter Review Questions

Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why, working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to thestart of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_CH04. Or, you can scan the following QR code:

Figure 4.35 – QR code that opens Chapter Review Questions for logged-in users

Once you login, you’ll see a page similar to what is shown in Figure 4.36:

Figure 4.36 – Chapter Review Questions for Chapter 4

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 4.4 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Attribute Mapping Azure AD Connect Health Configuring Windows Hello Microsoft MS-102 Exam

Windows Hello for Business– Implementing and Managing Authentication

Don Caldwell 0 Comment

Microsoft’s recommended solution for passwordless authentication is Windows Hello for Business (WHFB). It’s designed for users that have their own dedicated PC. When logging on, the user presents a biometric or PIN code to unlock the device.

WHFB supports a variety of biometric logons, including facial recognition and fingerprint scanners. Devices configured to use Windows Hello (such as the one shown in Figure 5.1) can be recognized because they have the Windows Hello smiley face greeting at the top:

Figure 5.1 – Windows Hello for Business sign-on screen

After configuring Windows Hello, the sign-in flow follows this sequence, as depicted in Figure 5.2:

Figure 5.2 – Windows Hello authentication sequence

1. The user signs in with either a biometric or PIN (if the configured biometric input can’t be accessed), which unlocks the WHFB private key. The key is then passed to the Cloud Authentication security support provider, also known as the Cloud AP, part of the on-device security package.

    2. The Cloud AP requests a nonce (single-use random number) from Azure AD.

    3. Azure AD sends the nonce to the Cloud AP on the endpoint.

    4. The Cloud AP signs the nonce with the user’s private key and returns the signed nonce to Azure AD.

    5. Azure AD decrypts and validates the signed nonce with the user’s public key. After it’s validated, Azure AD issues a primary refresh token (PRT) with the session key, encrypts it using the device’s public transport key, and sends that to the Cloud AP.

    6. The Cloud AP decrypts the PRT/session key using the device’s transport private key and then uses the Trusted Platform Module (TPM) to store the session key.

    7. The Cloud AP returns a success response to Windows, allowing the user to log in to complete.

    WHFB is available to be deployed as a cloud-only or hybrid identity solution and can be used for both Windows logon as well as logon to Microsoft 365 services. Windows Hello-based authentication is tied to a unique device, meaning you have to set it up individually for each device that you will be using.

    Microsoft Authenticator App

    Many administrators and users are already familiar with the Microsoft Authenticator mobile device app, after using it for multifactor authentication. The Authenticator app can also be used as a passwordless sign-in option. When used as a passwordless option, Microsoft Authenticator can use number-matching, where the sign-in screen displays a number that the user enters and confirms with their PIN or biometric data. See Figure 5.3:

    Figure 5.3 – Passwordless authentication dialog with Microsoft Authenticator

    The data flow using the Authenticator app follows the same general pattern as Windows Hello, as shown in Figure 5.4:

    Figure 5.4 – Microsoft Authenticator authentication sequence

    1.The user enters their username on the device.

      2. Azure AD detects that the user is configured for passwordless authentication.

      3. Azure AD sends a notification to the Authenticator app on the user’s configured Apple or Android device.

      4. The user launches the Authenticator app.

      5. The Authenticator app connects to Azure AD and receives the proof-of-presence challenge and the nonce.

      6. The user completes the challenge on their mobile device and then confirms their identity with biometric data or a PIN, unlocking the private key.

      7. The private key is used to sign the nonce and the Authenticator app returns the data to Azure AD.

      8. Azure AD decrypts the data with the user’s public key, performs validation, and then returns the sign-in token to the original device where the logon was started.

      Whereas WHFB has specific hardware requirements (such as a Windows Hello-compatible camera or fingerprint reader), passwordless using Microsoft Authenticator has a very low barrier to entry. The Authenticator app is free for iOS and Android devices and works not only with Microsoft 365 services but also any service that supports a soft-token app or device.

      Further Reading

      In addition to the traditional Microsoft Authenticator application, Microsoft has also released Authenticator Lite as part of Outlook. For more information, see https://learn. microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-authenticator-lite.

      Attribute Mapping Azure AD Connect Health Configuring Windows Hello Microsoft MS-102 Exam Microsoft Purview

      Attribute Mapping– Implementing and Managing Identity Synchronization with Azure AD

      Don Caldwell 0 Comment

      Another customization option available involves mapping attribute values between on-premises and cloud objects. As with Azure AD Connect, you can configure how cloud attributes are populated—whether it’s from a source attribute, a constant value, or some sort of expression.

      Azure AD Connect sync comes with a default attribute mapping flow, as shown in Figure 4.33:

      Figure 4.33 – Azure AD Connect Cloud Sync attribute mappings

      You can select an existing attribute to modify or create a new attribute flow. One of the basic configuration features for most attributes is to configure a Default value (if the on-premises value is blank), allowing you to make certain that cloud attributes are populated with values.

      In Figure 4.34, the Country attribute has been selected and updated with the default value US. This ensures that in the event a user’s on-premises country attribute is blank, the corresponding cloud attribute will be populated with a valid entry.

      Figure 4.34 – Edit attribute mappings in Azure AD Connect Cloud Sync

      Azure AD Connect Cloud Sync also features an expression builder, allowing you to create your own custom attribute flows.

      Unlike Azure AD Connect, however, attribute mappings and expressions cannot be used to merge attributes from different domains or forests, nor does Azure AD Connect Cloud Sync support synchronization rules or attribute flow precedence. If you require that level of customization, you should deploy Azure AD Connect instead.

      Once you have finished customizing the scoping filters and attribute flows, you can return to the Overview page and enable synchronization by selecting Review and enable.

      Troubleshooting Azure AD Connect Cloud Sync Synchronization

      Just as Azure AD Connect may experience issues with synchronizing identity, Azure AD Connect Cloud Sync can as well. Successful synchronization depends on several factors:

      • Agent functionality: Is the agent installed and functioning normally?
      • Network communications: Can the agent reach all of the required endpoints and resolve DNS for Azure AD services?
      • Service account issues: Does the service account have the appropriate rights to the on-premises objects?

      When troubleshooting the Azure AD Connect Cloud Sync service, you should start with the Windows Event Viewer to determine whether there are any errors related to the service, such as invalid credentials or missing privileges.

      While Microsoft generally recommends bypassing proxy and content filtering services for Microsoft 365 endpoints, your organization may still choose to deploy them. In the event that the server for the Azure AD Connect Cloud Sync agent is located behind a proxy server or appliance, it may become necessary to modify the service configuration file with the proxy’s information.

      The Azure AD Connect Cloud Sync provisioning agent utilizes a configuration file stored in

      C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\ AADConnectProvisioningAgent.exe.config. To add proxy configuration information, edit this file, and before the closing </configuration> tag, enter the following data (replacing

      [proxy-server] and [proxy-port]) with the proxy server or appliance address and network port:

      <system.net><defaultProxyenabled=”true”useDefaultCredentials=”true”><proxyusesystemdefault=”true”proxyaddress=”http://[proxy-server]:[proxy-port]”bypassonlocal=”true”/></defaultProxy></system.net>

      If you need to perform deeper troubleshooting for the agent, you can install the AADCloudSyncTools PowerShell module. The AADCloudSyncTools module has a number of functions in it for configuringand gathering verbose logging data, configuring the sync schedule, and repairing the service account. For more information on the functions supported by the cmdlet, see https://learn.microsoft.com/ en-us/azure/active-directory/hybrid/cloud-sync/reference-powershell.

      Configuring Windows Hello Microsoft MS-102 Exam Microsoft Purview On-premises integration

      Configuring Azure AD Connect Filters– Implementing and Managing Identity Synchronization with Azure AD

      Don Caldwell 0 Comment

      If you need to exclude objects from Azure AD Connect’s synchronization scope, you can do that through a number of different methods:

      • Domain and organizational unit-based filtering
      • Group-based filtering
      • Attribute-based filtering

      Let’s quickly examine these.

      Domain and Organizational Unit-Based Filtering

      With this method, you can deselect large portions of your directory by modifying the list of domains or organizational units that are selected for synchronization. While there are several ways to do this, the easiest way is through the Azure AD Connect setup and configuration tool:

      1.To launch the Azure AD Connect configuration tool, double-click the Azure AD Connect icon on the desktop of the server where Azure AD Connect is installed. After it launches, click Configure.

        2. On the Additional tasks page, as shown in Figure 4.8, select Customize synchronization options and then click Next.

        Figure 4.8 – Additional tasks page

        3. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role and click Next.

        4. On the Connect your directories page, click Next.

        5. On the Domain and OU filtering page, as shown in Figure 4.9, select the Sync selected domains and OUs radio button and then select or clear objects to include or exclude from synchronization.

        Figure 4.9 – Azure AD Connect Domain and OU filtering page

        6. Click Next.

        7. On the Optional features page, click Next.

        8. On the Ready to configure page, click Configure.

        After synchronization is completed, verify that only objects from in-scope organizational units or domains are present in Azure Active Directory.

        Group-Based Filtering

        Azure AD Connect only supports the configuration of group-based filtering if you choose to customize the Azure AD Connect setup. Group-based filtering is not available if you perform an express installation.

        If you’ve chosen a custom installation, you can choose to limit the synchronization scope to a single group. On the Filter users and devices page of the configuration wizard, select the default radio button, Synchronize all users and devices, to continue without group filtering. You can also choose the Synchronize selected radio button and then enter the name or distinguishedName (DN) of a group that contains the users and devices to be synchronized.

        Figure 4.10 – Filter users and devices page

        With group-based filtering, only direct members of the group are synchronized. Users, groups, contacts, or devices nested inside other groups are not resolved or synchronized.

        Note

        Microsoft recommends group-based filtering for piloting purposes only.

        Azure AD Connect Health Microsoft MS-102 Exam Microsoft Purview On-premises integration

        Azure AD Connect Health– Implementing and Managing Identity Synchronization with Azure AD

        Don Caldwell 0 Comment

        You can browse the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16:

        Figure 4.16 – Azure Active Directory Connect Health

        While Azure AD Connect Health Agent for Sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:

        If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.

        Azure AD Connect Health for Sync

        The core health product, Azure AD Connect Health for Sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.

        You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) in the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth), as shown in Figure 4.17:

        Figure 4.17 – Azure AD Connect Health Sync errors

        Selecting an error type will allow you to drill down into individual errors. Figure 4.18 shows an example where Azure AD Connect Health has detected two objects with the same address:

        Figure 4.18 – Azure AD Connect Health error details

        You can use this information to identify and troubleshoot on-premises objects.

        Azure AD Connect Health for Directory Services

        Microsoft recommends deploying Azure AD Connect Health for DS agents on all domain controllers you want to monitor, or at least one for each domain.

        The Azure AD Connect Health agent deployment is relatively straightforward, asking only for credentials to complete the installation. Once the installation is complete, you can review details about your domain controller’s health in the Azure AD Connect Health portal at https://aka. ms/aadconnecthealth.

        From the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view its details:

        Figure 4.19 – Azure AD Connect Health AD DS services

        The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations. See Figure 4.20:

        Figure 4.20 – Azure AD Connect Health for DS detail page

        Errors that are detected here should be resolved in your on-premises AD environment.

        Attribute Mapping Azure AD Connect Health Configuring Windows Hello Microsoft MS-102 Exam On-premises integration

        Configuring the Provisioning Service– Implementing and Managing Identity Synchronization with Azure AD

        Don Caldwell 0 Comment

        In order to complete the Azure AD Connect Cloud Sync deployment, you’ll need to set up a new configuration in the Azure portal:

        1.Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

          2. Select Cloud sync from the navigation menu, and then on the Configurations tab, select New configuration.

          3. On the New cloud sync configuration page, select which domains you would like to synchronize to Azure AD. If desired, select the Enable password hash sync checkbox. The password hash sync checkbox on this page only enables the feature—it does not configure password hash sync as a sign-in method. See Figure 4.30.

          Exam Tip

          Azure AD Connect Cloud Sync does not support using password hash sync for

          InetOrgPerson objects.

          Figure 4.30 – Creating a new Azure AD Connect Cloud Sync configuration

          4. Scroll to the bottom of the page and click Create to complete the basic configuration.

          The Azure AD Connect Cloud Sync configuration has been completed but it is not yet enabled and ready to start provisioning users. In the next series of steps, you can customize the service before fully enabling it.

          Customizing the Provisioning Service

          Like the on-premises Azure AD Connect service, Azure AD Connect Cloud Sync features the ability to perform scoping (including or excluding objects from synchronization) as well as attribute mapping.

          After creating a new configuration, you should be redirected to the properties of the configuration, as shown in Figure 4.31:

          Figure 4.31 – Provisioning agent overview page

          From this page, you can set up the scoping filters and attribute mappings for customizing your environment. By default, Azure AD Connect Cloud Sync will include all objects in the connected forest and domains for synchronization.

          Scoping Filters

          By selecting Scoping filters under Manage, you can configure which objects should be synchronized to Azure AD. You can specify a list of security groups or select organizational units, but not both. See Figure 4.32:

          Figure 4.32 – Azure AD Connect Cloud Sync scoping filters

          There are a few important caveats when using scoping filters with Azure AD Connect Cloud Sync:

          • When using group-based scoping, nested objects beyond the first level will not be included in the scope
          • You can only include 59 separate OUs or security groups as scoping filters

          It’s also important to note that using security groups to perform scoping is only recommended for piloting scenarios.

          Microsoft MS-102 Exam Microsoft Purview On-premises integration

          Installing the Provisioning Agent– Implementing and Managing Identity Synchronization with Azure AD

          Don Caldwell 0 Comment

          Before you begin the installation, you should make sure that the server where the provisioning agent will be installed can communicate with the various Azure AD services. Table 4.3 highlights ports and URLs that are required for the cloud sync agent to function correctly:

          EndpointPort/ProtocolDescription 
              
          *.msappproxy.net443/HTTPSAzure Application Proxy cloud 
          *.servicebus.windows.net service endpoints 
             
              
          crl3.digicert.com80/HTTPCertificate Revocation List 
          crl4.digicert.com (CRL) endpoints 
             
          ocsp.digicert.com   
          crl.microsoft.com   
          oneocsp.microsoft.com   
          ocsp.msocsp.com   
              
          EndpointPort/ProtocolDescription
             
          login.windows.net443/HTTPSAgent configuration and registration
          secure.aadcdn.  
          microsoftonline-p.com  
          *.microsoftonline.com  
          *.microsoftonline-p.com  
          *.msauth.net  
          *.msauthimages.net  
          *.msecnd.net  
          *.msftauth.net  
          *.msftauthimages.net  
          *.phonefactor.net  
          enterpriseregistration.  
          windows.net  
          management.azure.com  
          policykeyservice.dc.ad.  
          msft.net  
          ctldl.windowsupdate.com  
          www.microsoft.com/pkiops  
             
          ctldl.windowsupdate.com80/HTTPAgent configuration and registration
             

          Table 4.3 – Required endpoints for Azure AD Connect Cloud Sync service

          To begin configuring Azure AD Connect Cloud Sync, follow these steps:

          1.Log on to a server where you wish to install the Azure AD Connect Cloud Sync provisioning agent.

            2. Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

            Figure 4.25 – Azure AD Connect in the Azure portal

            3. From the navigation menu, select Cloud Sync.

            4. Under Monitor, select Agents.

            5. Select Download on-premises agent.

            Figure 4.26 – Download on-premises agent for Azure AD Connect Cloud Sync

            6. On the Azure AD Provisioning Agent flyout, select Accept terms & download to begin the download.

            7. Open the AADConnectProvisioningAgentSetup.exe file to begin the installation.

            8. Agree to the licensing terms and click Install to deploy the Microsoft Azure AD Connect provisioning package.

            9. After the software installation is complete, the configuration wizard will launch. Click Next on the splash page to begin the configuration.

            10. On the Select Extension page, choose the HR-driven provisioning (Workday and SuccessFactors) / Azure AD Connect Cloud Sync radio button and click Next. See Figure 4.27:

              Figure 4.27 – Azure AD Connect Cloud Sync Select Extension page

              11. On the Connect Azure AD page, click Authenticate to sign in to Azure AD.

              12. On the Configure Service Account page, select the Create gMSA radio button to instruct the setup process to provision a new gMSA. Enter either Domain Admin or Enterprise Admin credentials and click Next. See Figure 4.28:

                Figure 4.28 – Configure Azure AD Connect Cloud Sync service account

                13. On the Connect Active Directory page, click Add Directory and provide the domain credentials to add the directory to the configuration. When finished, click Next. See Figure 4.29:

                  Figure 4.29 – Adding a directory to Azure AD Connect Cloud Sync

                  14. Review the details on the Agent configuration page and click Confirm to deploy the provisioning agent. When finished, click Exit.

                    After the agent has been deployed, you will need to continue the configuration in the Azure AD portal.