MS-500 Microsoft 365 Security Administration-Securing Microsoft 365 Hybrid Environments Part 3

  1. Performing cleanup to prepare for Azure AD Connect

Okay? So as we move closer to being able to connect our on-premises Active Directory to Azure AD, there are some things you need to understand. First off, Active Directory allows certain things that Azure AD does not allow. And if you’re going to synchronize user information, group information out to the cloud so that you can do seamless SSO, you’ve got to fix some things. You’ve got to make sure things are clean. So what I’m going to show you how to do now is a cleanup on Active Directory to fix issues, okay? First we’ve got to cause some problems. All right? So I’m going to go to Tools, Active Directory Users and Computers. We’ll pull that up, we’ll zoom in on that. And I’m going to create a couple of users.

Here’s what we’re going to do. We’re going to create a couple of users whose user names have spaces in them, okay? Now a space is an invalid character. You’ll notice, like Jane Doe here has a space, but that’s not in her username. If you click on Jane Doe right here, you’ll notice that with Jane Doe, there’s no space there. We’re going to create a couple of users that do have a space. We’re going to put them in the Atlanta OU. So we’re going to create a user. I’m going to call this user Jimmy Smith. Maybe this is John Smith’s brother. Okay. So his username is going to be Jimmy Smith. And notice I put a space there; that’s not allowed in Azure AD.

They will not allow that. If you tried to synchronize Azure AD with an account like this, it would just not synchronize that user. So we’re going to cause a problem. We’re going to create that user here, just give it a password, okay? And then notice it was able to create it. If I click on the Account tab, you’ll notice that that tab will show that that user has a space in his name. You’ll notice my directory is moving a little slow. This virtual machine doesn’t have a ton of memory, so it goes a little bit slow. But here it is right here. If I click on the Account tab, you’ll see the space is there. Okay, so we’ve now got a user that would be a problem. It’s not going to stop all syncing in Azure AD, but it would stop this one user from synchronizing. I’m now going to go and download a tool that’s going to scan Active Directory for these problems. Now granted, this is just one user.

He’s easy enough to fix. But imagine if you had tens of thousands of users and there were all sorts of problems, maybe invalid characters and things like that, that Active Directory has allowed over the years and Azure AD is not going to allow. So Microsoft created a little tool that can help us. So here I am on Google. The tool is called the IdFix tool. So I’m going to search for download IdFix. Okay. And then here it is right here. Actually, that’s just an article. This is the download page. We’re going to click the download page right here, and that’s going to bring us to this tool where we can actually download it, and we’ll copy it across to that domain controller. Okay, so here it is. I’m going to click Download. All right.

It’s going to give me the option to download the tool. It’s going to pop up, and then I’m going to save the tool. So we’ll say Save As. All right. And we’re going to save it over to our domain controller, \\NYC-DC1\c$. We’re just going to save it right there on the C drive. Okay. And now it has officially downloaded. We’re going to jump over to the domain controller now. All right? We’re going to open up File Explorer. We’ll go to our C drive. And there is the tool right there in a little zip file. We’re going to copy the exe file that’s inside the zip file. Let me zoom in for you. Copy that over to our desktop. So now the IdFix tool is on our desktop, and we can run that tool by double clicking on it.

It’s going to give you a little message here about Microsoft’s privacy statement. That’s fine. We’ll click OK to that. And this is what the tool looks like. It’s very basic. Okay, very basic. Zooming in on it. I’m going to tell it to do a query. It’s going to query Active Directory and look for problems. And look there, Jimmy Smith, that user I just created, has got a problem. He’s got an invalid character. So what I can do is I can go to Action and I can say Edit. And that’s going to allow us to edit that user and fix it. So we’re going to apply that change. Are you sure? Yes, it’s complete. And then I’m going to accept the change. Click Yes. And of course, guys, again, if I had tens of thousands of users, you’d see a lot more users here.

You can kind of go one at a time and just verify that it isn’t going to break anything big. Right? Okay, so that’s been fixed. Now I’m going to close out of the tool, and we’ll go back into Active Directory Users and Computers. There’s Jimmy Smith. Notice that he still has his space in his display name. That’s not a problem. The display name is not a problem. It’s the account name that’s the problem. So let’s go to Account and look at that. It fixed it. Okay. So this IdFix tool, it’s a very handy tool. It can definitely help clean things up for you in Active Directory and try to iron out any wrinkles before you start to do an Azure AD Connect.
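To show what the IdFix query is actually checking against Jimmy Smith’s account, here is an added Python scanner (not from the course and not IdFix’s own code) that runs the same kind of checks over a few constructed user records: it validates userPrincipalName and sAMAccountName against the character and length rules Microsoft documents for directory synchronization, reproduced here from memory, and proposes the cleaned value the way the Edit action does. The domain name in the samples is made up for the example.

```python
"""Added example (not from the course or from IdFix): apply IdFix-style checks
to a list of AD user records and report what Azure AD Connect would reject."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Character and length rules as I recall them from Microsoft's documentation
# for IdFix / directory synchronization. This is an assumption: confirm the
# lists against the current docs before relying on them.
UPN_BAD = re.compile(r"[^A-Za-z0-9'._!#^~\-]")   # anything outside the allowed set
UPN_MAX, UPN_PREFIX_MAX, UPN_SUFFIX_MAX = 113, 64, 48
SAM_INVALID = set('[]\\"|,/:<>+=;?*')
SAM_MAX = 20


@dataclass
class Finding:
    account: str     # sAMAccountName, so the object can be located in ADUC
    attribute: str   # attribute that failed
    error: str       # IdFix-style class: "character", "length" or "format"
    value: str       # value as found in the directory
    suggested: str   # value the Edit action would propose


def check_upn(account: str, upn: str) -> list[Finding]:
    """Validate a userPrincipalName (the 'User logon name' on the Account tab)."""
    findings: list[Finding] = []
    if upn.count("@") != 1:
        return [Finding(account, "userPrincipalName", "format", upn, upn)]
    prefix, suffix = upn.split("@")
    if not prefix or not suffix:
        return [Finding(account, "userPrincipalName", "format", upn, upn)]
    cleaned = f"{UPN_BAD.sub('', prefix)}@{UPN_BAD.sub('', suffix)}"
    if cleaned != upn:
        # A space, as in "Jimmy Smith", lands here: it is not an allowed character.
        findings.append(Finding(account, "userPrincipalName", "character", upn, cleaned))
    elif prefix.endswith("."):
        findings.append(Finding(account, "userPrincipalName", "format", upn,
                                f"{prefix.rstrip('.')}@{suffix}"))
    if len(upn) > UPN_MAX or len(prefix) > UPN_PREFIX_MAX or len(suffix) > UPN_SUFFIX_MAX:
        findings.append(Finding(account, "userPrincipalName", "length", upn,
                                f"{prefix[:UPN_PREFIX_MAX]}@{suffix}"))
    return findings


def check_sam(account: str) -> list[Finding]:
    """Validate a sAMAccountName (the 'pre-Windows 2000' logon name)."""
    findings: list[Finding] = []
    if any(c in SAM_INVALID for c in account):
        cleaned = "".join(c for c in account if c not in SAM_INVALID)
        findings.append(Finding(account, "sAMAccountName", "character", account, cleaned))
    if len(account) > SAM_MAX:
        findings.append(Finding(account, "sAMAccountName", "length", account, account[:SAM_MAX]))
    return findings


def scan(users: list[dict[str, str]]) -> list[Finding]:
    """Run both checks over {sAMAccountName, userPrincipalName} records."""
    findings: list[Finding] = []
    for user in users:
        findings += check_sam(user["sAMAccountName"])
        findings += check_upn(user["sAMAccountName"], user["userPrincipalName"])
    return findings


# Constructed sample records; the domain name is made up for this example.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"},
    {"sAMAccountName": "Jimmy Smith", "userPrincipalName": "Jimmy Smith@example.com"},
    {"sAMAccountName": "o'brien", "userPrincipalName": "o'brien@example.com"},
    {"sAMAccountName": "svc:backup", "userPrincipalName": "svc.backup.@example.com"},
    {"sAMAccountName": "a" * 24, "userPrincipalName": "a" * 70 + "@example.com"},
    {"sAMAccountName": "mueller", "userPrincipalName": "müller@example.com"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_USERS):
        print(f"{f.account:<14} {f.attribute:<18} {f.error:<9} {f.value!r} -> {f.suggested!r}")
```

Like IdFix, it only reports and proposes; applying the change is still a separate, reviewed step.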

  2. Setting up a Hybrid environment using Azure AD Connect

So now that we’ve got our custom domain set up and we’ve got Active Directory cleaned up, we are now officially ready to start installing Azure AD Connect and synchronize our on-premises Active Directory with Azure AD. Okay, so here I am on my domain controller right now, and I’m going to open up the Active Directory Users and Computers tool here, okay? Once we take a look at this tool, one thing that I want to look at here is, consider this. Now, it is true that we could synchronize our entire domain. Maybe we’ve got thousands of users or whatever we want to synchronize into the cloud. However, Microsoft recommends that you pilot this first.

Now, when I say Pilot, what I mean is you should move some users into the cloud and make sure everything works okay before you start moving your production over. Okay? So what I’m actually going to do is I’m going to create an organizational unit, and I’m going to call it Pilot. These are going to be the user accounts that are going to get moved into the cloud. Users, groups, whatever. Okay? So I’m going to move some users into that. We’re going to move these users here: Jane Doe, Billy Williams, Alex Rogers and Joe Norman. We’re going to put them in Pilot. We’re going to move them into that Pilot OU. And we’ll have a group here as well. Maybe these are our IT people.

Who better to pilot this than the IT people, right? Because your IT people are the ones that are probably going to have to fix problems if something goes wrong, right? So we’re just going to create a group. We’re going to put these people in the IT group, and then we’ll go from there. Okay, so here we go. We’re adding these users here into the group. All right, those users, I think that’s everybody, okay. And we’ll click OK. All right, so we’ve got our group. Okay. We’ve got our organizational unit. Even though the cloud does not have organizational units (OUs), it’s still going to store attribute information about it. And there’s a way to actually specify information based on OU names, but I’m not going to get into that right now.

The main thing is when I go to install Azure AD Connect, which is going to synchronize my on-prem domain with the cloud, I’m going to need to specify exactly what I want to synchronize. And I don’t want to synchronize the entire domain right now. I’m just going to synchronize these users. Now keep in mind that later down the road, I can always go back and synchronize everybody all at once. Okay? All right, so now what we’re going to do, we’re going to jump right over and take a look at the Windows 10 computer. We’re going to download the tools we need on that Windows 10 computer. I’m not going to do it on this domain controller because the domain controller has a lot of restrictions on it on downloading software.

We’re going to do it on Windows 10. Then we’ll move it onto the domain controller. Okay, so here I am on portal.azure.com. Okay? And I’ve logged on. All right? And I’m going to click on the little menu bar here. We’re going to go to Azure Active Directory. And then I want to zoom in on something for you here. We’re going to zoom in on this, and we’re going to take a look at Azure Active Directory Connect. So we’re going to click that blade, all right. Once we get in there, notice that it says we can download the tool. So right now, synchronization has not been started. We have not begun to synchronize with our on-prem Active Directory. So right now, Azure AD and AD DS don’t know each other.

They have no connection with each other whatsoever. But that’s all going to change once I get this tool installed, okay? So we’re going to click to download the Azure AD Connect tool. Zoom out for a second there. While that’s loading, here’s the tool right here. I’m going to click to download it. It’s going to ask, I say OK, and it’s downloading. All right? So it’s downloading pretty quickly. It’s almost done. And what we’re going to do, we’re going to move that over to that domain controller. We’re going to run Azure AD Connect. Now, keep in mind, you do not have to install Azure AD Connect on a domain controller.

In fact, it is recommended in the real world that you install Azure AD Connect on a dedicated server, okay? If you wanted to install it on the domain controller, you could, but it’s recommended that you install it on a dedicated server. I’m going to put it on my domain controller, though, because I don’t have a bunch of servers at my disposal in this little lab environment that I’ve got. But I’m going to copy this tool. Let me zoom in, and we’re just going to connect over to our domain controller, \\NYC-DC1\c$, and that’s the C drive over there. We’re just going to paste it right onto the C drive so that I can get to it. Okay? So now that it’s over there, we’re going to jump back over to the domain controller, and we will go ahead and start to install it. So here we are. We’re on the domain controller. All right, I’m going to open up File Explorer, and I’ve copied it onto the C drive here.

So there it is. I’m going to go ahead and install that. So we’re going to click Install. All right? It’s installing Azure AD Connect now. All right, we’ll zoom out. Here’s the Azure AD Connect wizard. Okay, so let me zoom in on this. We’re going to go ahead and accept their license agreement here, all right? And I’m going to hit Continue. It’s going to ask me if I would like to do an Express install here. So I could choose to do an Express install and it would just synchronize everything. I don’t want to do an Express install right now, so I’m going to choose Customize and then click Install because that’s going to let me customize some of the settings, okay, which I’ll go through and explain to you here in just a second.

Okay. Going to pause the video for a second while that is synchronizing, because it is going to take a few minutes to download everything that it needs, because it is actually installing some files and synchronizing some things from Microsoft’s website before I can actually get the ball rolling on all this. Okay, so we’re going to pause and we’ll start right back. Okay, so the wizard has gotten done installing here and now we are officially at the section where we’re actually going to connect Azure AD and Active Directory together. Okay, let’s take a look at these options real quick. All right, so there’s a few options we’ve got for synchronizing. We can do what’s called password hash synchronization, where it’s going to synchronize the password hashes, which are the encrypted versions of your password.

And those will go out to the Microsoft cloud. And this is going to help us achieve seamless SSO in that when somebody logs on on-premises, it’s going to synchronize to the cloud. The other cool thing is if somebody’s on the outside and they go to log on to the Microsoft 365 services, they can use the same password as we have on-prem. And the other thing that’s great about password hash synchronization is that if Active Directory on-premises is not accessible at all from somebody on the outside world, they can still get access to all their cloud services. Hash synchronization is the one that Microsoft recommends that everybody use.

Now of course, if you are in a situation where maybe it’s against compliance rules for you guys to synchronize on-premises with the cloud and make it where Microsoft has your password hashes, well then you would need to go with one of these other options, okay? Because this one is going to mean that Microsoft has a copy of your password hashes. And if that’s a compliance problem, then maybe that’s a problem. I actually worked with, I did some work with a hospital in Texas one time, and that was a situation they were in as they were moving into the cloud. For HIPAA compliance and all that, they couldn’t have their passwords synchronized to the cloud.

So there’s a couple of other options. You have pass-through authentication. This is going to install an agent on your server on-premises, your Azure AD Connect server. And what will happen is when people are on the inside trying to go out to the cloud, it’ll do seamless SSO, so they can log on on-premises. It’ll synchronize them. They can immediately start accessing cloud resources: OneDrive, SharePoint Online, Exchange, all that. If they’re on the outside and they’re logging on to their account, and the same account that they have on-prem is the same one they’ve got outside, then what will happen is the Azure AD service will talk to the pass-through authentication (PTA) agent and it will authenticate them on the inside.

The downside to this one is, and you’re going to find this is the same downside with all of these: if you lose connectivity with your on-premises environment, the person that’s on the outside cannot log on. So if you had somebody who’s trying to log on to their Microsoft 365 account from the outside and check email and all that, they wouldn’t be able to if for some reason the on-premises domain was down. And again, that’s going to be the case with all of these. Hash synchronization is the one that’s going to let you still get on even if your on-prem domain is not accessible. Federation Services: this is an older solution. PTA is newer, ADFS is older. You have to set up an Active Directory Federation Services server. And this is going to involve you having to have multiple servers.

The downside of this one is, to be fault tolerant, you’re going to need two on-premises ADFS servers, Active Directory Federation Services servers, and you’re going to have to have what are called proxies in your DMZ. This one’s a lot of setup, but there’s a benefit. This one right here can support third-party multifactor authentication, whereas these others only support Microsoft multifactor authentication. Same rule applies though. If you go this route, you set up these servers on-premises. If somebody on the outside is trying to authenticate to the cloud and the domain is not accessible, they will not be able to authenticate.

They will not be able to log on. PingFederate: we don’t talk about that in this class. This is a third-party solution, basically. In a nutshell, what it is, is PingFederate is a third-party company that Microsoft has a deal with. You can have them host your federated services for you, okay? But this isn’t something we get into, nor is it something you need to worry about test-wise, okay? Or you could just say do not worry about any of this and just move on with the wizard, and you could come back and configure this at a later time. One thing I want to point out is everything I do here, none of this is really set in stone. I can run this wizard again if I want later down the road, okay? So if you don’t like something, if you didn’t choose the right setting, you can always run it again.

You can always change your synchronization options. I’m going to do hash synchronization. I’m also going to do single sign-on because I want it to auto authenticate on-prem with the outside world. Okay, now we’re going to click Next. At this point, it’s going to ask me for my global administrator in Azure AD. So I’m going to put that in. All right. It’s going to also verify that I put in the correct credentials. So you’ll see it checking. Okay, it’s verified. Now it’s going to check everything on-premises and make sure Active Directory on-premises is set up properly and make sure that I have privileges to do this. So I’m going to say Add Directory. It says, okay, you’re going to set up an account that’s going to synchronize on-premises with Azure AD.

Okay, so it’s saying that, hey, I could create my own service account to do this, or I could let the wizard do it. It’s recommended that you let the wizard do it because the wizard is going to make sure that essentially it only has the rights to synchronize. It has no other rights, whereas if I was to do it, I might give out too many privileges by making it an admin. So it’s recommended that you let it create an account. Then you’re going to put in your domain name and then whatever the administrator is that you want to use. Okay, so I’ll put the administrator in here. All right, it’s verifying, and it says, okay, everything looks good. Active Directory is verified. All right, so I’m going to click Next. It’s checking the directory schema, checking to make sure everything’s good.

Now it is going to tell me that, hey, it found that I don’t really own this name, abccorp.com. So it’s just warning me that I cannot assign users to that. If you remember my previous lesson, I showed you about custom domains. That’s fine. I’m not going to use that domain anyway, so I’m going to leave it alone. It’s going to use the user principal name as the username convention, which is the email-address-based name that we talked about earlier. So I’m going to say Continue. Then I’m going to click Next. Now it’s asking if I want to synchronize everything. So I’m going to say no, I don’t want to synchronize everything. I just want to synchronize the pilot.

Remember, those users are just the pilot that’s going to synchronize. Okay. All right. From there, I could choose some other attributes. We don’t get into all those attributes in this course. But I’m going to go ahead and click Next. I’m just taking the defaults on that. And then from there, I can further filter by selecting specific groups, maybe, that I would like to have synchronized. You can nest groups in Active Directory, but notice here that it says nested groups are not supported and will be ignored. So in other words, if you had groups inside of groups, it’s not going to synchronize all that. Right here, I’m just basically saying synchronize everybody that’s in that OU.

Now, if I was to hit Synchronize Selected, then I could specify a group and just say, synchronize the people that are in this one group. This is just a further way to filter. But I don’t want to do that. I’m synchronizing everybody that’s in the Pilot OU. So I’m going to go ahead and hit Next. Okay? At that point, if I was going to do an Exchange hybrid, where I was going to synchronize my Microsoft on-prem Exchange environment with the cloud, I would select to do these two things. I don’t have Exchange on-premises in this environment, so I wouldn’t do that. You can filter Active Directory attributes that you would like to synchronize. I’m going to do password writeback. What that’s going to do is make it where when I change my password in the cloud, it’s going to synchronize back down to on-prem.

On-prem is going to synchronize to the cloud. You can also do group writeback, but that feature is not available at the moment, or device writeback just yet. So there’s a few things that have got to happen before I can set those up. Okay, if I wanted to synchronize some other what are called extension attributes, these are additional attributes. Let’s say that we had a situation where you created some custom attributes like an employee ID number or something that was stored in all of our user accounts, and we wanted that to synchronize as well. We could select this, and we can do some custom attributes. I’m not going to do that in this. I’m just going to click Next. And at that point, it’s checking a few things, and it says, okay, you’re going to enable single sign-on.

You’re going to need a domain account to support single sign-on. In other words, it’s got to have an account that can check authentication with your domain controllers to make sure that when somebody logs on on-premises, it can authenticate to the cloud automatically. So I have to have an account that has the privileges to enable this feature. So I’m going to say, okay, that’s fine. I’m going to enable it by using my own credentials. So examlabpractice\Administrator, and I’m going to put the password in. And there we go. It says, okay, you’ve got the right credentials. In other words, the account that I put in had enough power to turn this feature on on my domain. So I’m going to click Next. It says, okay, it’s checking for the components, making sure everything is in order.

And then once this is done, I’m going to be ready to pull the trigger, and Active Directory is going to start synchronizing. So here we go. And just like that, it’s now officially synchronizing. All right? So I’m going to let that synchronize. And as we get further into this, we’re going to be looking at how we can also check the health of synchronization in our next little lesson. We’re going to look and see and make sure that things actually did synchronize.

  3. Verifying Azure AD Connect Health

Okay, so if you watched the last lesson, you saw me run Azure AD Connect. And I’d like to show you guys now that my user accounts have been synchronized. As you can see, I’m here in portal.azure.com under Azure AD, looking at my users. And there are the users that got synchronized. Notice that under Source, it tells you that some of the users are Windows Server AD and some say Azure AD. So the ones that say Azure AD, those are cloud-only accounts. They’re just out in the cloud. But the ones that say Windows Server AD, obviously those are officially synchronizing between the two environments, the on-prem AD and Azure AD. Okay? Now the next thing I want to show you is a little something called Azure AD Connect Health.

This is a way for you to check your synchronization and make sure that your on-prem environment is synchronizing properly with the outside world. So I’m going to go over here to this little menu bar here, and I’m going to go back over here to Azure AD. And you’ll notice I can go to Azure AD Connect. So I’m going to click that, and I want you to notice that it says the sync status is now enabled. Now, if you remember from my previous lesson, I showed you that this was not turned on by default. We actually had to download the tool and install it, and we did. And notice it’s telling you that password hash synchronization is being used. I’m not using federation right now. Okay? I do have seamless SSO going, but if I scroll down, what I want to show you is this right here, Health and Analytics.

Okay, so let’s click on this. This is Azure AD Connect Health. So right here, first things first. We’ve got Azure AD Connect installed on our server. And when you install that on your server, you’re already monitoring synchronization health. But if you would like a domain controller to report its health information, then you can install the AD DS agent right here on a domain controller. If you are using a federated server, an ADFS server, and you would like it to send its health analytics to the cloud, you can install this guy right here, which is the Azure AD Connect Health agent for ADFS, which is Active Directory Federation Services. Okay, I’m going to jump over now.

We’ll take a look at our sync errors and see if we have any. Hopefully, we don’t. Okay, perfect. This is what you want to see. You don’t want to see any errors. If you did have errors, you could export those and try and troubleshoot. And then here I’ve got Sync Services. This is telling me if I’m healthy or not. And as you can see, sync services are healthy. Okay. Looking down here, if I had ADFS, I could see this. AD DS Services: this is telling me if there are any problems with my Active Directory Domain Services and the health there. You have to install the health agent on a domain controller to get that, though. And then you have to install the health agent on the ADFS server to get the statistics for that. But all in all, as you’ve seen, I’m healthy, which is a good thing.

And of course, you’ve also got Settings here if you want to configure some of the settings. You’ll notice that it says Use Auto Update: automatically update your installed Azure AD Connect Health agent when the latest version comes out. So essentially what will happen is whenever there’s a new version, it’ll update to that new version for you. Okay. I’ve also got a troubleshooter down here where I could try to do some troubleshooting if I was having problems. But all in all, as you can see, Azure AD Connect Health is pretty straightforward. It’s going to try to help you troubleshoot if there were some synchronization problems happening between AD DS on-premises and Azure AD.
