Azure AD Connect – Hybrid Bridge to the Cloud
Does your company have a mix of Cloud and On-premises data and applications? Do they have separate authentication for each one? Azure AD Connect is Microsoft’s tool that will bridge the company’s identity management across your cloud and on-premises environments
Many companies today rely on managing both an on-premises infrastructure while also utilizing the cloud platform for a number of key resources. Solutions such as Microsoft 365 – Microsoft Teams, OneDrive for Business, Exchange Online, and SharePoint Online, have become essential for effective collaboration, not just internally but also amongst geographically dispersed organizations with whom business is done.
However, many organizations still have to maintain an on-premises infrastructure for various reasons, such as running legacy applications, which may not be able to migrate to the cloud environment, or due to security and regulatory compliance policies which may require highly sensitive data to be stored locally.
For most organizations, it is simply not practical to maintain and manage two separate identities. We can only imagine the burden of calls this will generate to the IT team and the negative impact it may have for several, if not all end users. Azure AD Connect is the light at the end of the tunnel that prevents this disaster by outfitting organizations with security and productivity through a unified identity across their cloud and on-premises environments.
What is Azure AD Connect?
Azure AD Connect was designed with hybrid infrastructure environments in mind. This tool automatically synchronizes the organization’s user identity data between its on-premises Active Directory environment and the Azure AD cloud platform, allowing users to utilize the same credentials to access both on-premises applications and cloud services, such as Microsoft 365.
Azure AD Connect is free and is included with your Azure Subscription. It is bundled with several features to support hybrid identities, such as:
- Synchronization Services
- Password Hash Synchronization
- Pass-through Authentication
- Federation Integration
- Health Monitoring (included in the Azure AD Premium P1 Plan)
Onboarding with Azure AD Connect
The Azure AD Connect tool can be installed on any domain-joined Windows Server 2016 and later operating system in the on-premises environment. The most common configuration when getting started with Azure AD Connect is the synchronization services of data between a single on-premises forest, which can contain one or more domains, to a single Azure AD tenant.
By default, the sync is one-way from the on-premises AD to Azure AD. However, depending on your Azure Subscription, you may have additional features available to you, such as the Password Writeback function, which syncs the changes from Azure AD back to the on-premises AD.
As you can see, integrating the on-premises environment with Azure AD allows your users to work more efficiently and effectively by simply providing one common identity for accessing all resources, regardless of being located in the on-premises or cloud environment.
With Azure AD connect organizations, and by extension, its users, can take advantage of the following benefits:
- Allows for a common hybrid identity across on-premises or cloud-based services, leveraging Windows Server Active Directory, and then connecting to Azure Active Directory. Users are able to leverage a common identity through accounts across Azure AD to Office 365, Intune, SaaS apps, and third-party applications
- Administrators can define policies for conditional access based on application resources, device and user identity, network location, and multifactor authentication
- Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications
Wait! How do I merge existing users on Microsoft 365 to on-premises AD you ask?
Since Microsoft 365 has taken off and changed the way we work, there are instances whereby you may require merging your Active Directory user accounts with an existing Microsoft 365 tenant that is already populated with cloud accounts. So, if you have started with an Azure AD tenant, populated it with users and other objects, and now want to use Azure AD Connect to sync and merge with accounts back to your on-premises Active Directory, have no fear as this is possible and we got you covered.
We have provided some scenarios that may lead to organizations requiring this ability:
- Some organizations start with a cloud-only solution using Azure AD, as they may not have had an on-premises AD or may have chosen to keep it separate at that point in time. Eventually, the time will come when these organizations decide to integrate on-premises resources and or build an on-premises AD based on Azure AD data
- Some organizations may have a situation whereby the server that was hosting their on-premises Active Directory crashes, and after rebuilding will require managing all accounts via this new Active Directory server
An object in Azure AD is either managed in the cloud (Azure AD) or by the on-premises AD. A single object cannot have some attributes managed on-premises and other attributes managed in Azure AD. Each object contains a flag indicating where the object is managed. However, you can manage some users on-premises and others in the cloud, which is known as a Hybrid implementation.
If your organization started to manage users in Azure AD and also maintain active accounts in the organizations on-premises AD, Azure AD Connect can merge these accounts seamlessly without any fallout to the user, but there are some additional concerns you need to consider to accomplish this without any major interruptions.
Sync with existing users in Azure AD
When Azure AD Connect is installed the synchronization occurs immediately unless you specify not to synchronize after the configuration. Once the service is fully configured and running the default sync will occur at 30-minute intervals.
The Azure AD sync service checks each new object being synchronized to find an existing object to match. There are three attributes used when syncing between on-premises AD and Azure AD:
- User Principal Name
- Proxy Addresses
A match against User Principal Name and Proxy Addresses is known as a soft match, and this is the first default method used by Azure AD Connect. A match on sourceAnchor is known as a hard match. For the Proxy Addresses attribute, only the value with “SMTP”, that is the primary email address, is used for the evaluation.
Soft Matching using the SMTP address
To create soft matches, which will be adequate in 95% of situations, you will need to first ensure that all the UPN suffixes match between on-premises and cloud-based accounts. What do we mean by this? It means that your users’ sign-in needs to be tied to the domain of your primary email address in both the local AD and Azure AD.
First, when you open the properties of a user account object, the object should have the email address field filled out (the primary SMTP address for the user). Now take a look under the Account tab, and you should see the user logon name followed by a suffix.
The goal is to have this logon name be firstname.lastname@example.org (that is the email address), and not the local domain name email@example.com. Note that you can also bulk-select accounts and make this suffix change on many objects at once using another of Microsoft’s nifty tools, the AD Modify Tool.
Let’s wrap it up
So, after reading how easy Azure AD Connect makes this integration and simplifies the management of your on-premises and cloud identity infrastructure, we hope you are ready to onboard, if you have not done so already.