Microsoft 365 Business Technical Fundamentals Series

Presentation transcript:

Welcome back to the Microsoft 365 Business Technical Fundamentals Series.

Hybrid Identity. In this module, we will be discussing hybrid identity. If you are unfamiliar with this term, it means having a traditional on-premises Active Directory account synchronizing into Azure Active Directory. This allows users to use the same credentials to access on-premises resources, such as traditional file and print solutions, and also to seamlessly access cloud-based resources, including those provided by Microsoft 365 Business.

Hybrid Identity Authentication Options Let’s start with an overview of the different authentication options Microsoft provides for hybrid identity, to help you choose the one that is most appropriate for you.

Slide: "I want to provide employees access to every app from any location and any device" (diagram labels: Microsoft Azure Active Directory, Azure AD Connect, Windows Server Active Directory, on-premises / private cloud, 1 identity, thousands of apps, hybrid made easy). As mentioned, the main idea with hybrid identity is to allow users to have a single identity which can be used across a range of business-related services, including almost 3000 integrated SaaS applications. While we tend to talk about on-premises Active Directory, the reality is that you may already be hosting it in a cloud environment, such as running virtual machines with the domain controller role in an Azure network. For the content we will be covering in these slides, the term on-premises Active Directory will be used as the default term for traditional Active Directory.

Azure AD Connect (diagram labels: Windows Server Active Directory, on-premises / private cloud, Azure AD Connect, Microsoft Azure Active Directory, self service, MFA, single sign-on). When we start looking at the different solutions available for enabling hybrid identity, the key component that is required is the centre component: Azure Active Directory Connect. You may be aware of earlier names for this tool; originally it was known as DirSync, and then as AADSync. This is a small download with a wizard-driven installation to help you configure it quickly and easily. It requires Windows Server 2008 Standard edition or higher, and it is not supported on Small Business Server or Windows Server Essentials. While it is normally not best practice in larger organisations, in a smaller environment with a single server that is the domain controller, installing AAD Connect onto a DC is supported. The URL at the bottom of the screen links to further details on the system requirements: docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites

One identity (diagram labels: Microsoft Azure Active Directory, seamless authentication, sync engine, self service, MFA, single sign-on, Azure AD Connect, Windows Server Active Directory, on-premises / private cloud). As mentioned, one of the benefits of hybrid identity is that we can use one identity to access traditional and cloud-based resources, which simplifies the user experience while also helping to improve identity-based security.

Azure AD Connect authentication options: Password Hash synchronization (Part 2 of 4; diagram labels: Microsoft Azure Active Directory, Office 365, SaaS, and LoB apps, Windows Server Active Directory, on-premises / private cloud). The preferred option for most Microsoft 365 Business customers that require hybrid identity is to use the password hash sync capability. We recommend this option because you can probably install AAD Connect onto an existing server or virtual machine. Password hash synchronization is a feature used to synchronize user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. Use this feature to sign in to Azure AD services such as Microsoft 365 Business and the underlying components of the suite. You sign in to the service using the same password you use to sign in to your on-premises Active Directory instance. The Active Directory domain service stores passwords in the form of a hash value representation of the actual user password. A hash value is the result of a one-way mathematical function known as the hashing algorithm. There is no method to revert the result of a one-way function to the plain-text version of a password, and you cannot use a password hash to sign in to your on-premises network. To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service.
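
The following is an added illustration, not code from this presentation or from Azure AD Connect, of the chain the narration describes: the directory stores only a one-way hash, the sync engine sends a further salted and stretched derivation of that hash rather than the hash itself, and the cloud side verifies a sign-in by rebuilding the chain from the typed password. The algorithms and parameters are assumptions chosen for the illustration (SHA-256 as a stand-in for the directory's own hash, PBKDF2-HMAC-SHA256 with a 10-byte per-user salt and 1000 rounds as the "extra security processing"); the `jdoe` account and its password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional


def onprem_hash(password: str) -> bytes:
    """Constructed on-premises directory behaviour: only a one-way hash of the
    password is stored. SHA-256 over the UTF-16LE password is a stand-in for
    the directory's real hash algorithm (assumption for illustration)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def onprem_verify(store: dict, user: str, password: str) -> bool:
    """Domain-controller style check: re-hash the typed password and compare
    in constant time against the stored hash."""
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(stored, onprem_hash(password))


# Parameters of the "extra security processing" are assumptions: a random
# per-user salt plus a key-stretching pass over the stored hash.
SYNC_SALT_LEN = 10
SYNC_ITERATIONS = 1000


def sync_record(stored_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """What the sync engine sends to the cloud: not the stored hash itself but
    a salted, stretched derivation of it, plus the parameters needed to
    recompute that derivation during sign-in."""
    salt = os.urandom(SYNC_SALT_LEN) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", stored_hash, salt, SYNC_ITERATIONS)
    return {"salt": salt, "iterations": SYNC_ITERATIONS, "derived": derived}


def cloud_verify(record: dict, password: str) -> bool:
    """Cloud-side sign-in: rebuild the full chain from the typed password and
    compare in constant time. The cloud never holds the on-premises hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", onprem_hash(password), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["derived"])


def demo() -> dict:
    """Run the chain end to end for one constructed user and report what holds."""
    onprem = {"jdoe": onprem_hash("Correct-Horse-7!")}  # constructed sample user
    record = sync_record(onprem["jdoe"])
    return {
        "cloud_accepts_correct_password": cloud_verify(record, "Correct-Horse-7!"),
        "cloud_rejects_wrong_password": cloud_verify(record, "Correct-Horse-8!"),
        # The synced value is not the on-premises hash ...
        "synced_value_is_not_onprem_hash": record["derived"] != onprem["jdoe"],
        # ... and presenting it as a "password" to the DC does not sign you in.
        "synced_value_signs_in_onprem": onprem_verify(onprem, "jdoe", record["derived"].hex()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points are worth taking from the demo rather than the prose alone: the cloud record carries nothing from which the on-premises hash can be recovered (PBKDF2 is itself one-way), so a compromise of the synced data does not hand an attacker a value that works against the domain controller; and because the salt is per user, two users with the same password produce different synced values, which is the kind of detail a reviewer should confirm in any sync design rather than assume.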

Azure AD Connect authentication options: Pass-through authentication (Part 1 of 4; diagram labels: Microsoft Azure Active Directory, Office 365, SaaS, and LoB apps, pass-through authentication agent, Windows Server Active Directory, on-premises / private cloud). Pass-through authentication does not require the synchronisation of the hashed password details into Azure Active Directory; instead, user authentication against a cloud service is redirected back through AAD Connect to your on-premises domain controllers. You will notice that I said domain controllers, plural. The reason I mention this is that you need a running and responding domain controller to allow the user authentication. This also means that network reliability and congestion can have an impact on the user experience, so you really need to plan for highly available infrastructure to deploy this in a recommended way. It also has a minimum requirement of Windows Server 2012 R2 or later to run Azure AD Connect, and a second server for running another instance of the pass-through authentication agent to help with availability. The reason someone would go down this path is that they may have additional restrictions that require the user to be authenticated against an on-premises domain controller rather than against Azure Active Directory.

Azure AD Connect authentication options: Federation via ADFS (Part 3 of 4; diagram labels: Microsoft Azure Active Directory, Office 365, SaaS, and LoB apps, federation, Windows Server Active Directory, on-premises / private cloud). The final option here is Active Directory Federation Services. This solution requires even more infrastructure, and is not usually recommended for organisations that would be considering Microsoft 365 Business.

Considerations for Microsoft 365 Business customers with an existing Active Directory environment: Password Hash Synchronisation has the lowest footprint; Azure Active Directory (AAD) Connect can be installed on an existing server if requirements are met, including on a Domain Controller if required; AAD Connect can be used for short-term migration needs or longer-term hybrid coexistence; and AAD Connect has recently been updated to assist with enabling hybrid domain join scenarios. To bring some of these points together, the recommendation is to use Password Hash Synchronisation due to its low footprint and ease of deployment. For small customers that may only have a single server that is a domain controller, provided that it is Windows Server 2008 or later, you may be able to install AAD Connect on that server. While larger organisations would generally be using AAD Connect for longer-term integration scenarios, for smaller customers it could be used as a tool to assist with migrations, as it will not just synchronise users but will also synchronise other objects such as security groups and their members. This is important because even a small organisation can have an extensive number of groups in use to control access to resources, and you probably want to leverage them immediately rather than creating them again from scratch. Finally, one of the important updates made recently to AAD Connect is that it now assists with enabling Active Directory joined PCs to register with Azure Active Directory, and we will discuss this in more detail on the next slide.

Hybrid Domain Join: benefit from integrating cloud capabilities with existing investments. Domain Join and Azure Active Directory. Windows Server Active Directory (AD) is the most widely used corporate directory, deployed by over 90% of enterprises in the world. In the last 15+ years, Domain Join has connected millions of computers to Active Directory for secure access to applications and centralized device management via Group Policy. The Integrated Windows Authentication stack (Kerberos/NTLM) gives users single sign-on (SSO) to on-premises applications and resources like file servers and printers. Azure AD lights up new experiences in Windows 10 AD domain-joined devices: SSO from anywhere, including SSO to Azure AD apps from the extranet; enterprise-compliant roaming of user settings across joined devices; access to Windows Store for Business using a work (AAD) account; and Windows Hello for Business for secure and convenient access to work resources. AAD Connect is a fundamental piece to enabling this functionality. It does three things in particular: it creates an object in Active Directory (a Service Connection Point) that enables domain-joined devices to know the Azure AD tenant to which they belong, and it syncs computers in AD to Azure AD as device objects, which enables computers to securely authenticate upon automatic registration with Azure AD. https://cloudblogs.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/ https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

Demonstration: Setting up Azure Active Directory Connect. Let's jump on to a domain controller so we can see some AAD Connect capabilities.

Thank you.