AZURE AD CONNECT CLOUD SYNC: INTEGRATION WITH ON-PREMISES ACTIVE DIRECTORY
(HYBRID IDENTITY MANAGEMENT)
(Azure Project 9)
Project
An IT services provider, PRAfect Systems Inc., delivers software development solutions. The company currently runs a hybrid model: some legacy applications run on-premises while other workloads run on Azure Cloud.
Numerous applications access a few SaaS services that are part of this hybrid infrastructure, so identity and access management (IAM) plays an essential role in granting access and integrating the two environments.
At present, management is struggling to find a hybrid IAM solution that synchronizes on-premises identities with Microsoft Azure Cloud, and that is where Azure AD Connect cloud sync comes to the rescue.
Solution:
What is Azure AD Connect cloud sync?
Azure Active Directory (Azure AD) is a cloud-based multi-tenant directory and identity service. This reference architecture shows best practices for integrating on-premises Active Directory domains with Azure AD to provide cloud-based identity authentication.
Organizations can use Azure AD if they are "pure cloud", or as a "hybrid" deployment if they have on-premises workloads. A hybrid deployment of Azure AD can be part of a strategy for an organization to migrate its IT assets to the cloud, or to continue to integrate existing on-premises infrastructure alongside new cloud services.
Historically, "hybrid" organizations have seen Azure AD as an extension of their existing on-premises infrastructure. In these deployments, the on-premises identity governance administration, Windows Server Active Directory or other in-house directory systems, are the control points, and users and groups are synced from those systems to a cloud directory such as Azure AD. Once those identities are in the cloud, they can be made available to Microsoft 365, Azure, and other applications.
Azure AD Connect cloud sync is a new offering from Microsoft designed to meet your hybrid identity goals for synchronizing users, groups, and contacts to Azure AD. It does this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. It can also be used alongside Azure AD Connect sync, and it provides the following benefits:
· Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: the common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests.
· Simplified installation with light-weight provisioning agents: the agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.
· Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.
· Support for large groups with up to 50,000 members. It's recommended to use only the OU scoping filter when synchronizing large groups.
Cloud Sync: How it works
Cloud sync is built on top of the Azure AD services and has two key components:
Provisioning agent: The Azure AD Connect cloud provisioning agent is the same agent used for Workday inbound provisioning, and it is built on the same server-side technology as Application Proxy and Pass-through Authentication. It requires only an outbound connection, and agents are auto-updated.
Provisioning service: The same provisioning service used for outbound provisioning and Workday inbound provisioning, which uses a scheduler-based model. In the case of cloud sync, changes are provisioned every 2 minutes.
Ref: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/concept-how-it-works
Synchronization flow
Once you have installed the agent and enabled provisioning, the following flow occurs.
1. Once configured, the Azure AD Provisioning service calls the Azure AD hybrid service to add a request to the Service Bus. The agent constantly maintains an outbound connection to the Service Bus listening for requests and picks up the System for Cross-domain Identity Management (SCIM) request immediately.
2. The agent breaks up the request into separate queries based on object type.
3. AD returns the result to the agent and the agent filters this data before sending it to Azure AD.
4. Agent returns the SCIM response to Azure AD. These responses are based on the filtering that happened within the agent. The agent uses scoping to filter the results.
5. The provisioning service writes the changes to Azure AD.
6. If this is a delta sync as opposed to a full sync, a cookie/watermark is used: new queries only return the changes from that cookie/watermark onwards.
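To make the scoping (step 4) and watermark (step 6) ideas concrete, here is an added PowerShell illustration for this page. It is not the provisioning agent's code; it runs the same two kinds of query against the on-premises forest with the ActiveDirectory module: an OU-scoped search, and a delta search that uses the AD uSNChanged attribute as the watermark. The OU name and the watermark file path are constructed placeholders, and the forest name prafect.cloud is taken from this project.

```powershell
# Added illustration, not the cloud sync agent's own code.
# Assumes the ActiveDirectory module (RSAT) is available on the DC.
Import-Module ActiveDirectory

# Scoping filter: only objects under this OU are in scope (placeholder OU name).
$ScopeOU = 'OU=Office365Users,DC=prafect,DC=cloud'

# Watermark: highest uSNChanged handed over by the previous cycle. The agent keeps
# its own cookie; this sketch persists a plain number in a file to mimic that.
$WatermarkFile = "$env:ProgramData\SyncDemo\watermark.txt"   # placeholder path
$Watermark = 0
if (Test-Path $WatermarkFile) { $Watermark = [int64](Get-Content $WatermarkFile) }

# Watermark 0 behaves like a full sync and returns every in-scope user; a later
# run only returns users whose uSNChanged moved past the watermark (delta sync).
$Changed = Get-ADUser -SearchBase $ScopeOU -SearchScope Subtree `
    -Filter "uSNChanged -gt $Watermark" `
    -Properties uSNChanged, mail, givenName, sn |
    Sort-Object uSNChanged

foreach ($u in $Changed) {
    # This is the point at which the agent would build the SCIM response per object.
    '{0,-30} uSNChanged={1}' -f $u.UserPrincipalName, $u.uSNChanged
}

# Advance the watermark only after the batch was handed over successfully.
if ($Changed) {
    New-Item -ItemType Directory -Path (Split-Path $WatermarkFile) -Force | Out-Null
    ($Changed | Select-Object -Last 1).uSNChanged | Set-Content $WatermarkFile
}
```

Run it on the domain controller twice: the first run (watermark 0) lists every in-scope user; create or edit a user in the OU and the second run lists only that object. Two things the real agent handles and this sketch does not: uSNChanged is specific to the DC that answered the query, so a watermark must always be replayed against the same DC (pin one with -Server), and deleted objects do not appear in this query at all, which is one reason the agent keeps a directory cookie rather than a bare number.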
Description
This was a challenge project to deploy hybrid identity management on Azure. The task was to integrate on-premises identities with Azure Cloud using the Hybrid Identity Management service, Microsoft Azure AD Connect cloud sync.
Task 1: Deploying and configuring a domain controller requires a registered and verified domain. DNS: prafect.cloud
Task 2: Once the domain is registered, go to the Azure Active Directory service and verify the custom domain using the appropriate service.
Task 3: Deploy Windows Server 2019 Datacenter on a VMware virtual machine. This is the on-premises domain controller host, which hosts a DNS server and manages the on-premises Active Directory services.
Task 4: Thereafter, install the Azure AD Connect cloud sync provisioning agent on the on-premises Windows server (this installs the agent for the AD Connect cloud sync service feature), and then configure the Active Directory Domain Services installation.
Task 5: Then create a user group and users, which will be synced from on-premises to Azure Cloud using the Azure AD Connect service.
Task 6: Once the users are created, configure Azure AD Connect cloud sync: configure a new forest using the custom DNS domain prafect.cloud, select the Active Directory service to sync, and finish the process, which starts syncing the on-premises users to Azure Cloud.
Task 7: Go to Azure Cloud and verify that the on-premises groups and users have synced successfully and are displayed under the respective sections.
Task 8: Once the users have synced successfully, verify that a synced user can log into the Azure portal using their on-premises credentials.
Project Cost Estimation:
(Note: This is not an actual cost; it is just an estimate based on high-level requirements. Prices may vary as services are added or removed according to requirements.)
Ref: https://azure.microsoft.com/en-us/pricing/details/active-directory/
Tools & Technologies covered:
VMware Hypervisor
Windows Server 2019 Datacenter
Azure Cloud
Azure AD Tenant
Azure AD Connect
On-Premises AD DNS Server
On-Premises Active Directory Service
Azure AD Connect Cloud sync
Solution Architecture:
This migration project will be completed in the following implementation phases.
Project implementation phases:
Phase 1: Verify DNS on Azure Portal
Phase 2: Create Azure cloud test users on Azure Portal
Phase 3: Deploy Azure AD Connect provisioning agent on On-Premises DC
Phase 4: Create On-Premise groups and users
Phase 5: Deploy Azure AD Connect Cloud sync on On-Premise DC
Phase 6: Verify and validate that On-Premise Group and users have synced to Azure Cloud
Phase 7: Verify that On-Premises user successfully logged into Azure Portal after Azure AD Cloud sync
Pre-requisites:
1) Azure Cloud Admin User 1: role Global Administrator on the Azure AD tenant
2) Azure Cloud AD admin User 2: role Hybrid Identity Administrator
3) Registered custom DNS domain: prafect.cloud
4) On-premises server: Windows Server 2016 xxx
5) On-premises Windows Domain Controller running on the domain name
6) On-premises test users on the Windows DC server
7) Azure portal account
   o Active Directory admin user: Global Administrator
Implementation:
Phase 1: Verify DNS on Azure Portal
1. Go to Azure Active Directory → Custom domain names
2. Add TXT record to Domain registrar account
3. Verify DNS from Azure Portal custom domain
Phase 2: Create Azure cloud test users on Azure Portal
1. Create a Global Administrator Active Directory user
2. Create a few Azure cloud test users
Phase 3: Deploy Azure AD Connect provisioning agent on On-Premises DC
1. Go to the VMware Windows Server machine
2. Sign in to the Azure Portal
3. Go to Active Directory → Azure AD Connect → Azure AD cloud sync
4. Download the agent → Install the agent
5. Verify that the AD DS service is installed
6. Add a new forest → prafect.cloud and finish the installation
Phase 4: Create On-Premise groups and users
1. Go to Tools → Active Directory Users and Computers
2. Create a new group named office365
3. Create new users
a. Praful Patel
b. Alex Smith
c. John Doe
4. Assign users to group: office365
Phase 5: Verify and validate that On-Premise Group and users have synced to Azure Cloud
1. Go to On-Premise Windows 2019 DC server
2. Go to My PC → Properties → validate that the custom domain is displayed
3. Go to Azure Portal → Active Directory service
4. Validate that new Group: office365 synced from On-Premise to Azure cloud
5. Validate that new users synced from On-Premise to Azure Cloud
a. Praful Patel
b. Alex Smith
c. John Doe
Phase 6: Verify that On-Premises user successfully logged into Azure Portal after Azure AD Cloud sync
1. Go to Azure portal → Active Directory → Users
2. Select the user synced from on-premises → Alex365@prafect.cloud
3. Open a new Azure portal sign-in → log in as Alex365@prafect.cloud
4. Verify that user is successfully logged in using same credentials
Implementation in Action:
Phase 1: Verify DNS on Azure Portal
1. Go to Azure Active Directory → Custom domain names
2. Add TXT record to Domain registrar account
3. Verify DNS from Azure Portal custom domain
Search for Azure Active Directory
Go to option: Custom domain names
Go to Domain Registrar where your domain is registered
Click to Add custom domain
MS=ms11437186
Go to DNS hosted zone account and add TXT record
Verify Domain from Azure
Phase 2: Create Azure cloud test users on Azure Portal
Create Global Admin active directory user
User name: adadmin
Pass: test@123456
Click → Group: Global Administrator
Click to Create
Create Global Admin active directory user
Users created
User: prafulaz
Pass: test@123456
Phase 3: Deploy Azure AD Connect provisioning agent on On-Premises DC
1. Go to the VMware Windows Server machine
2. Sign in to the Azure Portal
3. Go to Active Directory → Azure AD Connect → Azure AD cloud sync
4. Download the agent → Install the agent
5. Verify that the AD DS service is installed
6. Add a new forest → prafect.cloud and finish the installation
Install the Azure AD Connect provisioning agent
Sign in to the domain joined server. If you are using the Basic AD and Azure environment tutorial, it would be DC1.
Sign in to the Azure portal using cloud-only global admin credentials.
On the left, select Azure Active Directory, click Azure AD Connect and in the center select Manage cloud sync.
Go to On-Premises Windows Server 2019
Login to Azure Portal
Go to Azure AD Connect
Provide the credentials of the Azure user that has permission to manage hybrid identity
User: azadmin@cloudprafuloutlook.onmicrosoft.com
Password: Cloud@123456
Connect to your custom domain: prafect.cloud
Create a new user in Azure Portal under custom domain: prafect.cloud
prafulaz@prafect.cloud
User: prafulaz
Pass: test@123456
Provide your On-Premises DC server credentials
Provide AD Domain Account:
DC: Windows Server 2019 Admin account
User: Administrator
Password:
Connect Active Directory
Verify that the AD DS service is installed
Verify agent installation on azure portal
Go to Azure Portal
Active Directory
Click to Azure AD Connect
Manage Azure AD Cloud sync
Click Review All agents
Verify that the on-premises agent is displayed and active
Go to Tools > Services
1. Log on to the server with an administrator account
2. Open Services by either navigating to it or by going to Start/Run/Services.msc.
3. Under Services, make sure Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are present and the status is Running.
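The three-step service check above can be scripted so it is repeatable after patching or reboots. The following is an added PowerShell check written for this page, not part of the agent or of Microsoft's documentation. It locates the two services by the display names given in step 3, checks that they are running and set to start automatically, and confirms outbound HTTPS reachability to login.microsoftonline.com, one of the Azure AD endpoints the agent depends on; the complete endpoint list is in Microsoft's cloud sync prerequisites and is assumed rather than reproduced here.

```powershell
# Added health check for the agent host (not Microsoft's code).
# Display names are the ones given in step 3 above.
$Required = @('Microsoft Azure AD Connect Agent Updater',
              'Microsoft Azure AD Connect Provisioning Agent')
# One of the endpoints the agent must reach outbound on 443; see Microsoft's
# cloud sync prerequisites for the full list (assumption: check current docs).
$Endpoints = @('login.microsoftonline.com')

$Healthy = $true
foreach ($name in $Required) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service not installed: $name"; $Healthy = $false; continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status), expected Running"; $Healthy = $false
    }
    # A manual start type means the agent silently stops syncing after a reboot.
    if ($svc.StartType -ne 'Automatic') {
        Write-Warning "$name start type is $($svc.StartType), expected Automatic"
        $Healthy = $false
    }
}

# The agent needs only an outbound connection; verify that path exists.
foreach ($ep in $Endpoints) {
    $ok = Test-NetConnection -ComputerName $ep -Port 443 -InformationLevel Quiet
    if (-not $ok) { Write-Warning "No outbound HTTPS path to $ep"; $Healthy = $false }
}

if ($Healthy) { 'Agent host checks passed' } else { 'Agent host checks FAILED'; exit 1 }
```

Run it in an elevated PowerShell session on the agent server; a non-zero exit code makes it usable from a scheduled task or monitoring agent.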
Configure Azure AD Connect cloud sync
Use the following steps to configure provisioning
1. Sign in to the Azure AD portal.
2. Click Azure Active Directory
3. Click Azure AD Connect
4. Select Manage cloud sync
5. Click New configuration
6. On the configuration screen, enter a notification email, move the selector to Enable, and click Save
Verify that status: Healthy
Verify users are created and synchronization is occurring
You will now verify that the users from your on-premises directory have been synchronized and now exist in your Azure AD tenant. Be aware that this may take a few hours to complete. To verify that users are synchronized, do the following.
1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
2. On the left, select Azure Active Directory
3. Under Manage, select Users.
4. Verify that you see the new users in your tenant
Phase 4: Create On-Premise groups and users
1. Go to Tools → Active Directory Users and Computers
2. Create a new group named office365
3. Create new users
a. Praful Patel
b. Alex Smith
c. John Doe
4. Assign users to group: office365
Click to add → Active Directory Users and Computers
Create Groups and Users
Phase 5: Verify and validate that On-Premise Group and users have synced to Azure Cloud
1. Go to On-Premise Windows 2019 DC server
2. Go to My PC → Properties → validate that the custom domain is displayed
3. Go to Azure Portal → Active Directory service
4. Validate that new Group: office365 synced from On-Premise to Azure cloud
5. Validate that new users synced from On-Premise to Azure Cloud
a. Praful Patel
b. Alex Smith
c. John Doe
New Users synced successfully
Verify logs
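Screenshots show the result once, but the same check from the Azure side can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the project: it confirms that the office365 group and the users created in Phase 4 exist in the tenant with onPremisesSyncEnabled set, which is what distinguishes a synced object from a cloud-only one that merely has the same name. Alex365@prafect.cloud is the UPN used on this page; the other two UPNs are constructed placeholders to replace with the real values. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules are installed and the signed-in account has read rights on users and groups.

```powershell
# Added verification script (not part of the original write-up).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' | Out-Null

# Alex365@prafect.cloud is from this page; the other two are constructed placeholders.
$ExpectedUsers = @('Alex365@prafect.cloud', 'prafulp@prafect.cloud', 'johnd@prafect.cloud')
$ExpectedGroup = 'office365'

# Directory-synced objects carry onPremisesSyncEnabled = true. Filter on that
# rather than on display name so a cloud-only duplicate cannot pass the check.
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime,accountEnabled'

$byUpn = @{}
foreach ($u in $synced) { $byUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }

$problems = @()
foreach ($upn in $ExpectedUsers) {
    $u = $byUpn[$upn.ToLowerInvariant()]
    if (-not $u) { $problems += "user not synced: $upn"; continue }
    if (-not $u.AccountEnabled) { $problems += "user synced but disabled: $upn" }
    '{0,-28} lastSync={1:u}' -f $u.UserPrincipalName, $u.OnPremisesLastSyncDateTime
}

$grp = Get-MgGroup -Filter "displayName eq '$ExpectedGroup'" `
    -Property 'displayName,onPremisesSyncEnabled,onPremisesLastSyncDateTime' |
    Select-Object -First 1
if (-not $grp) {
    $problems += "group not found: $ExpectedGroup"
} elseif (-not $grp.OnPremisesSyncEnabled) {
    $problems += "group exists but is cloud-only, not synced from AD: $ExpectedGroup"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'All expected on-premises objects are present in the tenant.'
```

The lastSync timestamp is only updated when the object itself changes, so it is not a liveness indicator for the 2-minute cycle; it is useful for confirming that an edit made on-premises has actually reached the tenant.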
Phase 6: Verify that On-Premises user successfully logged into Azure Portal after Azure AD Cloud sync
1. Go to Azure portal → Active Directory → Users
2. Select the user synced from on-premises → Alex365@prafect.cloud
3. Open a new Azure portal sign-in → log in as Alex365@prafect.cloud
4. Verify that user is successfully logged in using same credentials
Test User Login
User Alex successfully logged in using on-premises Active Directory Credentials
Congratulations!!!
Monitor the sync process using PowerShell
1. Verify the sync process schedule:
Get-ADSyncScheduler
2. Manually start the synchronization. To start the initial synchronization, run this cmdlet:
Start-ADSyncSyncCycle -PolicyType Initial
New user synced successfully to Azure Cloud
Congratulations!!!!