Configure & Manage Synchronized Identities (part 1 of 4)

By Ashwin Venugopal -

 




To read part 2, please click here
To read part 3, please click here
To read part 4, please click here 





Configure Azure AD Connect Prerequisites

If you want to install Azure AD Connect, then, you will require following-

Azure AD

  • An Azure AD tenant is available with an Azure free trial and you can use either The Azure Portal or The Office Portal to manage Azure AD Connect.
  • You have to add and verify the domain you want to use in Azure AD.
  • By default, an Azure AD tenant allows 50k objects and when you verify your domain, the limit is automatically increased to 300k objects. However, if you require more than 500k objects, then must possess a license like Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility and Security.  

On-premises AD

  • Windows 2003 or later must be AD schema version and forest functional level and as long as their requirements are met, domain controllers can run any version.
  • If you are using password writeback feature, then the Domain Controllers should be on Windows Server 2008 R2 or later.
  • The domain controller used by Azure AD must be writable as RODC (Read-Only Domain Controller) is not supported and Azure AD does not follow any write redirects.
  • Use of on-premises forests/domains having "dotted" NetBios names is not supported. 
  • It is recommended to enable the AD Recycle Bin.

Azure AD Connect Server

It must be treated as Tier 0 component and as it contains critical identity data, you must ensure that administrative access to this server is properly secured. 

SQL Server used by Azure AD Connect

  • Azure AD Connect requires an SQL Server database to store identity data containing SQL Server 2012 Express LocalDB by default which has a 10GB size limit that allows you to manage 100,000 objects approximately. However, if you want to manage a higher volume of directory objects, then, you have to point the installation wizard to a different installation of SQL Server.

  • If you are using different installation of SQL Server, then, you have to fulfill the following requirements:  

  1. Although Azure AD Connect supports all versions of Microsoft SQL Server from 2012 to SQL Server 2019, it does not support Microsoft Azure SQL Database as a database.
  2. A case-insensitive SQL collation identified as CI in their name must be used as case-sensitive collation identified by CS are not supported.
  3. You can only have one sync engine per SQL instance and sharing of an SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync is not supported.

Accounts

  • An Azure AD Administrator account for the Azure AD tenant you want to integrate with must be a school or organization account and cannot be a Microsoft account.
  • If you want want to use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises AD.
  • The custom settings installation path offers you more options. 

Connectivity

  • The Azure AD Connect server requires DNS resolution for both intranet and internet which is capable of resolving names of both to your on-premises AD and the Azure AD endpoints. 
  • If you have firewalls on your intranet and you want to open ports between the Azure AD Connect servers and your domain controllers, then you have to look for Azure AD Connect ports for more information. 







To read part 2, please click here
To read part 3, please click here
To read part 4, please click here 

Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more