Configure & Manage Synchronized Identities (part 4 of 4)

By Ashwin Venugopal -

 




To read part 1, please click here
To read part 2, please click here
To read part 3, please click here




Manage Groups with Directory Synchronization

Like user writeback feature, the group writeback feature can also write Microsoft 365 groups from Azure AD to on-premises AD. This feature is present as an optional feature in Azure AD Connect. In order to enable this feature, following pre-requisites must be achieved:
  • Azure AD premium licenses for your tenant.
  • A configured hybrid deployment between your Exchange on-premises organization as well as Office 365 and verify its functioning correctly. 
  • Installed a supported version of Exchange on-premises. 
  • Configured single sign-on using Azure AD Connect.

You can see Microsoft 365 group in the selected on-premises container after the successful completion of synchronization represented as distribution groups in an on-premises AD.  

Synchronizing Groups

If you are planning to synchronize groups from AD to Azure AD, then, you should be aware of the following:
  • Azure AD Connect excludes built-in security groups from directory synchronization.
  • Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.
  • Azure AD Connect does not support synchronizing Dynamic Distribution Group memberships to Azure AD.
  • To synchronize an AD group to Azure AD as a mail-enabled group-
  1. If the group's proxyAddress attribute is empty, its mail attribute must have a value.
  2. If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address value. 

Azure AD Connect Sync Security Group

Azure AD Connect can automatically create Azure AD Connect Sync Security Groups that can be used to delegate control in Azure AD Connect to other users. 

Group Name

Description

AdSyncAdmins

Administrators Group- Members of this group have Full Access to do anything in the Azure AD Connect Sync Service Manager.

AdSyncOperators

Operators Group- Members of this group have access to the operations of the Azure AD Connect Sync Service Manager, including:

·       Execution of Management Agents.

·       View of Synchronization Statistics for each run.

·       Ability to save the Run History (operations tab) to a file.

Members of this group must be a member of AdSyncBrowse Group.

AdSyncBrowse

Browse Group- Members of this group have permission to gather information about a user’s lineage when resetting passwords.

AdSyncPasswordSet

Password Reset Group- Members of this group have permission to perform all operations by using the password management interface.

Members of this group must be a member of the AdSyncBrowse Group.
   

If you are planning to create domain groups on member servers, then you have to choose the Specify Custom Sync Groups option during set up and specify the groups by Domain\Group Name.






To read part 1, please click here
To read part 2, please click here
To read part 3, please click here


Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more