Configure & Manage Synchronized Identities (part 3 of 4)
Manage Users with Directory Synchronization
As the Security and Compliance Administrator, you have to perform some management tasks so that user accounts synchronize correctly and Azure AD Connect is deployed successfully. These tasks are:
- Managing user accounts
- Recovering a user account that was accidentally deleted
- Recovering from unsynchronized deletes
- Enhanced user management
Managing User Accounts
The attributes of synchronized users are mastered in on-premises AD; the following settings are managed in the Microsoft 365 admin center instead:
- Microsoft 365 product licenses
- Advanced Exchange Online settings, such as enabling In-Place Archiving
Recovering a User Account that was Accidentally Deleted
- In the Microsoft 365 admin center, on the left navigation pane, on the users menu, click Deleted users.
- Select the deleted user account that you want to recover, and then click Recover.
- Select either Auto-generate password or Let me create the password on the Restore page. If Password synchronization is enabled, the selection will be overwritten during the next password sync cycle.
If you want to use Windows PowerShell, then you can use the Restore-MsolUser cmdlet to recover a user object.
If the AD Recycle Bin feature is enabled, you can easily recover the account from the recycle bin, and the link between the on-premises and cloud accounts is re-established. If it is not enabled, you may have to create another account, which will have a new GUID.
Note- After the cloud recycle bin is purged (hard delete), the deleted accounts can no longer be restored.
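The recovery described above, as an added PowerShell example that is not part of the original page: it checks that the AD Recycle Bin is enabled, restores the on-premises object with its original GUID, restores the matching Azure AD object if the delete had already synchronized, and then runs a delta sync so the two re-link. It assumes the ActiveDirectory, MSOnline and ADSync modules are installed, that Connect-MsolService has already been run, and that the account name and UPN are placeholders.

```powershell
# Added example (not from the original page): recover a synchronized user that was
# deleted in on-premises AD, then restore the matching Azure AD object if needed.
# Assumptions: ActiveDirectory, MSOnline and ADSync modules are installed, you are
# connected with Connect-MsolService, and the account below is a placeholder.

Import-Module ActiveDirectory
Import-Module MSOnline

$SamAccountName = 'jdoe'                    # placeholder on-premises account
$Upn            = 'jdoe@contoso.example'    # placeholder UPN in Azure AD

# 1. Is the AD Recycle Bin enabled? If EnabledScopes is empty the object cannot be
#    restored with its original GUID, and a new account (new GUID) must be created.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; a restore with the original GUID is not possible.'
    return
}

# 2. Find the deleted object and restore it. Restoring keeps the objectGUID, so the
#    sourceAnchor/ImmutableId still matches the cloud object.
$deleted = Get-ADObject -Filter { samAccountName -eq $SamAccountName -and isDeleted -eq $true } `
                        -IncludeDeletedObjects -Properties objectGUID, lastKnownParent
if (-not $deleted) {
    Write-Warning "No deleted object named $SamAccountName was found."
    return
}
Restore-ADObject -Identity $deleted.ObjectGUID
Write-Host "Restored $SamAccountName (GUID $($deleted.ObjectGUID)) to $($deleted.lastKnownParent)"

# 3. If the delete already synchronized, the cloud object is soft-deleted in the Azure AD
#    recycle bin. Restore it there too; if nothing is found, the account is either still
#    live or was hard-deleted (purged) and cannot be recovered.
$cloudDeleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if ($cloudDeleted) {
    Restore-MsolUser -UserPrincipalName $Upn
    Write-Host "Restored soft-deleted Azure AD user $Upn"
} else {
    Write-Host "No soft-deleted Azure AD user $Upn; nothing to restore in the cloud."
}

# 4. Run a delta sync (on the Azure AD Connect server) so the objects re-link.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Step 2 is what makes the recovery safe for synchronization: because the restored object keeps its objectGUID, the sourceAnchor that Azure AD Connect uses to match it to the cloud object is unchanged, which is exactly what is lost when the Recycle Bin is disabled and a fresh account has to be created.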
Recovering from Unsynchronized Deletes
- Manually run a directory synchronization update- You can use either Azure AD Connect's Synchronization Service Manager or Windows PowerShell with the Start-ADSyncSyncCycle -PolicyType Delta cmdlet to do this.
- Check that directory synchronization occurred correctly- Open the Synchronization Service Manager and verify that all synchronization runs have finished and that the status line shows "Success".
- Verify directory synchronization- Open the Microsoft 365 admin center and verify that the objects have been deleted as expected.
- Remove orphaned objects, if necessary- If the AD object's deletion has still not propagated to Azure AD after all the previous tasks have completed successfully, you can manually remove the orphaned object with the following Windows PowerShell cmdlets:
- Remove-MsolUser
- Remove-MsolContact
- Remove-MsolGroup
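The four steps above carried out from PowerShell, as an added example that is not part of the original page: it waits for any running sync cycle, triggers a delta sync, waits for it to finish, checks whether the deleted object is still an active Azure AD user, and removes it only when it is confirmed to be an orphaned synchronized object rather than a cloud-only account. It assumes it runs on the Azure AD Connect server with the ADSync and MSOnline modules available, that Connect-MsolService has been run, and that the UPN is a placeholder; the Wait-ADSyncIdle helper is added here and is not a built-in cmdlet.

```powershell
# Added example (not from the original page): force a delta sync, verify the
# on-premises delete reached Azure AD, and remove the orphaned object if it did not.
# Assumptions: run on the Azure AD Connect server, MSOnline module installed,
# Connect-MsolService already done, placeholder UPN below.

Import-Module ADSync
Import-Module MSOnline

$Upn = 'orphan.user@contoso.example'   # placeholder UPN of the object deleted on-premises

# Helper (not a built-in cmdlet): block until no sync cycle is in progress.
# Start-ADSyncSyncCycle fails if a cycle is already running, so wait first.
function Wait-ADSyncIdle {
    param([int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the sync cycle to finish.' }
        Start-Sleep -Seconds 10
    }
}

# 1. Manually run a delta synchronization (same as starting it from Synchronization Service Manager).
Wait-ADSyncIdle
Start-ADSyncSyncCycle -PolicyType Delta

# 2. Wait for the run to complete before checking the result in Azure AD.
Start-Sleep -Seconds 5
Wait-ADSyncIdle

# 3. Verify the delete propagated: an active user object should no longer exist.
$live = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $live) {
    Write-Host "$Upn is no longer an active Azure AD user; the delete propagated."
    return
}

# 4. Still present after a successful sync: treat it as orphaned. Only synchronized
#    objects carry an ImmutableId, so this check prevents deleting a cloud-only account
#    that merely has the same UPN.
if (-not $live.ImmutableId) {
    Write-Warning "$Upn is a cloud-only account (no ImmutableId); not removing it."
    return
}
Write-Host "Removing orphaned synced user $Upn (ImmutableId $($live.ImmutableId), last sync $($live.LastDirSyncTime))"
Remove-MsolUser -UserPrincipalName $Upn -Force

# The object is now soft-deleted and can still be restored with Restore-MsolUser.
# To purge it immediately (hard delete, unrecoverable), use:
# Remove-MsolUser -UserPrincipalName $Upn -RemoveFromRecycleBin -Force
# Orphaned contacts and groups are removed the same way with Remove-MsolContact and Remove-MsolGroup.
```

The ImmutableId check in step 4 is the safeguard worth keeping in any cleanup script: a delete that reaches Azure AD through synchronization is expected, but a manual Remove-MsolUser bypasses the sync engine entirely, so the script should prove the object is the orphan it is looking for before it acts.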
Enhanced User Management
Password Writeback
To enable this feature you will need the following:
- Windows Server 2008 or later domain controllers in your on-premises AD (with KB2386717 installed on Windows Server 2008 or Windows Server 2008 R2 domain controllers).
- An Azure AD Premium license
- The Self-Service Password Reset (SSPR) option configured in your Office 365 tenant.
You enable the password writeback option while installing Azure AD Connect by choosing the Custom Setup option in the Azure AD Connect installation wizard, which configures the following:
- The Azure AD Connect connectors, which are enabled for password reset.
- The Azure AD Connect service account for on-premises AD, which requires password reset permissions. These can be viewed in AD Users and Computers if you enable Advanced mode; the permission entry check box must be enabled for the following permissions-
- Change password
- Reset password
- Write permission on the lockoutTime property
- Write permission on the pwdLastSet property
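An added PowerShell example, not part of the original page, that audits whether the four permissions listed above are actually present on the domain root for the AD connector account. Instead of hard-coding rights GUIDs it resolves them from the forest's own configuration and schema partitions, which is the reliable way to compare them with the ObjectType of each ACE. It assumes the ActiveDirectory module is installed, that it runs with read access to the domain ACL, and that $ConnectorAccount is a placeholder for the real connector service account; the two helper functions are added here, not built-in cmdlets.

```powershell
# Added example (not from the original page): check the password-writeback
# permissions granted to the Azure AD Connect AD connector account.
# Assumptions: ActiveDirectory module installed; $ConnectorAccount is a
# placeholder for the MSOL_* (or custom) service account used by the AD connector.

Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_placeholder'   # placeholder, replace with the real connector account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Helper (added): control-access rights live under CN=Extended-Rights in the configuration
# partition; their rightsGuid is the value that appears in an ACE's ObjectType.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

# Helper (added): attribute GUIDs come from the schema partition (schemaIDGUID is a byte array).
function Get-AttributeGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaDn `
                        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# The four permissions the page lists, mapped to their GUIDs in this forest.
$required = [ordered]@{
    'Change password (User-Change-Password)'      = Get-ExtendedRightGuid 'User-Change-Password'
    'Reset password (User-Force-Change-Password)' = Get-ExtendedRightGuid 'User-Force-Change-Password'
    'Write lockoutTime'                           = Get-AttributeGuid 'lockoutTime'
    'Write pwdLastSet'                            = Get-AttributeGuid 'pwdLastSet'
}

# Read the domain root ACL through the AD: drive and keep only Allow ACEs for the connector account.
# Note: this audits the domain root only; if the rights were delegated on a specific OU instead,
# point $domainDn at that OU's distinguished name.
$acl  = Get-Acl -Path "AD:\$domainDn"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ConnectorAccount -and $_.AccessControlType -eq 'Allow'
}

foreach ($entry in $required.GetEnumerator()) {
    $match  = $aces | Where-Object { $_.ObjectType -eq $entry.Value }
    $status = if ($match) { 'OK     ' } else { 'MISSING' }
    '{0}  {1}  ({2})' -f $status, $entry.Key, $entry.Value
}
```

A MISSING line means the wizard's permission step did not take effect (or was later removed), and password writeback will fail for the affected operation even though the feature is switched on in Azure AD Connect; the same check is useful after any re-delegation of the domain ACL.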
You can test password writeback by using Self Service Password Reset in your Microsoft 365 tenant; the process is the same as changing your password.
Device Writeback
Device writeback is mainly used to enable device-based conditional access to AD FS-protected applications or relying party trusts, providing extra security and assurance that access to applications is granted only to trusted devices. Device writeback requires the following:
- AD forest runs Windows Server 2012 R2 or later
- AD FS is hosted from Windows Server 2012 R2 (AD FS v3.0) or later
- Azure AD Premium license
You enable the device writeback option during the installation of Azure AD Connect by running Custom Setup, and then run Windows PowerShell cmdlets on the Azure AD Connect server to enable the feature for Azure AD Connect.