Configure & Manage Synchronized Identities (part 3 of 4)

By Ashwin Venugopal -

 



To read part 1, please click here
To read part 2, please click here
To read part 4, please click here 





Manage Users with Directory Synchronization

You have to perform some management tasks as the Security and Compliance Administrator so that users can efficiently synchronize as well as successfully deploy Azure AD Connect. These tasks are:

  1. Managing user accounts
  2. Recovering a user account that was accidentally deleted
  3. Recovering from unsynchronized deletes
  4. Enhanced user management

Managing User Accounts

Synchronized user accounts cannot be managed with the help of Microsoft 365 admin center or Exchange Online Admin Center (EAC) as all the synchronized attributes are not synchronized back to your on-premises environment. However, some additional attributes that are not available in your AD, can be managed in the Microsoft 365 admin center like:
  • Microsoft 365 product licenses
  • Advanced Exchange Online settings such as enabling In-place Archiving

Recovering a User Account that was Accidentally Deleted

You can either use the Microsoft 365 admin center or Windows PowerShell to recover deleted user objects:
  • In the Microsoft 365 admin center, on the left navigation pane, on the users menu, click Deleted users. 
  • Select the deleted user account that you want to recover, and then click Recover.
  • Select either Auto-generate password or Let me create the password on the Restore page. If Password synchronization is enabled, the selection will be overwritten during the next password sync cycle.

If you want to use Windows PowerShell, then you can use the Restore-MsolUser cmdlet to recover a user object. 

If the recycle bin feature is enabled in AD, you can easily recover the account from the recycle bin and the link between accounts will be re-established, but if it's not enabled, then you may have to create another account with a new GUID.

Note-  After the cloud recycle bin is purged (hard delete), it can no longer be restore the deleted accounts.

Recovering from Unsynchronized Deletes

Dealing with an on-premises delete that doesn't synchronize to Microsoft 365, the case in which linked object is not removed from Azure AD, is an important maintenance task. This situation may occur due to an incomplete directory synchronization or failing to delete a specific cloud object by directory synchronization, which will lead to an abandoned Azure AD object. The following steps will help you resolve such issues:
  • Manually run a directory synchronization update- You can either use Azure AD Connect's Synchronization Service Manager or Windows PowerShell with the help of Start-ADSyncSyncCycle-PolicyType Delta cmdlet to archive this one. 

  • Check that directory synchronization occurred correctly- To perform this task, firstly you have to open the Synchronization Service Manager, verify that all synchronizations are finished and finally the status line will show "Success". 

  • Verify directory synchronization- Firstly, open the Microsoft 365 admin center and then verify if the objects are deleted as expected.

  • Remove orphaned objects, if necessary- If the AD object's deletion has still not propagated to Azure AD even after performing all the tasks successfully, then, you can manually remove the orphaned object with the help of following Windows PowerShell cmdlets:    

  1. Remove-MsolUser
  2. Remove-MsolContact
  3. Remove-MsolGroup

Enhanced User Management

Azure AD Connect provides additional enhanced user management features, along with password writeback and device writeback. 

Password Writeback

To enable this feature to will need the following:

  • Windows Server 2008 or higher Domain Controllers in your on-premises AD (along with an installed KB2386717 for Windows 2008 or Windows 2008 R2 Domain Controllers).
  • Azure AD premium license
  • Configured the Self-Service Password Reset (SSPR) option in your Office 365 tenant.  

You have to enable the password writeback option while installing Azure AD Connect by choosing Custom Setup option while running the Azure AD Connect installation wizard which will configure the following:

  • The Azure AD Connect connectors, which are enabled for password reset.
  • The Azure AD Connect service account for on-premises AD requires permissions for password reset that can be viewed in AD Users and Computers if you enable Advanced mode. The permission entry check box must be enabled for the following permissions- 

  1. Change password
  2. Reset password
  3. Write Permission on the lockout Time property
  4. Write Permission on the pwdLastSet property

You can use the Self Service Password Reset in your Microsoft 365 tenant to test the password writeback functionality which is identical to changing your password. 

Device Writeback

It is mainly used to enable conditional access according to either devices to AD FS protected applications, or on relying party trusts providing extra security as well as assurance that the access to applications are granted only to trusted devices. Device writeback requires the following:

  1. AD forest runs Windows Server 2012 R2 or later
  2. AD FS is hosted from Windows Server 2012 R2 (AD FS v3.0) or later
  3. Azure AD Premium license

You have to enable the device writeback option during the installation of Azure AD Connect by running Custom Setup and then running Windows PowerShell cmdlets on the Azure AD Connect Server, to enable this feature for Azure AD Connect. 











To read part 1, please click here
To read part 2, please click here
To read part 4, please click here 


Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more