Configure & Manage Synchronized Identities (part 3 of 4)

To read part 1, please click here
To read part 2, please click here
To read part 4, please click here 

Manage Users with Directory Synchronization

Once Azure AD Connect is deployed successfully, you have to perform a number of management tasks as the Security and Compliance Administrator so that users keep synchronizing correctly. These tasks are:

  1. Managing user accounts
  2. Recovering a user account that was accidentally deleted
  3. Recovering from unsynchronized deletes
  4. Enhanced user management

Managing User Accounts

Synchronized user accounts cannot be managed from the Microsoft 365 admin center or the Exchange Online admin center (EAC), because synchronized attributes are not written back to your on-premises environment. However, some additional attributes that do not exist in your on-premises AD can be managed in the Microsoft 365 admin center, such as:
  • Microsoft 365 product licenses
  • Advanced Exchange Online settings such as enabling In-place Archiving

Recovering a User Account that was Accidentally Deleted

You can use either the Microsoft 365 admin center or Windows PowerShell to recover deleted user objects:
  • In the Microsoft 365 admin center, in the left navigation pane, expand the Users menu and click Deleted users.
  • Select the deleted user account that you want to recover, and then click Recover.
  • On the Restore page, select either Auto-generate password or Let me create the password. If password synchronization is enabled, this selection will be overwritten during the next password sync cycle.

If you want to use Windows PowerShell, you can use the Restore-MsolUser cmdlet to recover a user object.

If the Recycle Bin feature is enabled in your on-premises AD, you can easily recover the account from the recycle bin and the link between the on-premises and cloud accounts will be re-established. If it is not enabled, you may have to create another account, which will get a new GUID.

Note- After the cloud recycle bin is purged (hard delete), the deleted accounts can no longer be restored.
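The recovery path described above, as an added example that is not part of the original post: it restores the user from the cloud recycle bin with Restore-MsolUser and, when the on-premises AD Recycle Bin is enabled, restores the on-premises object so the existing link (sourceAnchor/ImmutableId) survives. It assumes the MSOnline and ActiveDirectory modules are installed; the UPN is a constructed placeholder.

```powershell
# Added example (not part of the original post): recover a synchronized user
# that was accidentally deleted, first in Azure AD and then on-premises.
# Assumptions: MSOnline and ActiveDirectory modules available; constructed UPN.
$Upn = 'jane.doe@contoso.example'   # constructed sample value

Connect-MsolService

# 1. Is the user still in the cloud recycle bin? Hard-deleted users cannot be restored.
$deleted = Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue
if (-not $deleted) {
    throw "No soft-deleted user with UPN $Upn exists in Azure AD; it was probably hard-deleted."
}
Write-Host "Found deleted user $($deleted.UserPrincipalName) (ImmutableId: $($deleted.ImmutableId))"

# 2. Restore it. -AutoReconcileProxyConflicts renames clashing proxy addresses
#    instead of failing when another object already owns one of them.
Restore-MsolUser -UserPrincipalName $Upn -AutoReconcileProxyConflicts

# 3. If the on-premises object was deleted as well, bring it back from the
#    AD Recycle Bin so the objectGUID (and therefore the ImmutableId) is unchanged.
$recycleBin = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    $adObj = Get-ADObject -Filter { userPrincipalName -eq $Upn -and isDeleted -eq $true } `
                          -IncludeDeletedObjects -Properties userPrincipalName
    if ($adObj) {
        Restore-ADObject -Identity $adObj.ObjectGUID
        Write-Host "Restored on-premises object $($adObj.ObjectGUID); run a delta sync to re-link it."
    } else {
        Write-Host "On-premises object is not in the AD Recycle Bin; nothing to restore there."
    }
} else {
    Write-Warning "AD Recycle Bin is not enabled; a re-created on-premises account will get a new GUID."
}
```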

Recovering from Unsynchronized Deletes

Handling an on-premises delete that does not synchronize to Microsoft 365, that is, the case in which the linked object is not removed from Azure AD, is an important maintenance task. This situation may occur when directory synchronization is incomplete or fails to delete a specific cloud object, leaving an orphaned Azure AD object. The following steps will help you resolve such issues:
  • Manually run a directory synchronization update- You can use either Azure AD Connect's Synchronization Service Manager or Windows PowerShell, with the Start-ADSyncSyncCycle -PolicyType Delta cmdlet, to do this.

  • Check that directory synchronization completed correctly- Open the Synchronization Service Manager, verify that all synchronization runs have finished, and confirm that the status line shows "Success".

  • Verify directory synchronization- Open the Microsoft 365 admin center and verify that the objects have been deleted as expected.

  • Remove orphaned objects, if necessary- If the AD object's deletion still has not propagated to Azure AD after you have performed all of the above tasks successfully, you can manually remove the orphaned object with the following Windows PowerShell cmdlets:

  1. Remove-MsolUser
  2. Remove-MsolContact
  3. Remove-MsolGroup
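The four steps above carried out from PowerShell, as an added example that is not part of the original post: it forces a delta sync, waits for the cycle to finish, then compares on-premises AD with Azure AD and removes the cloud user only when it is a synced object whose on-premises counterpart no longer exists. It assumes it runs on the Azure AD Connect server with the ADSync, ActiveDirectory and MSOnline modules available; the UPN is a constructed placeholder.

```powershell
# Added example (not part of the original post): resolve an unsynchronized delete.
# Assumptions: run on the Azure AD Connect server; ADSync, ActiveDirectory and
# MSOnline modules available; constructed UPN.
$Upn = 'john.smith@contoso.example'   # constructed sample value

# 1. Manually run a delta synchronization cycle
Start-ADSyncSyncCycle -PolicyType Delta

# 2. Wait until the scheduler reports that no sync cycle is in progress.
#    Then review the connector runs in Synchronization Service Manager; each
#    status line should read "Success".
do {
    Start-Sleep -Seconds 10
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. Verify: does the object still exist on-premises, and does it still exist in the cloud?
$onPrem = Get-ADUser -Filter { UserPrincipalName -eq $Upn } -ErrorAction SilentlyContinue
Connect-MsolService
$cloud  = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue

# 4. Remove the orphaned object only when all three conditions hold:
#    no on-premises object, a cloud object exists, and it carries a sourceAnchor (ImmutableId).
if ($onPrem) {
    Write-Host "On-premises object for $Upn still exists; nothing to clean up."
} elseif (-not $cloud) {
    Write-Host "Deletion propagated: $Upn no longer exists in Azure AD."
} elseif ($cloud.ImmutableId) {
    Write-Warning "Orphaned synced object $Upn (last synced $($cloud.LastDirSyncTime)); removing it."
    Remove-MsolUser -UserPrincipalName $Upn -Force   # soft delete; the object goes to the cloud recycle bin
} else {
    Write-Host "$Upn is a cloud-only account, not a synced one; leaving it alone."
}
```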

Enhanced User Management

Azure AD Connect provides additional enhanced user management features, including password writeback and device writeback.

Password Writeback

To enable this feature, you will need the following:

  • Domain controllers running Windows Server 2008 or later in your on-premises AD (with KB2386717 installed on Windows Server 2008 or Windows Server 2008 R2 domain controllers).
  • An Azure AD Premium license.
  • The Self-Service Password Reset (SSPR) option configured in your Office 365 tenant.

You enable the password writeback option while installing Azure AD Connect by choosing the Custom Setup option in the Azure AD Connect installation wizard, which configures the following:

  • The Azure AD Connect connectors are enabled for password reset.
  • The Azure AD Connect service account for on-premises AD is granted the permissions required for password reset; you can view them in AD Users and Computers if you enable Advanced mode. The permission entry check box must be selected for the following permissions-

  1. Change password
  2. Reset password
  3. Write permission on the lockoutTime property
  4. Write permission on the pwdLastSet property
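A check for the four permissions listed above, as an added example that is not part of the original post: it resolves the GUIDs of the two extended rights and the two attributes from the schema and then looks for matching Allow entries granted to the service account on the domain head, where Azure AD Connect places them. It assumes the ActiveDirectory module; the service account name is a constructed placeholder (the real one is usually MSOL_<hex>, or the custom account chosen during setup).

```powershell
# Added example (not part of the original post): verify password writeback
# permissions for the Azure AD Connect AD service account.
# Assumptions: ActiveDirectory module; constructed service account name.
param([string]$ServiceAccount = 'CONTOSO\MSOL_placeholder')

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# Resolve GUIDs from the schema instead of hard-coding them.
function Get-RightGuid([string]$DisplayName) {
    (Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter { displayName -eq $DisplayName } -Properties rightsGuid).rightsGuid
}
function Get-AttrGuid([string]$LdapName) {
    $raw = (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter { lDAPDisplayName -eq $LdapName } -Properties schemaIDGUID).schemaIDGUID
    ([guid]$raw).Guid
}

$required = [ordered]@{
    'Change password'   = Get-RightGuid 'Change Password'
    'Reset password'    = Get-RightGuid 'Reset Password'
    'Write lockoutTime' = Get-AttrGuid  'lockoutTime'
    'Write pwdLastSet'  = Get-AttrGuid  'pwdLastSet'
}

# Allow ACEs granted to the service account on the domain head (inherited by user objects)
$aces = (Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }

foreach ($name in $required.Keys) {
    $guid = $required[$name]
    if ($aces | Where-Object { $_.ObjectType -eq $guid }) {
        Write-Host   "OK       $name"
    } else {
        Write-Warning "MISSING  $name for $ServiceAccount on $domainDN"
    }
}
```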

You can test the password writeback functionality by using Self-Service Password Reset in your Microsoft 365 tenant; the process is identical to changing your password.

Device Writeback

Device writeback is mainly used to enable device-based conditional access for AD FS protected applications or relying party trusts, providing extra security as well as assurance that access to applications is granted only to trusted devices. Device writeback requires the following:

  1. The AD forest runs Windows Server 2012 R2 or later
  2. AD FS is hosted on Windows Server 2012 R2 (AD FS v3.0) or later
  3. An Azure AD Premium license

You enable the device writeback option during the installation of Azure AD Connect by choosing Custom Setup, and then running Windows PowerShell cmdlets on the Azure AD Connect server to enable the feature for Azure AD Connect.
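A prerequisite and state check for device writeback, as an added example that is not part of the original post: it reads the forest schema version (objectVersion 69 is the Windows Server 2012 R2 schema) and tests whether the two containers that device writeback uses already exist in the directory. It assumes the ActiveDirectory module on a domain-joined machine; the AD FS requirement has to be checked on the AD FS servers themselves.

```powershell
# Added example (not part of the original post): check device writeback prerequisites.
# Assumption: ActiveDirectory module on a domain-joined machine.
$rootDse = Get-ADRootDSE

# Forest requirement: schema must be at least the Windows Server 2012 R2 level (objectVersion 69).
$schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
if ($schemaVersion -ge 69) {
    Write-Host "OK       schema objectVersion $schemaVersion (2012 R2 level is 69)"
} else {
    Write-Warning "Schema objectVersion $schemaVersion is below the 2012 R2 level (69); extend the schema first."
}
Write-Host "Forest functional level: $((Get-ADForest).ForestMode)"

# Containers created when device writeback is enabled; absence means it is not set up yet.
$containers = @(
    "CN=Device Registration Configuration,CN=Services,$($rootDse.configurationNamingContext)"
    "CN=RegisteredDevices,$($rootDse.defaultNamingContext)"
)
foreach ($dn in $containers) {
    $obj = Get-ADObject -Identity $dn -ErrorAction SilentlyContinue
    if ($obj) { Write-Host "PRESENT  $dn" } else { Write-Host "ABSENT   $dn" }
}
```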
