Plan Directory Synchronization (part 3)

By Ashwin Venugopal -

 




To read part 1, please click here
To read part 2, please click here





Plan Azure AD Connect Topologies

If your organization have multiple forests for authentication, you should consider the following:
  • Evaluate consolidating your forests- Generally, more overhead is required to maintain multiple forests, but if your organization needs separate forests, you have to simplify your on-premises environment.
  • Use only in your primary logon forest- You should deploy Microsoft 365 only in your primary loon forest for your initial roll out of Microsoft 365.

Although multi-forest hybrid deployment prerequisites are virtually identical to the hybrid deployment ones for a single-forest organization, they have following exceptions:

  • Autodiscover- If you have shared domains across multiple Exchange forests, then, both mail routing as well as Autodiscover endpoints should be configured ad work properly between the Exchange forests before configuring your multi-forest hybrid deployment.

  • Certificates- A digital certificate is needed by all hybrid deployments by trusted third-party Certificate Authority (CA) and as a single digital certificate cannot be used for multiple AD forests, each forest have to use a Globally trusted dedicated CA-issued certificate for secure mail transport to function correctly in a hybrid deployment. The certificate used for hybrid deployment must differ in at least one of the following properties: 

  1. Common Name (CN)- It is a part of the certificate subject which must match the host being authenticated and is typically the external hostname for the Client Access Server in the AD forest (like mail.contoso.com). It is recommended that the CN should be used as the differentiating property between AD certificates used in multi-forest hybrid deployments. 
  2. Issuer- It is the third-party CA that verifies the organization information and issued the certificate like VeriSign or Go Daddy i.e. one forest can have a certificate issued by VeriSign and the other one can have a certificate issued by Go Daddy. For this situation you have to ensure that you identify when the certs expire so that some of your services don't become untrusted. 

Plan Azure AD Connect Pass-through Authentication

Azure AD Pass-through Authentication (PTA) is easy to implement and maintain while also assuring that password validation of the services relying on Azure AD must performed against an on-premises AD, but if it fails, then automatic failover to password sync is performed  (if enabled). If you want to enable Azure AD pass-through authentication, then you should:
  • Run the Azure AD Connect Setup Wizard
  • On the User Sign-in page, select the Pass-through authentication option 

You should also make sure that all the ports needed for Azure AD pass-through authentication are available as follows:

Port

Description

80

Enables outbound HTTP traffic for security validation such as SSL certificate revocation lists.

443

Enables user authentication against Azure AD.

8080/443

Enables the Connector bootstrap sequence and Connector automatic update.

9090

Enables Connector registration (required only for the Connector registration process).

9091

Enables Connector trust certificate automatic renewal.

9352, 5671

Enables communication between the Connector and the Azure AD service for incoming requests.

9350

[Optional] enables better performance for incoming requests.

10100-10120

Enables responses from the connector back to Azure AD.

 

Plan Azure AD Connect Password Hash Synchronization

It allows the synchronization of the hashes of user passwords from on-premises AD to Azure AD. You can also use password hash synchronization along with password write-back to enable self-service password reset in Azure AD. Seamless SSO for users can also be enabled on domain-joined machines that are on the corporate network where enabled users only have to enter a username to help them securely access cloud resources with single sign-on.

How password hash synchronization works?

First of all, Azure AD Connect sync extracts your password hash from the on-premises AD instance to synchronize your passwords that are generally synchronized on a per-user basis and in chronological order. The password hash synchronization process runs every 2 minutes and its frequency cannot be modified. Whenever a password is synchronized, it overwrites the existing cloud password. 

If an on-premises password is changed, the updated password is synchronized in a matter of minutes and if an error occurs during synchronization, the error occurs in your event viewer. However, if a user is already signed in, then this synchronization have no impact on the user but when the cloud service requires you to authenticate again you will have to provide your new password. 

A user have to enter their corporate credentials a second time to authenticate to Azure AD whether they are signed in to their corporate network or not; but if the user selects the Keep Me Signed In (KMSI) check box during sign-in, then a session cookie is set that bypasses authentication for 180 days. You can also reduce password prompts by turning on seamless SSO where users can be signed in automatically whenever they are on their corporate devices connected to your corporate network.              













To read part 1, please click here
To read part 2, please click here


Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more