Plan Directory Synchronization (part 3)

 




To read part 1, please click here
To read part 2, please click here





Plan Azure AD Connect Topologies

If your organization have multiple forests for authentication, you should consider the following:
  • Evaluate consolidating your forests- Generally, more overhead is required to maintain multiple forests, but if your organization needs separate forests, you have to simplify your on-premises environment.
  • Use only in your primary logon forest- You should deploy Microsoft 365 only in your primary loon forest for your initial roll out of Microsoft 365.

Although multi-forest hybrid deployment prerequisites are virtually identical to the hybrid deployment ones for a single-forest organization, they have following exceptions:

  • Autodiscover- If you have shared domains across multiple Exchange forests, then, both mail routing as well as Autodiscover endpoints should be configured ad work properly between the Exchange forests before configuring your multi-forest hybrid deployment.

  • Certificates- A digital certificate is needed by all hybrid deployments by trusted third-party Certificate Authority (CA) and as a single digital certificate cannot be used for multiple AD forests, each forest have to use a Globally trusted dedicated CA-issued certificate for secure mail transport to function correctly in a hybrid deployment. The certificate used for hybrid deployment must differ in at least one of the following properties: 

  1. Common Name (CN)- It is a part of the certificate subject which must match the host being authenticated and is typically the external hostname for the Client Access Server in the AD forest (like mail.contoso.com). It is recommended that the CN should be used as the differentiating property between AD certificates used in multi-forest hybrid deployments. 
  2. Issuer- It is the third-party CA that verifies the organization information and issued the certificate like VeriSign or Go Daddy i.e. one forest can have a certificate issued by VeriSign and the other one can have a certificate issued by Go Daddy. For this situation you have to ensure that you identify when the certs expire so that some of your services don't become untrusted. 

Plan Azure AD Connect Pass-through Authentication

Azure AD Pass-through Authentication (PTA) is easy to implement and maintain while also assuring that password validation of the services relying on Azure AD must performed against an on-premises AD, but if it fails, then automatic failover to password sync is performed  (if enabled). If you want to enable Azure AD pass-through authentication, then you should:
  • Run the Azure AD Connect Setup Wizard
  • On the User Sign-in page, select the Pass-through authentication option 

You should also make sure that all the ports needed for Azure AD pass-through authentication are available as follows:

Port

Description

80

Enables outbound HTTP traffic for security validation such as SSL certificate revocation lists.

443

Enables user authentication against Azure AD.

8080/443

Enables the Connector bootstrap sequence and Connector automatic update.

9090

Enables Connector registration (required only for the Connector registration process).

9091

Enables Connector trust certificate automatic renewal.

9352, 5671

Enables communication between the Connector and the Azure AD service for incoming requests.

9350

[Optional] enables better performance for incoming requests.

10100-10120

Enables responses from the connector back to Azure AD.

 

Plan Azure AD Connect Password Hash Synchronization

It allows the synchronization of the hashes of user passwords from on-premises AD to Azure AD. You can also use password hash synchronization along with password write-back to enable self-service password reset in Azure AD. Seamless SSO for users can also be enabled on domain-joined machines that are on the corporate network where enabled users only have to enter a username to help them securely access cloud resources with single sign-on.

How password hash synchronization works?

First of all, Azure AD Connect sync extracts your password hash from the on-premises AD instance to synchronize your passwords that are generally synchronized on a per-user basis and in chronological order. The password hash synchronization process runs every 2 minutes and its frequency cannot be modified. Whenever a password is synchronized, it overwrites the existing cloud password. 

If an on-premises password is changed, the updated password is synchronized in a matter of minutes and if an error occurs during synchronization, the error occurs in your event viewer. However, if a user is already signed in, then this synchronization have no impact on the user but when the cloud service requires you to authenticate again you will have to provide your new password. 

A user have to enter their corporate credentials a second time to authenticate to Azure AD whether they are signed in to their corporate network or not; but if the user selects the Keep Me Signed In (KMSI) check box during sign-in, then a session cookie is set that bypasses authentication for 180 days. You can also reduce password prompts by turning on seamless SSO where users can be signed in automatically whenever they are on their corporate devices connected to your corporate network.              













To read part 1, please click here
To read part 2, please click here


Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Deployment (Part 2)