
Part 14 – Microsoft Entra Connect

Microsoft Entra Connect

In this post, we will look at how to set up Microsoft Entra Connect (formerly Azure AD Connect) to synchronize on-premises Active Directory objects to the cloud.

Microsoft Entra Connect synchronizes objects from on-premises Active Directory to Microsoft Entra ID. That means the users, groups, and devices that already exist in our on-premises environment can be used as the same identities in Microsoft 365.

We can even establish a connection between an on-premises Exchange Server and Exchange Online: with Microsoft Entra Connect in place we can create a hybrid Exchange deployment. That is not the main goal of this article, however.

Github repository – Microsoft Home Lab

Synchronization Tool Options

There are two options to synchronize objects to the cloud.

  • Microsoft Entra Connect
  • Microsoft Entra Cloud Sync

Microsoft Entra Cloud Sync is the newer option. Its synchronization engine runs in the cloud, so on-premises we only deploy lightweight provisioning agents that connect outbound to the service. When Cloud Sync was introduced it supported fewer features than Entra Connect, but the gap has been closing with every release. Microsoft now encourages customers to review the features and advantages of Cloud Sync before deploying Entra Connect Sync, so the choice between the two depends on your specific requirements and the complexity of your environment.

In this lab, however, we will use Microsoft Entra Connect.

Note: Microsoft introduced Entra Connect and Cloud Sync to help people transition their resources into the cloud. But the reality from my experience is that people do not fully transition to the cloud and keep their synchronization enabled forever. So basically they are running a hybrid deployment.


Explanation of some features

When we implement the solution above, we will encounter several features in the wizard. Below I explain the ones that matter, so that the choices made in the deployment section make sense.

 

Active Directory Recycle Bin

The Recycle Bin provides a safety net when you accidentally delete an Active Directory object. You can restore the deleted objects with all their attributes intact, which is much more efficient than having to use backup and restoration tools.

Scenarios for which activation is recommended

When an Active Directory user object is deleted on-premises by mistake, the Recycle Bin lets you restore it, and the matching Microsoft Entra ID user is restored with it, so nothing has to be recreated by hand.
The reason is the sourceAnchor attribute, which ties each on-premises object to its cloud counterpart (by default it is ms-DS-ConsistencyGuid, seeded from the objectGUID, and it surfaces in Entra ID as onPremisesImmutableId). A restored object keeps its original objectGUID, so its sourceAnchor is unchanged. A user recreated by hand to replace a deleted one gets a new objectGUID and therefore a new sourceAnchor; Entra Connect then creates a second cloud user instead of reviving the soft-deleted one.
Microsoft Entra ID keeps deleted users in a soft-deleted state for 30 days and then purges them. A purged object cannot be recovered, even with the on-premises Recycle Bin enabled, so the Recycle Bin is a safety net only within that window.
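The following PowerShell is an added example, not code from the original post. It enables the Recycle Bin, computes the sourceAnchor the way Entra Connect does, deletes and restores a user, and confirms the anchor survived. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, a forest named ninjademolab.local and a test user test.user (the forest and user names are assumptions).

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory,
# Enterprise Admin rights, forest 'ninjademolab.local' and user 'test.user' (assumed names).
Import-Module ActiveDirectory

# Enabling the Recycle Bin is a one-way, forest-wide change (forest functional level 2008 R2+).
$forest = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Entra Connect's default sourceAnchor is ms-DS-ConsistencyGuid (seeded from objectGUID).
# In Entra ID the same bytes appear base64-encoded as onPremisesImmutableId.
function Get-SourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'ms-DS-ConsistencyGuid'
    $bytes = if ($u.'ms-DS-ConsistencyGuid') { $u.'ms-DS-ConsistencyGuid' }
             else { $u.ObjectGUID.ToByteArray() }
    [Convert]::ToBase64String($bytes)
}

$before = Get-SourceAnchor -SamAccountName 'test.user'
$guid   = (Get-ADUser -Identity 'test.user').ObjectGUID

# Simulate the accidental deletion, then restore the tombstone by its objectGUID.
Remove-ADUser -Identity 'test.user' -Confirm:$false
$deleted = Get-ADObject -Filter "ObjectGUID -eq '$guid'" -IncludeDeletedObjects
Restore-ADObject -Identity $deleted.ObjectGUID

$after = Get-SourceAnchor -SamAccountName 'test.user'
if ($before -eq $after) {
    "sourceAnchor preserved ($after): the next sync cycle reactivates the soft-deleted cloud user"
} else {
    "sourceAnchor changed ($before -> $after): Entra Connect would create a new cloud user"
}
```

Run it in the lab only: Remove-ADUser is real, and a recreated user (New-ADUser with the same name) would make the second branch fire, which is exactly the failure the section describes.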

 

Password Hash Synchronization vs Pass-through Authentication (PHS vs PTA)

Password Hash Synchronization (PHS):

  • PHS is the simplest way to let users sign in to the cloud with their on-premises password.
  • It synchronizes a hash of each user's NT password hash to Microsoft Entra ID (the MD4 hash is salted and run through PBKDF2-HMAC-SHA256 with 1,000 iterations before it leaves the server); clear-text passwords never leave the domain. Password changes are picked up on a separate two-minute cycle.
  • It is easy to set up and maintain and needs no additional on-premises infrastructure.
  • Changes to on-premises account state are not immediate: disabling an account propagates only with the next sync cycle (every 30 minutes by default), and AD account lockouts and logon hours are not enforced in the cloud at all.
  • Cloud sign-in keeps working even when the on-premises environment is down, and the synced hashes feed Microsoft Entra ID Protection's leaked-credential detection.

Pass-through Authentication (PTA):

  • PTA validates the password against an on-premises domain controller at sign-in time; no password hashes are stored in the cloud.
  • It needs lightweight authentication agents installed on on-premises servers with outbound HTTPS access (Microsoft recommends at least three for availability), so setup is a bit more involved than PHS.
  • Because every sign-in is checked against AD, account state, password policy, and logon hours are enforced in real time.
  • It adds infrastructure to maintain, and cloud sign-ins fail if the agents or domain controllers are unreachable.
  • It gives the on-premises team direct control over cloud access, aligned with on-premises security policy.

In summary, PHS is simple and resilient, while PTA enforces on-premises policy in real time at the cost of more infrastructure and a dependency on on-premises availability. The two are not mutually exclusive: Microsoft recommends enabling PHS alongside PTA (or federation) as a fallback and for leaked-credential detection.
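The propagation gap described above matters during incident response: with PHS, disabling an account in AD reaches the cloud only on the next sync cycle, and even then existing tokens stay valid. The following added example (not from the original post) closes both gaps by forcing a delta sync and revoking sessions. It assumes it runs on the Entra Connect server with the ADSync and ActiveDirectory modules, the Microsoft.Graph module signed in with User.ReadWrite.All, and the user test.user with UPN test.user@ninjademolab.com (names are assumptions).

```powershell
# Added example (not from the original post). Assumes the ADSync, ActiveDirectory and
# Microsoft.Graph modules; 'test.user' / 'test.user@ninjademolab.com' are assumed names.
Import-Module ActiveDirectory, ADSync
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$sam = 'test.user'
$upn = 'test.user@ninjademolab.com'

# 1. Disable on-premises. With PHS this is an attribute change, so it reaches the cloud
#    only when a sync cycle runs; with PTA it is enforced at the next sign-in.
Disable-ADAccount -Identity $sam

# 2. Do not wait up to 30 minutes for the scheduler: trigger a delta sync now.
if ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
Start-ADSyncSyncCycle -PolicyType Delta

# 3. Poll Entra ID until accountEnabled flips (bounded so a stuck sync does not hang us).
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $u = Get-MgUser -UserId $upn -Property id,accountEnabled,onPremisesSyncEnabled
    $attempts++
} while ($u.AccountEnabled -and $attempts -lt 20)
if ($u.AccountEnabled) { throw "Entra ID still shows $upn enabled after $attempts checks; investigate the sync" }

# 4. A disabled account does not end sessions already issued; revoke refresh tokens too.
Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
"$upn disabled in Entra ID (synced object: $($u.OnPremisesSyncEnabled)) and sign-in sessions revoked"
```

Access tokens already issued remain valid until they expire (about an hour by default); revoking the sign-in sessions only stops them from being refreshed, so Conditional Access or a token-lifetime policy is what shortens that last window.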


Alternative UPN Suffix

Why do we need to add a domain suffix?

The UPN suffix of every user that will be synchronized must match a domain that is verified in the Microsoft Entra tenant. If it does not, the user's cloud UPN falls back to the tenant's default .onmicrosoft.com domain, which breaks the expected sign-in name.

Change the UPN suffix for users that will be synchronized to the cloud.

 

Open the Microsoft Entra ID Portal and check the Domain Name.

 

Connect to Domain Controller (NDL-DC01).

Open Active Directory Domains and Trusts, right-click the root node, and click Properties.

 

 

Add the domain name from the Microsoft Entra ID portal.

 

Create a new test user that will be synced to the cloud, and choose the UPN suffix we just added.
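The same procedure in PowerShell, as an added example that is not part of the original post: register the verified tenant domain as a UPN suffix in the forest, then audit the sync-scope OU for users whose suffix Entra ID would not accept and fix them. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph module signed in with Domain.Read.All, the verified domain ninjademolab.com from the post, and an OU named OU=Lab Users,DC=ninjademolab,DC=local as the sync scope (the OU is an assumption).

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory and Microsoft.Graph;
# the sync-scope OU below is an assumed name for this lab.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'Domain.Read.All'

$tenantDomain = 'ninjademolab.com'
$syncOu       = 'OU=Lab Users,DC=ninjademolab,DC=local'

# Only suffixes that are verified in the tenant survive synchronization unchanged.
$verified = (Get-MgDomain | Where-Object IsVerified).Id
if ($tenantDomain -notin $verified) { throw "$tenantDomain is not verified in the tenant; verify it first" }

# Same effect as the Domains and Trusts dialog: add the suffix to the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $tenantDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $tenantDomain }
}

# Audit: users in scope whose suffix is unverified would be renamed to @<tenant>.onmicrosoft.com.
$bad = Get-ADUser -Filter * -SearchBase $syncOu -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and ($_.UserPrincipalName.Split('@')[1] -notin $verified) }

foreach ($u in $bad) {
    $newUpn = "$($u.SamAccountName)@$tenantDomain"
    Write-Host "Fixing $($u.UserPrincipalName) -> $newUpn"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn
}
"$(@($bad).Count) user(s) updated; accepted suffixes: $($verified -join ', ')"
```

Run the audit before the first sync. Changing the UPN of a user that is already synchronized is supported, but it renames the cloud account, so do it in a maintenance window and tell users their sign-in name changed.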

 


Microsoft Entra Connect Installation and Configuration

Navigate to Download Azure AD Connect V2 from Official Microsoft Download Center

Download and install the file. We install it on our domain controller, which Microsoft does not recommend, but it is acceptable for a lab. In production, treat the Entra Connect server as a Tier 0 asset: it holds an AD account with directory-replication rights (enough to read every password hash) and a tenant account with the Directory Synchronization Accounts role, so whoever controls that server controls both directories.

 

Welcome screen after installation.

 

Select Customize to choose advanced deployment options.

 

We can change some default settings but in this case we don’t need to. Click install.

 

Choose Password Hash Synchronization.

 

Enter Microsoft Entra global administrator or hybrid identity administrator credentials.

 

Click Add Forest Directory.

 

Enter Enterprise Admin credentials. The wizard uses them only during setup, to create the AD DS Connector account (MSOL_<id>) and grant it the permissions it needs, including Replicating Directory Changes and Replicating Directory Changes All for password hash synchronization. Alternatively, supply an existing account that already has the required permissions.

 

Choose the forest then click next.

 

Now we can see a list of domains, and ninjademolab.com shows as verified. Earlier we added this domain as a UPN suffix and assigned it to our test user.

Note: users whose UPN suffix is not a verified domain will be synced with the tenant's default .onmicrosoft.com UPN instead. Change the UPN suffix of every user that will be synced before the first sync cycle.

 

Choose which Organizational Units to sync. By default all OUs are selected. In practice, scope the sync to the OUs that hold accounts that need cloud access, and keep privileged on-premises accounts (Domain Admins and other Tier 0 identities) out of scope; Microsoft recommends separate, cloud-only accounts for cloud administration.

Accept the defaults on the remaining pages. We do not need any additional configuration right now.

 

Click install.

 

After installation, we get a notification that enabling a recycle bin is highly recommended.

 

Navigate to the Active Directory Administrative Center on the Domain Controller. Then enable Recycle bin.

 

 

After everything is configured. We can see that our Test user was successfully synced to the cloud.

Additionally, a service account named On-Premises Directory Synchronization Service Account now appears in the tenant. It is not synced from AD; the wizard creates it in Microsoft Entra ID and assigns it the Directory Synchronization Accounts role so that the sync engine can write to the tenant.
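A post-installation check, as an added example that is not part of the original post: it reports the sync engine state, confirms the test user reached the cloud, verifies that its onPremisesImmutableId equals the base64-encoded sourceAnchor from AD, and lists the service account the wizard created. It assumes it runs on the Entra Connect server with the ADSync and ActiveDirectory modules, the Microsoft.Graph module signed in with User.Read.All, and the test user test.user (an assumed name).

```powershell
# Added example (not from the original post). Assumes ADSync, ActiveDirectory and
# Microsoft.Graph modules on the Entra Connect server; 'test.user' is an assumed name.
Import-Module ActiveDirectory, ADSync
Connect-MgGraph -Scopes 'User.Read.All'

# Engine state: PHS switched on, scheduler enabled, and whether a run is in progress.
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
    NextSyncCycleStartTimeInUTC, SyncCycleInProgress
Get-ADSyncConnectorRunStatus   # empty output means no connector is currently running

# Expected sourceAnchor: ms-DS-ConsistencyGuid if set, otherwise objectGUID, base64-encoded.
$adUser = Get-ADUser -Identity 'test.user' -Properties 'ms-DS-ConsistencyGuid', UserPrincipalName
$bytes  = if ($adUser.'ms-DS-ConsistencyGuid') { $adUser.'ms-DS-ConsistencyGuid' }
          else { $adUser.ObjectGUID.ToByteArray() }
$expectedAnchor = [Convert]::ToBase64String($bytes)

$cloudUser = Get-MgUser -UserId $adUser.UserPrincipalName `
    -Property id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,onPremisesLastSyncDateTime
if (-not $cloudUser.OnPremisesSyncEnabled) { throw "$($adUser.UserPrincipalName) exists in the tenant but is not a synced object" }
if ($cloudUser.OnPremisesImmutableId -ne $expectedAnchor) {
    throw "sourceAnchor mismatch: AD=$expectedAnchor Entra=$($cloudUser.OnPremisesImmutableId)"
}
"Synced OK: $($cloudUser.UserPrincipalName), last sync $($cloudUser.OnPremisesLastSyncDateTime)"

# The account the wizard created in the tenant for the sync engine (cloud-only, not from AD).
Get-MgUser -Filter "startswith(displayName,'On-Premises Directory Synchronization Service Account')" `
    -Property displayName,userPrincipalName,onPremisesSyncEnabled |
    Select-Object DisplayName, UserPrincipalName, OnPremisesSyncEnabled
```

The anchor comparison is the check worth keeping around: a mismatch means the cloud user was matched (or created) under a different anchor, which is exactly what happens when a deleted user is recreated instead of restored from the Recycle Bin.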

Note: Microsoft has not yet renamed Azure AD Connect to Microsoft Entra Connect everywhere, so in some places you will still see the old name. This will change over time.


See ya in the next blog post 🙂

Github repository – Microsoft Home Lab
