Install Azure AD Connect to Integrate On-Prem ADFS with AAD (Hybrid Identity)

cc 好物分享

 Azure AD Connect comes with several features you can optionally turn on or are enabled by default. Some features might sometimes require more configuration in certain scenarios and topologies.

Filtering is used when you want to limit which objects are synchronized to Azure AD. By default all users, contacts, groups, and Windows 10 computers are synchronized. You can change the filtering based on domains, OUs, or attributes.

Password hash synchronization synchronizes the password hash in Active Directory to Azure AD. The end-user can use the same password on-premises and in the cloud but only manage it in one location. Since it uses your on-premises Active Directory as the authority, you can also use your own password policy.

Password writeback will allow your users to change and reset their passwords in the cloud and have your on-premises password policy applied.

Device writeback will allow a device registered in Azure AD to be written back to on-premises Active Directory so it can be used for Conditional Access.

The prevent accidental deletes feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size.

Automatic upgrade is enabled by default for express settings installations and ensures your Azure AD Connect is always up to date with the latest release.

Pre-requisites

Azure AD

  • You need an Azure AD tenant. 
  • Add and verify the domain you plan to use in Azure AD. An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. 

On-Prem Prepare

  • Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD and Microsoft 365.
  • Review optional sync features you can enable in Azure AD, and evaluate which features you should enable.
  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later
  • If you plan to use the feature password writeback, the domain controllers must be on Windows Server 2016 or later.
  • The domain controller used by Azure AD must be writable. 
  • Using on-premises forests or domains by using "dotted" (name contains a period ".") NetBIOS names isn't supported.
  • We recommend that you enable the Active Directory recycle bin.
  • Azure Active Directory Connect runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy will allow running of scripts. The recommended execution policy during installation is "RemoteSigned".


Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-ExecutionPolicy -List

Scope ExecutionPolicy
 ----- ---------------
MachinePolicy Undefined
 UserPolicy Undefined
 Process Undefined
 CurrentUser RemoteSigned
 LocalMachine RemoteSigned

Installation prerequisites

  • Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later.
  • The minimum .Net Framework version required is 4.6.2, and newer versions of .Net are also supported.
  • Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
  • The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
  • The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled if you use the Azure AD Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Azure AD Connect wizard to manage sync configuration.
  • If AD FS is being deployed:
  • It is not supported to break and analyze traffic between Azure AD Connect and Azure AD. Doing so may disrupt the service.
  • If your global administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
  • If you plan to use Azure AD Connect Health for syncing, ensure that the prerequisites for Azure AD Connect Health are also met. For more information, see Azure AD Connect Health agent installation.

Express installation of Azure AD Connect

Introduction Express Installation

Express is the most common option and is used by about 90% of all new installations. It was designed to provide a configuration that works for the most common customer scenarios.

It assumes:

  • You have a single Active Directory forest on-premises.
  • You have an enterprise administrator account you can use for the installation.
  • You have less than 100,000 objects in your on-premises Active Directory.

You get:

Options where you can still use Express:

  • If you do not want to synchronize all OUs, you can still use Express and on the last page, unselect Start the synchronization process...*. Then run the installation wizard again and change the OUs in configuration options and enable scheduled sync.
  • You want to enable one of the features in Azure AD Premium, such as Password writeback. First go through express to get the initial installation completed. Then run the installation wizard again and change the configuration options.

Steps:

  1. Sign in as a local administrator to the server you wish to install Azure AD Connect on. You should do this on the server you wish to be the sync server.
  2. Navigate to and double-click AzureADConnect.msi.
  3. On the Welcome screen, select the box agreeing to the licensing terms and click Continue.
  4. On the Express settings screen, click Use express settings.
    Welcome to Azure AD Connect
  5. On the Connect to Azure AD screen, enter the username and password of a global administrator for your Azure AD. Click Next.
    Connect to Azure AD
    If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.
  6. On the Connect to AD DS screen, enter the username and password for an enterprise admin account. You can enter the domain part in either NetBios or FQDN format, that is, FABRIKAM/administrator or fabrikam.com/administrator. Click Next.
    Connect to AD DS
  7. The Azure AD sign-in configuration page only shows if you did not complete verify your domains in the prerequisitesUnverified domains
    If you see this page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains.
  8. On the Ready to configure screen, click Install.
    • Optionally on the Ready to configure page, you can unselect the Start the synchronization process as soon as configuration completes checkbox. You should unselect this checkbox if you want to do additional configuration, such as filtering. If you unselect this option, the wizard configures sync but leaves the scheduler disabled. It does not run until you enable it manually by rerunning the installation wizard.
    • Leaving the Start the synchronization process as soon as configuration completes checkbox enabled will immediately trigger a full synchronization to Azure AD of all users, groups, and contacts.
    • If you have Exchange in your on-premises Active Directory, then you also have an option to enable Exchange Hybrid deployment. Enable this option if you plan to have Exchange mailboxes both in the cloud and on-premises at the same time. Ready to configure Azure AD Connect
  9. When the installation completes, click Exit.
  10. After the installation has completed, sign off and sign in again before you use Synchronization Service Manager or Synchronization Rule Editor.

Post Installation

Add additional sync admins

By default, only the user who did the installation and local admins are able to manage the installed sync engine. For additional people to be able to access and manage the sync engine, locate the group named ADSyncAdmins on the local server and add them to this group.

Assign licenses to Azure AD Premium and Enterprise Mobility Suite users

Now that your users have been synchronized to the cloud, you need to assign them a license so they can get going with cloud apps such as Microsoft 365.

Verify the scheduled synchronization task

Use the Azure portal to check the status of a synchronization.

Start a scheduled synchronization task

If you need to run a synchronization task, you can do this by:

  1. Double-click on the Azure AD Connect desktop shortcut to start the wizard.
  2. Click Configure.
  3. On the tasks screen, select the Customize synchronization options and click Next
  4. Enter your Azure AD credentials
  5. Click Next. Click Next. Click Next.
  6. On the Ready to Configure screen, ensure that the Start the synchronization process when configuration completes box is selected.
  7. Click Configure.

Additional Tasks

Additional tasks available in Azure AD Connect

After your initial installation of Azure AD Connect, you can always start the wizard again from the Azure AD Connect start page or desktop shortcut. You will notice that going through the wizard again provides some new options in the form of additional tasks.

The following table provides a summary of these tasks and a brief description of each task.

List of additional tasks

Additional task Description
Privacy Settings View what telemetry data is being shared with Microsoft.
View current configuration View your current Azure AD Connect solution. This includes general settings, synchronized directories, and sync settings.
Customize synchronization options Change the current configuration like adding additional Active Directory forests to the configuration, or enabling sync options such as user, group, device, or password write-back.
Configure device options Device options available for synchronization
Refresh directory schema Allows you to add new on-premises directory objects for synchronization
Configure Staging Mode Stage information that is not immediately synchronized and is not exported to Azure AD or on-premises Active Directory. With this feature, you can preview the synchronizations before they occur.
Change user sign-in Change the authentication method users are using to sign-in
Manage federation Manage your AD FS infrastructure, renew certificates, and add AD FS servers
Troubleshoot Help with troubleshooting Azure AD Connect issues

Manage Azure AD Connect

Tasks to Manage AAD Connect 

Enable Sync features:

Topic Link
Configure filtering Azure AD Connect sync: Configure filtering
Password hash synchronization Password hash synchronization
Pass-through Authentication Pass-through authentication
Password writeback Getting started with password management
Device writeback Enabling device writeback in Azure AD Connect
Prevent accidental deletes Azure AD Connect sync: Prevent accidental deletes
Automatic upgrade Azure AD Connect: Automatic upgrade
https://blog.51sec.org

版权声明:
作者:cc
链接:https://www.techfm.club/p/23063.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>