AZURE AD CONNECT CLOUD SYNC — AZURE AD CONNECT CLOUD SYNC INTEGRATION WITH ON-PREMISES ACTIVE DIRECTORY

Vedant Patel
7 min read · Nov 6, 2023


Project:

An IT services provider company, Abc Inc., is engaged in providing software development solutions. Currently they operate a hybrid model: some legacy applications run on-premises and some workloads run on Azure Cloud.

Numerous applications need to access services from SaaS offerings that form part of the hybrid infrastructure model, so IAM plays an essential role here in granting access and performing the integration.

At present, management is struggling to find a hybrid IAM access management solution that synchronizes an on-premises identity with Microsoft Azure Cloud, and that is where Azure AD Connect Cloud Sync comes to the rescue.

Solution:

What is Azure AD Connect cloud sync?

Azure Active Directory (Azure AD) is a cloud-based multi-tenant directory and identity service. This reference architecture shows best practices for integrating on-premises Active Directory domains with Azure AD to provide cloud-based identity authentication.

Organizations can use Azure AD if they are ‘pure cloud,’ or as a ‘hybrid’ deployment if they have on-premises workloads. A hybrid deployment of Azure AD can be part of a strategy for an organization to migrate its IT assets to the cloud, or to continue to integrate existing on-premises infrastructure alongside new cloud services.

Historically, ‘hybrid’ organizations have seen Azure AD as an extension of their existing on-premises infrastructure. In these deployments, the on-premises identity governance and administration systems, Windows Server Active Directory or other in-house directory systems, are the control points, and users and groups are synced from those systems to a cloud directory such as Azure AD. Once those identities are in the cloud, they can be made available to Microsoft 365, Azure, and other applications.

Azure AD Connect cloud sync is a new offering from Microsoft designed to meet your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. It can be used alongside Azure AD Connect sync, and it provides the following benefits:

· Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company’s AD forests are isolated from the parent company’s AD forests), and companies that have historically had multiple AD forests.

· Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.

· Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.

· Support for large groups with up to 50,000 members. It’s recommended to use only the OU scoping filter when synchronizing large groups.

Cloud Sync — How it works

Cloud sync is built on top of the Azure AD services and has 2 key components:

Provisioning agent: The Azure AD Connect cloud provisioning agent is the same agent used for Workday inbound provisioning and is built on the same server-side technology as Application Proxy and Pass-through Authentication. It requires an outbound connection only, and agents are auto-updated.

Provisioning service: The same provisioning service used for outbound provisioning and Workday inbound provisioning, which uses a scheduler-based model. In the case of cloud sync, the changes are provisioned every 2 minutes.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/concept-how-it-works

Synchronization flow

Once you have installed the agent and enabled provisioning, the following flow occurs.

1. Once configured, the Azure AD Provisioning service calls the Azure AD hybrid service to add a request to the Service bus. The agent constantly maintains an outbound connection to the Service Bus listening for requests and picks up the System for Cross-domain Identity Management (SCIM) request immediately.

2. The agent breaks up the request into separate queries based on object type.

3. AD returns the result to the agent and the agent filters this data before sending it to Azure AD.

4. Agent returns the SCIM response to Azure AD. These responses are based on the filtering that happened within the agent. The agent uses scoping to filter the results.

5. The provisioning service writes the changes to Azure AD.

6. If this is a delta sync as opposed to a full sync, then a cookie/watermark is used. New queries will get changes from that cookie/watermark onwards.

Description:

This project was a challenge project to deploy hybrid identity management on Azure. The task was to integrate on-premises identities with Azure Cloud using the Microsoft Azure AD Connect Cloud Sync hybrid identity management service.

Task 1: To deploy and configure the domain controller, a registered and verified domain is required. DNS: abc.cloud.ca

Task 2: Once the domain is registered, go to the Azure Active Directory service in the Azure portal and verify the custom domain using the appropriate service.

Task 3: Deploy a Windows Server 2019 Datacenter machine on VMware; this is the on-premises domain controller host, which hosts a DNS server and manages the on-premises Active Directory services.

Task 4: Then install the Azure AD Connect Cloud Sync provisioning agent on the on-premises Windows server (the agent for the AD Connect Cloud Sync service feature), and then configure the Active Directory service installation.

Task 5: Then create a user group and some users, which will be synced from on-premises to Azure Cloud using the Azure AD Connect service.

Task 6: Once the users are created, configure Azure AD Connect Cloud Sync: configure a new forest using the custom DNS name abc.cloud.ca, select the Active Directory service for sync, and finish the process, which starts syncing the on-premises users to Azure Cloud.

Task 7: Go to Azure Cloud and verify that the on-premises groups and users have been synced successfully and are displayed under their respective sections.

Task 8: Once the users have synced successfully, verify that a synced user can log into the Azure portal using their on-premises credentials.

Project Cost Estimation:

(Note: This cost is not an actual cost; it is an estimate based on high-level requirements. Prices may vary as services are added or removed to match requirements.)

Ref: https://azure.microsoft.com/en-us/pricing/details/active-directory/

Tools & Technologies covered:

VMware Hypervisor

Windows Server 2019 Datacenter

Azure Cloud

Azure AD Tenant

Azure AD Connect

On-Premises AD DNS Server

On-Premises Active Directory Service

Azure AD Connect Cloud sync

This migration project will be completed in the following implementation phases.

Project implementation Phase:

Phase 1: Verify DNS on Azure Portal

Phase 2: Create Azure cloud test users on Azure Portal

Phase 3: Deploy Azure AD Connect provisioning agent on On-Premises DC

Phase 4: Create On-Premise groups and users

Phase 5: Deploy Azure AD Connect Cloud sync on On-Premise DC

Phase 6: Verify and validate that On-Premise Group and users have synced to Azure Cloud

Phase 7: Verify that On-Premises user successfully logged into Azure Portal after Azure AD Cloud sync

Pre-requisite:

1) Azure Cloud admin user 1 — Role: Global Administrator on the Azure AD tenant

2) Azure Cloud AD admin user 2 — Role: Hybrid Identity Administrator

3) Registered domain, custom DNS: abc.cloud.ca

4) On-Premises server — Windows Server 2016 xxx

5) On-Premises Windows domain controller running on the domain name

6) On-Premises test users on the Windows DC server

7) Azure portal account

8) Active Directory admin user: Global Administrator

Ref: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-prerequisites?tabs=public-cloud

Implementation:

Phase 1: Verify DNS on Azure Portal

1. Go to Azure Active Directory — custom domain

2. Add the TXT record at the domain registrar account

3. Verify the DNS record from the Azure portal custom domain page

Phase 2: Create Azure cloud test users on Azure Portal

1. Create a Global Administrator Active Directory user

2. Create a few Azure cloud test users

Phase 3: Deploy Azure AD Connect provisioning agent on On-Premises DC

1. Go to the VMware Windows Server machine

2. Sign in to the Azure portal

3. Go to Active Directory — Azure AD Connect — Azure AD Cloud sync

4. Download the agent and install it

5. Verify that the AD DS service is installed

6. Add a new forest — abc.cloud.ca — and finish the installation
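Before configuring the sync, it helps to confirm the agent host is actually ready: the custom-domain TXT record from Phase 1 is resolvable, the AD DS role is present, and the provisioning agent is running with the outbound HTTPS path it needs (the agent never needs an inbound connection). The script below is an added example, not code from the original post; it assumes the domain abc.cloud.ca from the post, uses a placeholder for the TXT value shown in the portal, and assumes the Windows service name the agent installer registers on the DC (verify it with Get-Service on your own host).

```powershell
# Added example (not from the original post): readiness checks for Phases 1 and 3.
# Assumptions: custom domain abc.cloud.ca (from the post); the TXT value is a placeholder;
# the agent service name is the one the installer registers on the DC.
param(
    [string]$Domain      = 'abc.cloud.ca',
    [string]$ExpectedTxt = 'MS=msXXXXXXXX'   # placeholder: copy the value shown in the Azure portal
)

function Test-DomainVerificationRecord {
    param([string]$Domain, [string]$ExpectedTxt)
    # Phase 1: Azure AD verifies ownership by looking for a TXT record at the zone apex.
    $records = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $found   = $records | Where-Object { $_.Strings -contains $ExpectedTxt }
    [pscustomobject]@{
        Check  = "TXT record for $Domain"
        Passed = [bool]$found
        Detail = if ($found) { $ExpectedTxt } else { 'expected TXT value not published yet' }
    }
}

function Test-AdDsInstalled {
    # Phase 3 step 5: the AD DS role must be present before the agent can read the forest.
    $role = Get-WindowsFeature -Name AD-Domain-Services
    [pscustomobject]@{ Check = 'AD DS role'; Passed = $role.Installed; Detail = $role.InstallState }
}

function Test-ProvisioningAgent {
    # Phase 3 step 4: the agent runs as a Windows service and only needs outbound HTTPS.
    $serviceName = 'AADConnectProvisioningAgent'   # assumption: service name registered by the agent installer
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "service $serviceName"
        Passed = ($svc -and $svc.Status -eq 'Running')
        Detail = if ($svc) { $svc.Status } else { 'service not installed' }
    }
    # Outbound TCP 443 to the Azure AD sign-in endpoint; no inbound firewall rule is required.
    $net = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'outbound TCP 443 to login.microsoftonline.com'
        Passed = $net.TcpTestSucceeded
        Detail = $net.RemoteAddress
    }
}

$results = @(Test-DomainVerificationRecord -Domain $Domain -ExpectedTxt $ExpectedTxt) +
           @(Test-AdDsInstalled) +
           @(Test-ProvisioningAgent)
$results | Format-Table -AutoSize

if ($results.Passed -contains $false) {
    Write-Warning 'One or more readiness checks failed; fix them before adding the forest to cloud sync.'
}
```

Run it on the DC as an administrator after the agent installer completes. A failed TXT check usually means DNS propagation has not finished; a failed port-443 check means an egress proxy or firewall is blocking the agent, which is the first thing to look at when the portal shows the agent as inactive.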

Phase 4: Create On-Premise groups and users

1. Go to Tools — Active Directory Users and Computers

2. Create a new group named office365

3. Create new users

a. Vedant Patel

b. Alex Doe

c. John Smith

4. Assign the users to the group office365
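The same Phase 4 objects can be created with the ActiveDirectory PowerShell module, which also makes the one detail that matters for sync explicit: each user's UPN suffix must match the verified custom domain, or the user appears in Azure AD under the tenant's default onmicrosoft.com suffix instead. This is an added example, not code from the original post; it assumes the forest abc.cloud.ca and group name office365 from the post, and the OU name CloudSync and the sAMAccountNames are constructed for the example.

```powershell
# Added example (not from the original post): scripted equivalent of Phase 4.
# Assumptions: forest abc.cloud.ca and group office365 (from the post); OU 'CloudSync'
# and the sAMAccountNames are constructed for this example.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName   # e.g. DC=abc,DC=cloud,DC=ca
$upnSuffix = 'abc.cloud.ca'                      # must match the custom domain verified in Phase 1
$ouName    = 'CloudSync'                         # assumption: OU used as the cloud sync scoping filter
$groupName = 'office365'                         # group name from the post

# A dedicated OU keeps the scoping filter tight: only objects under it are offered to Azure AD.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
}

if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security `
        -Path $ou.DistinguishedName
}

# Users listed in the post; sAMAccountNames are constructed.
$users = @(
    @{ Given = 'Vedant'; Surname = 'Patel'; Sam = 'vedant.patel' },
    @{ Given = 'Alex';   Surname = 'Doe';   Sam = 'alex.doe'     },
    @{ Given = 'John';   Surname = 'Smith'; Sam = 'john.smith'   }
)

foreach ($u in $users) {
    $upn = "$($u.Sam)@$upnSuffix"
    if (-not (Get-ADUser -LDAPFilter "(userPrincipalName=$upn)")) {
        # Prompt for each initial password instead of hard-coding it in the script.
        $password = Read-Host -AsSecureString -Prompt "Initial password for $upn"
        New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
            -SamAccountName $u.Sam -UserPrincipalName $upn -Path $ou.DistinguishedName `
            -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true
    }
    Add-ADGroupMember -Identity $groupName -Members $u.Sam
}

# Show what the agent will read for this group; check the UPN column before enabling sync.
Get-ADGroupMember -Identity $groupName |
    Get-ADUser -Properties userPrincipalName |
    Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName
```

Scoping the sync configuration to the CloudSync OU rather than the whole domain limits what the agent reads and therefore what can be provisioned into the tenant; the post's Phase 5 checks then only need to look for these three objects.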

Phase 5: Verify and validate that On-Premise Group and users have synced to Azure Cloud

1. Go to the on-premises Windows Server 2019 DC

2. Go to This PC — Properties — validate that the custom domain is displayed

3. Go to Azure portal — Active Directory service

4. Validate that the new group office365 has synced from on-premises to Azure cloud

5. Validate that the new users have synced from on-premises to Azure Cloud

a. Vedant Patel

b. Alex Doe

c. John Smith

Phase 6: Verify that On-Premises user successfully logged into Azure Portal after Azure AD Cloud sync

1. Go to Azure portal — Active Directory — Users

2. Select the user synced from on-premises — alex.doe@abc.cloud.ca

3. Open a new Azure portal sign-in and log in as alex.doe@abc.cloud.ca

4. Verify that the user is successfully logged in using the same credentials
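The Phase 5 and Phase 6 checks can be scripted with the Microsoft Graph PowerShell SDK, which also exposes the sync attributes the portal only shows one user at a time: onPremisesSyncEnabled, the immutable ID that anchors the cloud object to its AD object, and the last sync timestamp that should keep advancing while the agent runs. This is an added example, not code from the original post; it assumes the SDK module is installed, that the signed-in account can read users, groups and sign-in logs, and the UPNs are constructed from the names in the post.

```powershell
# Added example (not from the original post): scripted verification for Phases 5 and 6
# with the Microsoft Graph PowerShell SDK. Assumptions: SDK installed; the signed-in account
# holds the requested scopes; UPNs are constructed from the names in the post.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'AuditLog.Read.All' -NoWelcome

$groupName = 'office365'
$expected  = @('vedant.patel@abc.cloud.ca', 'alex.doe@abc.cloud.ca', 'john.smith@abc.cloud.ca')
$syncProps = 'displayName', 'userPrincipalName', 'onPremisesSyncEnabled',
             'onPremisesImmutableId', 'onPremisesLastSyncDateTime'

# Phase 5, step 5: every expected user should exist and be flagged as synced from on-premises.
$report = foreach ($upn in $expected) {
    $u = Get-MgUser -UserId $upn -Property $syncProps -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserPrincipalName = $upn
        Exists            = [bool]$u
        SyncedFromAD      = [bool]$u.OnPremisesSyncEnabled
        ImmutableId       = $u.OnPremisesImmutableId        # anchor linking the cloud object to the AD object
        LastSync          = $u.OnPremisesLastSyncDateTime   # should advance about every 2 minutes while sync runs
    }
}
$report | Format-Table -AutoSize

# Phase 5, step 4: the group should be present and carry the same three members.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property 'id', 'displayName', 'onPremisesSyncEnabled'
if (-not $group) {
    Write-Warning "Group $groupName has not appeared in Azure AD yet"
} else {
    $memberUpns = Get-MgGroupMember -GroupId $group.Id -All |
        ForEach-Object { (Get-MgUser -UserId $_.Id -Property userPrincipalName).UserPrincipalName }
    $missing = $expected | Where-Object { $_ -notin $memberUpns }
    if ($missing) { Write-Warning "Members not yet synced into $groupName : $($missing -join ', ')" }
    else          { "Group $groupName synced with all $($memberUpns.Count) expected members" }
}

# Phase 6: confirm the synced user actually signed in to the portal with the on-premises password.
# Reading sign-in logs needs the AuditLog.Read.All scope requested above.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'alex.doe@abc.cloud.ca'" -Top 5 |
    Select-Object CreatedDateTime, AppDisplayName, IpAddress,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } }
```

A user that exists but shows SyncedFromAD as False was created in the cloud rather than matched from AD, which is the usual symptom of a UPN suffix that does not match the verified domain; a LastSync value that stops advancing points at the agent or its outbound connectivity rather than at the directory objects.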


Written by Vedant Patel

Cloud Development Engineer | Azure | AWS
