Before viewing this post please refer back to my following articles if you require a base understanding of Microsoft Azure ADConnect and the features available.
- I first posted on AADConnect and AADSync back in August last year.
- I also presented on Cloud Identities at TechEd Melbourne and Sydney last year here.
This post will focus on what is new and what has changed.
As posted by Alex Simons (Azure AD Director) the Microsoft Azure ADConnect preview 2 was released earlier this year. I downloaded Azure AD Connect Public Preview Download from here. I started the installer and was presented with the screen to install the services. Note: I could have specified a SQL server if my Domain was large enough to warrant this (Microsoft recommends this for over 50,000 + users). I could specift a Service Account if that was a company requirement. I could also select import settings if I had a previous configuration that I wanted to apply to this ADSync server. I left all options unselected and selected install.
The next option was to specifiy what I wanted to install, ADSync or SSO. I selected ADSync.
I then entered my Azure Global Admin credentials. The installer now creates and assigns a service account within Azure AD with the minimum permissions that it requires, which is a great improvement. I then entered my On-Premises credentials (this also creates a service account).
The following option allows for Group Based filtering. I noted that you can only specify 1 group here which may suit some customers who do not wish to use OU based filtering. Microsoft added this option with the intention of pilot and evaluations of Azure AD and Office 365. I selected ‘Synchronise all users and devices’.
Here I specify that a user is represented only once across all directories.
Here you can change your user attribute mappings. This may be required if you are using for example Shibboleth for SSO or if you have some other customised requirements.
Optional features can be modified later, so don’t be overwhelmed by the amount of options. You can re-run the wizard to make changes later if you need.
- Exchange Hybrid- For an Exchange Hybrid migration to Office 365.
- Azure AD attributes- if you only want to sync a smaller set of user attributes.
- Password writeback- change a password in Azure AD and it writes back to On-Premises and verifies the On-Premises password policy.
- User writeback- A user created in Azure AD is created in On-Premises AD.
- Group writeback- Groups in Office 365 will be written back to your On-Premises Exchange forest.
- Device Sync- Allows for Windows 10 computers enrolled with Intune or directly with Azure AD to sync to On-Premises AD. (we are seeing the start of managing a Windows-as-a-Service subscription model). This is called ‘Cloud registered Devices’. NOTE: This requires a 2012 R2 schema.
- Directory extension- Use this if you want to sync a unique attribute to Azure AD, eg. a custom Linux attribute, or an Employee ID (currently limitations apply to certian values and characters).
The screenshot below is for Azure AD attributes. So in my example I will not be using CRM so I remove the syncing of these attributes.
Below we have the option to remove attributes from being Synced. Eg. An organisation may have extended their schema and used “extensionAttribute’s”. Perhaps these contain sensitive information, the administrator can simply uncheck these attributes so they are not synced.
Here we confirm which On-Premise destination we want to use for User writeback. Select the Users OU. Note: you can add/merge many domains to the one Azure AD subscription, so Write-Back destination is required.
Here I ticked the box to start a sync after install.
Here you can see I have run the miisclient and can see that 60 objects have been synced automatically.
Here was can easily see errors. My user account had an error because AD and AAD had the exact same display name of aaron.whittaker. For this test environment I will ignore this error.
Next in Azure AD I create a new user called CloudUser1
Back on my Sync server I selected connectors at the top, then selected my Azure AD and run a ‘Full Synchronization’.
Below you can see the event for the CloudUser1 being synced to On-Premises.
Here we can verify that the user has been synced. You can see I have applied an On-Premises group membership permission to a Cloud User.
To view my post on upgrading to AADConnect GA from Beta see my post here.
To get started refer to the following articles:
Post by Alex Simons
And follow these twitter handles:
To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription. If you don’t have a Microsoft Azure subscription you can take a trial here.
Aaron Whittaker
@AaronW2003