You're reading from Mastering Active Directory, Third Edition

Product type: Book
Published in: Nov 2021
Publisher: Packt
ISBN-13: 9781801070393
Edition: 3rd Edition

Author: Dishan Francis

Dishan Francis is an IT professional with over 15 years of experience. He was a six-time Microsoft MVP in enterprise mobility before he joined Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-premises Active Directory services and Azure Active Directory. He has also written for other Microsoft-managed blogs such as canitpro and ITopsTalk. When it comes to managing innovative identity infrastructure solutions to improve system stability, efficiency, and security, his level of knowledge and experience places him among the very best in the field.

Hybrid Identity

Back in 2006, I was working with a large Canadian managed-hosting service provider. At that time, there was a huge demand for dedicated server hosting and colocation services. Hardware, bandwidth, and management all came at a high cost. However, things started to change with the rise of virtualization: it was able to bring the hosting costs down massively. I still remember that there were all sorts of discussions at the time about the pros and cons of virtualization. As with any technology, in the beginning, there were issues, but virtualization technologies developed rapidly and brought businesses to a point that they can't look away from.

For us, it was the same: business-wise, we were safe with dedicated server hosting. We were making good profits. But with virtualization, customers were able to bring racks of dedicated servers into a few hypervisor hosts. Then, businesses in the hosting field started to find new ways of making money with virtualized technologies...

Extending on-prem AD to Azure AD

In Chapter 1, Active Directory Fundamentals, I explained why it is important to consider extending out identities to the cloud. Throughout this book, we've learned about the features and management of Azure AD in a hybrid environment. Now, it is time to talk about the integration of Azure AD with on-prem AD.

Based on experience, I would like to propose the following steps to consider before proceeding with the implementation task.

  1. Evaluating the present business requirements
  2. Evaluating an organization's infrastructure road map
  3. Evaluating the security requirements
  4. Selecting the Azure AD version
  5. Deciding on the sign-in method
  6. Implementation

The actual configuration process of hybrid identity is quite straightforward. In less than an hour, we can complete the process. But that's not the point. There are some critical decisions businesses have to make before stepping into hybrid identity...

Evaluating the present business requirements

There can be one or many reasons why a business is looking to extend their on-prem AD to Azure AD. The most common reasons can be as follows:

  • Use of Software-as-a-Service (SaaS) applications
  • Cloud migration
  • Features
  • Security

Let's go ahead and explore each of the above in detail:

  • Use of Software-as-a-Service (SaaS) applications: This is one of the most common reasons for an organization to start using the Azure AD hybrid model. With the maturity of the cloud, lots of software vendors started to move into the SaaS market. Most of these solutions are now available through the Microsoft Azure Marketplace.

    Because of high availability (HA), reduced management overhead, scalability, and cost, most organizations do not hesitate to move to SaaS applications. Every SaaS application requires authentication to handle access permissions. By extending on-prem AD to Azure AD, users are able to use their existing domain logins to...

Evaluating an organization's infrastructure road map

In the previous section, we talked about why an organization may use an Azure AD hybrid setup. Moving from an on-prem service to a cloud service is a big decision for an organization; therefore, if it is not planned properly from an early stage, it can be hard to change things after implementation. To provide any IT solution, as engineers, we should not only consider the current state of the requirement: we also need to know the upcoming changes or future plans for the company infrastructure as it may have an impact on the solution that we have in mind. This is important as it helps engineers to provide future-proof solutions.

RebelAdmin Corp. has an initial requirement to move from on-prem Exchange services to Office 365. However, RebelAdmin Corp. has already decided to move their application and services completely to the Azure cloud by 2023. So, if an engineer just considers the immediate requirements, they can simply...

Evaluating the security requirements

Azure AD comes with a lot of features and services that can be used to protect identities in cloud-only or hybrid environments against modern threats. Since it is a managed service, these features and services are continuously improved in line with current threat trends. Not every security feature or service is needed in every Azure AD environment. We can decide on the security requirements based on the following points:

  • Nature of the business: Identity protection and data protection are important for every infrastructure; however, some businesses require advanced protection due to the sensitivity of the data they process, compliance requirements, and legal requirements. As an example, a financial institution will require advanced protection compared to a college due to differences in the sensitivity of data.
  • Skills: Even if you have advanced security features and services, if you do not know how to use them appropriately, they...

Selecting the Azure AD version

Azure AD has five different editions. Azure AD free edition is the default edition for any Azure and Office 365 subscription. Basic and Premium versions are available through the Microsoft Enterprise Agreement, the Open Volume License program, and the Cloud Solution Provider program. Microsoft 365 E3 and E5 licenses also come with Azure AD Premium editions. More information about these editions can be found at https://bit.ly/3oYV5km.

Deciding on a sign-in method

In this section, we are going to evaluate different Azure AD sign-in options for hybrid environments.

The sign-in options for a hybrid environment are managed only through the Azure AD Connect configuration. These sign-in methods can simply be grouped into two categories:

  1. Authentication takes place against Azure AD: In this category, cloud users and synced on-prem users will be directly authenticated via Azure AD. No authentication request will pass to on-prem AD for...

Federation with Azure AD

Federation trusts between domains allow organizations to manage their own identities within their own environments. Azure AD also supports federation with on-prem AD. When a federation trust is in place, users can log in to Azure AD using the same on-prem AD passwords. With this method, on-prem users will always be authenticating via on-prem AD. We can use AD Federation Services (AD FS) or PingFederate to create federation trusts between Azure AD and on-prem AD.

In Chapter 13, I have explained how AD FS works with Azure AD and also demonstrated how to enable federation between Azure AD and AD FS. Please check Chapter 13 if you need more details.

Pass-through authentication

To create federation trusts between Azure AD and on-prem AD, quite a bit of work is involved. We need additional servers, SSL certificates, licenses, an HA solution, firewall changes, and advanced configurations. But Azure AD Pass-through Authentication allows organizations to...

Step-by-step guide to integrating an on-prem AD environment with Azure AD

Before we start with the integration process, we need the following:

  • Valid Azure subscription: We need to have a valid Azure subscription. It can be a pay-as-you-go subscription or a partner subscription. You can also get a free Azure demo account with £150 in credit. More information can be found at https://bit.ly/3oV95Ma.
  • Global Administrator account: To set up Azure AD, you need to log in to Azure with an account that has Global Administrator account privileges.
  • Access to DNS: If you are going to add a custom domain name, as part of the process, you need to verify the ownership of the domain name.

    This is done by using a DNS record. Therefore, engineers need to have access to DNS servers.

  • Enterprise Administrator account: In order to set up and configure Azure AD Connect, the engineers need to be members of the Enterprise Administrator group in the on-prem AD setup...

Creating a virtual network

Azure AD and other workloads should use the same virtual network so that they can be operated under the same managed domain. If you already have a subscription and have your virtual network set up, this step can be skipped:

  1. Log in to the Azure portal as Global Administrator (https://bit.ly/30XzSig).
  2. Click on Virtual networks from the left-hand navigation panel. Then, click on + Add.
  3. On the first page of the wizard, provide the following details:
    • Name: Provide a name for the virtual network. In this demo, I am using REBELVMNet as my virtual network name.
    • Resource group: Select or create a resource group for the virtual network. In my demo, I am using a new resource group for this called REBELBOOK.
    • Location: Select a location for the virtual network. Please note that we need to use the same location for the managed domain.
  4. After the settings are in place, click on Next: IP Addresses...

Setting up an Azure AD managed domain

The next step of the configuration process is to set up an Azure AD managed domain:

  1. In order to do that, log in to the Azure portal (https://bit.ly/3oUVqo7) as Global Administrator.
  2. Go to All Services | Azure AD Domain Services.
  3. Click on Create Azure AD Domain Services:

    Figure 18.17: Initiating Azure AD DS setup

  4. This will open up a wizard. Type in a DNS domain name for the service. It is recommended that you use the default tenant domain name in the beginning as we can add a custom domain later on, if required. Also, select the resource group we created in the previous step. In here, we also need to select the SKU for the service.

    There are three levels of subscription for the service and you can find more details about these on https://bit.ly/3nLCc4Y. By default the forest type is set to User. If you need to, you can also set this up as a resource forest:

    Figure 18.18: Azure AD DS configuration...

Adding DNS server details to the virtual network

If we need to add a VM to this managed domain, the VM should be able to resolve the DNS name of the managed domain. This is done via a DNS server that belongs to the managed domain. We need to add this DNS server to the virtual network so that we can add VMs to the managed domain at a later time.

To do this, perform the following steps:

  1. Go to All Services | Azure AD Domain Services.
  2. Click on the managed domain we just created.
  3. On the next page, click on Configure, which is under Update DNS server settings for your virtual network. This will add DNS servers to the relevant virtual network:

    Figure 18.23: Update DNS records

  4. Once the DNS update process has completed, we will be able to see the records under the relevant virtual network's DNS settings:

Figure 18.24: Custom DNS servers

This completes the configuration of Azure AD DS; the next step is to configure Azure...

Creating a Global Administrator account for Azure AD Connect

During the Azure AD Connect configuration, we require an account that has Global Administrator privileges (in Azure). It is recommended to use a separate account for this.

In order to create a user account, perform the following steps:

  1. Click on Azure Active Directory in the Azure portal.
  2. Click on All users | + New user:

    Figure 18.25: Create new user

  3. Then, type the account name and username in the relevant fields. After that, click on Directory role and make sure that you select Global Administrator.
  4. After creating the user, log in to the Azure portal using the new account details and make sure that the account is in a working state before using it for AD sync.
  5. Also, make sure that this account is a member of the AAD DC Administrators group. This will provide administrative privileges to the managed domain.

The next step of the configuration is to set up Azure...

Setting up Azure AD Connect

In my demo environment, I have an on-prem DC running. It is operating in the Windows Server 2016 domain and forest functional levels. I would like to integrate it with the Azure AD managed domain we just created. In my setup, the on-prem AD uses the same domain name as the managed domain. In the production environment, you can use the custom domain name option and register the domain under Azure AD before going into the Azure AD Connect configuration.

With the Azure AD Connect configuration, I would like to do the following:

  1. Sync all the users and groups to the Azure AD tenant
  2. Configure Pass-through Authentication
  3. Configure Azure AD Seamless SSO

The first step of the configuration will be to configure Pass-through Authentication agents.

Installing the Pass-through Authentication agent

Before we move into Azure AD Connect, we need to install the Pass-through Authentication agent. It is recommended to install the Pass-through Authentication agent on the same server as Azure AD Connect. In a production environment, it is recommended to install this agent on at least three servers:

  1. Log in to the Azure portal (https://bit.ly/30RTYdW) as Global Administrator.
  2. Click on Azure Active Directory | Azure AD Connect | Pass-through authentication:

    Figure 18.26: Pass-through authentication settings

  3. Click on Download to download the file.
  4. Once the .exe file has been downloaded, move to the server where it is going to be installed.
  5. Then, double-click on the file and proceed with the installation:

    Figure 18.27: Start Azure AD Connect authentication agent installation

  6. During the installation process, it will prompt for authentication. Use the Global Administrator...

Azure AD Connect configuration

Now, we have everything ready so that we can go ahead with the Azure AD Connect installation and configuration:

  1. Log in to the on-prem server as a Domain Administrator.
  2. Download the latest version of Azure AD Connect from https://bit.ly/3l6JZZr.
  3. Run the .msi file as an administrator.
  4. On the first page, accept the license terms and click on Continue.
  5. On the next page, select the Customize configuration option:

    Figure 18.30: Azure AD Connect express setup

  6. On the next page, keep the default selection and click on Install.
  7. On the user sign-in page, select the Pass-through authentication (step 1) and Enable single sign-on (step 2) options, and then click Next (step 3) to proceed. This will enable pass-through authentication for the directory:

    Figure 18.31: Azure AD Connect pass-through authentication setting

  8. On the next page, log in to the user Azure AD Global Admin account...

Syncing NTLM and Kerberos credential hashes to Azure AD

Azure AD Connect does not synchronize NTLM and Kerberos credential hashes to Azure AD by default. To use AD DS, we need to configure Azure AD Connect so that it synchronizes the credential hashes that are required for NTLM and Kerberos authentication. To do that, we need to run the following PowerShell script:

# Connector names are case sensitive; copy them exactly as Azure AD Connect registered them
$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
Import-Module adsync
# Load the on-prem AD connector object
$c = Get-ADSyncConnector -Name $adConnector
# Build the connector-global parameter that forces a full password sync on the next cycle
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
# Replace any existing copy of the parameter, then write the connector back
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Enable password hash sync from the on-prem AD connector to the Azure AD connector
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector...
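The script above depends on connector names that are case sensitive, and it gives no feedback on whether the parameter actually landed. The following is an added example, not the book's script, to run on the Azure AD Connect server after it: it reads the connector names from the ADSync module instead of relying on typed values, confirms that the ForceFullPasswordSync parameter is present on the on-prem AD connector, and shows the password sync configuration for that connector. The function names are my own, and the rule used to tell the two connector types apart (the Azure AD connector name ending in " - AAD") is an assumption based on Azure AD Connect's default naming.

```powershell
# Added example (not from the book). Requires the ADSync module, which is
# only present on the Azure AD Connect server.
Import-Module ADSync

function Get-SyncConnectorNames {
    # Assumption: the Azure AD connector is the one whose name ends in " - AAD"
    # (Azure AD Connect's default naming); every other connector is treated as
    # an on-prem AD connector. Names are returned exactly as registered,
    # preserving case.
    $all = Get-ADSyncConnector
    [pscustomobject]@{
        AzureAD = ($all | Where-Object { $_.Name -like '* - AAD' }).Name
        OnPrem  = ($all | Where-Object { $_.Name -notlike '* - AAD' }).Name
    }
}

function Test-ForceFullPasswordSync {
    param([Parameter(Mandatory)] [string] $AdConnectorName)
    $c = Get-ADSyncConnector -Name $AdConnectorName
    # Look the parameter up by name rather than assuming it exists
    $p = $c.GlobalParameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ForceFullPasswordSync' }
    $value = $null
    if ($p) { $value = $p.Value }
    [pscustomobject]@{
        Connector    = $AdConnectorName
        ParameterSet = [bool] $p
        Value        = $value
    }
}

$names = Get-SyncConnectorNames
$names

# Multi-forest setups have more than one on-prem connector; check each one.
foreach ($ad in @($names.OnPrem)) {
    Test-ForceFullPasswordSync -AdConnectorName $ad
    # Shows whether password hash sync is enabled from this connector to Azure AD
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad
}
```

If ParameterSet comes back False for a connector, the script above was run against a different connector name (most often a case mismatch); rerun it with the name exactly as shown by Get-SyncConnectorNames.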

Enabling secure LDAP (LDAPS) for an Azure AD DS managed domain

In an on-prem AD environment, there can be applications or services that require integration with AD. With AD integration, the application can search for AD users, allow login, assign permissions, etc. This integration is usually done using LDAP. By default, traffic over LDAP is not encrypted. Because unencrypted LDAP traffic can be intercepted, Microsoft now recommends only using secure LDAP (LDAPS, LDAP over SSL) connections to DCs. In Chapter 15, I have demonstrated how we enable secure LDAP access with an on-prem DC. Azure AD DS also supports secure LDAP connections. Most of the time, the LDAP connection to Azure AD DS will be initiated over the public internet. So, it is important to have encryption in place to prevent man-in-the-middle attacks.

In this section, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start, make sure you have the following prerequisites in place:

  1. A valid Azure subscription...

Enable secure LDAP (LDAPS)

The next step of the configuration process is to enable secure LDAP. To do that, perform the following steps:

  1. Log in to the Azure portal (https://bit.ly/3oV9pKS) as Global Administrator.
  2. Then go to Azure AD Domain Services.
  3. Click on the Azure AD DS instance.
  4. It will open up the Azure AD DS settings page. On this page, click on Secure LDAP. It will open up a new window:
    Figure 18.42: Secure LDAP feature
  5. To enable secure LDAP, click on Enable under Secure LDAP. We also need to enable secure LDAP over the internet as in this demo I am going to access it via the public internet. To do that click on Enable under Allow secure LDAP access over the internet.

    We also need to upload the PFX file we created. We can do that under the option for uploading a PFX file with a secure LDAP certificate. Click on the file icon and select the PFX file. Under the Password to decrypt .PFX file option, type the password for the PFX file. Finally, click on Save...
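Once secure LDAP is enabled, the part that actually stops a man-in-the-middle is the client's validation of the certificate: encryption alone does not help if the client accepts whatever certificate it is offered. The following is an added example, not code from the book, that opens a TLS session to the secure LDAP endpoint and reports whether the presented certificate chains to a trusted root and matches the name used to connect. The function name is mine, the hostname is a placeholder for the DNS name you map to the managed domain's secure LDAP IP, and it assumes TCP 636 is reachable from the machine running it.

```powershell
# Added example (not from the book): check that an Azure AD DS secure LDAP
# endpoint presents a certificate the client will trust, using the same
# chain and hostname checks a .NET LDAP client would apply.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DNS name that must match the certificate
        [int] $Port = 636
    )

    # Shared state the validation callback fills in. A hashtable is a reference
    # type, so the closure below updates this same object.
    $state = @{ Errors = $null; Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null }

    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $errors)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $state.Errors     = $errors
        $state.Subject    = $cert.Subject
        $state.Issuer     = $cert.Issuer
        $state.NotAfter   = $cert.NotAfter
        $state.Thumbprint = $cert.Thumbprint
        # Accept the handshake only when both the chain and the name check pass
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl    = $null
    try {
        $client.Connect($Server, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # TLS 1.2 only, no client certificate, revocation checking on
        $ssl.AuthenticateAsClient(
            $Server,
            $null,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $true)
        $trusted = $true
        $detail  = 'OK'
    }
    catch {
        # Untrusted chain, name mismatch, closed port, or a non-TLS service
        $trusted = $false
        $detail  = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }

    [pscustomobject]@{
        Server             = $Server
        Port               = $Port
        CertificateTrusted = $trusted
        PolicyErrors       = $state.Errors
        Subject            = $state.Subject
        Issuer             = $state.Issuer
        NotAfter           = $state.NotAfter
        Thumbprint         = $state.Thumbprint
        Detail             = $detail
    }
}

# Usage: replace the placeholder with your own secure LDAP DNS name
Test-LdapsEndpoint -Server 'ldaps.example.com' | Format-List
```

If CertificateTrusted is False while Subject is populated, the handshake reached the managed domain but the certificate failed validation; PolicyErrors tells you whether the problem is the chain (RemoteCertificateChainErrors, typically an issuing CA the client does not trust) or the name (RemoteCertificateNameMismatch, the DNS name does not appear in the certificate). Connecting by IP address instead of the DNS name will always fail the name check, which is the intended behaviour.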

Summary

Azure AD is a Microsoft-managed, cloud-based, and multi-tenant directory service. It can be used in a cloud-only infrastructure or in a hybrid infrastructure. When used in a hybrid infrastructure, it allows us to use the same identities so that we can work with resources on-prem and in the cloud. It extends local AD infrastructure functionalities to the cloud.

In this chapter, we learned what Azure AD DS is and what its capabilities are. We also looked into the different types of sign-in options that we can use in a hybrid setup, including password hash synchronization, pass-through authentication, and SSO. After that, we looked at a step-by-step guide for integrating our on-prem directory service with Azure AD. We also learned how to set up secure LDAP with an Azure AD managed domain and how to improve the resiliency of the Azure AD managed domain by using replica sets. In this chapter, I was only able to demonstrate a very limited number of features and capabilities...
