Chapter 1: Planning for Hybrid Identity
Configuring a Microsoft 365 hybrid environment requires an understanding of your organization's identity needs, which will enable you to plan and deploy the correct Azure Active Directory (Azure AD) authentication and synchronization method within your environment. This chapter covers planning your identity methodology and describes the process of monitoring and understanding the events recorded by Azure AD Connect.
By the end of this chapter, you will be able to determine your business needs, analyze on-premises identity infrastructure, and develop a plan for hybrid identity. You will understand how to design and implement authentication and application management solutions, how to enhance data security through strong identity, and how to analyze events and configure alerts in Azure AD Connect.
In this chapter, we will cover the following topics:
- Planning your hybrid environment
- Synchronization methods with Azure AD Connect ...
Planning your hybrid environment
Identity is key when planning and implementing a Microsoft 365 environment. While the default identity method within Microsoft 365 is cloud-only, most organizations will need to plan for deploying hybrid identities when introducing Microsoft 365 to their organization. So, what is hybrid identity? Well, in simple terms, it is the process of providing your users with an identity in the cloud that is based on their on-premises identity. There are several ways that this can be achieved, and the available methods will be explained in detail later in this chapter.
The basic principles of hybrid identity in Microsoft 365 are shown in the following diagram:
Figure 1.1 – Hybrid identity
Let's examine how to start planning for hybrid identity in Microsoft 365.
The first step to establishing the correct identity lies in determining the business needs of your organization. It is important, at this stage, to recognize...
Synchronization methods with Azure AD Connect
Now that you understand the concept of hybrid identity and authentication, we will turn our attention to the process that makes hybrid identity possible—directory synchronization. The tool used to configure directory synchronization is called Azure AD Connect (previously known as Azure AD Sync Service and DirSync). Azure AD Connect consists of three essential components, as follows:
- Synchronization services
- Active Directory Federation Services (AD FS)—an optional component
- Health monitoring
Azure AD Connect supports synchronizing multiple AD forests and multiple Exchange organizations to a single Microsoft 365 tenant. Synchronization is primarily a one-way process: the tool synchronizes users, groups, and contact objects from your on-premises Active Directory to Microsoft 365. The exceptions are the optional writeback features (for example, password writeback used by SSPR, or device and group writeback), which write specific attributes back to on-premises AD and should be enabled deliberately, because they widen what the Azure AD Connect service account can change in your directory.
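The scheduler that drives this one-way synchronization can be inspected and controlled with the ADSync PowerShell module installed alongside Azure AD Connect. The following is an added example (not code from the chapter or from Microsoft) to be run in an elevated PowerShell session on the Azure AD Connect server; the function names Get-SyncHealthSummary and Invoke-SafeSync are my own, and the example assumes the ADSync module is present.

```powershell
# Added example: inspect the Azure AD Connect scheduler and start a sync cycle safely.
# Assumes the ADSync module that ships with Azure AD Connect is installed on this server.
Import-Module ADSync

function Get-SyncHealthSummary {
    # Scheduler state worth checking before touching anything: whether the automatic
    # cycle is enabled, whether this server is in staging mode (imports and syncs but
    # never exports to Azure AD), and when the next cycle is due.
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled    = $sched.SyncCycleEnabled
        StagingModeEnabled  = $sched.StagingModeEnabled
        SyncCycleInProgress = $sched.SyncCycleInProgress
        EffectiveInterval   = $sched.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc        = $sched.NextSyncCycleStartTimeInUTC
        NextPolicyType      = $sched.NextSyncCyclePolicyType
    }
}

function Invoke-SafeSync {
    param(
        # -Full requests a full (Initial) cycle, which re-imports every object; the default
        # Delta cycle processes only changes since the last run and is what you normally want.
        [switch]$Full
    )
    $sched = Get-ADSyncScheduler
    if ($sched.SyncCycleInProgress) {
        # The scheduler rejects a second cycle while one is running, so check first.
        Write-Warning 'A sync cycle is already in progress; not starting another.'
        return
    }
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'Automatic sync is disabled (SyncCycleEnabled = False). A manual cycle will still run; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true when finished.'
    }
    $policy = if ($Full) { 'Initial' } else { 'Delta' }
    Start-ADSyncSyncCycle -PolicyType $policy
}

Get-SyncHealthSummary
# Lists any connector that currently has a run in progress (empty output means idle).
Get-ADSyncConnectorRunStatus
Invoke-SafeSync
```

A full cycle (-PolicyType Initial) is only needed after configuration changes such as altering sync rules or filtering; in day-to-day troubleshooting a delta cycle is sufficient and far cheaper on large directories.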
The principles of Azure AD Connect are shown in the following diagram:
Figure 1.2 – Azure AD Connect
Once...
Additional authentication security
The authentication security methods available in Microsoft 365 are as follows:
- Multi-factor authentication (MFA)
- Self-service password reset (SSPR)
- Conditional Access
We will briefly introduce the principles of these methods; however, each of these will be described and explored in greater detail in Chapter 2, Authentication and Security, and Chapter 3, Implementing Conditional Access Policies, of this book.
Multi-factor authentication
MFA in Azure AD provides two-step verification to Microsoft services via a combination of approved authentication methods that are determined by Microsoft 365 administrators. The available methods can be based on the following:
- Something you know, such as your password
- Something you have, such as your mobile phone or an OATH token (a hardware or software one-time-password token; not to be confused with OAuth, which is an authorization protocol, not an authentication factor)
- Something you are, such as biometric identification (fingerprint or facial recognition)
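To make the "something you have" factor concrete, here is an added example (not from the chapter) of what an OATH software token actually computes: an RFC 6238 time-based one-time password, which is an RFC 4226 HMAC-SHA1 over a 30-second time counter, dynamically truncated to six digits. The function name Get-TotpCode is my own, and the secret used at the bottom is the RFC 6238 Appendix B test-vector key ("12345678901234567890" in ASCII), a constructed input for which that RFC documents a six-digit code of 287082 at 59 seconds past the Unix epoch.

```powershell
# Added example: RFC 6238 TOTP as generated by an OATH software token.
function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Time counter T = floor(unixTime / step), encoded as an 8-byte big-endian integer
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }

    # HOTP core: HMAC-SHA1(secret, counter)
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # and the top bit of that window is masked off so the value is a positive 31-bit integer
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]

    # Keep the last $Digits decimal digits, left-padded with zeros
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Constructed input: the RFC 6238 test-vector key, evaluated at 59 seconds after the epoch,
# then at the current time (the code a token enrolled with this secret would show right now).
$testKey = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
Get-TotpCode -Secret $testKey -UnixTime 59
Get-TotpCode -Secret $testKey
```

The security property to notice is that the code depends only on the shared secret and the clock: anyone who captures the seed (for example from an unprotected token export) can generate valid codes indefinitely, which is why seed handling and token registration, not the six digits themselves, are what an administrator needs to protect.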
When setting up MFA for users in your Microsoft...
Event monitoring and troubleshooting in Azure AD Connect
So, now that you have your hybrid identity method configured, hopefully it will all run smoothly for you. However, occasionally you may encounter some problems, and this is where the ability to assess and troubleshoot Azure AD Connect, both with tools on the server and from the Microsoft 365 admin center, helps administrators identify and resolve issues quickly. Administrators will be able to perform the following tasks:
- Review and interpret synchronization errors by accessing the Microsoft 365 admin center (via https://portal.office.com, or directly at https://admin.microsoft.com) and examining the Azure AD Connect directory sync status. Here, you will see an overview of any directory synchronization errors. A common example is a duplicate proxy address or UPN that conflicts with another object and prevents the object from syncing. The following screenshot shows the Azure AD Connect tile you will see in the admin center; any issues with your synchronization are shown here in red:
Figure 1.16...
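The duplicate proxy address and UPN conflicts described above are cheaper to find in on-premises AD before the objects are exported than to untangle in the admin center afterwards. The following is an added example (not from the chapter, and not the IdFix tool) that scans the directory for both kinds of duplicate; the function name Find-DuplicateSyncAttributes is my own, and it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: pre-sync check for duplicate proxyAddresses and userPrincipalName values,
# the two attributes most often reported as duplicate-attribute sync errors.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

function Find-DuplicateSyncAttributes {
    param(
        # Assumed default: the whole domain. Narrow this to the OUs you actually sync.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Users, groups and contacts all carry proxyAddresses and are all synchronized,
    # so query objects generically rather than Get-ADUser alone.
    $objects = Get-ADObject -LDAPFilter '(|(proxyAddresses=*)(userPrincipalName=*))' `
        -SearchBase $SearchBase -Properties proxyAddresses, userPrincipalName, objectClass

    # Flatten every object into (attribute, normalized value, DN) rows.
    $rows = foreach ($o in $objects) {
        foreach ($addr in ($o.proxyAddresses | Where-Object { $_ })) {
            # Azure AD compares addresses case-insensitively, so "SMTP:" (primary) and
            # "smtp:" (secondary) forms of the same address must be treated as one value.
            [pscustomobject]@{
                Attribute = 'proxyAddresses'
                Value     = $addr.ToLowerInvariant()
                DN        = $o.DistinguishedName
            }
        }
        if ($o.userPrincipalName) {
            [pscustomobject]@{
                Attribute = 'userPrincipalName'
                Value     = $o.userPrincipalName.ToLowerInvariant()
                DN        = $o.DistinguishedName
            }
        }
    }

    # Any (attribute, value) pair held by more than one object is a conflict that
    # Azure AD Connect will refuse to export for all but the first object it processes.
    $rows | Group-Object Attribute, Value | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Attribute = $_.Group[0].Attribute
            Value     = $_.Group[0].Value
            Objects   = ($_.Group.DN -join '; ')
        }
    }
}

Find-DuplicateSyncAttributes | Format-Table -AutoSize
```

Run it against the synced OUs before the first export and again whenever a duplicate-attribute error appears in the admin center; the Objects column tells you which two distinguished names to reconcile, after which a delta sync clears the error.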
Summary
In this chapter, we discussed the steps and considerations for planning and implementing hybrid identity in Microsoft 365. You should now have an understanding of the synchronization methods available to you and how to choose the correct one for your environment, along with the principles of additional authentication security and how to understand and troubleshoot events and alerts when required.
In the next chapter, we will dive deeper into those security and authentication features within Microsoft 365, including MFA and SSPR. We will also take a look at Azure AD dynamic groups and managing access reviews.
Questions
- Which of the following is not one of the identity methods available with Azure AD?
a. Pass-through authentication
b. Federation
c. MFA
d. Password hash sync
- Which of the following tools could you use to assess your organization's readiness to synchronize their active directory to Azure AD?
a. The Remote Connectivity Analyzer tool
b. The IdFix tool
c. The OffCAT tool
d. Synchronization Service Manager
- True or false – with password hash synchronization, users will always authenticate to on-premises AD when logging onto Azure AD.
a. True
b. False
- Which of the following Microsoft 365 licenses allow users to use SSPR (choose two)?
a. Azure AD Premium P2
b. Intune
c. Azure Information Protection P1
d. Azure AD Premium P1
- Which of the following PowerShell commands could you use to run a full Azure AD Connect sync manually?
a. Start-ADSyncSyncCycle -PolicyType Initial
b. Start-ADSyncSyncCycle -PolicyType Delta
c. Start-ADSyncSyncCycle -PolicyType Full
d. Start-ADSyncSyncCycle...
References
Please refer to the following links for more information:
- Refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-business-needs?wt.mc_id=4039827 to help you to plan for hybrid identity.
- Information on how to select the most appropriate synchronization method for Azure AD Connect can be found at https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn.
- For help with additional authentication security, please refer to https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks, https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks, and https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview.
- Further guidance on troubleshooting synchronization with Azure AD Connect can be found at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync.