Azure AD Connect
Azure AD Connect (renamed Microsoft Entra Connect in 2023) is Microsoft's tool for synchronizing an on-premises Active Directory with Azure AD. It is the backbone of hybrid identity in enterprise environments, where the same user accounts must work against both local and cloud resources without interruption.
I. Configuring Azure AD Connect
The setup process for Azure AD Connect imposes the following prerequisites:
- An Azure AD tenant (any Microsoft 365 or Azure subscription provides one)
- An on-premises Active Directory forest and a domain-joined server to host the sync engine
- A Global Administrator (or Hybrid Identity Administrator) account in Azure AD, and Enterprise Admin credentials in the on-premises forest, the latter used only during setup
When these requirements have been met, follow these steps:
- Download and install Azure AD Connect on a domain-joined member server inside your network. The account running the installer needs local administrator rights on that server; the Enterprise Admin credentials are entered later in the wizard and are used only during setup. Treat the server as a Tier 0 asset and harden it like a domain controller: it stores credentials for an AD account that, when password hash synchronization is enabled (the Express settings default), can read password hashes from every domain controller, and for an Azure AD account holding the Directory Synchronization Accounts role.
- Once installed, start the Azure AD Connect wizard. Express settings is the quickest path for a single forest; Customize gives you control over the sign-in method, filtering and the service accounts.
- Sign in to Azure AD when prompted with an account holding the Global Administrator or Hybrid Identity Administrator role.
- Choose the user sign-in method: Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or Federation with AD FS. Microsoft recommends enabling PHS alongside PTA or federation as a fallback.
- The wizard then connects to your on-premises AD; enter Enterprise Admin credentials to continue. With Express settings these are used once to create the AD DS Connector account (named MSOL_ followed by a random string) and grant it the permissions the selected features need; the credentials themselves are not stored.
- On the "Filter users and devices" page choose either "Synchronize all users and devices" or "Synchronize selected". The second option limits synchronization to the members of one group and is intended for pilots, not production.
- The wizard does not ask for a schedule. After installation the built-in scheduler runs a delta sync every 30 minutes; you can lengthen the interval with Set-ADSyncScheduler -CustomizedSyncCycleInterval, but 30 minutes is the minimum.
- Review the summary page and click Install to start the initial synchronization.
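The Enterprise Admin step above leaves behind an AD account with replication rights, which is why the server needs domain-controller-grade protection. The following script is an added example (not from the original page, and not Microsoft's own tooling) for checking, right after installation, which principals hold those rights on the domain head. It assumes it runs on the Azure AD Connect server in an elevated session with the ActiveDirectory (RSAT) and ADSync modules present, and that the "expected" list is the default set for a fresh domain plus the connector account; adjust it for your forest.

```powershell
# Added example, not from the page: list which principals can replicate directory data
# (the rights the AD DS Connector account receives for password hash sync) and flag
# anything outside the expected set.
# Assumptions: elevated session on the Azure AD Connect server; ActiveDirectory (RSAT) and
# ADSync modules available; $expectedNames below is the fresh-domain default and may need
# adjusting in your environment.
Import-Module ActiveDirectory
Import-Module ADSync

# Connector account(s) created by the wizard (Express settings names them MSOL_<random>).
$connectorAccounts = @(Get-ADSyncADConnectorAccount)
$connectorNames    = @($connectorAccounts | ForEach-Object { $_.ADConnectorAccountName })
$connectorAccounts | Format-Table ADConnectorAccountName, ADConnectorAccountDomain, ADConnectorForest -AutoSize

# Control-access rights that, held together, allow DCSync-style replication of password hashes.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"   # the AD: drive is provided by the ActiveDirectory module

# Every Allow ACE on the domain head that explicitly grants one of the replication rights.
$holders = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replicationRights.ContainsKey($_.ObjectType.Guid) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $replicationRights[$_.ObjectType.Guid]
        }
    } | Sort-Object Principal, Right -Unique

"Explicit replication rights on ${domainDn}:"
$holders | Format-Table -AutoSize

# Default holders in a fresh domain (assumption; adjust for your forest) plus the connector account.
$expectedNames = @(
    'ENTERPRISE DOMAIN CONTROLLERS',
    'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    'Domain Controllers',
    'Enterprise Read-only Domain Controllers',
    'Administrators'
) + $connectorNames

# Compare on the account name part only, so DOMAIN\name and NT AUTHORITY\name both match.
$unexpected = $holders | Where-Object { $expectedNames -notcontains $_.Principal.Split('\')[-1] }
if ($unexpected) {
    Write-Warning "Principals with replication rights on $domainDn outside the expected set:"
    $unexpected | Format-Table -AutoSize
} else {
    "Only domain controllers, Administrators and $($connectorNames -join ', ') hold explicit replication rights."
}
```

This is a first-pass check, not a full audit: it does not resolve group nesting and it ignores GenericAll grants on the domain head, which also imply these rights. A principal listed here that nobody can explain deserves immediate attention, because Get-Changes plus Get-Changes-All is exactly what a DCSync attack uses to pull password hashes.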
II. Managing Azure AD Connect
Azure AD Connect offers several ways to manage directory synchronization.
From the Azure AD Connect wizard (Configure, then Customize synchronization options) and the ADSync PowerShell module, you can manage the operational aspects of the synchronization process:
- Sync Cycle: the scheduler can be suspended, re-enabled, or a delta or full cycle started manually (Set-ADSyncScheduler, Start-ADSyncSyncCycle).
- Domain and OU Filtering: choose which domains and organizational units are synchronized. The selection can be changed at any time after the initial configuration; note that narrowing the scope later removes the excluded objects from Azure AD on the next export, so preview such changes on a staging-mode server first.
- Attribute-based filtering: objects can be kept out of Azure AD based on an attribute value by flowing cloudFiltered = True in a custom inbound synchronization rule. Separately, the "Azure AD app and attribute filtering" option removes individual attributes you do not want sent to Azure AD.
The Synchronization Rules Editor is another tool installed with Azure AD Connect. Rules are grouped by direction relative to the metaverse, the sync engine's internal database:
- Inbound Rules: control how objects and their attributes flow from a connector space (on-premises AD or Azure AD) into the metaverse, including join criteria and scoping filters.
- Outbound Rules: control how metaverse objects and attributes are exported to a connector space, most importantly to Azure AD.
Custom rules should use a precedence between 0 and 99 so they take priority over the default rules, which use 100 and above and may be replaced during upgrades.
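The attribute-based filtering mentioned above, and the inbound rule that implements it, look like this when built with the ADSync cmdlets instead of the editor's GUI. This is an added example, not code from the original page or from Microsoft; it assumes the AD connector is named 'contoso.com', that extensionAttribute15 = 'NoSync' is the chosen marker (a typical use is keeping Tier 0 admin accounts out of the cloud), and that inbound precedence 50 is unused. The cmdlets and parameter shapes match what the Synchronization Rules Editor exports for a custom rule.

```powershell
# Added example, not from the page: an inbound synchronization rule implementing attribute-based
# filtering. Users whose extensionAttribute15 equals "NoSync" get cloudFiltered = True in the
# metaverse, and the default outbound rules then never export them to Azure AD.
# Assumptions: connector 'contoso.com'; marker extensionAttribute15 / 'NoSync'; precedence 50 free
# (custom rules must use 0-99, below the default rules).
Import-Module ADSync

$connectorName = 'contoso.com'
$markerAttr    = 'extensionAttribute15'
$markerValue   = 'NoSync'
$precedence    = 50

$connector = Get-ADSyncConnector -Name $connectorName
if (-not $connector) { throw "Connector '$connectorName' not found; run Get-ADSyncConnector to list them." }

# Refuse to collide with an existing inbound rule at the same precedence.
if (Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -eq $precedence }) {
    throw "Inbound precedence $precedence is already in use; pick another value."
}

# Pause the scheduler so a cycle cannot start half-way through the change.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 1. The rule object: inbound means connector space (AD) -> metaverse.
New-ADSyncRule `
    -Name "In from AD - User DoNotSync ($markerAttr=$markerValue)" `
    -Identifier ([Guid]::NewGuid().Guid) `
    -Description 'Attribute-based filtering: mark tagged users as cloudFiltered' `
    -Direction 'Inbound' `
    -Precedence $precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiry 0 `
    -ImmutableTag '' `
    -OutVariable syncRule | Out-Null

# 2. Scope: only objects carrying the marker value are touched by this rule.
$condition = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
                        -ArgumentList $markerAttr, $markerValue, 'EQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] -ScopeConditions @($condition) `
    -OutVariable syncRule | Out-Null

# 3. Flow: cloudFiltered = True when the marker is present, NULL otherwise.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression "IIF((InStr([$markerAttr],`"$markerValue`")>0),True,NULL)" `
    -OutVariable syncRule | Out-Null

# 4. Commit the rule to the sync engine.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Scope and flow changes only take effect after a full sync; then let the scheduler resume.
Start-ADSyncSyncCycle -PolicyType Initial
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Run this on a staging-mode server first and inspect the pending exports in Synchronization Service Manager: an object that is already in Azure AD and becomes cloudFiltered is deleted there, which is the intended outcome for admin accounts but a surprise if the marker attribute is populated more widely than you think.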
Azure AD Connect Health:
- Azure AD Connect Health provides a dashboard in the Azure portal for monitoring your on-premises identity infrastructure (sync servers, AD FS and AD DS) and the synchronization service. It requires an Azure AD Premium P1 licence and an agent on each monitored server; the sync agent is installed automatically with Azure AD Connect.
III. Conclusion
Understanding how to configure and manage Azure AD Connect is a vital part of your preparedness for the MS-100 Microsoft 365 Identity and Services exam. It’s not just about setting up the tool but the management that you can undertake after the initial setup. You can use the synchronization rules editor to modify attribute flow or use directory filtering to limit the directories being synchronized. Moreover, you also need to know how to utilize Azure AD Connect Health to monitor and troubleshoot your identity infrastructure and synchronization services.
Taking the time to fully understand these aspects will serve you well in the exam and beyond. Remember, actual environment implementation may vary, so always consider consulting the official Microsoft documentation for up to date information and in-depth tutorials.
Practice Test
True or False: Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity.
- True
- False
Answer: True.
Explanation: Azure AD Connect Health offers sync insights, performance monitoring, error reporting and sync performance trends.
With Azure AD Connect, you can achieve automatic synchronization:
- A) Every 30 minutes.
- B) Every 60 minutes.
- C) Every 90 minutes.
Answer: A) Every 30 minutes.
Explanation: By default, Azure AD Connect syncs changes from Active Directory to Azure AD every 30 minutes.
For staging mode of Azure AD Connect, which of the following is correct:
- A) It does not synchronize any information.
- B) It synchronizes nearly every 2 hours.
- C) It synchronizes, but does not export data.
Answer: C) It synchronizes, but does not export data.
Explanation: In staging mode the server imports and synchronizes but does not export; password hash synchronization and password writeback are also disabled. It is used for a standby server and for previewing configuration changes before they reach Azure AD.
True or False: Azure AD Connect does not support multiple on-premises AD forests.
- True
- False
Answer: False.
Explanation: Azure AD Connect actually does support multiple on-premises AD forests by a feature known as multi-forest synchronization.
What feature is used to quickly setup directory synchronization?
- A) Parallel import
- B) Express settings
- C) Direct sync
Answer: B) Express settings
Explanation: Express settings are used to quickly set up directory synchronization.
True or False: You can filter which objects are synchronized to Azure AD using Azure AD Connect.
- True
- False
Answer: True.
Explanation: There are several options to filter certain objects from synchronization, either based on attribute, domain or OU-based filtering.
Azure AD Connect can be installed on:
- A) Windows Server 2008 R2 SP1 or later.
- B) Windows Server 2003 R2 SP1 or later.
- C) Windows Server 2012 or later.
Answer: A) Windows Server 2008 R2 SP1 or later.
Explanation: Windows Server 2008 R2 SP1 was the minimum for the original 1.x releases. Current 2.x releases require Windows Server 2016 or later, so check the release notes for the version you install.
True or False: Azure AD Connect allows you to synchronize identities from multiple directories into Azure AD.
- True
- False
Answer: True.
Explanation: Azure AD Connect is used to synchronize identities from local Active Directory and other directories into Azure AD.
True or False: Azure AD Connect supports password hash synchronization.
- True
- False
Answer: True.
Explanation: Password hash synchronization is one of the sign-in methods used by Azure AD Connect.
During troubleshooting, synchronization errors in Azure AD Connect can be viewed in:
- A) Windows Event Viewer
- B) Azure AD Connect Health
- C) SQL Server Management Studio
Answer: B) Azure AD Connect Health
Explanation: Azure AD Connect Health surfaces synchronization errors centrally in the Azure portal. The same errors are also written to the Application log on the server (source "Directory Synchronization") and shown on the Operations tab of Synchronization Service Manager, which is where to look when Connect Health is not licensed.
True or False: To manage synchronization from the on-premises organization to Azure AD, you can utilize the Synchronization Service Manager.
- True
- False
Answer: True.
Explanation: The Synchronization Service Manager is an on-premises tool that you use to manage synchronization from your on-premises organization to Azure AD.
True or False: The synchronization service account is created automatically when you install Azure AD Connect.
- True
- False
Answer: True.
Explanation: The sync service account (by default a virtual service account, NT SERVICE\ADSync) is created automatically during installation and runs the synchronization service; a custom installation can use a group managed service account or a domain account instead. The AD permissions needed for synchronization belong to a separate account, the AD DS Connector account (MSOL_<id> with Express settings).
Azure AD Connect supports a hybrid environment with:
- A) Exchange Online
- B) Exchange Server 2003
- C) Both A and B
Answer: A) Exchange Online
Explanation: Exchange Server 2003 is not a supported hybrid partner. The "Exchange hybrid deployment" option in Azure AD Connect coexists with Exchange Online and writes attributes back to supported on-premises Exchange versions (Exchange 2010 and later), so the on-premises version matters.
True or False: Azure AD Connect cannot be used for multi-forest environments.
- True
- False
Answer: False.
Explanation: Azure AD Connect actually supports multi-forest environments.
True or False: Azure AD Connect does not support provisioning from AD to Azure AD.
- True
- False
Answer: False.
Explanation: Azure AD Connect supports provisioning of users, groups, and other directory objects from AD to Azure AD.
Interview Questions
What is Azure AD Connect used for?
Azure AD Connect is Microsoft's tool for hybrid identity. It synchronizes on-premises directory objects (users, groups, devices and, optionally, password hashes) to Azure AD and configures the chosen sign-in method: password hash synchronization, pass-through authentication, or federation with AD FS. Federation by itself does not synchronize anything.
Which Windows Server editions can Azure AD Connect be installed on?
The 1.x releases supported Windows Server 2008 Standard or better, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The current 2.x releases require Windows Server 2016 or later.
What are the password synchronization options available with Azure AD Connect?
Strictly one: Password Hash Synchronization (PHS) is the only option that copies password hashes (a hash of the on-premises hash) to Azure AD. Pass-through Authentication (PTA) does not synchronize passwords at all; it validates them against on-premises domain controllers through authentication agents. The two are usually presented together as sign-in options, and PHS can be enabled alongside PTA as a fallback.
What are the synchronization options available in Azure AD Connect?
Those are the three sign-in methods rather than synchronization options: Password Hash Synchronization (PHS), Pass-through Authentication (PTA) and federation (with AD FS or a third-party federation provider). Object synchronization works the same way in all three; what differs is where the user's password is validated.
Can you use your own SQL Server with Azure AD Connect?
Yes. By default Azure AD Connect installs a SQL Server Express LocalDB instance (SQL Server 2012 Express in 1.x, SQL Server 2019 Express in 2.x), which is limited to 10 GB and in practice to about 100,000 directory objects. Beyond that, or for high availability, choose a full SQL Server instance during a custom installation.
How to check the current status of synchronization of Azure AD Connect?
You can check it from the Synchronization Service Manager console on the Azure AD Connect server (Operations tab), or with PowerShell: Get-ADSyncScheduler shows the scheduler state, the next run time and whether a cycle is in progress, and Get-ADSyncConnectorRunStatus shows which connectors are currently running.
Can you enable Single Sign-On with Azure AD Connect?
Yes. Azure AD Connect allows you to enable Seamless Single Sign-On, which can eliminate the need for users to type their passwords again when accessing Azure AD resources from within the corporate network.
Can Azure AD Connect be installed on Active Directory Federation Service (ADFS) servers?
No. Installing Azure AD Connect on an ADFS server is not supported.
How frequently does Azure AD Connect synchronize changes by default?
By default, Azure AD Connect synchronizes changes every 30 minutes.
How to manually start the synchronization process in Azure AD Connect?
Use the PowerShell cmdlet Start-ADSyncSyncCycle -PolicyType Delta for a delta sync, or -PolicyType Initial for a full sync (required after changing filtering or synchronization rules).
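The status and manual-sync answers above, as one script a practitioner would actually run on the server. This is an added example, not part of the original page or of Microsoft's tooling; it assumes the ADSync module is present (it is on every Azure AD Connect server) and that the session runs as a member of the local ADSyncAdmins group. It also reads the staging-mode and automatic-upgrade state covered elsewhere on this page.

```powershell
# Added example, not from the page: health check before forcing a sync cycle.
# Assumptions: run on the Azure AD Connect server as an ADSyncAdmins member.
Import-Module ADSync

$s = Get-ADSyncScheduler
[pscustomobject]@{
    StagingMode      = $s.StagingModeEnabled                 # True: imports and syncs, never exports
    SchedulerEnabled = $s.SyncCycleEnabled
    Interval         = $s.CurrentlyEffectiveSyncCycleInterval # 00:30:00 by default; 30 min is the floor
    NextRun          = $s.NextSyncCycleStartTimeInUTC
    SyncInProgress   = $s.SyncCycleInProgress
    AutoUpgrade      = (Get-ADSyncAutoUpgrade)               # Enabled / Disabled / Suspended
} | Format-List

# Errors the sync engine logged in the last 24 hours: the on-premises place to look
# when Azure AD Connect Health is not licensed. Level 2 = Error.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Level        = 2
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# To lengthen the interval (values below 30 minutes are rejected), for example:
# Set-ADSyncScheduler -CustomizedSyncCycleInterval (New-TimeSpan -Hours 1)

# Force a cycle only if none is running. Delta processes changes since the last run;
# use -PolicyType Initial after sync-rule or filtering changes.
$running = @(Get-ADSyncConnectorRunStatus)
if (-not $s.SyncCycleInProgress -and $running.Count -eq 0) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning 'A sync cycle is already in progress; not starting another.'
}
```

If StagingMode reports True on what you believe is the active server, stop and check the other server before forcing anything: a staging server never exports, so "the sync ran" does not mean Azure AD was updated.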
Can Azure AD Connect be used with multiple Active Directory forests?
Yes. Azure AD Connect supports complex Active Directory environments that include multiple Active Directory forests.
What will happen if the Azure AD Connect server is turned off or disconnected from the network?
If the Azure AD Connect server is turned off or disconnected from the network, the changes made in the on-premises Active Directory or Azure AD won't be synced between them.
What is the purpose of the Azure AD Connect health agent?
Azure AD Connect health agent collects and sends the data to Azure AD, provides you with alerts and provides a view of the current sync engine health in a central location in the Azure portal.
Can I synchronize a single unit from Active Directory using Azure AD Connect?
Yes. OU-based filtering (chosen in the wizard under "Domain and OU filtering") lets you synchronize only selected organizational units.
How to update Azure AD Connect for new improvements?
The Azure AD Connect blade in the Azure portal shows the installed version and links to the download, but does not perform the update itself: a new version is installed by running the downloaded installer on the server, which upgrades in place. Automatic upgrade, enabled by default for Express settings installations and checked with Get-ADSyncAutoUpgrade, applies eligible releases without intervention.