In my last entry, I walked through a vanilla setup for Azure Active Directory (AAD) Connect. Now, what if you need something a little different? Well, let’s talk through some of the features I’ve been successful with turning on and configuring.
Return to AAD Connect
Whenever you want to make changes to your current synchronization settings, click on Azure AD Connect, and walk through the wizard. Keep in mind, any time you are in the wizard, the synchronization engine pauses.
Once you click Configure you’re presented with a list of additional tasks you can configure.
If you go into Privacy settings, you can disable the telemetry feedback to Microsoft. By turning this off, you are limiting what the product team could do through machine learning. I leave this to your own paranoia level to decide how to set your privacy settings.
Customize Synchronization Options
You could change your Active Directory or Forest settings. This includes Filtering what objects are allowed to synchronize with AAD. You can also customize Exchange settings from this screen. I have not been involved with any Exchange synchronization projects, so I can’t speak to those settings.
This is also where you can allow your AD instance to synchronize information necessary to support Azure applications.
You can also control what attributes will be synchronized between Active Directory and AAD for your users. The list is quite extensive.
From the optional features page you could turn off Password hash synchronization, and stop passwords from being kept in sync between your two environments. If you’re going to force all Azure authentication to come back to your Active Directory instance to verify credentials (known as Pass-through authentication), then you would turn off the hash sync.
You could also stop password writeback if you didn’t want to allow users to change their passwords in Azure, and have that change written back to your Active Directory.
You can also choose to write group changes, or Azure Device registrations from Azure to your Active Directory instance. Useful for keeping that information in sync between the two environments. The last option on the list is Directory Extension Attribute sync, you can really customize what elements of your Active Directory is kept in sync with AAD. Honestly, I’ve never had a need to dig into this list. If you’re looking for guidance, you’ll need to go to Microsoft.
The last section in Customize Synchronization Option is Seamless Single sign-on. Imagine hitting your Azure resources without logging in to a web browser each time. Just being logged in to your domain machine would take care of passing your credentials to Azure, and you can just get to work. I get that it’s a small thing, but this is the feature that makes Integrating Active Directory with AAD! Turn this on, and then hit next to make the change to your AAD synchronization options. Once complete, and once your next sync completes, you can hit portal.azure.com from your domain machine without the second log in!
Even better than getting logged in to the portal without a second login, how about getting into your Azure SQL Database instances without a second login?
That’s right! Single sign-on gets you Windows-like authentication. The reason I say “Windows-like” is in the screen shot above, you have to change the Authentication selection from Windows to Azure Active Directory – Integrated. You’re using a slightly different connector when connecting this way. The good news is this connector is available in SSIS as well!
Configure Device Options
Starting with Windows 10, there are two ways you can connect computers to your domain. You can bind the computer to your domain. This is how you traditionally deal with computers in companies. The new option ties the computer to your domain by way of Azure Active Directory. This new method doesn’t get you all the benefits that you get through the traditional method, but there are some features new to the Azure option. For example, you can bind your iDevices to your AAD instance. The next section of AAD Connect allows you to configure your preferences for devices in your environment.
In those cases where you set up Hybrid AD Join, you can set the operating systems to support in your domain: Win 10 or later” or “downlevel”. As of January 15th 2020, that only refers to the operating systems starting with Windows 8. This is an and/or option.
After selecting which operating system(s) you want to support through synchronization, you have to set up a service connection point so your devices can discover your AAD instance.
Just choose the highlighted row, and enter your Enterprise Admin credentials, then hit next to configure the SCP.
Refresh Directory Schema
If you need to fully refresh the directory on both sides, Active Directory and AAD, this is the option you need, just highlight it from the main AAD Connect menu and hit next. No options to set here.
Configure Staging Mode
If you’re looking to test changes to your AAD Connect configuration, but not actually run those changes, then this is the section for you.
Change User Sign-in
If you want to change how users sign in this is the section for you. You can choose between the following options:
- Password Hash Sync — the mode configured in the previous blog entry
- Pass-through — where azure has to connect to a local domain controller to verify a user’s credentials
- Federation with ADFS — effectively keep two domains, but establish a trust between the two so users in one domain could use the resources on the other domain.
- Federate with PingFederate — a third-party solution that provides similar features to ADFS. Learn more here.
You can also toggle Enable single sign-on from this section.
From here you can view your current federation configuration. You can also manage the certificates or servers set up to certify communications between your federated domains. I haven’t worked with federated domains, but I have a friend of the Microsoft team that supports AD FS. If you’d like to learn more about federations or federated trusts, let me know and I’ll see if I can get him to contribute some content here!
The final section of AAD Connect is dedicated to linking you out to a tool to help resolve problems with your current AAD Configuration. While it’s useful for diagnosing some issues, I will note it did not help me find the cause of new accounts being created in azure that did not exist on the Active directory side. It does excel at helping you figure out where the problem is.
Now that we’ve dug into all the sections of AAD Connect, I’m ready to share how to resolve the issue where seemingly random accounts are created in Azure for no reason. Until then, if you have other questions about integrating Active Directory and AAD, let me know on Twitter @shannonlowder.