Microsoft Azure AZ-800 — Section 7: Implement and manage hybrid identities Part 4
58. Implement Azure AD Connect
I’m now going to go through the process of beginning the Azure AD Connect installation. So, we’re going to see how we can go and download Azure AD Connect and get this ball rolling in terms of synchronizing.
So the first thing I want to do is open up my web browser. I could go to a search engine like Google and search for it, but instead I’m going to go to portal.azure.com. Actually, you can download Azure AD Connect by searching for just the words “download Azure AD Connect”, but I wanted to show you the more proper way to do it, which is just to go straight through your Azure tenant.
So, I’m logging on to my Azure tenant here, I’m going to click the little menu bar here, and I’m going to go to Azure Active Directory. So, we’ll click on Azure Active Directory.
OK. We’re going to scroll down a little bit and go to Azure AD Connect. All right.
So there’s Azure AD Connect right there, and you’re going to notice that currently we do not have Azure AD Connect working. It is not installed, it has never synced, right? We are not using federation, no pass-through authentication; nothing has been enabled. At that point, I can click Download Azure AD Connect. It’s going to take me to the download page, which is right here, and then I can click Download. It’ll take a couple of minutes to download. I went ahead and downloaded it already so I wouldn’t have to wait here.
So here it is, right here. I’ve already downloaded it, and I’m going to go ahead and click it and begin installing.
OK, so it’s going to run through the installer here, installing the Azure AD Connect software files that are going to be needed in order to do this installation.
OK, so we’re going to let that run, and then we’re going to get a little Azure AD Connect pop-up, which is going to bring up the wizard that’s going to let me run through this installation. But you’ve got to understand, before you can fully go through the process of getting this going, you have to actually install all the files that are needed, and it’s going to ask a couple of questions for doing that.
OK, so here it is right here, and it’s going to make me agree to their terms.
So, I’m going to accept the agreement and click Continue. And it’s going to ask if I want to do an express install or a custom install.
OK.
So, if you do an express install, it’ll just synchronize all of your stuff, and it’s going to do password hash synchronization. And no, I don’t want to do that. I want to actually have some control over this.
So, we’re going to click Customize. At that point, I can choose a custom location to install this tool. It’ll let me tap into SQL Server if I want to use that. I can specify an existing service account that’s going to do the synchronization process (I’ll explain that more coming up). I can do custom sync groups, which is where I can specify synchronizing certain groups, and I can also import synchronization settings from another location. I’m not going to do any of those right now. I’m going to choose those during this next wizard.
So, we’re going to customize this more once we get this fully installed.
So, we’re going to go ahead and click Install now, and it’s going to install all of the files that are going to be needed. This is not doing the synchronization. Understand that this is not kicking off the synchronization. This is just getting the files installed that are going to be needed. This is installing the agent so that you can then configure the agent to start doing the actual synchronization.
So this is just part of the process that we have to do to get those files installed so that we can finally get the synchronization going. As you can see, it’s installing the synchronization service right now.
Now, after the service is configured, you’ll notice I can now officially choose the options that I want to go with here. So, I can choose password hash synchronization; pass-through authentication, which is PTA; I could do federation with AD FS if I’ve set up an AD FS server; and then there’s this other one called Ping Federate.
Now, Ping Federate is actually a third-party company that you can go with, and Ping Federate can handle the federation stuff for you. We’re not really talking about getting into the Ping Federate stuff, nor is it something that’s testable or any of that.
So don’t worry about it, but it is another option that companies can go with. Then I could say Do not configure, which basically says, hey, I just want to go ahead and get everything installed; I’ll go back and choose which of these methods I want to use later. I’m going to go with password hash synchronization, and I’m going to enable the single sign-on service. This is going to enable me to utilize seamless SSO and all of that.
So, if you want to utilize seamless SSO, you’re going to want to enable single sign-on.
OK, so at that point, I can click Next. It’s going to say enter global administrator credentials.
So this is going to be your global administrator credentials for your Azure AD, right? So, I’m going to put in my credentials. It’s going to be JSI at examlabpractice.com, and I’m going to put a password in.
OK, which I typed out. There we go. And we’re going to click Next. It’s going to now try to establish a connection with the cloud, and it’s going to verify that I put in the correct credentials. Of course, the server is also going to pop a message up saying, hey, we’ve got to make sure that we trust these websites that you’re going to.
So, I’m going to go ahead and select Add, click OK, and enter my password yet again, which again I typed out. Let’s try to do better at that. Then I’m going to click Sign in. All right, it’s going to text my phone. Multi-factor authentication at its finest. I’m just going to enter the code that it’s giving me here. All right. And then we’re going to verify. Click Yes to that. And it should now officially connect me. All right, examining domains.
OK, so now I’m going to specify the Active Directory domain that I have on-premises. Right now, I have the examlabpractice.com on-premises domain. Is it Active Directory? That’s great. I’m going to click Add Directory, and then it says, OK, if you’re going to connect these together, it’s going to need what is called an AD forest account with the right amount of privileges. What it’s going to do is create an account to be able to set up the synchronization between your on-premises environment and Azure AD. Alternatively, you could create the account yourself with whatever permissions you’re going to need and say Use existing account, and they have an article here you can read that talks about the exact permissions that are needed to do that. I’m actually just going to tell it to create the account itself as opposed to me doing it. Keep in mind, for me to do this, though, I have to be an Enterprise Administrator, so luckily I am, right?
So, I’m going to put examlabpractice\administrator, put in my password, and click OK. It’s going to verify that I put in the right credentials, and I did.
So, I’m good to go there. Now I’m going to click Next, and it is retrieving the schema information that’s going to be used to communicate with Azure AD.
OK. It’s going to talk about verifying your domain name using the user principal name. That’s great.
So, I’m going to verify it. I’m going to use user principal names for email addresses and all that, and then I’m going to click Next.
OK, and then we get into the objects that I’m actually going to synchronize, and we’ll look at this in this next little segment.
59. Identifying objects being migrated using Azure AD Connect
So here on this screen, we have Domain and OU filtering. This is where we’re going to identify exactly the information (users, mailboxes, everything) that I would want to synchronize; maybe the mailboxes being associated with the users that I want to actually synchronize now. You’ll notice that the default is basically going to say just synchronize everything: sync all domains and OUs, right? But Microsoft recommends that if this is your first synchronization, you might want to pilot this, so you might want to choose a pilot group of users that you want to do this with.
So, I am actually just going to synchronize my IT department, right? I’m going to synchronize my IT department, and maybe I don’t want to synchronize Desktop Support and Helpdesk right now. Just the IT folks that I have. Of course, if we go back into Server Manager real quick and pull up Active Directory Users and Computers, we can quickly look and see. And if we have Microsoft Exchange on-premises and these users have mailboxes, this will be sort of moving towards being able to synchronize their mailboxes as well, though it’s not going to initially synchronize their mailboxes yet. You have to use the Exchange migration tool for that.
But if I pull up Active Directory Users and Computers here, I’ll be able to see that in IT I have all these users, right? And I want to point out that if I go to my Azure portal right now, go to Azure Active Directory, and look at my users, I don’t have those users in this Azure AD tenant right now. These users do not exist in Azure. In fact, you’ll see these are the only users I have: a user named Bob Jones, John Christopher, and John Smith, right? That’s it. But after I do the synchronization, we should have Sam Jones, Sally Benson, Jane Doe, Billy Smith, Andrew Wilson, Administrator, all that good stuff, right? So that’s fine. I’ll pull this back up. We’re just going to synchronize IT. Remember, you can go back and rerun this later and synchronize the rest of your people if everything goes smoothly. So now I’m going to click Next. All right. And then at that point, it’s going to have me specify a few things. It says uniquely identify your users.
OK, it says select how users should be identified in your on-premises directories: users are represented only once across all directories.
So, if all your users are only represented one time, meaning you’re not synchronizing a bunch of domains, then you can just leave this as the default. Or you can say user identities exist across multiple directories and match using their mail attribute, ObjectSID, or sAMAccountName, or you can specify a specific attribute you want to use.
OK, so I’m going to go with users are represented only once. Then it says select how users should be identified in Azure: let Azure manage the source anchor.
So the source anchor is ms-DS-ConsistencyGuid. That’s the one everybody basically recommends. Azure is going to take care of that as our source anchor.
OK, so that’s where the source anchor is going to be handled.
OK. And then at that point, we’re going to click Next, and we can filter things even further if we want. Notice it says: for a pilot deployment, specify a group containing your users and devices that will be synchronized. Nested groups are not supported and will be ignored.
OK.
So, if I wanted to, I could say just synchronize the Cloud Administrators, and it would only synchronize these folks right here, right? If I only wanted those cloud administrators to go, I could click this, specify the group I’m going to use, and go OK. In my case, I’m actually just going to say synchronize all. All right. But I did want to point out what that was.
OK. All right. And then we’re going to click Next. That’s going to bring us to optional features, and we’ll take a look at this in the next segment.
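Before clicking Next on the filtering screens above, it helps to check the pilot scope for the things the wizard warns about: users reachable only through a nested group (which the wizard ignores), UPN suffixes that are not verified in the tenant, duplicate UPNs inside the OU scope, and users that already carry an ms-DS-ConsistencyGuid value (which “let Azure manage the source anchor” will reuse). The following PowerShell is an added example written for this page, not code from the course or from Azure AD Connect; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the group name, OU path and verified-domain list are lab placeholders to replace with your own.

```powershell
# Added example: pre-flight check of an Azure AD Connect pilot scope.
# Requires the RSAT ActiveDirectory module. All names below are assumed lab values.
Import-Module ActiveDirectory

function Test-PilotSyncScope {
    param(
        [string]$PilotGroup        = 'Cloud Administrators',              # assumed pilot group
        [string]$SearchBase        = 'OU=IT,DC=examlabpractice,DC=com',   # assumed OU scope
        [string[]]$VerifiedDomains = @('examlabpractice.com')             # assumed verified domains
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The wizard ignores nested groups, so a user who is only a member of a
    #    group nested inside the pilot group is silently skipped. Compare the
    #    direct member list with the flattened (-Recursive) list to find them.
    $direct    = Get-ADGroupMember -Identity $PilotGroup |
                 Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty distinguishedName
    $flattened = Get-ADGroupMember -Identity $PilotGroup -Recursive |
                 Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty distinguishedName
    foreach ($dn in ($flattened | Where-Object { $_ -notin $direct })) {
        $findings.Add("NESTED-ONLY (wizard will skip): $dn")
    }

    # 2. Each user in the OU scope needs a UPN whose suffix is verified in the
    #    tenant; otherwise the cloud UPN falls back to the onmicrosoft.com domain.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties userPrincipalName, 'mS-DS-ConsistencyGuid'
    $seenUpn = @{}
    foreach ($u in $users) {
        if (-not $u.userPrincipalName) { $findings.Add("NO-UPN: $($u.distinguishedName)"); continue }
        $suffix = ($u.userPrincipalName -split '@')[-1]
        if ($suffix -notin $VerifiedDomains) { $findings.Add("UNVERIFIED-SUFFIX ($suffix): $($u.userPrincipalName)") }
        # 3. Duplicate UPNs in scope break matching and show up as sync errors.
        if ($seenUpn.ContainsKey($u.userPrincipalName)) { $findings.Add("DUPLICATE-UPN: $($u.userPrincipalName)") }
        $seenUpn[$u.userPrincipalName] = $true
        # 4. A pre-populated ms-DS-ConsistencyGuid (e.g. from an earlier install)
        #    is kept as the source anchor rather than being replaced; flag it so
        #    you know which objects will match on an existing anchor.
        if ($u.'mS-DS-ConsistencyGuid') { $findings.Add("ANCHOR-ALREADY-SET: $($u.SamAccountName)") }
    }
    return $findings
}

Test-PilotSyncScope
```

An empty result means the scope is clean; each finding names the object and the reason so it can be fixed in Active Directory Users and Computers before the first sync.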