Azure AD Connect is a critical component for organizations that want to run Microsoft 365 in a hybrid configuration. It's the mechanism that synchronizes on-premises Active Directory to Azure AD. One of the things that always surprises people deploying Azure AD Connect for the first time is just how simple the configuration process is. It consists of little more than accepting a license agreement and entering credentials for your Active Directory environment and your Azure AD environment. Despite its simplicity, however, there are several things you need to know about Azure AD Connect before deploying it.
1. Clean up your Active Directory first
Although I've never actually seen it happen in real life, Microsoft has long warned that errors, duplicate objects, and other Active Directory health issues can derail the synchronization process. As such, Microsoft recommends using a tool called IdFix to track down any potential directory health issues before deploying Azure AD Connect.
According to Microsoft, about 60% of all directory synchronization errors they see are tied to either malformed proxy addresses or malformed user principal names (UPNs). The IdFix tool won't fix every directory health issue, especially if the Active Directory environment has become corrupted. But it will identify and correct most of the issues known to cause problems with Azure AD Connect. As such, it's a good idea to run IdFix before you deploy Azure AD Connect.
You can see what this tool looks like in the image below. In this case, the tool didn't find any errors, so most of the window is blank. Even so, the menu items at the top illustrate how easily you can accept and apply the fixes that the tool recommends.
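IdFix is a GUI tool, which makes it awkward to run repeatedly or to feed into a change-control record. The following PowerShell is an added example, not part of the original article and not Microsoft's IdFix code: it flags the two attribute problems the article says cause most synchronization errors (malformed or duplicate userPrincipalName values, and malformed or duplicate proxyAddresses), using a simplified approximation of IdFix's rules. The list of verified domain suffixes, the function names and the sample objects are all assumptions made for the example; on a real domain you would pipe the output of Get-ADUser into it instead of the constructed sample.

```powershell
# Added example (not from the article, not Microsoft's IdFix). The validation
# rules are a simplified approximation of IdFix's checks, and the verified
# suffix list is an assumption supplied by the caller.

# Characters IdFix accepts in the local part of a UPN or SMTP address;
# no spaces, and no leading or trailing dot.
$script:LocalPartPattern = '^[A-Za-z0-9!#$%&''*+\-/=?^_`{|}~.]+$'

function Test-LocalPart {
    param([string]$Local)
    return ($Local -match $script:LocalPartPattern) -and -not $Local.StartsWith('.') -and -not $Local.EndsWith('.')
}

function New-Finding {
    param($DN, $Attribute, $Value, $Problem)
    [pscustomobject]@{ DistinguishedName = $DN; Attribute = $Attribute; Value = $Value; Problem = $Problem }
}

function Test-DirSyncReadiness {
    [CmdletBinding()]
    param(
        # Any objects exposing DistinguishedName, UserPrincipalName and ProxyAddresses,
        # e.g. Get-ADUser -Filter * -Properties userPrincipalName,proxyAddresses
        [Parameter(Mandatory)] [object[]] $Objects,
        # Domain suffixes verified in the Azure AD tenant (assumption: caller knows them)
        [Parameter(Mandatory)] [string[]] $VerifiedSuffixes
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $seenUpn  = @{}   # lower-cased UPN          -> DN that first used it
    $seenSmtp = @{}   # lower-cased smtp address -> DN that first used it

    foreach ($o in $Objects) {
        $dn  = $o.DistinguishedName
        $upn = [string]$o.UserPrincipalName

        if ([string]::IsNullOrWhiteSpace($upn)) {
            $findings.Add((New-Finding $dn 'userPrincipalName' $upn 'missing'))
        } else {
            $parts = $upn.Split('@')
            if ($parts.Count -ne 2 -or -not (Test-LocalPart $parts[0])) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $upn 'malformed'))
            } elseif ($parts[1] -notin $VerifiedSuffixes) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $upn 'suffix not verified in tenant'))
            }
            $key = $upn.ToLowerInvariant()
            if ($seenUpn.ContainsKey($key)) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $upn "duplicate of $($seenUpn[$key])"))
            } else { $seenUpn[$key] = $dn }
        }

        $primary = 0
        foreach ($addr in $o.ProxyAddresses) {
            if ($addr -cmatch '^SMTP:') { $primary++ }        # upper-case prefix marks the primary address
            if ($addr -notmatch '^smtp:(.+)$') { continue }   # -match is case-insensitive: covers smtp: and SMTP:
            $smtp  = $Matches[1]
            $parts = $smtp.Split('@')
            if ($parts.Count -ne 2 -or -not (Test-LocalPart $parts[0])) {
                $findings.Add((New-Finding $dn 'proxyAddresses' $addr 'malformed'))
                continue
            }
            $key = $smtp.ToLowerInvariant()
            if ($seenSmtp.ContainsKey($key) -and $seenSmtp[$key] -ne $dn) {
                $findings.Add((New-Finding $dn 'proxyAddresses' $addr "duplicate of $($seenSmtp[$key])"))
            } elseif (-not $seenSmtp.ContainsKey($key)) { $seenSmtp[$key] = $dn }
        }
        if ($primary -gt 1) {
            $findings.Add((New-Finding $dn 'proxyAddresses' ($o.ProxyAddresses -join ';') 'more than one primary SMTP: address'))
        }
    }
    return $findings
}

# Constructed sample objects (not real directory data), one per rule:
# Bob has a space in his UPN, Carol uses an unroutable suffix and reuses
# Alice's primary address, and Dave's UPN duplicates Alice's.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Users,DC=contoso,DC=local'; UserPrincipalName = 'alice@contoso.com';     ProxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice.smith@contoso.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Users,DC=contoso,DC=local';   UserPrincipalName = 'bob smith@contoso.com'; ProxyAddresses = @('SMTP:bob@contoso.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Carol,OU=Users,DC=contoso,DC=local'; UserPrincipalName = 'carol@contoso.local';   ProxyAddresses = @('SMTP:carol@contoso.com', 'SMTP:alice@contoso.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Dave,OU=Users,DC=contoso,DC=local';  UserPrincipalName = 'ALICE@contoso.com';     ProxyAddresses = $null }
)

Test-DirSyncReadiness -Objects $sample -VerifiedSuffixes 'contoso.com' | Format-Table -AutoSize
```

The check is deliberately read-only: unlike IdFix it only reports, so you can review the findings, fix the objects in AD, and rerun it until the list is empty. Note that UPN and SMTP duplicates are compared case-insensitively because Azure AD treats them that way, which is exactly the kind of collision that is easy to miss when eyeballing the directory.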
2. TLS necessities for deploying Azure AD Connect
Another thing you need to be aware of before deploying Azure AD Connect is that it depends on TLS encryption. In the past, the tool's dependency on TLS was invisible to the administrator. However, the current version of the tool requires TLS 1.2 to be enabled and enforced for the .NET Framework on the server, which is not the case on a default Windows Server installation. Therefore, if you try to install Azure AD Connect without first enforcing TLS 1.2, the installer stops with an error message.
Unfortunately, enabling TLS 1.2 isn't as simple as installing a Windows Server feature or downloading an add-on. Instead, the process involves configuring several registry keys (the SCHANNEL protocol keys and the .NET Framework strong-crypto settings). However, because manually enabling TLS 1.2 is somewhat tedious, Microsoft created a PowerShell script that automates the process.
I ran this script on one of my servers before installing Azure AD Connect and found that it worked flawlessly. In case you are wondering, the PowerShell script doesn't require any user input. Just run it in an administrative PowerShell session, and TLS 1.2 will be enabled.
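For readers who want to see what the change actually consists of, or who need to audit a server before the installer runs, here is an added example that is not Microsoft's published script. It writes the same registry values that script sets (the SCHANNEL TLS 1.2 client and server keys, and the .NET Framework flags that make .NET 4.x use the operating system's default protocols and strong crypto) and then reads every value back so you can confirm the state. The function names are assumptions made for this example.

```powershell
# Added example, not Microsoft's TLS 1.2 enablement script. Sets the same
# registry values and verifies them. Run from an elevated session; the
# SCHANNEL change only takes effect after a reboot.
#Requires -RunAsAdministrator

$Tls12Settings = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } }
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ Enabled = 1; DisabledByDefault = 0 } }
    # Make .NET Framework 4.x honour the OS protocol list and use strong crypto
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 } }
    @{ Path   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 } }
)

function Enable-Tls12 {
    foreach ($s in $Tls12Settings) {
        # New-Item -Force creates missing parent keys (the TLS 1.2 key usually does not exist)
        if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        foreach ($name in $s.Values.Keys) {
            New-ItemProperty -LiteralPath $s.Path -Name $name -Value $s.Values[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-Tls12State {
    # One row per expected value, so a partial or drifted configuration is visible
    foreach ($s in $Tls12Settings) {
        foreach ($name in $s.Values.Keys) {
            $actual = (Get-ItemProperty -LiteralPath $s.Path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Key      = $s.Path
                Name     = $name
                Expected = $s.Values[$name]
                Actual   = $actual
                Ok       = ($actual -eq $s.Values[$name])
            }
        }
    }
}

function Test-Tls12 {
    # True only when every expected value is present and correct
    return -not ((Get-Tls12State).Ok -contains $false)
}

Enable-Tls12
Get-Tls12State | Format-Table -AutoSize
if (Test-Tls12) {
    Write-Host 'TLS 1.2 is enforced. Reboot the server before running the Azure AD Connect installer.'
} else {
    Write-Warning 'One or more TLS 1.2 settings are missing; see the table above.'
}
```

Get-Tls12State on its own is a useful audit step even on a server you did not configure yourself, because the installer error only tells you that TLS 1.2 is not enforced, not which of the eight values is wrong.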
3. Use a devoted server
One of the most important things you should do when setting up Azure AD Connect is to deploy it on a dedicated server (or, more likely, a dedicated virtual machine). There are two reasons why this is so important.
The first reason is that Azure AD Connect is a very sensitive application. Remember, it requires access to both your Active Directory environment and your Microsoft Azure environment. When password hash synchronization is enabled, its AD DS Connector account holds directory replication rights, so anyone who controls the server can read every password hash in the domain. As such, Microsoft recommends that you treat Azure AD Connect just as you would a domain controller with regard to security. Running Azure AD Connect on a dedicated physical or virtual machine helps isolate it from any other processes that might compromise its security.
The other reason it's so important to run Azure AD Connect on a dedicated machine is that Microsoft requires Azure AD Connect to be installed on a domain-joined system running Windows Server 2016 or later. Additionally, this server must have the full desktop experience (the GUI) installed; Server Core is not supported. Since Windows servers are often installed without a GUI, the GUI requirement alone will often mean that Azure AD Connect needs to be installed on its own server.
4. Multifactor authentication
For quite some time now, Microsoft has strongly recommended that organizations use multifactor authentication. Azure AD Connect can be used with or without multifactor authentication on the Azure AD account you enter in the wizard, though using it helps improve your overall security.
If your organization is using multifactor authentication, it's important to make sure one specific URL is included in the list of trusted sites on the server where you run the wizard; otherwise the MFA prompt cannot load. This URL is: https://secure.aadcdn.microsoftonline-p.com/
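On a fresh Windows Server, Internet Explorer Enhanced Security Configuration is on, and adding the URL by hand through the Internet Options dialog is easy to forget when building several servers. The following is an added example, not from the article: it writes the ZoneMap registry entries that place a host in the Trusted sites zone (zone 2) for the current user, covering both the normal map and the one consulted while Enhanced Security Configuration is active, and reads the zone back. The function names are assumptions, as is the rule that the registrable domain is the last two labels of the host name (correct for microsoftonline-p.com, not for suffixes such as co.uk).

```powershell
# Added example, not from the article. Adds a URL's host to the Trusted sites
# zone (zone 2) for the current user via the Internet Settings ZoneMap keys.
# Assumption: registrable domain = last two host labels.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Split-HostName {
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'                                         # e.g. microsoftonline-p.com
    $sub = $null
    if ($labels.Count -gt 2) { $sub = $labels[0..($labels.Count - 3)] -join '.' } # e.g. secure.aadcdn
    [pscustomobject]@{ Domain = $domain; Sub = $sub }
}

function Get-ZoneMapKey {
    param([Parameter(Mandatory)][uri]$Url, [Parameter(Mandatory)][string]$Map)
    # Layout is ZoneMap\<Map>\<domain>\<subdomain>, with one DWORD per scheme
    $h   = Split-HostName -HostName $Url.Host
    $key = "$ZoneMapRoot\$Map\$($h.Domain)"
    if ($h.Sub) { $key = "$key\$($h.Sub)" }
    return $key
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][uri]$Url)
    # 'Domains' is the ordinary map; 'EscDomains' is used while IE Enhanced
    # Security Configuration is on, which is the default on Windows Server.
    foreach ($map in 'Domains', 'EscDomains') {
        $key = Get-ZoneMapKey -Url $Url -Map $map
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name $Url.Scheme -Value 2 -PropertyType DWord -Force | Out-Null
    }
}

function Get-TrustedSiteZone {
    param([Parameter(Mandatory)][uri]$Url, [string]$Map = 'Domains')
    $key = Get-ZoneMapKey -Url $Url -Map $Map
    return (Get-ItemProperty -LiteralPath $key -Name $Url.Scheme -ErrorAction SilentlyContinue).($Url.Scheme)
}

$mfaUrl = 'https://secure.aadcdn.microsoftonline-p.com/'
Add-TrustedSite -Url $mfaUrl
foreach ($map in 'Domains', 'EscDomains') {
    $zone = Get-TrustedSiteZone -Url $mfaUrl -Map $map
    $label = if ($zone -eq 2) { 'Trusted sites' } else { 'NOT trusted' }
    '{0,-10} zone={1} ({2})' -f $map, $zone, $label
}
```

Two caveats apply. The entries are per-user, so run this as the account that will run the Azure AD Connect wizard. And if Group Policy's Site to Zone Assignment List is in effect, it locks the zone map and these user-level entries are ignored; in that case the URL has to be added to the policy instead.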
5. Be certain to allow password writeback
Once Azure AD Connect has been installed and configured, it's important to enable password writeback. The reasoning behind this is relatively simple. When Microsoft first created Azure AD Connect, it was largely intended to be a unidirectional synchronization tool. Data was synchronized from the on-premises environment to the Azure cloud. At the time, Microsoft was probably envisioning a world where everything resided in the cloud and saw Azure AD Connect as a tool that could help with Active Directory migrations to the cloud.
Today, of course, things are a little different. Hybrid environments are the norm. Thankfully, Azure AD Connect has at least some degree of support for two-way synchronization. That said, you have to manually enable password writeback. Otherwise, if a user changes or resets their password in the cloud, that change is not written back to the on-premises directory, and the user can end up with one password on-premises and a different password in Azure.
Enabling password writeback is easy. Once Azure AD Connect is installed, just open it and go into the settings. You can find the checkbox for enabling password writeback in the Optional Features section. Two prerequisites are worth knowing in advance: password writeback requires Azure AD Premium P1 (or a bundle that includes it) together with self-service password reset, and the AD DS Connector account needs Reset password rights plus write access to the lockoutTime and pwdLastSet attributes of the synchronized users.
Deploying Azure AD Connect: easy, if you think about these issues
Azure AD Connect is a vital part of a hybrid Active Directory. Even though Microsoft has made it extremely easy to deploy Azure AD Connect, it's worth your time to make sure you address these various issues before you try to synchronize your Active Directory to the cloud.
Featured image: Shutterstock