This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, SkyDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.
Overview

Objectives

What is the Azure AD Connect Tool?

Synchronization Direction

Software Requirements
System requirements:
- Windows 2008, 2008 R2, 2012 and 2012 R2 supported
- Microsoft .NET Framework 4.5
- Windows PowerShell 3.0 or newer

Additional requirements:
- Standalone server, member server or a domain controller
- Local Administrator to install AADSync
- Azure AD account with the Global Administrator role

The following components are installed automatically:
- Forefront Identity Manager 2010 R2
- Microsoft SQL Server Express 2012 LocalDB (a light version of SQL Server Express)
- Microsoft Online Services Sign-in Assistant
Network Requirements

Hardware Recommendations and Directory service quota

Number of objects in Active Directory   CPU       Memory   Disk space
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000–50,000                           1.6 GHz   4 GB     70 GB
50,000–100,000                          1.6 GHz   16 GB    100 GB
100,000–300,000                         1.6 GHz   32 GB    300 GB
300,000–600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000 objects.

Directory Service Object Quota
Azure AD Connect credentials and permissions

Wizard page           Permissions required                                     Used for
Connect to Azure AD   Azure AD directory credentials
Connect to AD DS      On-premises Active Directory credentials; member of      N/A
                      the Enterprise Admins (EA) group in Active Directory

Summary of the accounts that are created by Azure AD Connect

Account created                                     Permissions assigned                                   Used for
                                                    Dedicated Directory Synchronization Role               On-going sync operations (Azure AD MA account)
Express Settings: AD account used for sync          Read/write permissions on the directory as required    On-going sync operations (Azure AD MA account)
                                                    for sync + password sync
Logon credentials of the user running the wizard    NA
AD FS: GMSA account (aadcsvc$)                      Domain user                                            FS service logon account
Objects that Synchronize

Objects that Do Not Synchronize

Contact objects and SecurityEnabledGroup objects are not synchronized when:
- isCriticalSystemObject = TRUE
- DisplayName is empty
- (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid, i.e. indexOf('@') <= 0)

Objects that Do Not Synchronize (continued)

User objects are not synchronized when:
- mailNickName starts with "SystemMailbox{"
- mailNickName starts with "CAS_" AND mailNickName contains "{"
- sAMAccountName starts with "CAS_" AND sAMAccountName contains "}"
- sAMAccountName equals "SUPPORT_388945a0"
- sAMAccountName equals "MSOL_AD_Sync"
- sAMAccountName is not present
- isCriticalSystemObject is not present
- msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)
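The exclusion rules above, restated as a predicate so they can be checked against on-premises objects before a sync run. This is an added example, not code from the training deck or from Azure AD Connect; the sample objects are constructed here, and attribute names are the AD attribute names used on the slides.

```python
"""Exclusion rules for objects Azure AD Connect does not synchronize (added example)."""

# msExchRecipientTypeDetails values the slide lists as excluded for user objects
EXCLUDED_RECIPIENT_TYPES = {0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000}


def has_primary_smtp(proxy_addresses):
    # A primary SMTP address carries the upper-case "SMTP:" prefix
    return any(a.startswith("SMTP:") for a in proxy_addresses or [])


def mail_is_valid(mail):
    # The slide's check: mail present and indexOf('@') > 0
    return bool(mail) and mail.find("@") > 0


def user_excluded(obj):
    """Return the first matching exclusion reason for a user object, or None if it syncs."""
    nick = obj.get("mailNickName") or ""
    sam = obj.get("sAMAccountName")
    if nick.startswith("SystemMailbox{"):
        return "mailNickName starts with SystemMailbox{"
    if nick.startswith("CAS_") and "{" in nick:
        return "mailNickName is a CAS_ object"
    if sam is None:
        return "sAMAccountName not present"
    if sam.startswith("CAS_") and "}" in sam:
        return "sAMAccountName is a CAS_ object"
    if sam in ("SUPPORT_388945a0", "MSOL_AD_Sync"):
        return f"sAMAccountName is {sam}"
    if "isCriticalSystemObject" not in obj:
        return "isCriticalSystemObject not present"
    if obj.get("msExchRecipientTypeDetails") in EXCLUDED_RECIPIENT_TYPES:
        return "msExchRecipientTypeDetails is an excluded type"
    return None


def contact_or_group_excluded(obj):
    """Exclusion reasons shared by contact and SecurityEnabledGroup objects."""
    if obj.get("isCriticalSystemObject") is True:
        return "isCriticalSystemObject = TRUE"
    if not obj.get("displayName"):
        return "DisplayName is empty"
    if not has_primary_smtp(obj.get("proxyAddresses")) and not mail_is_valid(obj.get("mail")):
        return "no primary SMTP address and no valid mail attribute"
    return None


# Constructed sample objects (not from any real directory)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "mailNickName": "jdoe", "isCriticalSystemObject": False},
    {"sAMAccountName": "SM_1f05a927", "mailNickName": "SystemMailbox{1f05a927}", "isCriticalSystemObject": False},
    {"sAMAccountName": "MSOL_AD_Sync", "isCriticalSystemObject": False},
    {"sAMAccountName": "svc-relay", "mailNickName": "svc-relay", "isCriticalSystemObject": False,
     "msExchRecipientTypeDetails": 0x1000},
]


def report(users):
    """Pair each sAMAccountName with its exclusion reason (None means it will sync)."""
    return [(u.get("sAMAccountName"), user_excluded(u)) for u in users]


if __name__ == "__main__":
    for name, reason in report(SAMPLE_USERS):
        print(f"{name}: {'syncs' if reason is None else 'excluded (' + reason + ')'}")
```

Running the script on the constructed set shows that only `jdoe` syncs; the others hit the SystemMailbox, MSOL_AD_Sync and recipient-type rules respectively.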
Mandatory Attributes

DirSync and Account Status

Active Directory   DirSync action                        Office 365
Create account     Create account                        Creates a user*
Modify account     Make changes to an existing account   Update changes
Delete account     Delete account
Disabled account   Disable account

* Assigning a license will create a mailbox.
High Level Architecture Overview

[Diagram: on-premises AD DS and HR systems connect through an identity bridge (AAD Sync, AAD Connect, DirSync, FIM with Connector, or MIM 2016) to the Microsoft cloud (Azure Active Directory (AAD), Admin Web Service (AWS), Cloud Sync Fabric, Identity Manager), which in turn provisions SaaS apps such as Box, Salesforce and others.]
Core AAD Connect Concepts

UserPrincipalName:
- Used to sign in to the cloud services
- Recommended to be the same as the user's primary SMTP address
- Needs to use a domain suffix that is registered and verified in the tenant
- Critical for successful single sign-on using AD FS
- If missing, is constructed as: sAMAccountName + "@" + Microsoft Online Default Domain (e.g. user@contoso.onmicrosoft.com)

SourceAnchor:
- Used as the immutable identifier for any given object that is synchronized between on-premises and Office 365
- Base64-encoded value generated from the on-premises AD object's ObjectGUID
- Provided the AD object is never deleted, the ObjectGUID will never change
- SourceAnchor is the DirSync term and ImmutableID is the AD FS term
Source of Authority

Hard Match vs. Soft Match

For attribute updates, the Admin Web Service must identify what Azure AD object to act upon:
Sync Overview

[Diagram: on-premises AD DS feeds the AD DS connector space through a connector and an inbound sync rule into the metaverse; a second connector space, with its own connector, inbound sync rule and outbound sync rule, sits on the other side of the metaverse.]

Run Profiles and Steps:
- Full Import
- Delta Import
- Full Synchronization
- Delta Synchronization
- Export

Microsoft Confidential
Sync Overview: Office 365

Office 365 Admin Web Service receives the object data from AAD Connect.

Import from AAD Connect:
- Only specific attributes defined in FIM are synchronized for each object
- Validate that changed data is not corrupted at the attribute level:
  - Data is normalized using _ for UPN and SamAccountName
  - Otherwise, when an update is invalid for an attribute, a rejection email is sent to the tenant contact
- If an update is a user account creation event:
  - Admin Web Service attempts to create an account for the user
  - Failure causes a reject email to be sent to the tenant contact

Sync Overview: Office 365 (continued)
Forward and Back Sync

Forward and Back Sync (continued)

Back-Sync/Write-Back:
- There are certain attributes for the Exchange Online (ExO) service that require reverse propagation to the on-premises environment for Exchange co-existence features to work
- Back-Sync: Data is changed in the ExO partition and then synced back to Azure AD using daemons similar to those used for Forward-sync
- Write-back: Data is shipped from Azure AD, back through Admin Web Service, to the AAD Connect service using bi-directional FIM functionality
- AAD Connect updates the local AD objects with these updated attributes
Write Back Attributes

Attributes that are written back to the on-premises Active Directory from Azure Active Directory in an Exchange Hybrid deployment scenario:
- msExchArchiveStatus
- msExchUCVoiceMailSettings
- msExchUserHoldPolicies
- ProxyAddresses (LegacyExchangeDN as X500)
- msExchSafeSendersHash
- msExchBlockedSendersHash
- msExchSafeRecipientsHash
Microsoft Online Default Routing Domain

AAD Connect and SMTP Addresses
Scenario 1
  On-premises proxyAddresses: SMTP:john@contoso.com
  Azure AD proxyAddresses:    SMTP:john@contoso.com, smtp:john@contoso.onmicrosoft.com

Scenario 2
  On-premises proxyAddresses: smtp:john@contoso.com
  Azure AD proxyAddresses:    SMTP:john@contoso.onmicrosoft.com, smtp:john@contoso.com

Scenario 3
  On-premises proxyAddresses: SMTP:john@contoso.com, smtp:john@apac.contoso.com
  Azure AD proxyAddresses:    SMTP:john@contoso.com, smtp:john@apac.contoso.com, smtp:john@contoso.onmicrosoft.com

Scenario 4
  On-premises value (source attribute label missing in this extraction): john@contoso.com
  Azure AD proxyAddresses:    SMTP:john@contoso.com, smtp:john@contoso.onmicrosoft.com

Scenario 5
  On-premises UserPrincipalName: john@contoso.com
  Azure AD proxyAddresses:    SMTP:john@contoso.com, smtp:john@contoso.onmicrosoft.com
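The scenarios above follow one rule set: an existing primary ("SMTP:") address is kept, the default routing-domain address is always added, and it becomes the primary only when the on-premises object has no primary. Here is that rule set as an added Python example (not code from the deck or from Azure AD Connect). It assumes the routing-domain address reuses the local part of the primary address (the real sync service builds it from mailNickname), and the routing domain contoso.onmicrosoft.com is the one from the slides.

```python
"""Derive the Azure AD proxyAddresses value from on-premises data (added example)."""


def primary_of(addresses):
    """Return the address carrying the upper-case SMTP: prefix, or None if there is none."""
    for a in addresses:
        if a.startswith("SMTP:"):
            return a[len("SMTP:"):]
    return None


def cloud_proxy_addresses(proxy_addresses, user_principal_name=None,
                          routing_domain="contoso.onmicrosoft.com"):
    """Mirror the slide's scenarios for populating proxyAddresses in Azure AD.

    proxy_addresses: on-premises proxyAddresses values, e.g. ["SMTP:john@contoso.com"]
    user_principal_name: used when the object has no proxyAddresses at all
    routing_domain: the Microsoft Online default routing domain (assumed value)
    """
    addrs = list(proxy_addresses or [])
    if not addrs:
        # Scenario 5: no proxyAddresses on-premises, so the UPN becomes the primary address
        if not user_principal_name:
            raise ValueError("need either proxyAddresses or a UserPrincipalName")
        addrs = ["SMTP:" + user_principal_name]

    primary = primary_of(addrs)
    # Assumption: the routing address reuses the local part of the primary (or first) address
    first_local = (primary or addrs[0].split(":", 1)[1]).split("@")[0]
    routing_addr = f"{first_local}@{routing_domain}"
    routing_secondary = "smtp:" + routing_addr.lower()

    if primary is None:
        # Scenario 2: no primary on-premises, so the routing-domain address becomes primary
        rest = [a for a in addrs if a.lower() != routing_secondary]
        return ["SMTP:" + routing_addr] + rest

    # Scenarios 1 and 3: keep the on-premises list, add the routing address as a secondary
    if routing_secondary not in {a.lower() for a in addrs}:
        addrs.append("smtp:" + routing_addr)
    return addrs


if __name__ == "__main__":
    # Constructed inputs matching the slide's scenarios
    print(cloud_proxy_addresses(["SMTP:john@contoso.com"]))
    print(cloud_proxy_addresses(["smtp:john@contoso.com"]))
    print(cloud_proxy_addresses(["SMTP:john@contoso.com", "smtp:john@apac.contoso.com"]))
    print(cloud_proxy_addresses([], user_principal_name="john@contoso.com"))
```

The case that trips up migrations is scenario 2: a lowercase-only list silently makes the onmicrosoft.com address primary, so mail leaves with an unexpected sender address. Checking `primary_of()` on exported on-premises values before enabling sync catches it.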
AAD Connect Process

Estimating Synchronization Time

Password Sync Overview

Are Passwords Safe?
- The Password Sync tool, Azure AD, and all associated services never see or store the on-premises user's plaintext password
- A digest of the Windows Active Directory password hash is used for transmission between the on-premises AD and Azure Active Directory
- To authenticate a user, the password presented by the user is hashed and compared with the stored hash
- The digest of the password hash cannot be used to access resources in the customer's on-premises environment
Password Sync Limitations

How does Password Hash Sync work?

Enable Password Hash Synchronization

Password Hash Sync versus SSO
Password Write Back
Monitoring Password Synchronization using the event logs

Event ID   Description                                    Cause
650        Provision credentials batch start. Count: 1    Password synchronization starts retrieving updated passwords from the on-premises AD DS.
651
653
654
656
657
Forcing Full Password Sync

Forcing Delta Objects Sync

Verifying and Monitoring DirSync

Throttling Sync

DirSync and Deletes
Accidental Deletes

Scenario:
- An on-premises AD admin accidentally deletes a user object in AD (oops)
- DirSync propagates the delete to the cloud
- The user object is deleted in the cloud (mailbox lost)
- What do you do now?

Accidental Deletes (continued)

Manual recovery:
- The admin identifies the object to be recovered on-premises and uses the recycle bin feature or an authoritative restore of the object

Via AAD Connect:
- When the admin restores the user object in AD, the object is automatically recovered by AAD Connect; the mailbox is also recovered, etc.
- Recovery is dependent on keeping the same SourceAnchor value
- A new SourceAnchor value with the same attribute values will not recover the user object in Office 365 and instead will create a new user
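The recovery rule above and the SourceAnchor definition from the Core AAD Connect Concepts section both hinge on the same value: the base64 encoding of the on-premises ObjectGUID. Here is that relationship as an added Python example (not code from the deck or from Azure AD Connect): it derives the ImmutableID from an objectGUID, builds the fallback UPN the concepts section describes, and checks whether a restored on-premises object still matches the cloud user. It assumes the GUID is encoded in its stored little-endian byte order (the same bytes .NET's Guid.ToByteArray() returns); the GUIDs and tenant domain in the script are constructed.

```python
"""SourceAnchor / ImmutableID derivation and the accidental-delete recovery check (added example)."""
import base64
import uuid


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Base64 of the 16 GUID bytes in the little-endian layout AD stores in objectGUID."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse of the above, useful when reading ImmutableID from an Azure AD export."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def default_upn(sam_account_name: str, tenant_default_domain: str) -> str:
    """Fallback UPN when none is set: sAMAccountName + "@" + Microsoft Online default domain."""
    return f"{sam_account_name}@{tenant_default_domain}"


def restore_will_recover(restored_object_guid: str, cloud_immutable_id: str) -> bool:
    """The slide's rule: recovery works only if the restored object keeps the same SourceAnchor.

    A recycle-bin or authoritative restore keeps the original objectGUID, so the
    SourceAnchor matches the cloud ImmutableID. A re-created object gets a fresh
    objectGUID, so the values differ and sync would create a second user instead.
    """
    return immutable_id_from_object_guid(restored_object_guid) == cloud_immutable_id


if __name__ == "__main__":
    # Constructed GUIDs; nothing here comes from a real directory
    original_guid = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
    recreated_guid = "11111111-2222-3333-4444-555555555555"
    cloud_id = immutable_id_from_object_guid(original_guid)
    print("ImmutableID in Azure AD:", cloud_id)
    print("UPN fallback:", default_upn("jdoe", "contoso.onmicrosoft.com"))
    print("restore from recycle bin recovers:", restore_will_recover(original_guid, cloud_id))
    print("re-created account recovers:", restore_will_recover(recreated_guid, cloud_id))
```

Comparing the two values before the next sync cycle is the cheap check that separates "restore the object" from "create a duplicate user and lose the mailbox".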
Filtering What Objects Sync

Attribute-based Filtering

Troubleshooting

Key Deployment Considerations

Lab: Activate, Install and Configure Azure AD Connect Tool

Module Review

Module Review (Answers)

Module Summary
2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.