Azure AD — Hybrid Identities and AD Connect
When it comes to sociology , Hybrid identity is defined by:
“a product of the fusion of two or more types of identity which is much more likely to occur within a complex global culture where there is a greater flow of ideas and greater movement of people.”
In Azure AD’s realm, however, Hybrid Identity is a different concept.
This article is a continuation of my previous on Identities.
This Subject is part of multiple Microsoft certification exams, including (but not limited to):
- SC-300 (Identity and Access Administrator Associate)
- SC-900 (Identity and Access Fundamentals)
Previously I mentioned AAD and how it is able to manage and maintain a user database in Azure.
This is not the only way it can handle Identities though.
There are two types of Identities that Azure AD can manage:
- Cloud-only: which are the Identities created in itself and managed by itself.
- Hybrid Identities: which are identities created in Active Directory (AD on Prem) or other IdP and synced with AAD.
Notice that Cloud-Only deployments won’t support any of the features from AAD Connect (which I’ll explain further). Microsoft advises on the subject:
When using the hybrid model, authentication can either be done by Azure AD, which is known as managed authentication, or Azure AD redirects the client requesting authentication to another identity provider, which is known as federated authentication.
The concept of Hybrid identities is particularly useful for large enterprises who are already utilizing a AD Domain Services (AD DS) and want to connect to AAD to leverage, or start their journey to, the cloud.
When we talk about AAD using identities in AD DS, a requirement is to utilize Azure AD Connect.
There are a number of requirements and rules that need to be double checked prior to setting up Azure AD connect.
What does AAD connect provide? It offers support to these features:
Password hash synchronization — A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.
Pass-through authentication — A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
Federation integration — Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
Synchronization — Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
Health Monitoring — Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
AAD connect works by:
(AAD connect) users 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory.
If you decide to setup this integration, you’ll have to double check all the Network, Hardware and other requirements.
A comprehensive list of these requirements is available here, including Network and Hardware requirements.
In this server, you’ll have to setup a SQL database, Visual C++ and AAD Connect Health.
AAD connect Health is a component from AAD Connect that syncs changes and maintains a connection from the on-prem AD DS to AAD. It also provides monitoring capabilities to key services that deal with Ids in on-prem hardware.
It has a dedicated web portal to report on everything it’s collecting — including the performance and usage of these services. This is called the AAD connect Health portal.
But what are the reasons why you should use AAD Connect and AAD Connect Health?
Well, AAD connect is the current AD sync solution from Microsoft, superseding AD Sync and DirSync, for example.
The main driver to use AAD Connect is to sync On-prem Identities with Cloud-based AD, offering the best user experience to login to multiple Legacy (on-prem) and Modern (cloud-based) applications/Services.
Plus, the tool allows for secure methods of syncing passwords, to keep your compliance goals checked.
As for AAD Connect Health it’s really about assurance, performance optimization and availability of the Sync.
helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of this environment.
Follow me on twitter: Camillo (@iamcamillo) / Twitter
Learn more about my Cloud and Security Projects:
Thank you for reading and leave your thoughts/comments!
Scattered throughout the document.