To synchronize login credentials between Active Directory and Azure Active Directory, many administrators use Azure AD Connect. We have already described how to synchronize on-premises Active Directory environments with Azure AD. Read the article "Set up Azure AD Connect" to learn about single sign-on scenarios between on-premises networks and Azure.
In addition to Azure AD Connect, Microsoft also offers Azure AD Connect cloud sync. These are different services for similar functions.
Azure AD cloud synchronization comparison
Use Azure AD Connect
In addition to the option of using Azure AD Connect, Microsoft also offers the "Azure AD cloud synchronization" service. This is another option for synchronizing users and groups between Active Directory and Azure AD. Azure AD cloud synchronization is also available in the Azure Active Directory admin center. You can access the Azure AD admin center via the URL https://aad.portal.azure.com. The Azure AD Connect and Azure AD cloud synchronization settings can be found via the "Azure Active Directory > Azure AD Connect" menu item.
With Azure AD Connect cloud sync, you also need agent software on a server in the network that acts as a bridge between Azure AD and AD. The deployment configuration is stored in Azure AD and managed as part of the service. Unlike Azure AD Connect, the agent on the server does not handle all of the actions; instead, all tasks are stored and carried out in the cloud. The agent on the server is only used to connect Active Directory to Azure AD. It is useful to know that Azure AD Connect cloud sync and Azure AD Connect can be used in parallel.
Azure AD Connect cloud sync vs Azure AD Connect sync
Azure AD Connect cloud sync and Azure AD Connect sync work similarly. However, only Azure AD Connect cloud sync can be run with a smaller agent. In addition, there is the option to install several active agents for a high-availability environment. However, if custom attributes are also to be synchronized, Azure AD Connect is (still) the better way to go, because Azure AD Connect cloud sync is not (yet) capable of this. Pass-through authentication is also possible when using Azure AD Connect.
Azure AD Connect cloud sync is also the better way to go when it comes to synchronizing several entire AD forests with one Azure subscription, especially if these forests are not connected to Azure. Azure AD cloud sync supports installation on several servers in the network that can connect to Azure AD. This lets you achieve high availability of the service. For the operation of the agent, a service account is created, which of course must have rights in Active Directory.
Use Managed Service Accounts
Create Group Managed Service Accounts (gMSA)
To make installation on several servers easier to implement, you can also use group Managed Service Accounts (gMSA). In this case, you use one user account for each installed instance of Azure AD cloud sync.
The account can be managed by the service itself, including changing its password. The agent setup wizard can create a group managed service account. It is also possible to create such an account yourself and select it there. Managed service accounts are user accounts in Active Directory that are used for local services. The passwords of these accounts are not changed manually, but automatically by Active Directory under certain conditions. Administrators can also trigger such changes manually.
The advantage is that the system services that use these user accounts do not have to be reconfigured by administrators when passwords are changed. Instead, they pick up the password change automatically.
Create managed service accounts
You create the service accounts via PowerShell, more precisely via the Active Directory module for PowerShell with the cmdlet New-ADServiceAccount -Name <name> -Enabled $true, for example with New-ADServiceAccount "AzureADConnect" -Enabled $true -DNSHostName "AzureADConnect.joos.int".
By default, the cmdlet in Windows Server 2019 creates a new group managed service account. Before you create group managed accounts, you must first create a new KDS root key for the domain with Add-KdsRootKey.
By default, it takes 10 hours from that moment until you can create managed service accounts. In test environments, you can bypass this waiting period with the following command:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
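The following script is an added example and is not code from the original article; it carries the gMSA procedure above through end to end. The domain joos.int is taken from the article's own example; the server names AADSYNC01 and AADSYNC02 and the group name AzureADConnectAgents are assumptions to replace with your own. The point worth noticing is -PrincipalsAllowedToRetrieveManagedPassword: only the computer accounts in that group can fetch the gMSA password, so a second agent server is added by group membership rather than by handing out a credential.

```powershell
# Added example, not from the original article. Assumed names: domain joos.int
# (from the article), agent servers AADSYNC01 / AADSYNC02, host group
# AzureADConnectAgents, gMSA name AzureADConnect. Run on a domain controller
# or a machine with the RSAT AD module, as a domain admin.
Import-Module ActiveDirectory

# 1. KDS root key. Create it once per forest. In production use
#    Add-KdsRootKey -EffectiveImmediately and wait the 10 hours; the backdated
#    EffectiveTime below is the lab shortcut described in the article.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group holding the servers that may retrieve the managed password.
$hostGroup = 'AzureADConnectAgents'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
# Computer accounts are addressed by their SAM account name (trailing $).
Add-ADGroupMember -Identity $hostGroup -Members 'AADSYNC01$', 'AADSYNC02$'

# 3. The gMSA itself. Only members of $hostGroup can retrieve its password;
#    nobody ever sees or types it.
$gmsaName = 'AzureADConnect'
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.joos.int" `
    -Enabled $true `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup

# Show who is allowed to retrieve the password, as a check of step 3.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword

# 4. On EACH agent server, after a reboot so the new group membership is in the
#    computer's token, install the account locally and verify retrieval works:
#      Install-ADServiceAccount -Identity 'AzureADConnect'
#      Test-ADServiceAccount    -Identity 'AzureADConnect'   # expect True
```

Test-ADServiceAccount returning False on an agent server almost always means the computer account is not yet in the group as far as its own Kerberos ticket is concerned; a reboot (or a fresh logon of the computer account) fixes it. The account still needs the Active Directory rights the article mentions for the agent; those are granted separately and are not part of this example.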
The freeware Managed Service Accounts GUI makes it much easier to create managed service accounts in Windows Server 2019.
Install Azure AD cloud synchronization
You set up Azure AD cloud synchronization from the Azure Active Directory admin center. To do this, click on "Azure Active Directory > Azure AD Connect" in the admin center (https://aad.portal.azure.com) and then on "Manage Azure AD cloud synchronization" under "Azure AD cloud synchronization". In this window, you can click "Download Agent" to download the software. Here you can also see the status of the various agents that are already connected.
After downloading, first install the agent on a server through which you want to connect to Azure AD. After the initial setup, it is generally a good idea to install the agent on a second server as well, so that synchronization keeps working.
To continue connecting Active Directory to Azure AD, authentication to Azure AD is still required. Here, the installation wizard also supports multi-factor authentication in Azure AD. After that, you choose whether you want the wizard to create a managed service account or whether you want to use an existing account.
Next, select the Active Directory domain to be synchronized with Azure AD. Here, too, a logon is required. In the last step you get a summary and the agent begins the setup. If something goes wrong during the setup, you can find the log files of the service in the directory "C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace".
After the successful setup, you can see the connection in the Azure Active Directory admin center under "Azure Active Directory > Azure AD Connect" and then under "Azure AD cloud sync" via "Manage Azure AD cloud sync" when you click "Review all agents".
If the synchronization does not work, check whether the "Microsoft Azure AD Connect Provisioning Agent" system service has started. The "Microsoft Azure AD Connect Agent Updater" system service must also be started.
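As an added example (not from the original article), the check described in the previous paragraph as a script to run on the agent server: it looks up the two services by the display names the article gives, starts any that are stopped, and then shows the tail of the newest file in the trace directory named above. The service display names and the trace path are taken from the article; the number of lines shown is an arbitrary choice.

```powershell
# Added example, not from the original article. Run on the server where the
# cloud sync agent is installed, in an elevated PowerShell session.
$services = @(
    'Microsoft Azure AD Connect Provisioning Agent',   # display name from the article
    'Microsoft Azure AD Connect Agent Updater'         # display name from the article
)
$traceDir = 'C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace'

foreach ($name in $services) {
    # Get-Service accepts the display name; a missing service returns nothing.
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' is not installed on this server."
    }
    elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service '$name' is $($svc.Status); starting it."
        Start-Service -InputObject $svc
        # Report the state after the start attempt.
        Write-Output "Now: '$name' is $((Get-Service -Name $svc.Name).Status)"
    }
    else {
        Write-Output "OK: '$name' is running (StartType: $($svc.StartType))."
    }
}

# Newest trace file: setup and sync errors are written here, so its tail is
# the first thing to look at when an agent does not show up in the portal.
$latest = Get-ChildItem -Path $traceDir -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if ($latest) {
    Write-Output "Latest trace: $($latest.FullName) (written $($latest.LastWriteTime))"
    Get-Content -Path $latest.FullName -Tail 20
}
else {
    Write-Warning "No trace files found under '$traceDir'."
}
```

If a service is installed but refuses to start, the trace tail together with the System event log (service control manager entries) usually shows whether the problem is the gMSA (password retrieval failing on this host) or the outbound connection to Azure AD.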
Once the agent has connected to Azure AD, you can start the cloud sync with "New configuration" in the Azure AD Connect management interface. Here you can select the synchronization for the domains that are connected to agents. After that, save the synchronization.
Article created: 02.08.2021