Azure AD Connect

Sunith 81 Reputation points
2020-08-19T04:53:22.527+00:00

Hi

We are to set up AD Connect on Azure to sync our on-premise AD with Azure. The main reason being we have an in-house application that will be using SSO.

I have some basic questions to understand our path to migration / setup.

  1. Is this the same as syncing with M365? If not, please advise on how to do this with M365?
  2. Our current scenario is like:

on-premise AD

User: John Doe
Username: jdoe
Password: xxxxxxxx

on M365

User: John Doe
Username: john.doe@keyman .com
Password: yyyyyyy

The difference in Username and Password, will this be an issue during setup?

  3. In the initial stage of the application using SSO, only 15 users need to sync. Is it possible to sync only 15 users to SSO? How?
  4. Once the sync is complete, what impact does it have on users logging in to their computers, and to their Outlook or Office applications?

I am sure these may be silly questions; however, I would like to hear from the experts to make things easy for us before we begin the setup.


Accepted answer
    AmanpreetSingh-MSFT 56,561 Reputation points
    2020-08-21T15:18:58.283+00:00

    Hi @Sunith, please find my answers inline below:

    How can we merge the users "AHeartings" & "Ann.Heartings" as 1 user and sync to on-premise AD?
    This can be done by hard match or soft match, which is very well explained here: https://dirteam.com/sander/2020/03/27/explained-user-hard-matching-and-soft-matching-in-azure-ad-connect/

    With AD Connect Sync, does it sync only the identities (usernames) or both Usernames and Passwords?
    If you have enabled Password Hash Sync (PHS), it will sync user accounts along with their passwords. If PHS is not enabled, passwords are not synced.

    On our corporate computers and network does the user login using the AD username and with SSO enabled will it automatically login the user to Outlook and other office apps?
    As I mentioned in my previous reply, you'll get a seamless SSO experience if you have deployed Seamless SSO or perform Hybrid AAD join. Otherwise users will have to log in to every new browser session.

    with user molly dolly showing in sync with on-premise AD, what is the password for this user on M365? or do we need to reset the password on M365?
    Since you have PHS enabled, it should be on-premise AD password.

    As mentioned we did the selective sync with OU and since we only need to sync 25 out of 200 users for this specific application, is it best to sync OU or a security group, we have a structured OU based on location and we like to keep it. However if OU is best way forward over the security group? then we will have to take that path?
    We recommend security group based filtering for testing purposes so that you can test by syncing a few accounts. However, if changing the OU structure is not an option and you will not be having more than 50,000 users, you can use security groups as well. The number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members.

    For SSO is it best to use “Pass-Through Authentication” or “Password Hash Synchronization”
    For best SSO experience, use Pass-Through Authentication along with Seamless SSO configured in AD Connect. Refer to https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#deploy-seamless-single-sign-on. If you want to use PHS only, then you'd need to go with Hybrid Azure AD Join.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

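The hard match / soft match the answer points to, as an added example that is not from the thread or from Azure AD Connect itself: deriving the ImmutableId anchor from an on-prem objectGUID (the Base64 of the GUID in .NET byte order) and classifying how constructed on-prem and cloud records would join. All GUIDs, names and addresses below are constructed.

```python
import base64
import uuid
from typing import Optional


def immutable_id_from_guid(object_guid: str) -> str:
    """Derive the default Azure AD sourceAnchor (ImmutableId) from an on-prem objectGUID.

    The anchor is the GUID in .NET Guid.ToByteArray() order (first three groups
    little-endian), Base64-encoded. uuid.UUID(...).bytes_le yields that exact order.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse: recover the objectGUID string from an ImmutableId, e.g. to audit a cloud user."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def match_mode(onprem: dict, cloud: dict) -> Optional[str]:
    """Classify how a synced on-prem user would join an existing cloud user.

    'hard': the cloud user's ImmutableId equals the anchor derived from objectGUID.
    'soft': the cloud user has no ImmutableId yet and the UPN or the primary SMTP
            address (the 'SMTP:' entry of proxyAddresses) matches.
    None:   no join; the sync creates a second, separate cloud user.
    This is the example's own model of the documented behaviour, not AD Connect code.
    """
    anchor = immutable_id_from_guid(onprem["objectGUID"])
    if cloud.get("immutableId"):
        return "hard" if cloud["immutableId"] == anchor else None
    if onprem["userPrincipalName"].lower() == cloud["userPrincipalName"].lower():
        return "soft"
    primary = [a[5:] for a in onprem.get("proxyAddresses", []) if a.startswith("SMTP:")]
    if primary and primary[0].lower() == cloud.get("mail", "").lower():
        return "soft"
    return None


# Constructed records modelled on the thread's test scenario (not real tenant data).
ONPREM_JDOE = {"objectGUID": "01020304-0506-0708-090a-0b0c0d0e0f10",
               "userPrincipalName": "jdoe@corp.local",
               "proxyAddresses": ["SMTP:John.Doe@example.com"]}        # SMTP matching set
CLOUD_JDOE = {"userPrincipalName": "John.Doe@example.com",
              "mail": "John.Doe@example.com", "immutableId": None}
ONPREM_AHEARTINGS = {"objectGUID": "11111111-2222-3333-4444-555555555555",
                     "userPrincipalName": "AHeartings@corp.local", "proxyAddresses": []}
CLOUD_ANN = {"userPrincipalName": "Ann.Heartings@example.com",
             "mail": "Ann.Heartings@example.com", "immutableId": None}
```

Running `match_mode(ONPREM_AHEARTINGS, CLOUD_ANN)` returns None, which is the duplicate-user outcome described in the thread; setting `CLOUD_ANN["immutableId"]` to `immutable_id_from_guid(ONPREM_AHEARTINGS["objectGUID"])` before the first sync turns it into a hard match.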

3 additional answers

    AmanpreetSingh-MSFT 56,561 Reputation points
    2020-08-19T09:57:57.763+00:00

    Hi @Sunith, M365 uses Azure AD to store all its identities. So, the users synced from on-premises Active Directory to Azure AD will be available in M365, and there are no separate steps needed for M365.

    If your on-prem UPN is jdoe@Company portal .local, the user account will be synced as jdoe@Company portal .onmicrosoft.com on Azure AD. If you don't want to use contoso.onmicrosoft.com as the UPN suffix, first you would need to add your public domain, e.g. contoso.com, to Azure AD and flip the on-prem UPN suffix from contoso.local to contoso.com.

    If you already have john.doe@Company portal .com present as a cloud user and you would like to merge it with the synced user, you can do it via hard match or soft match. Refer to https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant for more details.

    To sync 15 users, you may consider using sync filtering based on groups, or use OU-based filtering, and add only those 15 users to the group or OU depending on which filtering you decide to go with.

    There won't be any impact on users' logins to computers, Outlook or Office by just synchronizing the accounts.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


    AmanpreetSingh-MSFT 56,561 Reputation points
    2020-08-20T14:27:06.677+00:00

    Hi @Sunith, as you have an on-prem presence, for a seamless single sign-on experience you can choose to go with one of the below options:

    1. Pass-through authentication (PTA) with Seamless SSO deployed via AD Connect. With PTA, authentication will be done via on-prem domain controllers, and users won't have to enter credentials to access cloud resources. For step-by-step instructions please refer to Deploy Seamless Single Sign-On.
    2. Perform Hybrid Azure AD Join. In this case, your devices will be joined to both On-prem AD and Azure AD. When users sign into hybrid joined device, they get a PRT (Primary Refresh Token) which is used to facilitate SSO while accessing cloud resources.

    Without any of the above implementations, SSO will be based on the browser session: session cookies are issued to the users, and after the user closes the browser the session cookies are invalidated and a sign-in is required for the new browser session.

    Hope this answers your questions regarding SSO.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


    Sunith 81 Reputation points
    2020-08-20T17:07:46.927+00:00

    @amarpreetsingh-msft
    Thank you Amarpreetsingh for your response. I'd like to close this with my test scenario.

    On-Premise AD
    We created an OU "App_Users", and within the OU we created:
    User1 - Ann Heartings Username: AHeartings Password: X7y8Z9
    User2 - John Doe Username: JDoe Password: X4y5Z6
    User3 - Molly Dolly Username: MDolly Password: X1y2Z3

    On M365, I added 2 users:
    User1 - Ann.Heartings@keyman .com Password: A1b2C3 SMTP: Ann.Heartings@keyman .com
    User2 - John.Doe@keyman .com Password: A4b5C6 SMTP: John.Doe@keyman .com

    I went back to On-Premise AD and added the below SMTP addresses to the users (SMTP matching):

    1. John Doe - SMTP: John.Doe@keyman .com
    2. Molly Dolly - SMTP: Molly.Dolly@keyman .com

    Now I installed AD Connect and, using custom installation, I selectively filtered the OU and ran the sync using "Password Hash Synchronization", and it was successful.

    The status on Azure shows:
    [screenshot: 19232-2020-08-20-20-55-11.png]

    The status on M365 shows:
    [screenshot: 19233-2020-08-20-20-55-39.png]

    Now, on checking the results of the sync on M365, my findings are:

    1. User Aheartings@keyman .com shows in sync with “On-Premise AD” and shows “Unlicensed”
    2. User Ann.Heartings@keyman .com shows in sync with “In-Cloud”
    3. User John.Doe@keyman .com shows in sync with “On-Premise AD”
    4. User Molly.Dolly@keyman .com shows in sync with “On-Premise AD” and “Unlicensed”

    Based on the above scenario, my questions are:

    1. How can we merge the users "AHeartings" & "Ann.Heartings" as 1 user and sync to on-premise AD?
    2. With AD Connect Sync, does it sync only the identities (usernames) or both usernames and passwords?
    3. On our corporate computers and network, the user logs in using the AD username; with SSO enabled, will it automatically log the user in to Outlook and other Office apps?
    4. With user Molly Dolly showing in sync with on-premise AD, what is the password for this user on M365? Or do we need to reset the password on M365?
    5. As mentioned, we did the selective sync with an OU, and since we only need to sync 25 out of 200 users for this specific application, is it best to sync an OU or a security group? We have a structured OU based on location and we would like to keep it. However, if the OU is the best way forward over the security group, then we will have to take that path?
    6. For SSO, is it best to use “Pass-Through Authentication” or “Password Hash Synchronization”?
