Hello and welcome back to Cy Berries. Microsoft Azure Administrator A Z 103 Course, this is Episode 49 Azure Active Directory Connect. And I'm your instructor, Will Carlson.
In today's episode, we're going to talk about what is azure A. D connect, and to point back to the exam reference for the easy one of three exam. This is gonna be the section that talks about configuring, managing and maintaining hybrid identity and hybrid identity simply means that we've got Azure active directory
solution managing identity. So we've got it Hybrid we have on prim and Cloud. So how do we do this? What does it look like? So to illustrate this, I want to jump into a section here in Portal and we're gonna go back to Azure Active Directory where we've been in the past few episodes,
and we're gonna come down here Toe azure 80 Connect
as your A D Connect is going to be an application that you will install on your on premise environment that's gonna connect to your active directory domain service's environment. And it's going to synchronize those user accounts and groups over into azure active directory, and you can get to that simply by clicking here,
and that's gonna take you to the Azure 80 Connect download. You'll download the software, install it on Bram and then configure it, and we'll walk through what some of those configuration options here as visible in portal. Suffice it to say it's relatively straightforward to set up, and there are a number of options as well.
Want to call your attention at this point, though, to the resource is tab here in cyber ery down below, where you'll find a really great lab on how to do this on the get hub site. So I highly encourage you to go through that lab from the Get Hub site about installing and configuring Azure A D connect.
It's relatively involved, but it is a really great lab for illustrating the full configuration stack for Azure 80 Connect.
Come back over here to portal. However,
we can see that sink has not currently been run, which makes sense. I have not deployed as your A D connect in this environment,
and password hash sink is disabled. Now you have a number of ways that you can share identity from your on Prem equipment to your azure a. D. Instance.
Password Hash sink is simply going to be one of the ways in which we do this, and what this does is it takes the hashes of your user passwords, and it saves them off and tow azure active directory. Now obviously those passwords or not in clear text, but the hashes of those passwords are stored in Azure a D.
That may or may not be a problem for some, but that eliminates our need to create openings in our firewall into our active directory environment to handle this authentication. So it is a relatively simple way to do some other single sign on type things here with azure actor directory.
We enable password hash sink, the hashes air saved out in Azure 80
and we're good to go. However, I also want to call out that as your A D Connect has another really great option in its configuration, and that's going to be passed through authentication, and you can see that here under user sign in,
and what this essentially is going to do is
your azure. A D connect installation is going to be contacting the azure a D cloud on an interval, and it's going to be looking for user's wanting to authenticate. And as soon as it finds somebody queued up to authenticate your azure, A D Connect
implements a connection outbound from your environment to the azure A D in the cloud,
and it will authenticate the user that way. The really great thing about path rock Indication is it doesn't store your password. Hash is in the cloud,
and you're not required to open any ports on your firewall, because Azure A D Connect is instigating the connection from inside your environment. No internal, no inbound ports are required to be open. Hester Authentication is a really interesting tool that they've implemented here in Azure 80 Connect.
Now, once we have an ability to authenticate as an internal user to azure a d. I can implement some really interesting single sign on options and think about this for an office 3 65 deployment where your user has the client side version of office installed, they typically would still have to authenticate.
But if I've set up Azure 80 connect and enabled single sign on as soon as my user logs into their computer. They're automatically signed in tow. Office 3 65 as well.
Single sign on a really great solution for a whole host of products. I recommend you checking into that for your production environment. It really can alleviate a number of administrative headaches.
Federation here in Azure active directory is gonna be just like federation and any other service I can authenticate and use 1/3 party credential. Ultimately, to gain access to azure workloads. Those federation agreements and arrangements will have to be set up here within azure. So as your nose,
who isn't authorised Federation Service's provider for your environment.
And then you can simply use your third party credentials to authenticate to azure workloads of various kinds. And the last thing I want to point out here about Azure 80 Connect is that there is an azure a D connect health
application or blade here as well. And this is gonna help you make sure that everything is working clearly with azure A. D. Connect the way that you would expect.
The lab points to this to a certain extent again, I highly recommend you step through that lab, and you also get some health information in the A Z Connect application itself.
Of particular mention is, for example, if you're
sinking, password hash is, and all of a sudden a password, hash is not sink TW Users may not be able to log in to their as your workloads anymore, And that would be because Azure A D hasn't sink to the change of your on premise environment, and this could cause some connective ity issues.
Yet another reason possibly to avoid
password hash sinking and simply used, passed through authentication. But the azure Adie connect health is a great tool to use to make sure that the sink is actually working the way that you expect and to help you troubleshoot any issues with Azure 80 connect.
So in today's episode, we talked about using Azure A D connect to enable our hybrid identity solution Here in Azure. We also talked about a number of ways we could handle authentication all the way from Federation Service is to single sign on toe sinking password hash is to pass through authentication,
and we talked briefly about how just the fact that
as your 80 connect health is there for us when we run into any issues with our azure 80 connect
coming up. Next, we talk a little bit more about what we can do now that we have our on prime users synchronized with our azure A D environment and some of the fun that we can have and some of the interesting things that Microsoft offers us as administrators in the way that we manage identity using the azure platform. Thanks so much for joining me today.
I'm looking forward to the next episode.