The idea of this tutorial is to guide you through how you create a hybrid environment for your on-premises AD and your Azure AD using a tool called Azure AD Connect. You have a number of options to achieve “Hybrid Identity” which are Password hash synchronisation (PHS), Pass-through authentication (PTA) and Federation, below is a little description of what each one does. I am going to configure PHS in my tutorial and perhaps move onto PTA at some point which should spawn a new post so keep an eye out for that one.
- Password hash synchronisation (PHS) – The most commonly used option, if you choose express settings when configuring AD Connect then it uses this method. PHS synchronises a hash of the hash from the users password from the on-premises AD instance to the Azure AD instance. sounds like a mouthful right but the diagram below shows you how it works. This is ideal for a corporate/enterprise environment as it negates the need for multiple passwords as you can sign into Office 365 for example using the same password you would use to authenticate yourself through your on-premises AD. For more information about how PHS works then use this link here
- Pass-through authentication (PTA) – PTA allows users to sign into your on-premises and Cloud applications with the same password, this is perfect for efficiency, security (passwords are never stored in the cloud) and availability. You can integrate this with features such as MFA, SSPR and it is supported in a multi-forest AD environment. The diagram below shows you what the process is for PTA. Find out more information about how PTA works visit this link here
Federation – This is basically a group of domains that have established trust, this is especially useful for enabling companies to share resources. If you already have AD FS on-premises setup and configured then you can also setup PHS as a backup. Below is a diagram of how Federation works, you can find more information by clicking on this link here
- Azure Subscription with a tenant configured and a global administrator account
- Windows Server 2016 with AD DS configured with a domain admin account
- Internet Connection (Mine is using a Hyper-V VM with an internal switch with internet sharing setup on the host ethernet adapter)
- AD Connect software (available here)
- First thing you need to do is logon to your on-premises AD Server, locate the Azure AD Connect.msi file and run it
- This screen just explains a little about what the AD Connect tool does and guides you in the direction that is suitable for your infrastructure. Tick the box if its not already ticked to agree to the Terms and click Continue
- This is the part where you can customise your settings or choose the express settings method, i will be using PHS so this is ideal for me. Click Use Express Settings
- If you do choose Customize then this is the window you would see for the user sign-in method
- This is where you need to enter your global administrator credentials for your tenant, for me it would be something like firstname.lastname@example.org. Click Next and you should be authenticated on your Azure AD side, if not this page is ideal for troubleshooting solutions Troubleshoot Hybrid Connectivity
- When you get to this window you are asked to provide your on-premises AD Domain admin credentials, again if you have any issues click the troubleshooting link to see if your problem has already been documented. Click Next
- Once you are happy to proceed ensure the box is ticked as shown and click Install
- The size of your on-premises AD and your Azure AD will determine how long the synchronisation will take, for me it took around 5-10 minutes and i was presented with this window. I took note of any recommendations and clicked Exit
- You will notice your AD Server Start menu has a few extra Azure AD Connect tools now once the install has completed
- When i run the Synchronization Service Manager you can see that the Sync was successful, you can use this tool to configure the complicated aspects of the sync engine and view the operational aspects of the newly configured service.
- When i login to my Azure portal, navigate to Azure Active Directory>Azure AD Connect i can see my sync status too. From here i logged onto my Azure portal with a user account i had created earlier using the on-premises AD Server.