The first task addresses determining the organizations business needs. This can be very broad and scope creep can occur if you are not careful. In the beginning, keep it simple but always remember to plan for a design that will accommodate and facilitate change in the future. Regardless of whether it is a simple design or a complex one, Azure Active Directory is the Microsoft Identity platform that supports Microsoft 365, Microsoft Online Services, and cloud aware applications.
28
+
The first task addresses determining the organizations business needs. This task can be broad and scope creep can occur if you are not careful. In the beginning, keep it simple but always remember to plan for a design that will accommodate and facilitate change in the future. Regardless of whether it is a simple design or a complex one, Azure Active Directory is the Microsoft Identity platform that supports Microsoft 365, Microsoft Online Services, and cloud aware applications.
29
29
30
30
## Define an integration strategy
31
-
Microsoft has three main integration scenarios: cloud identities, synchronized identities, and federated identities. You should plan on adopting one of these integration strategies. The strategy you choose can vary and the decisions in choosing one may include, what type of user experience you want to provide, do you have an existing infrastructure, and what is the most cost effective.
31
+
Microsoft has three main integration scenarios: cloud identities, synchronized identities, and federated identities. You should plan on adopting one of these integration strategies. The strategy you choose can vary. Decisions in choosing one may include, what type of user experience you want to provide, do you have an existing infrastructure, and what is the most cost effective.
***Cloud identities**: identities that exist solely in the cloud. In the case of Azure AD, they would reside specifically in your Azure AD directory.
38
-
***Synchronized**: identities that exist on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts. The user’s password hash is synchronized from the on-premises environment to the cloud in what is called a password hash. When using synchronized the one caveat is that if a user is disabled in the on-premises environment, it can take up to three hours for that account status to show up in Azure AD. This behavior is due to the synchronization time interval.
38
+
***Synchronized**: identities that exist on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts. The user’s password hash is synchronized from the on-premises environment to the cloud in what is called a password hash. Remember that if a user is disabled in the on-premises environment, it can take up to three hours for that account status to show up in Azure AD. This behavior is due to the synchronization time interval.
39
39
***Federated**: identities exist both on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts.
40
40
41
41
> [!NOTE]
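Review bot: the rewritten Synchronized bullet (the `+` line at 38) keeps the circular phrase "The user's password hash is synchronized ... in what is called a password hash"; it should name the feature, "in what is called password hash synchronization", otherwise the sentence defines nothing. The security point of the three-hour caveat is also left implicit: a user disabled on-premises can still sign in to Azure AD until the next sync cycle completes, so say that directly rather than only that the "account status" shows up late. Two smaller points in the same hunk: "organizations business needs" (both versions of line 28) needs an apostrophe ("organization's"), and the identity bullets are written as `***Cloud identities**:` with no space after the list marker, so Markdown renders them as emphasis rather than list items; write `* **Cloud identities**:`.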
@@ -49,7 +49,7 @@ The following table helps in determining the advantages and disadvantages of eac
49
49
| --- | --- | --- |
50
50
|**Cloud identities**|Easier to manage for small organization. <br> Nothing to install on-premises. No extra hardware needed<br>Easily disabled if the user leaves the company |Users will need to sign in when accessing workloads in the cloud <br> Passwords may or may not be the same for cloud and on-premises identities |
51
51
|**Synchronized**|On-premises password authenticates both on-premises and cloud directories <br>Easier to manage for small, medium, or large organizations <br>Users can have single sign-on (SSO) for some resources <br> Microsoft preferred method for synchronization <br> Easier to manage |Some customers may be reluctant to synchronize their directories with the cloud due specific company’s policies |
52
-
|**Federated**|Users can have single sign-on (SSO) <br>If a user is terminated or leaves, the account can be immediately disabled and access revoked,<br> Supports advanced scenarios that cannot be accomplished with synchronized |More steps to set up and configure <br> Higher maintenance <br> May require extra hardware for the STS infrastructure <br> May require extra hardware to install the federation server. Additional software is required if AD FS is used <br> Require extensive setup for SSO <br> Critical point of failure if the federation server is down, users won’t be able to authenticate |
52
+
|**Federated**|Users can have single sign-on (SSO) <br>If a user is terminated or leaves, the account can be immediately disabled and access revoked,<br> Supports advanced scenarios that cannot be accomplished with synchronized |More steps to set up and configure <br> Higher maintenance <br> May require extra hardware for the STS infrastructure <br> May require extra hardware to install the federation server. Other software is required if AD FS is used <br> Require extensive setup for SSO <br> Critical point of failure if the federation server is down, users won’t be able to authenticate |
53
53
54
54
### Client experience
55
55
The strategy that you use will dictate the user sign-in experience. The following tables provide you with information on what the users should expect their sign-in experience to be. Not all federated identity providers support SSO in all scenarios.
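Review bot: changing "Additional software is required if AD FS is used" to "Other software is required if AD FS is used" (line 52) changes the meaning: "other" implies something besides AD FS, whereas the point is that AD FS itself is software that must be installed and maintained on the federation server. Suggest "AD FS (or another STS) must be installed and maintained", and while here merge the two overlapping bullets "May require extra hardware for the STS infrastructure" and "May require extra hardware to install the federation server", which say the same thing; the stray comma after "access revoked," should be a period. In the unchanged Synchronized row (line 51), "Easier to manage" appears twice; one occurrence is enough.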
@@ -73,7 +73,7 @@ The strategy that you use will dictate the user sign-in experience. The followi
73
73
| Exchange ActiveSync |Prompt for credentials |single sign-on for Lync, prompted credentials for Exchange |
74
74
| Mobile apps |Prompt for credentials |Prompt for credentials |
75
75
76
-
If you have determined from task 1 that you have a third-party IdP or are going to use one to provide federation with Azure AD, you need to be aware of the following supported capabilities:
76
+
If you have a third-party IdP or are going to use one to provide federation with Azure AD, you need to be aware of the following supported capabilities:
77
77
78
78
* Any SAML 2.0 provider that is compliant for the SP-Lite profile can support authentication to Azure AD and associated applications
79
79
* Supports passive authentication, which facilitates authentication to OWA, SPO, etc.
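Review bot: dropping "you have determined from task 1 that" (line 76) removes the only pointer to where the IdP decision is made, while later text in this file still refers to "step 2" and "the evaluation you did above"; either keep the cross-reference or make it explicit ("from the business-needs task above"). Two wording points in the unchanged lines: the table cell "single sign-on for Lync, prompted credentials for Exchange" (line 73) should be capitalized like the other cells, and "compliant for the SP-Lite profile" reads better as "compliant with the SAML 2.0 SP-Lite profile".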
@@ -91,7 +91,7 @@ You must also be aware of what capabilities will not be available:
91
91
>
92
92
93
93
## Define synchronization strategy
94
-
In this task you will define the tools that will be used to synchronize the organization’s on-premises data to the cloud and what topology you should use. Because, most organizations use Active Directory, information on using Azure AD Connect to address the questions above is provided in some detail. For environments that do not have Active Directory, there is information about using FIM 2010 R2 or MIM 2016 to help plan this strategy. However, future releases of Azure AD Connect will support LDAP directories, so depending on your timeline, this information may be able to assist.
94
+
This task defines the tools that will be used to synchronize the organization’s on-premises data to the cloud and what topology you should use. Because, most organizations use Active Directory, information on using Azure AD Connect to address the questions above is provided in some detail. For environments that do not have Active Directory, there is information about using FIM 2010 R2 or MIM 2016 to help plan this strategy. However, future releases of Azure AD Connect will support LDAP directories, so depending on your timeline, this information may be able to assist.
95
95
96
96
### Synchronization tools
97
97
Over the years, several synchronization tools have existed and used for various scenarios. Currently Azure AD Connect is the go to tool of choice for all supported scenarios. AAD Sync and DirSync are also still around and may even be present in your environment now.
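Review bot: the rewritten line 94 still carries the stray comma in "Because, most organizations use Active Directory" and the dangling "address the questions above" (no questions precede it in this section); suggest "Because most organizations use Active Directory, this section covers Azure AD Connect in detail." The forward-looking sentence "future releases of Azure AD Connect will support LDAP directories" has no date or version and will silently go stale; cite the planned release or cut it. Minor, in the unchanged line 97: "the go to tool of choice" should be "go-to tool", and "have existed and used" needs "been" ("have existed and been used").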
@@ -103,7 +103,7 @@ Over the years, several synchronization tools have existed and used for various
103
103
104
104
### Supported topologies
105
105
When defining a synchronization strategy, the topology that is used must be determined. Depending on the information that was determined in step 2 you can determine which topology is the proper one to use.
106
-
The single forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single instance of Azure AD. This topology is going to be used in a majority of the scenarios and is the expected topology when using Azure AD Connect Express installation as shown in the figure below.
106
+
The single forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single instance of Azure AD. This topology is going to be used in a most scenarios and is the expected topology when using Azure AD Connect Express installation as shown in the figure below.
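Review bot: the edit to line 106 introduces a grammatical error: "This topology is going to be used in a most scenarios" (the article "a" was left behind when "a majority of" became "most"). Suggest "This topology is used in most scenarios and is the one Azure AD Connect Express installation expects". Also, "step 2" in the unchanged line 105 should use the same term as the rest of the file ("task").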
@@ -118,19 +118,19 @@ It is common for large and even small organizations to have multiple forests, as
118
118
119
119
Multi-Forest Scenario
120
120
121
-
If this is the case, then the multi-forest single Azure AD topology should be considered if the following items are true:
121
+
The multi-forest single Azure AD topology should be considered if the following items are true:
122
122
123
-
* Users have only 1 identity across all forests – the uniquely identifying users section below describes this in more detail.
123
+
* Users have only 1 identity across all forests – the uniquely identifying users section below describes this scenario in more detail.
124
124
* The user authenticates to the forest in which their identity is located
125
125
* UPN and Source Anchor (immutable id) will come from this forest
126
-
* All forests are accessible by Azure AD Connect – this means it does not need to be domain joined and can be placed in a DMZ if this facilitates this.
126
+
* All forests are accessible by Azure AD Connect – meaning it does not need to be domain joined and can be placed in a DMZ.
127
127
* Users have only one mailbox
128
128
* The forest that hosts a user’s mailbox has the best data quality for attributes visible in the Exchange Global Address List (GAL)
129
129
* If there is no mailbox on the user, then any forest may be used to contribute values
130
130
* If you have a linked mailbox, then there is also another account in a different forest used to sign in.
131
131
132
132
> [!NOTE]
133
-
> Objects that exist in both on-premises and in the cloud are “connected” via a unique identifier. In the context of Directory Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this is referred to as the ImmutableId. [Design concepts for Azure AD Connect](plan-connect-design-concepts.md#sourceanchor) for more considerations regarding the use of SourceAnchor.
133
+
> Objects that exist in both on-premises and in the cloud are “connected” via a unique identifier. In the context of Directory Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this identifier is referred to as the ImmutableId. [Design concepts for Azure AD Connect](plan-connect-design-concepts.md#sourceanchor) for more considerations regarding the use of SourceAnchor.
134
134
>
135
135
>
136
136
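Review bot: the rewrite of the DMZ bullet (line 126) turns a conditional ("can be placed in a DMZ if this facilitates this") into what reads as a recommendation ("can be placed in a DMZ"). This server synchronizes password hashes from every forest it reaches (see the Synchronized bullet earlier in this file), so it should be protected like a domain controller and placed in a DMZ only when forest reachability genuinely requires it; keep a qualifier such as "if that is the only way to reach all forests". Two smaller points: the rewritten SourceAnchor note (line 133) still lacks a verb before the link ("See [Design concepts for Azure AD Connect](...) for more considerations"), and "only 1 identity" (line 123) should be spelled out ("only one identity") to match "only one mailbox" below it.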
@@ -140,15 +140,15 @@ If the above are not true and you have more than one active account or more than
140
140
141
141
**Multi-forest multiple Azure AD scenario**
142
142
143
-
It is recommended to have just a single directory in Azure AD for an organization but it is supported it a 1:1 relationship is kept between an Azure AD Connect sync server and an Azure AD directory. For each instance of Azure AD, you need an installation of Azure AD Connect. Also, Azure AD, by design is isolated and users in one instance of Azure AD will not be able to see users in another instance.
143
+
It is recommended to have just a single directory in Azure AD for an organization. However, it is supported if a 1:1 relationship is kept between an Azure AD Connect sync server and an Azure AD directory. For each instance of Azure AD, you need an installation of Azure AD Connect. Also, Azure AD, by design is isolated and users in one instance of Azure AD, will not be able to see users in another instance.
144
144
145
145
It is possible and supported to connect one on-premises instance of Active Directory to multiple Azure AD directories as shown in the figure below:
* Azure AD Connect sync servers must be configured for filtering so they each have a mutually exclusive set of objects. This done, for example, by scoping each server to a particular domain or OU.
154
154
* A DNS domain can only be registered in a single Azure AD directory so the UPNs of the users in the on-premises AD must use separate namespaces
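Review bot: the rewrite of line 143 fixes "supported it a 1:1" but adds a comma splice in "users in one instance of Azure AD, will not be able to see users in another instance"; drop that comma. In the same sentence, "Azure AD, by design is isolated" needs the second comma ("Azure AD, by design, is isolated"). The unchanged context line "This done, for example, by scoping each server to a particular domain or OU" is missing "is" ("This is done, for example, ...").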
@@ -158,7 +158,7 @@ To do this, the following must be true:
158
158
* Group write-back with default configuration
159
159
* Device write-back
160
160
161
-
The following is not supported and should not be chosen as an implementation:
161
+
The following items are not supported and should not be chosen as an implementation:
162
162
163
163
* It is not supported to have multiple Azure AD Connect sync servers connecting to the same Azure AD directory even if they are configured to synchronize mutually exclusive set of object
164
164
* It is unsupported to sync the same user to multiple Azure AD directories.
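Review bot: the unchanged line 163 in this hunk reads "synchronize mutually exclusive set of object" and should be "mutually exclusive sets of objects"; worth fixing while the lead sentence ("The following items are not supported") is being touched. Lines 163 and 164 also alternate between "It is not supported" and "It is unsupported"; pick one form.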
@@ -172,7 +172,7 @@ The following is not supported and should not be chosen as an implementation:
172
172
>
173
173
174
174
## Define multi-factor authentication strategy
175
-
In this task you will define the multi-factor authentication strategy to use. Azure AD Multi-Factor Authentication comes in two different versions. One is a cloud-based and the other is on-premises based using the Azure MFA Server. Based on the evaluation you did above you can determine which solution is the correct one for your strategy. Use the table below to determine which design option best fulfills your company’s security requirement:
175
+
In this task, you will define the multi-factor authentication strategy to use. Azure AD Multi-Factor Authentication comes in two different versions. One is a cloud-based and the other is on-premises based using the Azure MFA Server. Based on the evaluation you did above you can determine which solution is the correct one for your strategy. Use the table below to determine which design option best fulfills your company’s security requirement:
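Review bot: the rewrite of line 175 keeps "One is a cloud-based and the other is on-premises based", which should read "One is cloud-based and the other is on-premises, using the Azure MFA Server". "Based on the evaluation you did above" has no clear referent in this hunk; name the tasks it means (the integration and synchronization strategy tasks earlier in the file).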