Commit b798874

2 parents a5adeae + 5db745d commit b798874

360 files changed

+3855
-2476
lines changed

.openpublishing.redirection.json

Lines changed: 18 additions & 1 deletion
@@ -22921,7 +22921,7 @@
2292122921
},
2292222922
{
2292322923
"source_path": "articles/active-directory/active-directory-reporting-power-bi-content-pack-how-to.md",
22924-
"redirect_url": "/azure/active-directory/reports-monitoring/howto-power-bi-content-pack",
22924+
"redirect_url": "azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks",
2292522925
"redirect_document_id": false
2292622926
},
2292722927
{
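Review bot: The new `redirect_url` at line 22924 drops the leading slash (`"azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks"`), while the value it replaces and every other `redirect_url` visible in this file start with `/azure/...`. Without the leading slash the target reads as a relative path rather than a site-rooted one, so restore it: `"redirect_url": "/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks",`.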
@@ -22984,6 +22984,23 @@
2298422984
"redirect_url": "/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub",
2298522985
"redirect_document_id": true
2298622986
},
22987+
{
22988+
"source_path": "articles/active-directory/reports-monitoring/quickstart-install-power-bi-content-pack.md",
22989+
"redirect_url": "/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks",
22990+
"redirect_document_id": false
22991+
},
22992+
{
22993+
"source_path": "articles/active-directory/reports-monitoring/howto-power-bi-content-pack.md",
22994+
"redirect_url": "/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks",
22995+
"redirect_document_id": false
22996+
},
22997+
{
22998+
"source_path": "articles/active-directory/reports-monitoring/troubleshoot-content-pack.md",
22999+
"redirect_url": "/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks",
23000+
"redirect_document_id": false
23001+
},
23002+
23003+
2298723004
{
2298823005
"source_path": "articles/active-directory/reporting-azure-monitor-diagnostics-azure-storage-account.md",
2298923006
"redirect_url": "/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account",
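Review bot: Lines 23002 and 23003 add two empty lines between the new `troubleshoot-content-pack.md` entry and the existing `reporting-azure-monitor-diagnostics-azure-storage-account.md` entry; no other entries in the visible context are separated by blank lines, so drop them. The three new entries themselves use the site-rooted form `/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks`, which is the form the edited entry at line 22924 should match.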

.vscode/extensions.json

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
{
2+
"recommendations": [
3+
"docsmsft.docs-authoring-pack"
4+
]
5+
}

articles/active-directory-b2c/active-directory-b2c-custom-setup-goog-idp.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ ms.subservice: B2C
1717

1818
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
1919

20-
This article shows you how to enable sign-in for users from a Google account by using [custom policies](active-directory-b2c-overview-custom.md) in Azure Active Directory B2C (Azure AD B2C).
20+
This article shows you how to enable sign-in for users with a Google account by using [custom policies](active-directory-b2c-overview-custom.md) in Azure Active Directory B2C (Azure AD B2C).
2121

2222
## Prerequisites
2323

articles/active-directory-domain-services/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -25,6 +25,8 @@
2525
href: powershell-create-instance.md
2626
- name: Concepts
2727
items:
28+
- name: Administration basics
29+
href: administration-concepts.md
2830
- name: Common deployment scenarios
2931
href: scenarios.md
3032
- name: How Azure AD DS synchronization works
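Review bot: The new TOC entry at line 28 is named `Administration basics`, but the article it links to (`administration-concepts.md`) is titled "Management concepts for user accounts, passwords, and administration in Azure Active Directory Domain Services". Consider a name closer to that title, such as `Management concepts`, so the TOC label and the page heading match.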
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
---
2+
title: Management concepts for Azure AD Domain Services | Microsoft Docs
3+
description: Learn about how to administer an Azure Active Directory Domain Services managed domain and the behavior of user accounts and passwords
4+
services: active-directory-ds
5+
author: iainfoulds
6+
manager: daveba
7+
8+
ms.service: active-directory
9+
ms.subservice: domain-services
10+
ms.workload: identity
11+
ms.topic: conceptual
12+
ms.date: 10/08/2019
13+
ms.author: iainfou
14+
15+
---
16+
17+
# Management concepts for user accounts, passwords, and administration in Azure Active Directory Domain Services
18+
19+
When you create and run an Azure Active Directory Domain Services (AD DS) managed domain, there are some differences in behavior compared to a traditional on-premises AD DS environment. You use the same administrative tools in Azure AD DS as a self-managed domain, but you can't directly access the domain controllers (DC). There's also some differences in behavior for password policies and password hashes depending on the source of the user account creation.
20+
21+
This conceptual article details how to administer an Azure AD DS managed domain and the different behavior of user accounts depending on the way they're created.
22+
23+
## Domain management
24+
25+
In Azure AD DS, the domain controllers (DCs) that contain all the resources like users and groups, credentials, and policies are part of the managed service. For redundancy, two DCs are created as part of an Azure AD DS managed domain. You can't sign in to these DCs to perform management tasks. Instead, you create a management VM that's joined to the Azure AD DS managed domain, then install your regular AD DS management tools. You can use the Active Directory Administrative Center or Microsoft Management Console (MMC) snap-ins like DNS or Group Policy objects, for example.
26+
27+
## User account creation
28+
29+
User accounts can be created in Azure AD DS in multiple ways. Most user accounts are synchronized in from Azure AD, which can also include user account synchronized from an on-premises AD DS environment. You can also manually create accounts directly in Azure AD DS. Some features, like initial password synchronization or password policy, behave differently depending on how and where user accounts are created.
30+
31+
* The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure AD, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect.
32+
* The majority of user accounts in Azure AD DS are created through the synchronization process from Azure AD.
33+
* The user account can be manually created in an Azure AD DS managed domain, and doesn't exist in Azure AD.
34+
* If you need to create service accounts for applications that only run in Azure AD DS, you can manually create them in the managed domain. As synchronization is one-way from Azure AD, user accounts created in Azure AD DS aren't synchronized back to Azure AD.
35+
36+
## Password policy
37+
38+
Azure AD DS includes a default password policy that defines settings for things like account lockout, maximum password age, and password complexity. Settings like account lockout policy apply to all users in Azure AD DS, regardless of how the user was created as outlined in the previous section. A few settings, like minimum password length and password complexity, only apply to users created directly in Azure AD DS.
39+
40+
You can create your own custom password policies to override the default policy in Azure AD DS. These custom policies can then be applied to specific groups of users as needed.
41+
42+
For more information on the differences in how password policies are applied depending on the source of user creation, see [Password and account lockout policies on managed domains][password-policy].
43+
44+
## Password hashes
45+
46+
To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.
47+
48+
For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.
49+
50+
For users synchronized from an on-premises AD DS environment using Azure AD Connect, [enable synchronization of password hashes][hybrid-phs].
51+
52+
> [!IMPORTANT]
53+
> Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant. Legacy password hashes aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment with Azure AD.
54+
>
55+
> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization][secure-domain].
56+
57+
Once appropriately configured, the usable password hashes are stored in the Azure AD DS managed domain. If you delete the Azure AD DS managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Azure AD can't be reused if you later create an Azure AD DS managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Azure AD needs to generate and store the password hashes in the new Azure AD DS managed domain. For more information, see [Password hash sync process for Azure AD DS and Azure AD Connect][azure-ad-password-sync].
58+
59+
## Next steps
60+
61+
To get started, [create an Azure AD DS managed domain][create-instance].
62+
63+
<!-- INTERNAL LINKS -->
64+
[password-policy]: password-policy.md
65+
[hybrid-phs]: tutorial-configure-password-hash-sync.md#enable-synchronization-of-password-hashes
66+
[secure-domain]: secure-your-domain.md
67+
[azure-ad-password-sync]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services
68+
[create-instance]: tutorial-create-instance.md
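Review bot: At line 19 the abbreviation is introduced as "Azure Active Directory Domain Services (AD DS)", and the same sentence then uses "AD DS" for the on-premises product; the rest of the article uses "Azure AD DS" for the managed service, so the parenthetical should read "(Azure AD DS)" to keep the two distinct, which matters here because the article's whole point is how the managed domain differs from on-premises AD DS. Smaller wording points: line 19 "There's also some differences" should be "There are also some differences", and "(DC)" there should match "(DCs)" at line 25; line 29 "can also include user account synchronized" should be "user accounts synchronized". At line 57, "Synchronized credential information in Azure AD can't be reused if you later create an Azure AD DS managed domain" would be clearer as "if you later create another Azure AD DS managed domain", since the preceding sentence is about deleting one.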