learn-pr/wwl-sci/implement-manage-hybrid-identity/includes/2-plan-design-implement-azure-active-directory-connect.md (4 additions & 4 deletions)
@@ -38,15 +38,15 @@ When you choose this authentication method, Microsoft Entra ID handles users' si
### Federated authentication
-
When you choose this authentication method, Microsoft Entra ID hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password. The authentication system can provide other advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication.
+
When you choose this authentication method, Microsoft Entra ID hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password. The authentication system can provide other advanced authentication requirements. Examples are smartcard-based authentication or thirdparty multifactor authentication.
-**Effort**. A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Microsoft Entra hybrid identity solution. The maintenance and management of the federated system falls outside the control of Microsoft Entra ID. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the authentication load.
-**User experience**. The user experience of federated authentication depends on the implementation of the features, topology, and configuration of the federation farm. Some organizations need this flexibility to adapt and configure the access to the federation farm to suit their security requirements. For example, it's possible to configure internally connected users and devices to sign in users automatically, without prompting them for credentials. This configuration works because they already signed into their devices. If necessary, some advanced security features make users' sign-in process more difficult.
-**Advanced scenarios**. A federated authentication solution is required when customers have an authentication requirement that Microsoft Entra ID doesn't support natively.
- Authentication that requires smartcards or certificates.
-
- On-premises MFA servers or third-party multifactor providers requiring a federated identity provider.
-
- Authentication by using third-party authentication solutions.
+
- On-premises MFA servers or thirdparty multifactor providers requiring a federated identity provider.
+
- Authentication by using thirdparty authentication solutions.
- Sign in that requires a sAMAccountName, for example DOMAIN\\username, instead of a User Principal Name (UPN), for example, [email protected].
-**Business continuity**. Federated systems typically require a load-balanced array of servers, known as a farm. This farm is configured in an internal network and perimeter network topology to ensure high availability for authentication requests.
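Review bot: the three edits in this hunk replace "third-party" with "thirdparty" (in the federated authentication paragraph and in the two bullets "On-premises MFA servers or thirdparty multifactor providers requiring a federated identity provider." and "Authentication by using thirdparty authentication solutions."), which introduces a spelling error rather than removing one; "third-party" is the correct compound adjective before a noun and should be kept, so these three lines should be reverted.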
@@ -107,7 +107,7 @@ The attribute value must follow the following rules:
- Shouldn't be case-sensitive and avoid values that vary by case
- Should be assigned when the object is created
-
If you have a single forest on-premises, the attribute you should use is **objectGuid**. You can also use the objectGuid attribute when you use express settings in Microsoft Entra Connect. And also the attribute used by DirSync. If you have multiple forests and don't move users between forests and domains, then **objectGUID** is a good attribute to use. Another solution is to pick an existing attribute you know doesn't change. Commonly used attributes include **employeeID**. If you consider an attribute that contains letters, make sure there's no chance the case (upper case vs. lower case) can change for the attribute's value. Bad attributes that shouldn't be used include those attributes with the name of the user. Once the sourceAnchor attribute is decided, the wizard stores the information in your Microsoft Entra tenant. The information will be used by future installation of Microsoft Entra Connect.
+
If you have a single forest on-premises, the attribute you should use is **objectGuid**. You can also use the objectGuid attribute when you use express settings in Microsoft Entra Connect. And also the attribute used by DirSync. If you have multiple forests and don't move users between forests and domains, then **objectGUID** is a good attribute to use. Another solution is to pick an existing attribute you know doesn't change. Commonly used attributes include **employeeID**. If you consider an attribute that contains letters, make sure there's no chance the case (upper case vs. lower case) can change for the attribute's value. Bad attributes include those attributes with the name of the user. Once the sourceAnchor attribute is decided, the wizard stores the information in your Microsoft Entra tenant. The information will be used by future installation of Microsoft Entra Connect.
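Review bot: trimming "that shouldn't be used" from "Bad attributes include those attributes with the name of the user" is fine, but the edited line still mixes "objectGuid" and "objectGUID" for the same attribute and leaves the fragment "And also the attribute used by DirSync." dangling; while this line is being touched, use one casing (the bold "objectGUID") and fold the fragment into the preceding sentence, e.g. "It's also the attribute used by express settings in Microsoft Entra Connect and by DirSync." Also "future installation of Microsoft Entra Connect" should read "future installations".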
learn-pr/wwl-sci/implement-manage-hybrid-identity/includes/3-password-hash-synchronization.md (5 additions & 5 deletions)
@@ -4,13 +4,13 @@ Password hash synchronization is one of the sign-in methods used to accomplish h
:::image type="content" source="../media/password-hash-sync-architecture.png" alt-text="Diagram of Microsoft Entra Connect passes a password hash for a user between on-premises and in the cloud.":::
-
Active Directory Domain Services stores passwords in the form of a hash value representation of the actual user password. A hash value is a result of a one-way mathematical function (the hashing algorithm). There is no method to revert the result of a one-way function to the plain text version of a password. To synchronize your password, Microsoft Entra Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Microsoft Entra authentication service. Passwords are synchronized on a per-user basis and in chronological order.
+
Active Directory Domain Services stores passwords in the form of a hash value representation of the actual user password. A hash value is a result of a one-way mathematical function (the hashing algorithm). There's no method to revert the result of a one-way function to the plain text version of a password. To synchronize your password, Microsoft Entra Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it's synchronized to the Microsoft Entra authentication service. Passwords are synchronized on a per-user basis and in chronological order.
-
The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.
+
The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You can't modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.
-
The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize during the first synchronization. Once the initial synchronization completes, you can set up a **selective password hash synch** for future synchronizations.
+
The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You can't explicitly define a subset of user passwords that you want to synchronize during the first synchronization. Once the initial synchronization completes, you can set up a **selective password hash synch** for future synchronizations.
-
If there are multiple connectors, it is possible to disable password hash sync for some connectors but not others. When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer.
+
If there are multiple connectors, it's possible to disable password hash sync for some connectors but not others. When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer.
## Enable password hash synchronization
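Review bot: the contraction changes are fine, but the fourth edited paragraph still says "**selective password hash synch**" while the next paragraph ("disable password hash sync for some connectors") and the heading "Enable password hash synchronization" use "sync"/"synchronization"; normalize to "selective password hash sync" in the same pass. Separately, "Extra security processing is applied to the password hash before it's synchronized" tells a reader only that something is done to the hash; for a security module it would be worth stating what that processing is, so readers can tell whether the hash stored in Active Directory is what leaves the on-premises network.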
@@ -46,7 +46,7 @@ For reference, this snippet is what it should look like:
Configure PingFederate with Microsoft Entra Connect to set up federation with the domain you want connected. The following prerequisites are required:
- PingFederate 8.4 or later.
-
-A TLS/SSL certificate for the federation service name that you intend to use (for example, sts.contoso.com).
+
-An TLS/SSL certificate for the federation service name that you intend to use (for example, sts.contoso.com).
After you choose to set up federation by using PingFederate in AD Connect, you're asked to verify the domain you want to federate. Select the domain from the drop-down menu.
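Review bot: the only change in this hunk, "A TLS/SSL certificate" to "An TLS/SSL certificate", is a regression: "TLS" is spoken with an initial consonant sound ("tee"), so the article is "a". Revert to "A TLS/SSL certificate for the federation service name that you intend to use (for example, sts.contoso.com)." The unchanged context line below it also says "by using PingFederate in AD Connect" where the rest of the file says "Microsoft Entra Connect"; worth fixing while the hunk is open.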
learn-pr/wwl-sci/implement-manage-hybrid-identity/includes/6-federation.md (4 additions & 4 deletions)
@@ -1,6 +1,6 @@
Federation can use a new or existing on-premises Active Directory farm in Windows Server 2012 R2 (or later), and Microsoft Entra Connect enable users to log into Microsoft Entra resources using their on-premises password.
-
:::image type="content" source="../media/sc300-federation-flow-diagram.png" alt-text="Diagram of federation between on-premises and Microsoft Entra ID. Shows users able log into both on-premises and cloud resources with a single shared login.":::
+
:::image type="content" source="../media/sc300-federation-flow-diagram.png" alt-text="Diagram of federation between on-premises and Microsoft Entra ID. Shows users able log into both on-premises and cloud resources with a single shared sign in.":::
Federation is a collection of domains that have established trust. The level of trust varies, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
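Review bot: "single shared login" to "single shared sign in" goes the right way, but as a noun it should be hyphenated: "with a single shared sign-in". The same alt-text still reads "Shows users able log into both on-premises and cloud resources", which is missing "to" ("able to sign in to", keeping the verb consistent with the new wording). In the unchanged first line, "Microsoft Entra Connect enable users to log into" needs "enables".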
@@ -37,7 +37,7 @@ You can complete various AD FS-related tasks in Microsoft Entra Connect with min
**Repair the trust** You can use Microsoft Entra Connect to check the current health of the AD FS and Microsoft Entra ID trust and take appropriate actions to repair the trust.
-
**Federate with Microsoft Entra ID using AlternateID** It is recommended that the on-premises User Principal Name(UPN) and the cloud User Principal Name are kept the same. If the on-premises UPN uses a non-routable domain (ex. Contoso.local) or cannot be changed due to local application dependencies, we recommend setting up alternate sign in ID. Alternate sign in ID allows you to configure a sign-in experience where users can sign in with an attribute other than their UPN, such as mail. The choice for User Principal Name in Microsoft Entra ID Connect defaults to the userPrincipalName attribute in Active Directory. If you choose any other attribute for User Principal Name and are federating using AD FS, then Microsoft Entra Connect will configure AD FS for alternate sign in ID.
+
**Federate with Microsoft Entra ID using AlternateID** It's recommended that the on-premises User Principal Name(UPN) and the cloud User Principal Name are kept the same. If the on-premises UPN uses a non-routable domain (ex. Contoso.local) or can't be changed due to local application dependencies, we recommend setting up alternate sign in ID. Alternate sign in ID allows you to configure a sign-in experience where users can sign in with an attribute other than their UPN, such as mail. The choice for User Principal Name in Microsoft Entra ID Connect defaults to the userPrincipalName attribute in Active Directory. If you choose any other attribute for User Principal Name and are federating using AD FS, then Microsoft Entra Connect will configure AD FS for alternate sign in ID.
**Add a federated domain** It's easy to add a domain to be federated with Microsoft Entra ID by using Microsoft Entra Connect. Microsoft Entra Connect adds the domain for federation and modifies the claim rules to correctly reflect the issuer when you have multiple domains federated with Microsoft Entra ID.
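Review bot: the "It is"/"cannot" contractions are fine, but the edited line still says "Microsoft Entra ID Connect" while the same sentence and the rest of the file use "Microsoft Entra Connect"; fix the product name here. In the same line, "alternate sign in ID" (three occurrences) should be "alternate sign-in ID" to match "sign-in experience" a few words later, and "User Principal Name(UPN)" needs a space before the parenthesis.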
@@ -47,6 +47,6 @@ Along with **Add and AD FS Server** and **Add an AD FS Web Application Proxy ser
Device writeback is used to enable device-based conditional Access for ADFS-protected devices. This conditional Access provides extra security and assurance that access to applications is granted only to trusted devices. Device writeback enables this security by synchronizing all devices registered in Azure back to the on-premises Active Directory. When configured during setup, the following operations are performed to prepare the AD forest:
-
- If they do not exist already, create and configure new containers and objects under: **CN=Device Registration Configuration,CN=Services,CN=Configuration,\[forest dn \]**.
-
- If they do not exist already, create and configure new containers and objects under: **CN=RegisteredDevices,\[domain-dn\]**. Device objects will be created in this container.
+
- If they don't exist already, create and configure new containers and objects under: **CN=Device Registration Configuration,CN=Services,CN=Configuration,\[forest dn \]**.
+
- If they don't exist already, create and configure new containers and objects under: **CN=RegisteredDevices,\[domain-dn\]**. Device objects will be created in this container.
- Set necessary permissions on the Microsoft Entra Connector account, to manage devices on your Active Directory.
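Review bot: the "do not" to "don't" edits are fine, but while this block is being touched: "conditional Access" (twice in the unchanged lead sentence) should be "Conditional Access" as a product name, "ADFS-protected" should be "AD FS" as spelled elsewhere in this file, and "\[forest dn \]" in the first edited bullet has a stray space before the closing bracket that "\[domain-dn\]" in the second bullet doesn't. The final bullet, "Set necessary permissions on the Microsoft Entra Connector account, to manage devices on your Active Directory", grants the connector account rights over device objects without naming them; listing the permissions would let readers verify what the wizard actually sets on that account.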