Authentication: Microsoft Entra Cloud Sync: Difference between revisions

From sysadminafterdark docs
[[Category:Authentication|Microsoft Entra ID Connect]]
== History ==
[[Authentication: Microsoft Entra Cloud Sync]] is a new offering from Microsoft designed to accomplish your hybrid identity goals: synchronizing users, groups, and contacts to Microsoft Entra ID. It does this with the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. You can learn more about Microsoft Entra Cloud Sync and the new features it offers by reading Microsoft's [https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync#how-is-microsoft-entra-cloud-sync-different-from-microsoft-entra-connect-sync What is Microsoft Entra Cloud Sync?] article.
== Deployment ==
The following setup guide walks through a typical deployment to synchronize an already configured [[Authentication:Active Directory]] domain with [[Authentication: Microsoft Entra Cloud Sync]]. It is HIGHLY recommended you read Microsoft's [https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-install Install the Microsoft Entra provisioning agent] article, as I have, to ensure you are using the correct agent for your environment and are following best practices. Deploying the agent on an Active Directory Domain Controller appears to be fully supported now. Unfortunately, [[Servers: SAD-DC01]] and [[Servers: SAD-DC02]] both run Windows Server Core, which is still not supported. Future domain controllers in my environment will most likely follow suit, so I will be installing the agent on [[Servers: SAD-AUTH01]], which, in addition to the agent, hosts [[Authentication: Microsoft NPS]] to authenticate [[Network: Road Warrior VPN]].
=== Set up an additional Active Directory UPN ===
An Active Directory User Principal Name (UPN) suffix is a DNS domain name; by default it is the Windows domain name. For example, my default UPN suffix is internal.sysadminafterdark.com. To meet the prerequisites for syncing the directory with Entra, another UPN suffix for sysadminafterdark.com must be added, and the users we would like to sync must be changed to it.
# On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), open Active Directory Domains and Trusts.
# On the sidebar, at the top of the tree, right click Active Directory Domains and Trusts and click Properties.
# Under "Alternative UPN Suffixes", enter the name of the domain you publicly utilize. In my case, this is sysadminafterdark.com. Then click Add, Apply, and finally, OK.
=== Change Users To New UPN ===
The following process was used to convert users to the new UPN. At larger scales, you may want to use a PowerShell script. I personally only have three users that will be syncing to Entra, so this process was performed manually.
# On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), open Active Directory Users and Computers.
# Navigate to the user you wish to modify, right click, then click Properties.
# At the top of the window, click Account.
# Under User Logon Name, click the dropdown and select the new UPN. Click Apply, then click OK.
# Repeat this process for any users you will be synchronizing to Entra.
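For the larger-scale case mentioned above, here is an added example (not from the original page) of the UPN conversion as a PowerShell script. It only changes users in one OU that still carry the old suffix, refuses to run if the new suffix is not registered in Domains and Trusts, and reports only unless you pass -Apply. The OU path and both suffixes are placeholders.

```powershell
# Added example: bulk UPN suffix conversion for the users that will sync to Entra.
# Placeholder OU and suffixes; edit for your forest. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase = 'OU=Entra Synced Users,DC=internal,DC=sysadminafterdark,DC=com',
    [string]$OldSuffix  = 'internal.sysadminafterdark.com',
    [string]$NewSuffix  = 'sysadminafterdark.com',
    [switch]$Apply      # without -Apply the script only reports what it would change
)
Import-Module ActiveDirectory

# The new suffix must already exist under "Alternative UPN Suffixes" (previous section).
# Set-ADUser would otherwise still succeed, but the UPN would not match a verified Entra domain.
if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered as an alternative UPN suffix in the forest."
}

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties UserPrincipalName

foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        Write-Warning "$($u.SamAccountName): no UPN set, skipping"
        continue
    }
    # Split once on '@' so the prefix is kept exactly as-is.
    $prefix, $suffix = $u.UserPrincipalName -split '@', 2
    if ($suffix -ne $OldSuffix) {
        Write-Host "$($u.SamAccountName): suffix '$suffix' left unchanged"
        continue
    }
    $newUpn = "$prefix@$NewSuffix"

    # UPNs must be unique; skip rather than create a collision with another account.
    $dup = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
    if ($dup -and $dup.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "$($u.SamAccountName): $newUpn already used by $($dup.SamAccountName), skipping"
        continue
    }

    if ($Apply) {
        # Note: the user signs in with the new UPN from this point on.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        Write-Host "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    } else {
        Write-Host "[report only] $($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    }
}
```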
=== Create a Hybrid Identity Administrator Service Account ===
It is extremely important to follow the principle of least privilege. This process creates an unlicensed Office 365 hybrid administrator account used only to connect the tenant to on-prem Active Directory.
# On the Users tab on the sidebar, click Active Users, then click Add a user.
# Create a service account to use as your designated hybrid administrator. I am calling mine [[Users and Groups: svc_hybrid]]. Record the username and password for later use.
## NOTE: You DO NOT need to assign a license to this account.
# On the Optional Settings tab, select the Admin Center Access bubble, scroll down and click Show All By Category.
# Scroll down to the Identity section, then check "Hybrid Identity Administrator" then click Next, then click Finish.
=== Ensure TLS 1.2 is Enabled ===
Microsoft provides a PowerShell script that sets the registry entries required to force TLS 1.2, which Microsoft Entra Cloud Sync requires. You can find it in Microsoft's article [https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-tls-enforcement TLS 1.2 enforcement for Microsoft Entra Connect]. Please note that a reboot is required after these changes are made.
=== Ensure TLS 1.3 is Disabled ===
Please see my blog post [https://sysadminafterdark.com/to-the-rescue-working-with-the-microsoft-entra-id-team/ To The Rescue: Working With The Microsoft Entra ID Team] for more information on this. Perform the following steps to ensure TLS 1.3 is disabled:
# Open Windows Registry Editor (regedit.exe) and navigate to the following hive: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
# Create a new key called TLS 1.3 then create a new key within called Client. In the Client key, create a DWORD 32-bit value called Enabled and set the value to 0.
# Reboot the server.
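To verify both TLS sections above before rebooting, here is an added audit script (not from the original page or from Microsoft's article). It reads the SCHANNEL values this guide expects (TLS 1.2 client and server enabled and not disabled by default, TLS 1.3 client disabled) and can apply the TLS 1.3 registry step; it assumes an elevated PowerShell session and does not cover the .NET Framework strong-crypto values that Microsoft's TLS 1.2 script also sets.

```powershell
# Added example: audit the SCHANNEL protocol registry state this guide requires,
# and optionally apply the "TLS 1.3\Client\Enabled = 0" step. Run elevated; reboot afterwards.
param([switch]$ApplyTls13Disable)

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelValue {
    param([string]$Protocol, [string]$Side, [string]$Name)
    $key = Join-Path $protocols "$Protocol\$Side"
    if (-not (Test-Path $key)) { return $null }   # key absent: the OS default applies
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Expected state: TLS 1.2 explicitly enabled for Client and Server (Microsoft's TLS 1.2
# enforcement article), TLS 1.3 Client explicitly disabled (this guide).
$expected = @(
    @{ Protocol = 'TLS 1.2'; Side = 'Client'; Name = 'Enabled';           Value = 1 },
    @{ Protocol = 'TLS 1.2'; Side = 'Client'; Name = 'DisabledByDefault'; Value = 0 },
    @{ Protocol = 'TLS 1.2'; Side = 'Server'; Name = 'Enabled';           Value = 1 },
    @{ Protocol = 'TLS 1.2'; Side = 'Server'; Name = 'DisabledByDefault'; Value = 0 },
    @{ Protocol = 'TLS 1.3'; Side = 'Client'; Name = 'Enabled';           Value = 0 }
)

$drift = 0
foreach ($e in $expected) {
    $actual = Get-SchannelValue -Protocol $e.Protocol -Side $e.Side -Name $e.Name
    $state  = if ($actual -eq $e.Value) { 'OK   ' } else { $drift++; 'DRIFT' }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    Write-Host ('{0} {1}\{2}\{3} = {4} (expected {5})' -f $state, $e.Protocol, $e.Side, $e.Name, $shown, $e.Value)
}

if ($ApplyTls13Disable) {
    # Same result as the regedit steps: Protocols\TLS 1.3\Client\Enabled (DWORD 32-bit) = 0
    $clientKey = Join-Path $protocols 'TLS 1.3\Client'
    if (-not (Test-Path $clientKey)) { New-Item -Path $clientKey -Force | Out-Null }
    New-ItemProperty -Path $clientKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'TLS 1.3 client disabled in SCHANNEL; reboot the server for the change to take effect.'
}

# Non-zero exit code = number of values that differ from the expected state.
exit $drift
```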
=== Install Microsoft Entra Cloud Sync ===
An agent must be installed on a local server that meets the Microsoft minimum requirements. I mentioned earlier that installing the agent on a domain controller is now fully supported. This process walks through downloading and installing an agent.
# Open a web browser and log in to your Office 365 tenant as a global administrator.
# On the sidebar, under Admin Centers, click Identity.
# On the Identity sidebar, click Hybrid Management then click Cloud sync on the second sidebar under Get Started.
# Click Agents, then click Download on-premises agent. Copy this to the server you will be installing the agent on.
# Double click the installer and install it.
# The Microsoft Entra Provisioning Wizard will start:
## On the Welcome tab, click Next.
## On the Select Extension tab, select HR-driven provisioning, then click Next.
## On the Connect Microsoft Entra ID tab, click the green Authenticate tab and enter the credentials for the hybrid identity administrator service account created earlier.
## On the Configure Service Account tab, select Create gMSA. Enter the credentials of an Enterprise Admin account.
### Note: Hover your mouse over the blue question mark. You DO NOT need to create a local service account for this process. The user entered will be USED to create the service account and credentials will not be stored or used at a later date.
## On the Connect Active Directory tab, click Next.
## On the Confirm tab, review your changes then click Confirm.
=== Configure Sync ===
Now that the agent has been installed, we must configure synchronization to the cloud via the Microsoft Entra portal.
# On the sidebar, under Admin Centers, click Identity.
# On the Identity sidebar, click Hybrid Management, then click Cloud sync on the second sidebar under Get Started. Your agent should now appear here.
# Click Configurations in the second sidebar.
# Click the New Configuration button, then select AD to Microsoft Entra ID sync from the dropdown.
# On the New Cloud Sync Configuration page, select your domain from the dropdown and ensure "Enable password hash sync" is checked. Click Create.
# Once added successfully, you will be redirected to the Overview page. Click Add Scoping Filters.
# On the Scoping Filters page, select your preferred method of synchronization. I will be syncing by Organizational Units as it is easiest for my environment.
# To find the Distinguished Name of the OU, open Active Directory Users and Computers and navigate to the OU you will be syncing. Right click on it, then select Properties.
# Click the Attribute Editor tab, scroll to distinguishedName and copy it to the prompt in your web browser. Click Add then Save once finished.
## NOTE: If you change the name of the OU in the future, the scope must be updated.
== Azure AD Sync Troubleshooting ==
This section is specific to the Azure AD Sync Console, not the new cloud-based Entra Cloud Sync agent.
=== Force A Sync With PowerShell ===
These commands force a delta (changes only) or a full sync. Changes can be monitored in the Synchronization Service Console.
<pre>
# Force A Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
# Force A Full Sync
Start-ADSyncSyncCycle -PolicyType Initial
</pre>
=== Issues Syncing Users ===
In the Synchronization Service Console, you may notice that a user failed to sync. Right click on the user, then click Properties. Click the Security tab, then click Advanced. Click Enable Inheritance, then click Apply. Re-run a delta sync and the user should sync successfully.
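The following added script (not from the original page) serves both the scoping-filter step in Configure Sync and the inheritance issue just described: it resolves the OU you will scope to and prints its distinguishedName, then lists every user in that OU whose ACL inheritance is blocked, the condition the "Enable Inheritance" click fixes. With -Fix it re-enables inheritance the same way. The OU name is a placeholder, and the script assumes the RSAT ActiveDirectory module.

```powershell
# Added example: preflight for a Cloud Sync OU scope plus the inheritance check from the
# troubleshooting section. Placeholder OU name; requires the ActiveDirectory module.
#Requires -Modules ActiveDirectory
param(
    [string]$OuName = 'Entra Synced Users',
    [switch]$Fix
)
Import-Module ActiveDirectory

# The portal scoping filter wants the distinguishedName, and it must be updated
# if the OU is ever renamed or moved (see the NOTE in Configure Sync).
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ou.Count -eq 0) { throw "OU '$OuName' not found" }
if ($ou.Count -gt 1) { throw "OU name '$OuName' is ambiguous; search by full DN instead" }
$ouDn = $ou[0].DistinguishedName
Write-Host "Scoping filter DN: $ouDn"

$users = @(Get-ADUser -SearchBase $ouDn -Filter * -Properties nTSecurityDescriptor, adminCount)
$blocked = @()
foreach ($u in $users) {
    # AreAccessRulesProtected is the "inheritance disabled" state shown in the Advanced
    # security dialog; these are the users the troubleshooting section fixes by hand.
    if ($u.nTSecurityDescriptor.AreAccessRulesProtected) { $blocked += $u }
}

Write-Host ('{0} user(s) in scope, {1} with inheritance blocked' -f $users.Count, $blocked.Count)
foreach ($u in $blocked) {
    Write-Host (' - {0} (adminCount={1})' -f $u.SamAccountName, $u.adminCount)
    if ($u.adminCount -eq 1) {
        # adminCount=1 means AdminSDHolder/SDProp protected this account; if it is still in a
        # protected group, SDProp will block inheritance again within the hour. Privileged
        # on-prem accounts are better left out of the sync scope altogether.
        Write-Warning "$($u.SamAccountName) is (or was) a protected account; review group membership first"
    }
    if ($Fix) {
        # Equivalent of clicking "Enable Inheritance": unprotect the DACL, keep explicit ACEs.
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
        Write-Host "   inheritance re-enabled for $($u.SamAccountName)"
    }
}
```

After running with -Fix, trigger a delta sync (Start-ADSyncSyncCycle -PolicyType Delta, from the section above) and confirm the user appears in the Synchronization Service Console.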

Latest revision as of 02:28, 11 July 2024