History
Authentication: Microsoft Entra Cloud Sync is Microsoft's newer offering for hybrid identity. It synchronizes users, groups, and contacts from on-premises Active Directory to Microsoft Entra ID using the lightweight Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. You can learn more about Microsoft Entra Cloud Sync and the features it offers by reading Microsoft's What is Microsoft Entra Cloud Sync? article.
WARNING! I had issues configuring the new Microsoft Entra Cloud Sync agent. I was advised by Entra support to forgo utilizing it and install the Azure AD Connect agent for the time being. The process is mostly the same, with a few screens that are different. I have also added an Azure AD Sync-specific section at the bottom.
Deployment
The following setup guide walks through a typical deployment process to synchronize an already configured Authentication:Active Directory domain with Authentication: Microsoft Entra Cloud Sync. It is HIGHLY recommended you read Microsoft's Install the Microsoft Entra provisioning agent article, as I have, to ensure you are using the correct agent for your environment and are following best practices. Deploying the agent on an Active Directory domain controller is now fully supported. Unfortunately, Servers: SAD-DC01 and Servers: SAD-DC02 both run Windows Server Core, which is still not supported. Future domain controllers in my environment will most likely follow suit, so I will be installing the agent on Servers: SAD-AUTH01, which, in addition to the agent, hosts Authentication: Microsoft NPS to authenticate Network: Road Warrior VPN.
Set up an additional Active Directory UPN suffix
A User Principal Name, or UPN, is the Internet-style logon name of an Active Directory user, in the form user@suffix, where the suffix is a DNS domain name. By default the suffix is the domain's own DNS name; in my environment that is internal.sysadminafterdark.com. Entra can only match synchronized users to a domain that has been verified in the tenant, and a non-routable suffix such as this one would cause the synchronized accounts to fall back to the tenant's onmicrosoft.com domain. To meet the prerequisites for directory sync, an alternative UPN suffix for sysadminafterdark.com must therefore be added to the forest and assigned to each user we would like to sync.
- On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), Open Active Directory Domains and Trusts.
- On the sidebar, at the top of the tree, right click Active Directory Domains and Trusts and click Properties.
- Under "Alternative UPN Suffixes", enter the name of the domain you publicly utilize. In my case, this is sysadminafterdark.com. Then click Add, Apply, and finally, Ok.
Change Users To New UPN
The following process was used to convert users to the new UPN suffix. At larger scales, you may want to use a PowerShell script instead. I personally only have three users that will be syncing to Entra, so this process was performed manually.
- On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), Open Active Directory Users and Computers.
- Navigate to the user you wish to modify, right click, then click on properties.
- At the top of the window, click Account.
- Under User Logon Name, click the dropdown and select the new UPN. Click Apply, then Click OK.
- Repeat this process for any users you will be synchronizing to Entra.
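For more than a handful of users, the same change can be scripted. The following is an added example written for this page, not a script from the original post or from Microsoft. It assumes an OU named EntraSync under the internal domain and the two suffixes used above; adjust them for your environment. It keeps the existing logon-name prefix (exactly what the dropdown in ADUC does), refuses to run if the new suffix has not yet been registered as an alternative UPN suffix in the forest, and performs a dry run unless $Apply is set to $true.

```powershell
# Added example for this page (not from the original post or Microsoft):
# bulk-convert the UPN suffix of every user in one OU from the internal
# suffix to the public one, dry run by default.
Import-Module ActiveDirectory

$OldSuffix  = 'internal.sysadminafterdark.com'
$NewSuffix  = 'sysadminafterdark.com'
$SearchBase = 'OU=EntraSync,DC=internal,DC=sysadminafterdark,DC=com'   # assumed OU
$Apply      = $false                                                    # $true to write changes

# Safety check: the new suffix must already exist under
# "Alternative UPN Suffixes" (Active Directory Domains and Trusts), or
# Set-ADUser will reject it.
$forestSuffixes = (Get-ADForest).UPNSuffixes
if ($forestSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not an alternative UPN suffix in this forest; add it first."
}

# Only touch users that still carry the old suffix, and only inside the OU
# that will later be placed in sync scope.
$users = Get-ADUser -SearchBase $SearchBase `
                    -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName

foreach ($u in $users) {
    # Preserve the part before the @, the same as picking the suffix from
    # the dropdown on the Account tab.
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = '{0}@{1}' -f $prefix, $NewSuffix

    # -WhatIf:$true prints the change instead of applying it.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
    if ($Apply) { Write-Host "Changed $($u.UserPrincipalName) -> $newUpn" }
}
```

Run it once with $Apply left at $false and read the WhatIf output before flipping it. Users outside the search base, and users whose UPN already uses the public suffix, are left untouched.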
Create a Hybrid Identity Administrator Service Account
It is extremely important to follow the principle of least privilege. This process creates an unlicensed, cloud-only Microsoft 365 account holding the Hybrid Identity Administrator role, which is used only to connect the tenant to on-premises Active Directory. Treat its credentials as privileged: the role can change how the tenant authenticates users, so store the password in a password manager rather than in the install notes, and keep this account out of the OUs you later place in sync scope so it stays a cloud-only identity.
- On the Users tab on the sidebar, click Active Users, then click Add a user.
- Create a service account to use as your designated hybrid administrator. I am calling mine Users and Groups: svc_hybrid. Record the username and password for later use.
- NOTE: You DO NOT need to assign a license to this account.
- On the Optional Settings tab, select the Admin center access option, scroll down, and click Show All By Category.
- Scroll down to the Identity section, then check "Hybrid Identity Administrator" then click Next, then click Finish.
Ensure TLS 1.2 is Enabled
Microsoft provides a PowerShell script that sets the registry entries needed to force TLS 1.2, which is required by the Entra provisioning agent. You can find it in Microsoft's article TLS 1.2 enforcement for Microsoft Entra Connect. Please note that a reboot is required after these changes are made.
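If you would rather see what the server is currently set to before changing anything, the following is an added example for this page (not Microsoft's script) that audits the same .NET Framework and SCHANNEL registry values that the Microsoft article sets, and only writes them when run with -Enforce. The key paths and values are the ones from that article; run it from an elevated PowerShell prompt and save it as a .ps1 so the param block applies.

```powershell
# Added example for this page (not Microsoft's enforcement script):
# audit, and optionally enforce, the TLS 1.2 registry settings the
# Entra provisioning agent depends on. Run elevated.
param([switch]$Enforce)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

# Each entry: registry key, value name, and the required DWORD value.
$expected = @(
    @{ Path = $net64; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $net64; Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = $net32; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $net32; Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
)

$compliant = $true
foreach ($e in $expected) {
    # Missing key or value yields $null, which never equals the expected number.
    $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)

    if ($current -eq $e.Value) {
        Write-Host ("OK       {0}\{1} = {2}" -f $e.Path, $e.Name, $current)
        continue
    }

    $compliant = $false
    if ($Enforce) {
        # -Force creates any missing parent keys and overwrites a wrong value.
        New-Item -Path $e.Path -Force | Out-Null
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
        Write-Host ("FIXED    {0}\{1} -> {2}" -f $e.Path, $e.Name, $e.Value)
    } else {
        Write-Host ("MISSING  {0}\{1} (expected {2}, found '{3}')" -f $e.Path, $e.Name, $e.Value, $current)
    }
}

if ($Enforce -and -not $compliant) {
    Write-Warning 'Registry updated; reboot the server before installing the agent.'
} elseif (-not $compliant) {
    Write-Warning 'TLS 1.2 is not fully enforced on this server; rerun with -Enforce.'
}
```

The audit pass is safe to run on any server, including the domain controllers, which makes it a quick way to confirm the setting survived a rebuild or a group policy refresh.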
Install Microsoft Entra Cloud Sync
An agent must be installed on a local server that meets the Microsoft minimum requirements. I mentioned earlier that installing the agent on a domain controller is now fully supported. This process walks through downloading and installing an agent.
- Open a web browser and log in to your Office 365 tenant as a global administrator.
- On the sidebar, under Admin Centers, Click Identity.
- On the Identity sidebar, click Hybrid Management then click Cloud sync on the second sidebar under Get Started.
- Click Agents, then click Download on-premises agent. Copy this to the server you will be installing the agent on.
- Double click the installer and install it.
- The Microsoft Entra Provisioning Wizard will start:
- On the Welcome tab, click Next.
- On the Select Extension tab, select HR-driven provisioning, then click Next.
- On the Connect Microsoft Entra ID tab, click the green Authenticate button and enter the credentials for the hybrid identity administrator service account created earlier.
- On the Configure Service Account tab, select Create gMSA. Enter the credentials of an Enterprise Admin account.
- Note: Hover your mouse over the blue question mark. You DO NOT need to create a local service account for this process. The account you enter is used only to create the group managed service account (gMSA) that the agent will run as; its credentials are not stored or used afterwards.
- On the Connect Active Directory tab, click Next
- On the Confirm tab, review your changes then click Confirm.
Configure Sync
Now that the agent has been installed, we must configure synchronization to the cloud via the Microsoft Entra portal.
- On the sidebar, under Admin Centers, Click Identity.
- On the Identity sidebar, click Hybrid Management then click Cloud sync on the second sidebar under Get Started. Your agent should now appear here.
- Click Configurations in the second sidebar.
- Click the New Configuration button, then select AD to Microsoft Entra ID sync from the dropdown.
- On the New Cloud Sync Configuration page, select your domain from the dropdown and ensure "Enable password hash sync" is checked. Click Create.
- Once added successfully, you will be redirected to the Overview page. Click Add Scoping Filters.
- On the Scoping Filters page, select your preferred method of synchronization. I will be syncing by Organizational Units as it is easiest for my environment.
- To find the Distinguished Name of the OU, open Active Directory Users and Computers and navigate to the OU you will be syncing. Right click on it, then select Properties.
- Click the Attribute Editor tab, scroll to distinguishedName and copy it to the prompt in your web browser. Click Add then Save once finished.
- NOTE: The scope is tied to the OU's distinguished name. If you rename or move the OU in the future, its distinguished name changes and the scoping filter must be updated.
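The distinguished name can also be pulled from PowerShell, which avoids copy errors from the Attribute Editor and lets you see exactly which accounts the OU scope will bring in before you click Save. The following is an added example for this page, not from the original post. It assumes an OU named EntraSync and the sysadminafterdark.com suffix; Get-ADUser's default subtree search is used so child OUs are included in the listing.

```powershell
# Added example for this page (not from the original post): resolve the
# scoping-filter DN for an OU and preview the users it would put in scope.
Import-Module ActiveDirectory

$OuName       = 'EntraSync'              # assumed OU name
$PublicSuffix = 'sysadminafterdark.com'  # the domain verified in the Entra tenant

# Look the OU up by name rather than trusting a hand-typed DN.
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ou.Count -eq 0) { throw "No OU named '$OuName' was found." }
if ($ou.Count -gt 1) { throw "OU name '$OuName' is ambiguous; copy the DN from the Attribute Editor instead." }

Write-Host "Scoping filter DN: $($ou[0].DistinguishedName)"

# Everything under the DN (including child OUs) is what the scope covers.
# UpnOk flags accounts still carrying a non-routable suffix, which would
# land in the tenant under onmicrosoft.com rather than the verified domain.
Get-ADUser -SearchBase $ou[0].DistinguishedName -Filter * -Properties UserPrincipalName |
    Select-Object SamAccountName, Enabled, UserPrincipalName,
        @{ Name = 'UpnOk'; Expression = { $_.UserPrincipalName -like "*@$PublicSuffix" } } |
    Sort-Object UpnOk, SamAccountName |
    Format-Table -AutoSize
```

Any row showing UpnOk as False, or a service or disabled account you did not intend to synchronize, should be fixed or moved out of the OU before the scoping filter is saved.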