Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Authentication: Microsoft Entra Cloud Sync

From sysadminafterdark docs

History

Authentication: Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. You may learn more about Microsoft Entra Cloud Sync and the new features it offers by reading Microsoft's What is Microsoft Entra Cloud Sync? article.

Deployment

The following setup guide walks through a typical deployment process to synchronize an already configured Authentication:Active Directory domain sync with Authentication: Microsoft Entra Cloud Sync. It is HIGHLY recommended you view Microsoft's Install the Microsoft Entra provisioning agent article as I have to ensure you are using the correct agent for your environment and are following best practices. It appears deploying the agent on an Active Directory Domain Controller, is fully supported now. Unfortunately, Servers: SAD-DC01 and Servers: SAD-DC02 are both utilizing Windows Server Core, which is still not supported. Future domain controllers in my environment will most likely follow suit, so I will be installing the agent on Servers: SAD-AUTH01, which, in addition to the agent, hosts Authentication: Microsoft NPS to authenticate Network: Road Warrior VPN.

Setup an additional Active Directory UPN

An active Directory User Principal Name, or UPN, is a DNS domain name, often used to specify the Windows domain name. For example, the default UPN is internal.sysadminafterdark.com. In order to meet the prerequisites to sync the directory with Entra, another UPN for sysadminafterdark.com must be added and changed for the users we would like to sync.

  1. On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), Open Active Directory Domains and Trusts.
  2. On the sidebar, at the top of the tress, right click Active Directory Domains and Trusts and click Properties.
  3. Under "Alternative UPN Suffixes", enter the name of the domain you publicly utilize. In my case, this is sysadminafterdark.com. Then click Add, Apply, and finally, Ok.

Change Users To New UPN

The following process was used to convert users to the new UPN. At large scales, you may want to investigate utilizing a powershell script. I personally only have three users that will be syncing to Entra, so this process was performed manually.

  1. On a computer with RSAT tools installed (such as an administrative jumpbox or domain controller), Open Active Directory Users and Computers.
  2. Navigate to the user you wish to modify, right click, then click on properties.
  3. At the top of the window, click Account.
  4. Under User Logon Name, click the dropdown and select the new UPN. Click Apply, then Click OK.
  5. Repeat this process for any users you will be synchronizing to Entra.

Install Microsoft Entra Cloud Sync

An agent must be installed on a local server that meets the Microsoft minimum requirements. I mentioned earlier that installing the agent on a domain controller is now fully supported. This process walks through downloading and installing an agent.

  1. Open a web browser and login to your Office 365 tenant as a global administrator.
  2. On the sidebar, under Admin Centers, Click Identity.
  3. On the Identity sidebar, click Hybrid Management then click Cloud sync on the second sidebar under Get Started.
  4. Click Agents, then click Download on-premises agent. Copy this to the server you will be installing the agent on.