Hybrid identity best practices

Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting
I'm not going to go through the technical installation steps; instead I will talk about the best practices, as there are step-by-step instructions all over the web.

Azure AD Connect: Getting Started using express settings
When you have Azure AD Connect installed and you didn't choose the custom installation, you didn't see the option to filter based on OUs.

If this was the case, you can still modify these with the Synchronization Service Manager.

Open the AD connector and choose Properties.

Then choose Containers. From here you can pick the OUs that you want to sync.

Then just let it run, or run it manually. The first sync is a full (initial) sync; it populates the data into the SQL Express instance that the AAD Connect wizard installed.
Start-ADSyncSyncCycle -PolicyType Initial
The next run will be incremental, i.e. only changes (a delta sync):
Start-ADSyncSyncCycle -PolicyType Delta
Or you can simply stop syncing users that don't have the correct UPN suffix, directly from the connector, either from the GUI or with the PowerShell script below.
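Before you add the rule (the script that creates it follows), it is worth a dry run of the same scope condition against AD so you can see exactly which accounts would be marked cloudFiltered. This is an added example, not part of the original post; it assumes the ActiveDirectory module is installed on the AAD Connect server and that $VerifiedSuffixes is your own list of UPN suffixes verified in the tenant.

```powershell
# Added dry run (not from the original post): evaluates the rule's scope
# condition  userPrincipalName ENDSWITH "@<connector name>"  against AD
# and reports what it would filter, without touching the sync configuration.
Import-Module ActiveDirectory
Import-Module ADSync

$Connector = Get-ADSyncConnector | Where-Object { $_.Type -eq 'AD' } | Select-Object -First 1
$UPNSuffix = "@$($Connector.Name)"            # same value the rule script uses

# Assumed list: the UPN suffixes you have verified in Azure AD. Edit for your tenant.
$VerifiedSuffixes = @('@contoso.com')

$Cmp   = [System.StringComparison]::OrdinalIgnoreCase
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName

$Report = foreach ($u in $Users) {
    $upn = $u.userPrincipalName
    if (-not $upn) {
        $state = 'NoUPN'               # ENDSWITH cannot match; review these by hand
    } elseif ($upn.EndsWith($UPNSuffix, $Cmp)) {
        $state = 'WouldBeFiltered'     # cloudFiltered = True once the rule is active
    } elseif ($VerifiedSuffixes | Where-Object { $upn.EndsWith($_, $Cmp) }) {
        $state = 'Syncs'
    } else {
        $state = 'UnverifiedSuffix'    # syncs, but the UPN is rewritten to the *.onmicrosoft.com domain
    }
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $upn; State = $state }
}

# Summary first, then every object that needs a look before the rule goes live.
$Report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$Report | Where-Object State -ne 'Syncs' | Sort-Object State, UPN | Format-Table -AutoSize
```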
Import-Module ADSync
# Pick the AD connector; its name is the forest FQDN, which gives the local (non-routable) UPN suffix.
$Connector = (Get-ADSyncConnector | Where-Object {$_.Type -eq "AD"})
$UPNSuffix = "@$($Connector.Name)"
# Uncomment the next line to manually specify your UPN suffix.
#$UPNSuffix = "@yourdomain.local"
# Make sure no other rule has the same precedence.
$Precedence = 99
New-ADSyncRule `
    -Name 'In from AD - User Filter by UPN' `
    -Description 'Filter users based on UPN.' `
    -Direction 'Inbound' `
    -Precedence $Precedence `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $Connector.Identifier.Guid `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule
# Constant flow: every user in scope gets cloudFiltered = True and is not exported to Azure AD.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('True') `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule
# Scope: only users whose UPN ends with the local suffix are affected.
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'userPrincipalName',$UPNSuffix,'ENDSWITH' `
    -OutVariable condition0
Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule
Add-ADSyncRule `
    -SynchronizationRule $syncRule[0]

Identity synchronization - Problems and matching
If you don't want to use an Exchange hybrid deployment and for that reason didn't select the Exchange attributes for sync, but instead want to do a third-party migration from your Exchange Server, there is a possibility that you end up with the following error.

This means that Exchange Online got the information from the msExchMailboxGuid attribute and now knows that you have a mailbox, and you therefore cannot license that user for Exchange Online and create a mailbox.
So you have to null the attribute with Azure AD Connect; again, I'm not writing a section on this, as there are multiple ready-made ones. Here is a good and accurate one:
How can I set msExchMailboxGUID attribute to null?
But it's always a wise and recommended option to use Hybrid Exchange. When you migrate mailboxes to the cloud, you will keep the hybrid setup for managing the users' cloud-based mailboxes, and it's currently the only supported way to keep user sync between on-premises and the cloud. If it is not deployed, you should remove the sync.
User matching in problem situations
Normally Azure AD matches users with SMTP matching: it takes your on-premises ProxyAddresses and attaches them to the objectID in the cloud.
One of these situations could be that you need to connect your domain to Azure AD when you have mailboxes on-premises and you have already assigned licenses to all users and created mailboxes before the Azure AD Connect implementation.
Then it could be a job for soft matching (SMTP matching), or even for hard matching (ImmutableID), which uses an ID generated from your UserPrincipalName and ObjectID, so it is a unique identifier.
Sander Berkouwer wrote a detailed article on this one.

Explained: User Hard Matching and Soft Matching in Azure AD Connect - The things that are better left unspoken
Now we have covered a lot of the process of understanding the identity, modifying the identity and syncing the identity, but there is still a lot to do after these steps.
Stay tuned (and safe) for more identity-related content!
Over and out,