Administrators can integrate the on-premises Active Directory in Windows Server with the cloud-based Microsoft Azure Active Directory. This feature lets a business manage both local and cloud access through a single common identity and access mechanism. Azure Active Directory Connect is Microsoft's tool designed to handle the AD integration.
Azure Active Directory (AD) Connect replaces older tools, such as Microsoft's DirSync and Azure AD Sync. Azure AD Connect is composed of three essential parts: synchronization, federation and monitoring. Sync Services handles synchronization; it creates users and groups, and ensures that local and cloud AD information matches. Businesses can use the Active Directory Federation Services (AD FS) option to supply users with single sign-on access to systems or workloads located outside of the organization. AD FS establishes trust between two organizations and uses tokens to verify user identities. AD FS also supports stronger authentication requirements, such as smart card and multifactor authentication. Federation also requires careful monitoring, so a health monitoring feature watches over AD FS and presents health information to administrators through the Azure portal.
However, synchronizing local and cloud Active Directory deployments can be a challenging endeavor, which should only be attempted by experienced administrators. Azure AD Connect must first be downloaded from Microsoft, and numerous prerequisites must be met in Azure, the local server environment, user accounts, and network configuration and connectivity.
Azure AD Connect needs to be installed and configured on the local Sync server. Administrators can opt for Express installation for a relatively simple, single AD forest, or custom installation for multi-forest AD, AD FS support and other advanced features. Administrators can also use this installation to set up Sync Services for Exchange hybrid deployments, with mailboxes in the cloud and on premises.
After installation, Azure AD Connect should be configured. Administrators can filter the users, contacts, groups and endpoint computers that are synchronized. Password synchronization allows the same user passwords to work on premises and in the cloud, while passwords continue to be managed in one location. Write-back features allow users to change or reset passwords in the cloud while local password policies still apply; the new passwords are written back to the local AD server. Similarly, configuring device write-back allows devices registered in the cloud to be conveyed back to the local AD server. Administrators can also enable the "prevent accidental deletes" safeguard, which blocks a sync cycle that would delete a large number of objects at the same time. This mitigates sweeping changes that would otherwise inadvertently affect the entire environment.
Finally, Azure AD Connect installs with a robust default configuration, but administrators can tweak the configuration of Azure AD Connect to customize behaviors and operations to suit the specific environment.
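The post-installation review described above, as an added PowerShell example that is not part of the original article: it runs on the Sync server with the ADSync module that Azure AD Connect installs, checks the accidental-delete threshold and the sync feature flags, and then triggers a delta sync. The property names read from the threshold object and the threshold value of 500 are assumptions for illustration.

```powershell
# Added example (not from the article): review Azure AD Connect safeguards on
# the Sync server. Assumes the ADSync module shipped with Azure AD Connect and
# an account permitted to administer the sync engine.
Import-Module ADSync

# Constructed value: the largest number of deletions one export may perform
# before the sync engine refuses to continue. Size it to the environment.
$MaxDeletes = 500

# 1. Accidental-delete protection. Property names DeletionPrevention and
#    DeletionThreshold are assumed from the cmdlet's tabular output.
$threshold = Get-ADSyncExportDeletionThreshold
$threshold | Format-List
if (-not $threshold.DeletionPrevention -or
    [int]$threshold.DeletionThreshold -gt $MaxDeletes) {
    # Enabling the threshold may prompt for an Azure AD administrator credential.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $MaxDeletes
    Write-Host "Deletion threshold enforced at $MaxDeletes objects per export."
}

# 2. Confirm which tenant-level features are on (password hash sync,
#    password write-back, device write-back, ...), so that what is running
#    matches what was chosen during the custom installation.
Get-ADSyncAADCompanyFeature | Format-List

# 3. Confirm the scheduler is enabled and not stuck in maintenance mode,
#    then run a delta cycle to push any pending changes.
$scheduler = Get-ADSyncScheduler
$scheduler | Format-List
if ($scheduler.SyncCycleEnabled -and -not $scheduler.MaintenanceEnabled) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning "Sync cycle disabled or in maintenance; not starting a cycle."
}
```

If the delta cycle stops with a deletion-threshold error, review the pending deletes in Synchronization Service Manager before temporarily disabling the threshold with Disable-ADSyncExportDeletionThreshold.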