Azure AD Connect – You can now provision cloud identity from disconnected Active Directory

As you already know, Azure Active Directory Connect (Azure AD Connect) is the easiest and quickest way to provision identities in Azure AD, especially for large organizations, while providing simple authentication methods for cloud services (password hash sync, Seamless SSO…).

That being said, you may find yourself in a position where you have to quickly provide cloud identities for other ‘independent’ entities in your organization (because of a merger or a historically disconnected environment) while you do not have the ability or the time to set up a trust relationship.

This challenge now has an answer with the new cloud provisioning feature of Azure AD Connect, which provides a lightweight synchronization solution to onboard a disconnected Active Directory.

Another advantage of this capability is that you can deploy multiple agents, which provides high availability for the service (unlike the ‘full’ Azure AD Connect, which does not offer this unless you deploy a standby instance).

Before digging into this new feature (in preview), you need to ensure the following prerequisites are met:

  • you have a global administrator account on your Azure AD tenant
  • at least one Windows Server 2012 R2 or later server, joined to the disconnected domain, is available to run the provisioning agent
    • with the .NET Framework 4.7.1
    • with TLS 1.2 enabled
    • NOTE I have tested installing the agent on the domain controller itself and, while this is not clearly documented, it works; the agent can be installed, configured and syncing with Azure AD successfully
  • the firewall allows outbound traffic from this/these server(s) on ports 80, 443 and 8080 (8080 is optional and is only used if 443 cannot be used)
  • firewall/proxy exceptions for:
    • *.msappproxy.net
    • *.servicebus.windows.net
    • login.windows.net
    • login.microsoftonline.com
    • mscrl.microsoft.com
    • crl.microsoft.com
    • ocsp.msocsp.com
    • www.microsoft.com
    • or, if you cannot manage URLs, you need to allow the Azure IP address ranges (see https://www.microsoft.com/download/details.aspx?id=41653)

You can test access using the test portal https://aadap-portcheck.connectorporttest.msappproxy.net/
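Rather than checking each prerequisite by hand on every server that will host an agent, you can script the pre-flight check. The script below is an added example (not from the original post, not Microsoft's code); it assumes .NET 4.7.1 is detected through the "Release" registry value (461308 or higher), that TLS 1.2 is verified through the SCHANNEL client key and the .NET strong-crypto values, and that outbound reachability is probed on TCP 443 for the hosts that can be named explicitly (the two wildcard zones cannot be probed by name; use the port-check portal above for those). Run it elevated on the prospective agent host.

```powershell
# Added example: pre-flight check for a provisioning agent host.
# Assumed detection methods: .NET "Release" registry value, SCHANNEL/.NET TLS 1.2 registry keys,
# Test-NetConnection on TCP 443 against the non-wildcard endpoints listed in the post.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Domain membership: the agent must run on a member of the disconnected domain
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' ([bool]$cs.PartOfDomain) "Domain: $($cs.Domain)"

# 2. OS version: Windows Server 2012 R2 is 6.3; anything later is fine
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
Add-Check 'OS >= Server 2012 R2' ($osVersion -ge [version]'6.3') "OS version: $osVersion"

# 3. .NET Framework 4.7.1 or later: Release value 461308 (Win10 1709) / 461310 (other OS) and above
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework >= 4.7.1' ([int]$ndp.Release -ge 461308) "Release value: $($ndp.Release)"

# 4. TLS 1.2: enabled for the SCHANNEL client, and .NET told to use the OS default TLS versions
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
# Absent key means "OS default", which is enabled on 2012 R2+; an explicit Enabled=0 is the problem
$tlsOk = ($null -eq $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
Add-Check 'TLS 1.2 client not disabled' $tlsOk "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)"
foreach ($netKey in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $p = Get-ItemProperty $netKey -ErrorAction SilentlyContinue
    $ok = ($p.SchUseStrongCrypto -eq 1) -and ($p.SystemDefaultTlsVersions -eq 1)
    Add-Check ".NET TLS 1.2 ($netKey)" $ok "SchUseStrongCrypto=$($p.SchUseStrongCrypto) SystemDefaultTlsVersions=$($p.SystemDefaultTlsVersions)"
}

# 5. Outbound TCP 443 to the endpoints that can be named (wildcards need the port-check portal)
$hosts = 'login.windows.net', 'login.microsoftonline.com', 'mscrl.microsoft.com',
         'crl.microsoft.com', 'ocsp.msocsp.com', 'www.microsoft.com',
         'aadap-portcheck.connectorporttest.msappproxy.net'
foreach ($h in $hosts) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Check "TCP 443 to $h" ([bool]$t.TcpTestSucceeded) "Remote: $($t.RemoteAddress)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before installing the agent.'
}
```

If a proxy is in the path, Test-NetConnection only proves the TCP path to the proxy, so also open the port-check portal from a browser on the server to confirm the HTTPS path end to end.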

Once all of these prerequisites are met, you can start using the cloud identity provisioning for disconnected AD feature by connecting to your Azure portal (https://portal.azure.com/) or Azure AD portal (https://aad.portal.azure.com/) and opening the Azure Active Directory\Azure AD Connect blade

There you will see the new feature Manage provisioning (preview), from which you download the lightweight agent and manage the registered agents

Once the agent is downloaded, the installation steps are pretty simple and straightforward: accept the license terms (as always) and that’s it

The configuration wizard will then pop up (if it does not, a shortcut is available on the Desktop) and ask you to connect to your Azure AD tenant

Then (as with the ‘classic’ Azure AD Connect), you will have to connect to the disconnected domain

You can even choose the order in which domain controllers are contacted using the Select domain controller priority option

That’s it for the server-side configuration; you do not have to configure the synchronization or authentication options on the server. All management capabilities are available only through the Azure AD/Azure portal

Once the agent(s) are registered, refresh the Azure AD Provisioning blade and confirm that the agent(s) are up and running and successfully connected using Review all agents

You can also check the services state:

  • Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
  • Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)

The New Configuration option then becomes available; use it to configure the agent and define the various synchronization options

Same as with Azure AD Connect, you can choose whether to sync the full directory, only the members of a security group, or selected OUs (you can add multiple OUs)

If you want to sync selected OUs, you have to enter each OU path as a Distinguished Name (you cannot browse)
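Because the form expects raw distinguished names and offers no browse button, it helps to list the candidate OUs with their DNs from the disconnected domain first, and to preview how many objects each scope (OU or security group) would pull in before saving the configuration. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed on the agent host (or any member of the disconnected domain), and the OU DNs and group name are sample values to replace with your own.

```powershell
# Added example: enumerate OUs by DN and preview the scope of a configuration.
# Assumes the ActiveDirectory module; sample DNs/group name below are placeholders.
Import-Module ActiveDirectory

# 1. All OUs of the disconnected domain with the DN the portal form expects
Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
    Sort-Object CanonicalName |
    Select-Object CanonicalName, DistinguishedName |
    Format-Table -AutoSize

# 2. Validate the DNs you intend to enter and count the users and groups each one covers
$ouScopes = 'OU=Users,OU=Contoso,DC=corp,DC=contoso,DC=com',     # sample
            'OU=Groups,OU=Contoso,DC=corp,DC=contoso,DC=com'     # sample
foreach ($dn in $ouScopes) {
    try {
        $null   = Get-ADOrganizationalUnit -Identity $dn          # throws if the DN does not exist
        $users  = @(Get-ADUser  -Filter * -SearchBase $dn -SearchScope Subtree)
        $groups = @(Get-ADGroup -Filter * -SearchBase $dn -SearchScope Subtree)
        "OK   $dn -> $($users.Count) users, $($groups.Count) groups"
    } catch {
        "FAIL $dn -> $($_.Exception.Message)"
    }
}

# 3. Security-group scoping: show the group's DN and its direct user members
$groupName = 'AzureAD-Sync-Scope'                                 # sample
$group = Get-ADGroup -Filter { Name -eq $groupName }
if ($group) {
    $members = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user')
    "Group $($group.DistinguishedName) -> $($members.Count) direct user members"
} else {
    "Group '$groupName' not found"
}
```

Whether nested group members are expanded by the agent is not stated in the post, so compare the direct-member count above with what actually lands in Azure AD after the first provisioning cycle before relying on nested groups for scoping.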

It is recommended to keep the password hash sync option enabled, even if you are not planning to use it

An email address is then required so that you get notified if the agent(s) become unhealthy

When you go back to the main Azure AD Provisioning blade, the disconnected domain now shows up with its status and associated agents

The agent picks up configuration changes every 2 minutes, while the provisioning cycle runs every 40 minutes

All agent activities are logged in the Applications and Services Logs\AzureADConnect log:

  • AgentUpdater for agent update activities (you will see there whether an update has been installed)
  • ProvisioningAgent for provisioning activities

Important events for the ProvisioningAgent are:

  • Event 14000 when the agent has started
  • Event 14003 when a synchronization configuration has been applied/updated
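The two service checks and the event log checks above can be folded into one health script to run on each agent host (or to hand to whoever monitors the servers). This is an added example, not from the original post: it locates the services by the display names given above rather than by short service names (which the post does not give), and it discovers the AzureADConnect event channels with Get-WinEvent -ListLog instead of hard-coding channel names, since the post only gives the Event Viewer path.

```powershell
# Added example: agent host health check (services + AzureADConnect event channels).
# Assumptions: services matched by display name; channel names discovered at run time.

# 1. Service state: both agent services should be Running and set to Auto start
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Microsoft Azure AD Connect%'" |
    Select-Object DisplayName, Name, State, StartMode
$services | Format-Table -AutoSize
$notRunning = @($services | Where-Object State -ne 'Running')
if ($notRunning.Count) { Write-Warning "Not running: $($notRunning.DisplayName -join ', ')" }

# 2. Find the AgentUpdater and ProvisioningAgent channels under AzureADConnect
$logs = Get-WinEvent -ListLog '*AzureADConnect*' -ErrorAction SilentlyContinue
$logs | Select-Object LogName, RecordCount, LastWriteTime | Format-Table -AutoSize
$provLog = ($logs | Where-Object LogName -like '*ProvisioningAgent*' | Select-Object -First 1).LogName
$updLog  = ($logs | Where-Object LogName -like '*AgentUpdater*'      | Select-Object -First 1).LogName
if (-not $provLog) { Write-Warning 'ProvisioningAgent channel not found; is the agent installed?' }

$since = (Get-Date).AddDays(-1)
$firstLine = @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

# 3. Key ProvisioningAgent events: 14000 = agent started, 14003 = sync configuration applied
if ($provLog) {
    Get-WinEvent -FilterHashtable @{ LogName = $provLog; Id = 14000, 14003; StartTime = $since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, $firstLine |
        Format-Table -AutoSize -Wrap
}

# 4. Errors (Level 2) on either channel in the last 24 hours, the first thing to read when
#    the portal reports an agent as unhealthy
$channels = @($provLog, $updLog) | Where-Object { $_ }
if ($channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $channels; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, $firstLine |
        Format-Table -AutoSize -Wrap
}
```

Checking the AgentUpdater channel alongside the ProvisioningAgent one matters because an agent that silently fails to update will eventually be flagged in the portal even though provisioning still works.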

You can access the provisioning logs and other settings for the domain by opening the Enterprise Applications\All Applications blade and searching for the synced domain using the All Applications type filter

Then go to the Provisioning blade for the application

This application is automatically deleted when you delete the configuration you created above

Users and groups from the disconnected AD should now show up in your Azure AD

In addition, a new synchronization account (ADToAADSyncServiceAccount) should also show up in your Azure AD
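To confirm the result from the Azure AD side without clicking through the portal, the following added example (not from the original post) lists the synchronized users and groups, flags any whose last sync is older than a few provisioning cycles, and looks up the synchronization account. It assumes the MSOnline module (Connect-MsolService) and a global administrator sign-in; the domain suffix and the freshness threshold are sample values.

```powershell
# Added example: verify synced objects and the sync service account in Azure AD.
# Assumes the MSOnline module; $onPremSuffix and the 2-hour threshold are sample values.
Import-Module MSOnline
Connect-MsolService

$onPremSuffix = 'corp.contoso.com'   # sample: UPN suffix of the disconnected domain (if verified in the tenant)

# 1. Synced users grouped by UPN suffix. Users from an unverified domain get the
#    <tenant>.onmicrosoft.com suffix instead, so an empty bucket for $onPremSuffix is not an error.
$synced = @(Get-MsolUser -Synchronized -All)
$synced | Group-Object { $_.UserPrincipalName.Split('@')[1] } |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Freshness: with a 40-minute provisioning cycle, anything older than 2 hours deserves a look
$threshold = (Get-Date).ToUniversalTime().AddHours(-2)
$stale = @($synced | Where-Object { $_.LastDirSyncTime -and $_.LastDirSyncTime -lt $threshold })
if ($stale.Count) {
    Write-Warning "$($stale.Count) synced user(s) last synced before $threshold UTC:"
    $stale | Select-Object UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize
}

# 3. Synced groups (those carrying a LastDirSyncTime came from on-premises)
Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object DisplayName, LastDirSyncTime | Format-Table -AutoSize

# 4. The synchronization account created by the feature
$syncAccount = Get-MsolUser -SearchString 'ADToAADSyncServiceAccount'
if ($syncAccount) {
    $syncAccount | Select-Object DisplayName, UserPrincipalName, WhenCreated | Format-Table -AutoSize
} else {
    Write-Warning 'ADToAADSyncServiceAccount not found yet; wait for the first provisioning cycle'
}
```

The synchronization account is a tenant-level identity created on your behalf; treat it like any other service principal with write access to your directory and keep it in scope for your privileged-account monitoring.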

You can provide feedback using the URL https://go.microsoft.com/fwlink/?linkid=2033943
