1
00:00:00,640 --> 00:00:02,240
Azure AD Connect.

2
00:00:02,240 --> 00:00:05,940
What is Azure AD Connect and what are its primary use cases?

3
00:00:05,940 --> 00:00:06,790
Well, it's like this.

4
00:00:06,790 --> 00:00:10,430
As you can see, the attribution, when I use a Microsoft docs image,

5
00:00:10,430 --> 00:00:12,160
is in the lower corner of the slide.

6
00:00:12,160 --> 00:00:15,510
We're assuming that you have an on‑premises Active Directory.

7
00:00:15,510 --> 00:00:18,700
Now we could be talking single forest or multi forest,

8
00:00:18,700 --> 00:00:20,630
single domain or multi domain.

9
00:00:20,630 --> 00:00:24,510
It doesn't matter, but you've got your local Active Directory credentials.

10
00:00:24,510 --> 00:00:28,040
Your users sign into their domain‑joined workstations with,

11
00:00:28,040 --> 00:00:31,050
it could be their UPN, their User Principal Name,

12
00:00:31,050 --> 00:00:34,850
which uniquely identifies their account in the forest and has

13
00:00:34,850 --> 00:00:38,070
the same format as an SMTP email address.

14
00:00:38,070 --> 00:00:40,920
That's going to be important when we're planning hybrid identity.

15
00:00:40,920 --> 00:00:44,270
But then importantly, just as much, we have the local password.

16
00:00:44,270 --> 00:00:49,340
We want to give our local Active Directory users single sign‑on into CloudApp.

17
00:00:49,340 --> 00:00:53,470
Now CloudApp is an app that runs with Azure AD authentication.

18
00:00:53,470 --> 00:00:56,610
We could be talking about Microsoft, first‑party SaaS,

19
00:00:56,610 --> 00:00:59,940
or software as a service products like Microsoft 365,

20
00:00:59,940 --> 00:01:05,310
we could be talking about your homegrown native desktop or web or mobile apps,

21
00:01:05,310 --> 00:01:09,800
or we could be talking about SSO integrations to different providers,

22
00:01:09,800 --> 00:01:14,300
as you see here, SAP, Dropbox Business, even AWS.
23
00:01:14,300 --> 00:01:18,670
Azure Active Directory includes a whole bunch of programming already

24
00:01:18,670 --> 00:01:22,390
done for you to help set up those SSO federations.

25
00:01:22,390 --> 00:01:23,670
So long story short,

26
00:01:23,670 --> 00:01:27,800
how can we give our on‑premises Active Directory users the ability to

27
00:01:27,800 --> 00:01:30,590
sign into our cloud apps with their local credentials?

28
00:01:30,590 --> 00:01:35,360
We want to avoid having to give or saddle our users with additional credentials.

29
00:01:35,360 --> 00:01:38,520
When we're doing this AD Connect business,

30
00:01:38,520 --> 00:01:42,570
you have to think about, are you going to allow self‑service password reset,

31
00:01:42,570 --> 00:01:43,280
or SSPR?

32
00:01:43,280 --> 00:01:46,930
This is called password writeback where you allow your user

33
00:01:46,930 --> 00:01:49,200
to change their password in Azure AD.

34
00:01:49,200 --> 00:01:52,760
And if you do want the password change to go back across

35
00:01:52,760 --> 00:01:57,130
the Azure AD channel to on‑premises, this is something you have to think about,

36
00:01:57,130 --> 00:02:00,990
plan for, and implement when you're doing your Azure AD Connect setup.

37
00:02:00,990 --> 00:02:03,860
There are also a number of password sync options that we

38
00:02:03,860 --> 00:02:07,290
need to review for our exam AZ‑800 success.

39
00:02:07,290 --> 00:02:11,840
Azure AD Connect is a Windows service that runs on your local

40
00:02:11,840 --> 00:02:14,680
domain controllers and/or member servers.

41
00:02:14,680 --> 00:02:18,360
You'll want to install at least two of these Azure AD

42
00:02:18,360 --> 00:02:22,680
Connect services for high availability, and they operate over the internet.

43
00:02:22,680 --> 00:02:26,810
You don't have to have a site‑to‑site VPN or an ExpressRoute tunnel.

44
00:02:26,810 --> 00:02:33,040
We're talking about TCP 443 with TLS/SSL encryption.
45
00:02:33,040 --> 00:02:36,730
There are actually, as I alluded to at the overview part of this lesson,

46
00:02:36,730 --> 00:02:39,180
two Azure AD Connect options.

47
00:02:39,180 --> 00:02:42,850
In fact, this tool, this directory synchronization service,

48
00:02:42,850 --> 00:02:46,350
has been around for many years under many different names.

49
00:02:46,350 --> 00:02:51,190
It's just for the last few years, Microsoft has standardized on Azure AD Connect,

50
00:02:51,190 --> 00:02:53,590
and they revise the service regularly.

51
00:02:53,590 --> 00:02:58,140
It's still ongoing as of this recording in very early 2022.

52
00:02:58,140 --> 00:03:02,020
So let's compare and contrast Azure AD Connect on the left and

53
00:03:02,020 --> 00:03:04,410
Azure AD Connect cloud sync on the right.

54
00:03:04,410 --> 00:03:06,630
Well, let me let the cat out of the bag.

55
00:03:06,630 --> 00:03:12,280
AZ‑800 and 801 assume that you're using AAD Connect rather than cloud sync.

56
00:03:12,280 --> 00:03:14,480
So that's what I'm going to demo in this lesson.

57
00:03:14,480 --> 00:03:18,230
Azure AD Connect supports the synchronization of not only your

58
00:03:18,230 --> 00:03:20,290
Active Directory user and group accounts,

59
00:03:20,290 --> 00:03:23,140
but also device objects like computer accounts,

60
00:03:23,140 --> 00:03:28,440
and you also can map custom schema extensions or attributes that you

61
00:03:28,440 --> 00:03:31,600
might've added to your users and groups into Azure AD,

62
00:03:31,600 --> 00:03:32,580
which is pretty cool.

63
00:03:32,580 --> 00:03:35,920
Cloud sync can't do that, at least not yet, as of this recording.

64
00:03:35,920 --> 00:03:37,460
Passthrough authentication,

65
00:03:37,460 --> 00:03:40,200
which we'll formally define on the next slide, is

66
00:03:40,200 --> 00:03:45,600
supported only with AAD Connect, as is device and group membership writeback.
67
00:03:45,600 --> 00:03:48,150
If you make a group change in Azure AD,

68
00:03:48,150 --> 00:03:50,220
that change will go back across the channel.

69
00:03:50,220 --> 00:03:52,120
You can't do that yet with cloud sync.

70
00:03:52,120 --> 00:03:54,510
Now notice that I'm saying yet because I'm assuming

71
00:03:54,510 --> 00:03:57,910
eventually the cloud sync option will be in full feature

72
00:03:57,910 --> 00:04:00,950
parity with Azure AD Connect as it stands.

73
00:04:00,950 --> 00:04:04,840
A significant issue for some customers who are running Exchange Server in

74
00:04:04,840 --> 00:04:08,330
an Exchange Online/Exchange Server hybrid topology,

75
00:04:08,330 --> 00:04:11,270
Exchange hybrid writeback's available at this point only

76
00:04:11,270 --> 00:04:13,710
with AAD Connect, cross‑domain references.

77
00:04:13,710 --> 00:04:17,870
And then very importantly for our exam AZ‑800 success,

78
00:04:17,870 --> 00:04:21,480
Azure AD Domain Services integration only works with

79
00:04:21,480 --> 00:04:23,910
the full AAD Connect software.

80
00:04:23,910 --> 00:04:27,620
Bottom line is, although cloud sync is a great idea,

81
00:04:27,620 --> 00:04:31,240
it's going to be a little while before it's mature enough to where

82
00:04:31,240 --> 00:04:34,260
you can migrate from the one method to the other,

83
00:04:34,260 --> 00:04:37,440
or if you're greenfielding it where you're setting up

84
00:04:37,440 --> 00:04:41,470
hybrid identity from scratch now, whether you would go for cloud sync.

85
00:04:41,470 --> 00:04:43,260
Probably not, to be totally honest.
86
00:04:43,260 --> 00:04:47,330
The biggest advantage of Azure AD Connect cloud sync is

87
00:04:47,330 --> 00:04:49,660
instead of relying on client setup,

88
00:04:49,660 --> 00:04:52,670
the way that AAD Connect works normally is that you

89
00:04:52,670 --> 00:04:55,020
configure it completely on the client side,

90
00:04:55,020 --> 00:04:58,440
that is in your local environment on your infrastructure servers.

91
00:04:58,440 --> 00:05:02,000
And remember how I said you'll want to have two or more AAD Connect

92
00:05:02,000 --> 00:05:05,020
boxes running the service for high availability?

93
00:05:05,020 --> 00:05:06,540
Well, they don't talk to each other.

94
00:05:06,540 --> 00:05:09,340
So you've got to do all this stuff with only one

95
00:05:09,340 --> 00:05:11,130
instance that's actually running,

96
00:05:11,130 --> 00:05:15,940
and then you basically put the other instances in what's called staging mode.

97
00:05:15,940 --> 00:05:17,280
It's kind of a pain.

98
00:05:17,280 --> 00:05:21,320
Cloud sync gives you centralized cloud‑based command control

99
00:05:21,320 --> 00:05:24,330
over your synchronization, and you just deploy a more

100
00:05:24,330 --> 00:05:26,930
lightweight agent to multiple systems,

101
00:05:26,930 --> 00:05:30,830
and you do have that automatic failover and high availability.

102
00:05:30,830 --> 00:05:34,340
So that's the biggest advantage to the cloud sync model.

103
00:05:34,340 --> 00:05:38,140
Cloud sync also allows connectivity to disconnected forests,

104
00:05:38,140 --> 00:05:40,680
which AAD Connect does not support.

105
00:05:40,680 --> 00:05:49,000
That's really it at this point, as of this recording in very early 2022. Cloud sync is really still in its early days.