Exam Ref MS-100 Microsoft 365 Identity and Services

Chapter 2
Manage user identity and roles

A key aspect of deploying Microsoft 365 is ensuring that user identity is configured properly. When this is done, users are able to seamlessly access resources in the on-premises environment, as well as in the Microsoft 365 environment. If it is not done correctly, users have to juggle different accounts, depending on whether the accessible resources are hosted locally or in the cloud. In this chapter you will learn about designing an identity strategy, how to plan identity synchronization with Azure AD Connect, how to manage that synchronization, how to manage Azure AD identities, and how to manage Azure AD user roles.

Skills in this chapter:

Design identity strategy

Plan identity synchronization by using Azure AD Connect

Manage identity synchronization by using Azure AD Connect

Manage Azure AD identities

Manage user roles

SKILL 2.1: DESIGN IDENTITY STRATEGY

This skill deals with designing a strategy related to on-premises and cloud-based identity. To master this skill, you'll need to understand how to determine your organization's requirements when it comes to synchronization, what an appropriate identity management solution is, and what type of authentication solution is appropriate for your environment.

This section covers the following topics:

Evaluate requirements and solution for synchronization

Evaluate requirements and solution for identity management

Evaluate requirements and solution for authentication

Evaluate requirements and solution for synchronization


Synchronization is the process of replicating on-premises identities, such as users and groups, into the cloud. Synchronization is only necessary where an on-premises identity provider is present. In some synchronization models, every on-premises identity is replicated to the cloud. In other models, only a subset of the on-premises identities are replicated.

Another consideration in evaluating synchronization requirements is determining what information about a user's identity needs to be synchronized to the cloud. Depending on the model chosen, some or all of the properties of those on-premises identities can be replicated. For example, some organizations store sensitive private data about employees within Active Directory. Only replicating what is necessary is especially important given the increasing regulation of data involving personal information.

Should an organization choose, it is possible to perform a complete replication of every aspect of an Active Directory object to the cloud. For example, an organization can deploy a domain controller, SharePoint Farm, System Center, and Exchange Server in Azure IaaS VMs. You can have those VMs connected via VPN or an ExpressRoute connection to an on-premises Active Directory instance. In this scenario, the Azure IaaS VMs would essentially function as an expensive branch office site running in the Azure cloud.

When evaluating requirements and a solution for synchronization, consider the following questions:

Which identities need to be replicated to the cloud?

How often do those identities need to be replicated to the cloud?

What properties of those identities need to be replicated to the cloud?

Which identities to replicate?

Deployment of Microsoft 365 gives organizations an ability to assess their existing identity needs. If an organization has been using Active Directory for a long time, it's likely that objects don't need to be replicated to the cloud, and probably don't need to be in the on-premises Active Directory instance. It's a good idea, prior to implementing any Microsoft 365 replication scheme, to do a thorough audit of all of the objects that are present within the on-premises directory, and to clean out those that are no longer required or necessary.
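The audit described above can be scripted before any synchronization scope is decided. The following PowerShell is an added example, not code from the book or from Azure AD Connect; it assumes the ActiveDirectory RSAT module is available, and the staleness threshold in $InactiveDays and the export file names are assumptions you adjust. It only reports and exports candidates; it deletes nothing.

```powershell
# Added example (not from the book): pre-synchronization audit of on-premises
# Active Directory. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$InactiveDays = 90                                   # assumed staleness threshold
$SearchBase   = (Get-ADDomain).DistinguishedName     # whole domain; narrow to an OU if wanted
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Enabled users that have never logged on, or not within the threshold.
$enabledUsers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, Description
$staleUsers = $enabledUsers |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# Disabled users still present: candidates for removal before any sync scope is set.
$disabledUsers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false'

# Groups with no members rarely need to exist in Azure AD.
$emptyGroups = Get-ADGroup -SearchBase $SearchBase -Filter * -Properties Members |
    Where-Object { $_.Members.Count -eq 0 }

# Accounts whose password never expires are usually service accounts, which
# the chapter says typically stay on-premises rather than being replicated.
$serviceLike = Get-ADUser -SearchBase $SearchBase -Filter 'PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires

# Summary counts for the planning discussion.
[pscustomobject]@{
    EnabledUsersTotal = @($enabledUsers).Count
    StaleEnabledUsers = @($staleUsers).Count
    DisabledUsers     = @($disabledUsers).Count
    EmptyGroups       = @($emptyGroups).Count
    ServiceLikeUsers  = @($serviceLike).Count
}

# Export the candidate lists for review; clean-up is a separate, deliberate step.
$staleUsers    | Select-Object SamAccountName, LastLogonDate, Description |
    Export-Csv .\stale-users.csv -NoTypeInformation
$disabledUsers | Select-Object SamAccountName, DistinguishedName |
    Export-Csv .\disabled-users.csv -NoTypeInformation
$emptyGroups   | Select-Object SamAccountName, DistinguishedName |
    Export-Csv .\empty-groups.csv -NoTypeInformation
$serviceLike   | Select-Object SamAccountName, DistinguishedName |
    Export-Csv .\service-like-users.csv -NoTypeInformation
```

Run it with an account that can read the directory; nothing in it requires administrative rights. The CSV files give the team a concrete list to review before deciding which objects to delete, which to leave on-premises only, and which to bring into the synchronization scope.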

Another issue to address is whether every on-premises identity needs to be present in Azure Active Directory. Many organizations take a phased approach to the introduction of Microsoft 365, migrating small groups of users to the service rather than every user in the organization all at once. Users that are only present in the on-premises directory service won't need to have Microsoft 365 licenses assigned to them.

There are also special account types that are commonly present in an on-premises Active Directory instance that do not need to be replicated, or simply cannot be replicated, to Azure Active Directory. For example, there is no need to replicate service accounts or accounts that are used for specific administrative purposes for on-premises resources, such as the management of an on-premises SQL Server database server or other workload.

Another challenge to consider is that many on-premises environments are more complicated than a single Active Directory domain. Some organizations have multi-domain Active Directory forests and, as it is a recommended Microsoft secure administrative practice, an increasing number of large organizations have multi-forest deployments, such as having an Enhanced Security Administrative Environment (ESAE) forest to store privileged accounts for the production forest.

User accounts are not the only identity that an organization may wish to replicate to the cloud. It may be necessary to replicate some groups to the cloud because these groups may be useful in mediating access to Microsoft 365 workloads. For example, if your organization already has a local security group that is used to collect together members of the accounting team, you may want that group also present as a method of mediating access to resources and workloads within Microsoft 365.

How often to replicate?

When evaluating requirements and a solution for synchronization, you need to answer several important questions. For example, how often do the properties of an on-premises identity change, and how soon must those changes be present within Azure Active Directory?

You don't want a user who changes their password to have to wait 24 hours before that new password can be used against cloud identities. Similarly, if you deprovision a user account because a person's employment with the organization has been terminated, you'll want that action to be reflected in limiting access to Microsoft 365 workloads, rather than the user account having continued access for some time after their on-premises identity has been disabled.

While there can be bandwidth considerations around identity synchronization, the majority of such traffic is going to be the replication of changes, also known as "delta," rather than constant replications of the entire identity database. The amount of bandwidth consumed by delta identity synchronization traffic is often insignificant compared to the bandwidth consumed by other Microsoft 365 workloads and services.

Which properties to replicate?

Active Directory has been present at some organizations for almost two decades. One of the original selling points of Active Directory was that it could store far more information than just user names and passwords. Because of this, many organizations use Active Directory to store a substantive amount of information about personnel, including information about telephone numbers, position within the organization, and which branch office the user may be located at.

When considering a synchronization solution, determine which on-premises Active Directory attribute information needs to be replicated to Azure Active Directory. For example, you may have an application running in Azure that needs access to the Job Title, Department, Company, and Manager attributes, as shown in Figure 2-1.

Figure 2-1 Which attributes to replicate

Evaluate requirements and solution for identity management

Evaluating the requirements and solution for identity management first involves determining what your organization's source of authority is. The source of authority is the directory service that functions as the primary location for the creation and management of user and group accounts. You can choose between having an on-premises Active Directory instance function as a source of authority, or you can have Azure Active Directory function as the source of authority.

Even though Azure Active Directory is present in a hybrid deployment, the source of authority will be the on-premises Azure AD instance. Hybrid deployment accounts are used for authentication and authorization purposes with existing on-premises resources as well as Microsoft 365 workloads.

Source of authority is a very important concept when it comes to creating users and groups in an environment where Azure AD Connect is configured to synchronize an on-premises Active Directory with the Azure Active Directory instance that supports the Microsoft 365 tenancy. When you create a user or group in the on-premises Active Directory instance, the on-premises Active Directory instance retains authority over that object. Objects created within the on-premises Active Directory instance that are within the filtering scope of objects synchronized via Azure AD Connect will replicate to the Azure Active Directory instance that supports the Microsoft 365 tenancy.

Newly created on-premises user and group objects will only be present within the Azure Active Directory instance that supports the Microsoft 365 tenancy after synchronization has occurred. You can force synchronization to occur using the Azure AD Connect Synchronization Service Manager tool.

Evaluate requirements and solution for authentication

When evaluating authentication requirements, determine if your organization wants to still rely upon the traditional combination of user name and password, or if you want to move toward more sophisticated and secure authentication techniques, such as multi-factor authentication. When making this determination, many organizations will decide that more secure technologies are appropriate for sensitive accounts, such as those used for administrative tasks, and that the traditional method of user name and password will be sufficient for the majority of standard users.

Microsoft and Office 365 support a technology known as Modern Authentication. Modern Authentication provides a more secure authentication and authorization method than traditional authentication methods. Modern Authentication can be used with Microsoft 365 hybrid deployments that include Exchange Online and Teams. All Office and Microsoft 365 tenancies created after August 2017 that include Exchange Online have Modern Authentication enabled by default. Modern Authentication includes a combination of the following authentication and authorization methods, as well as secure access policies:

Authentication methods: Multi-factor authentication, Client Certificate-based authentication, and Active Directory Authentication Library (ADAL).

Authorization methods: Microsoft's implementation of OAuth (Open Authorization).

Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory Conditional Access.

More Info Hybrid Modern Authentication

You can learn more about Hybrid Modern Authentication at the following address: https://docs.microsoft.com/office365/enterprise/hybrid-modern-auth-overview.

Meeting the Azure AD Connect installation requirements

Prior to installing Azure AD Connect, you should ensure that your environment, the Azure AD Connect computer, and the account used to configure Azure AD Connect meet the software, hardware, and privilege requirements. So, you need to ensure that your Active Directory environment is configured at the appropriate level, that the computer on which you will run Azure AD Connect has the appropriate software and hardware configuration, and that the account used to install Azure AD Connect has been added to the appropriate security groups.

More Info Azure AD Connect Prerequisites

You can learn more about Azure AD Connect prerequisites at the following address: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites.

Azure AD and Office 365 requirements

Before you can install and configure Azure AD Connect, you need to ensure that you have configured an additional domain for Office 365. By default, an Azure AD tenant will allow 50,000 objects; however, when you add and verify an additional domain, this limit increases to 300,000 objects. If you require more than 300,000 objects in your Azure AD instance, you can open a support ticket with Microsoft. If you require more than 500,000 objects in your Azure AD instance, you'll need to acquire an Azure AD Premium or Enterprise Mobility and Security license.

On-premises Active Directory environment requirements

Azure AD Connect requires that the on-premises Active Directory environment be configured at the Windows Server 2003 forest functional level or higher. Forest functional level is dependent on the minimum domain functional level of any domain in a forest. For example, if you have five domains in a forest, with four of them running at the Windows Server 2012 R2 domain functional level, and one of them running at the Windows Server 2003 domain functional level, then Windows Server 2003 will be the maximum forest functional level. As Windows Server 2003 is no longer supported by Microsoft without a custom support agreement, your organization should have domain controllers at least running Windows Server 2008. Microsoft security best practice is to have domain controllers deployed with Microsoft's most recent version of the server operating system, so in theory you should have domain controllers running Windows Server 2016 or later. To support the Azure AD Connect password writeback functionality, you'll either need domain controllers running Windows Server 2008 R2 or Windows Server 2008 with all service packs applied as well as hotfix KB2386717.

You can check the forest functional level using the Active Directory Domains and Trusts console. To do this, perform the following steps:

1. Open the Active Directory Domains and Trusts console.

2. Select the Active Directory Domains and Trusts node.

3. On the Actions menu, click Raise Forest Functional Level.

4. The dialog box displays the current functional level and, if possible, provides you with the option of upgrading the forest functional level. Figure 2-2 shows the forest functional level configured at Windows Server 2012 R2, which is the highest possible forest functional level for an organization where all domain controllers are running the Windows Server 2012 R2 operating system. If all the domain controllers are running the Windows Server 2016 operating system, it is possible to raise the domain and forest functional level to Windows Server 2016.

Figure 2-2 Forest functional level

You can also check the forest functional level by using the following Microsoft PowerShell command:

(Get-ADForest).ForestMode
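The one-liner above reports only the forest level. Because the forest level is capped by the lowest domain level, which is in turn capped by the oldest domain controller operating system, a fuller picture is useful when checking the prerequisites from this section. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory RSAT module and an account that can read every domain in the forest, and it warns on the two conditions the text describes: a forest level below Windows Server 2003 and domain controllers running Windows Server 2008 without R2 (which need the service packs and hotfix mentioned above for password writeback).

```powershell
# Added example (not from the book): report forest and domain functional levels
# and the operating system of every domain controller, then flag levels that do
# not meet the Azure AD Connect prerequisites. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Output "Forest $($forest.Name) functional level: $($forest.ForestMode)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Output "  Domain $($domain.DNSRoot) functional level: $($domain.DomainMode)"

    # The oldest DC OS in a domain limits that domain's level, and the lowest
    # domain level limits the forest level, so list every DC with its OS.
    Get-ADDomainController -Filter * -Server $domain.DNSRoot |
        Sort-Object OperatingSystem |
        ForEach-Object {
            Write-Output ("    DC {0,-30} {1} ({2})" -f $_.HostName, $_.OperatingSystem, $_.OperatingSystemVersion)

            # Windows Server 2008 (non-R2) DCs need all service packs plus
            # hotfix KB2386717 before password writeback is supported.
            if ($_.OperatingSystem -match 'Windows Server 2008' -and $_.OperatingSystem -notmatch 'R2') {
                Write-Warning "$($_.HostName) runs Windows Server 2008: confirm service packs and KB2386717 before enabling password writeback."
            }
        }
}

# Azure AD Connect requires the Windows Server 2003 forest functional level or higher.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    Write-Warning "Forest functional level $($forest.ForestMode) is below Windows Server 2003; raise it before installing Azure AD Connect."
}
```

The ADForestMode enumeration orders functional levels chronologically, which is why a numeric comparison against Windows2003Forest is enough to detect an unsupported forest level. The warning about Windows Server 2008 is deliberately conservative: it does not attempt to verify that the hotfix is installed, only that the operating system is one where the check matters.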

Azure AD Connect Server requirements

Azure AD Connect is software that you install on a computer that manages the process of synchronizing objects between the on-premises Active Directory and the Azure Active Directory instance that supports the Microsoft 365 tenancy. You can install Azure AD Connect on computers running the following operating systems:

Windows Server 2008 (x86 and x64)

Windows Server 2008 R2 (x64)

Windows Server 2012 (x64)

Windows Server 2012 R2 (x64)

Windows Server 2016 (x64)

Windows Server 2019 (x64)

Azure AD Connect cannot be installed on Windows Server 2003. Given how Windows Server 2003 is no longer supported by Microsoft, and you are a diligent administrator, you will of course not have Windows Server 2003 in your environment.

Azure AD Connect has the following requirements:

Must be installed on a Windows Server instance that has the GUI version of the operating system installed. You cannot install Azure AD Connect on a computer running the Server Core operating system.

You can deploy Azure AD Connect on a computer that is either a domain controller, a member server or, if you use the custom options, a standalone server.

If installing on versions of Windows Server prior to Windows Server 2012, ensure that all service packs, updates, and relevant hotfixes are applied. As a diligent administrator, you have already done this so it isn't necessary to remind you of this.

If you want to use the password synchronization functionality, you need to ensure that Azure AD Connect is deployed on Windows Server 2008 R2 SP1 or later.

The server hosting Azure AD Connect requires .NET Framework 4.5.1 or later.

The server hosting Azure AD Connect requires Microsoft PowerShell 3.0 or later.

The server hosting Azure AD Connect must not have PowerShell Transcription enabled through Group Policy.

If you are deploying Azure AD Connect with Active Directory Federation Services, you must use Windows Server 2012 R2 or later for the Web Application Proxy, and Windows Remote Management must be enabled on the servers that will host AD FS roles.

If global administrators will have multifactor authentication (MFA) enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be configured as a trusted site.

Connectivity requirements

The computer with Azure AD Connect installed must be a member of a domain in the forest that you want to synchronize, and must have connectivity to a writable domain controller in each domain of the forest you wish to synchronize on the following ports:

DNS TCP/UDP Port 53

Kerberos TCP/UDP Port 88

RPC TCP Port 135

LDAP TCP/UDP Port 389

SSL TCP Port 443

SMB TCP Port 445

The computer with Azure AD Connect installed must be able to establish communication with the Microsoft Azure servers on the Internet over TCP port 443. The computer with Azure AD Connect installed can be located on an internal network as long as it can initiate communication on TCP port 443. The computer hosting Azure AD Connect does not need a publicly routable IP address. The computer hosting Azure AD Connect always initiates synchronization communication to Microsoft Azure. Microsoft Azure Active Directory does not initiate synchronization communication to the computer hosting Azure AD Connect on the on-premises network.

While you can install Azure AD Connect on a domain controller, Microsoft recommends that you deploy Azure AD Connect on a computer that does not host the domain controller role. If you are going to be replicating more than 50,000 objects, Microsoft recommends that you deploy SQL Server on a computer that is separate from the computer that will host Azure AD Connect. If you plan to host the SQL Server instance on a separate computer, ensure that communication is possible between the computer hosting Azure AD Connect and the computer hosting the SQL instance on TCP port 1433.
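The port requirements in this section can be verified from the prospective Azure AD Connect server before installation, so that a firewall rule rather than the installer is what fails. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory RSAT module, uses Test-NetConnection (which tests TCP only, so the UDP side of DNS, Kerberos and LDAP is not covered), and treats $SqlServer as an assumed placeholder for a remote SQL instance. The Azure endpoint tested is login.microsoftonline.com, an Azure AD sign-in endpoint, not a name taken from the book.

```powershell
# Added example (not from the book): test outbound reachability from the
# Azure AD Connect host to a writable DC in every forest domain on the ports
# listed above, plus TCP 443 to Azure AD and TCP 1433 to a remote SQL instance.
Import-Module ActiveDirectory

$dcPorts   = @{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SSL = 443; SMB = 445 }
$SqlServer = $null    # assumed placeholder, e.g. 'sql01.corp.example' for a remote SQL instance

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    # Test-NetConnection performs a TCP connect; suppress its own warning output.
    (Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

$results = @()
foreach ($domainName in (Get-ADForest).Domains) {
    # Discover a writable DC, since that is what Azure AD Connect must reach.
    $dc     = Get-ADDomainController -Discover -Writable -DomainName $domainName
    $dcHost = [string]$dc.HostName
    foreach ($entry in ($dcPorts.GetEnumerator() | Sort-Object Value)) {
        $results += [pscustomobject]@{
            Target = $dcHost; Service = $entry.Key; Port = $entry.Value
            Open   = Test-TcpPort -ComputerName $dcHost -Port $entry.Value
        }
    }
}

# Azure AD is only ever contacted outbound on 443; nothing inbound is required.
$results += [pscustomobject]@{
    Target = 'login.microsoftonline.com'; Service = 'Azure AD'; Port = 443
    Open   = Test-TcpPort -ComputerName 'login.microsoftonline.com' -Port 443
}

if ($SqlServer) {
    $results += [pscustomobject]@{
        Target = $SqlServer; Service = 'SQL Server'; Port = 1433
        Open   = Test-TcpPort -ComputerName $SqlServer -Port 1433
    }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning "$($_.Service) port $($_.Port) to $($_.Target) is not reachable."
}
```

A closed port in the output points at a firewall or routing gap between the Azure AD Connect host and that domain controller. Because the check runs from the host that will actually perform synchronization, it also confirms the direction the text describes: every connection is initiated from on-premises, so no inbound rule toward the Azure AD Connect server is needed.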

If you are going to use a separate SQL Server instance, ensure that the account used to install and configure Azure AD Connect has "systems administrator" rights on the SQL instance, and that the service account used for Azure AD Connect has "public" permissions on the Azure AD Connect database.

Hardware requirements

The hardware requirements of the computer that hosts Azure AD Connect depend upon the number of objects in the Active Directory environment that you need to sync. The greater the number of objects that you need to sync, the steeper the hardware requirements. Table 2-1 provides a guide to the requirements, with all configurations requiring at least a 1.6 GHz processor.

Table 2-1 Azure AD Connect computer hardware requirements

Number of objects in Active Directory   Memory   Storage
Fewer than 10,000                       4 GB     70 GB
10,000–50,000                           4 GB     70 GB
50,000–100,000                          16 GB    100 GB
100,000–300,000                         32 GB    300 GB
300,000–600,000                         32 GB    450 GB
More than 600,000                       32 GB    500 GB

It's important to note that during the planning phase, a new Microsoft 365 tenancy has a limit of 50,000 objects. However, once the first domain is verified, this limit is increased to 300,000 objects. Organizations that need to store more than 300,000 objects in an Azure Active Directory instance that supports a Microsoft 365 tenancy should contact Microsoft Support.

SQL Server requirements

When you deploy Azure AD Connect, you have the option of having Azure AD Connect install a SQL Server Express instance, or you can choose to have Azure AD Connect leverage a full instance of SQL Server. SQL Server Express is limited to a maximum database size of 10 GB. In terms of Azure AD Connect, this means that Azure AD Connect is only able to manage 100,000 objects. This is likely to be adequate for all but the largest environments.

For environments that require Azure AD Connect to manage more than 100,000 objects, you'll need to have Azure AD Connect leverage a full instance of SQL Server. Azure AD Connect can use all versions of Microsoft SQL Server, from Microsoft SQL Server 2008 with the most recent service pack through to SQL Server 2017. It is important to note that SQL Azure is not supported as a database for Azure AD Connect. If deploying a full instance of SQL Server to support Azure AD Connect, ensure that the following prerequisites are met:

Use a case-insensitive SQL collation: Case insensitive collations have the _CI_ identifier included in their name. Case sensitive collations (those that use the _CS_ designation) are not supported for use with Azure AD Connect.

You can only use one sync engine per SQL instance: If you have an additional Azure AD Connect sync engine, or if you are using Microsoft Identity Manager in your environment, each sync engine requires its own separate SQL instance.
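Both the collation prerequisite above and the "systems administrator" rights requirement from the connectivity section can be confirmed against the remote SQL instance before running the installer. The following PowerShell is an added example, not code from the book or from Azure AD Connect; it uses System.Data.SqlClient with integrated Windows authentication, so run it as the account you intend to install Azure AD Connect with, and $SqlInstance is an assumed placeholder. The connection string requests an encrypted connection and does not trust an unvalidated server certificate; if the instance uses a self-signed certificate the connection will fail, which is the intended behaviour rather than a bug.

```powershell
# Added example (not from the book): check a SQL Server instance intended for
# Azure AD Connect for a case-insensitive collation and confirm the current
# Windows account holds the sysadmin server role.
$SqlInstance = 'sql01.corp.example'   # assumed placeholder; replace with your instance

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # SERVERPROPERTY returns sql_variant; cast so the values read back as strings.
    $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))      AS Collation,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS ProductVersion,
       IS_SRVROLEMEMBER('sysadmin')                            AS IsSysadmin
"@
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $info = [pscustomobject]@{
        Instance       = $SqlInstance
        Collation      = [string]$reader['Collation']
        ProductVersion = [string]$reader['ProductVersion']
        # IS_SRVROLEMEMBER returns 1, 0 or NULL; only 1 means the role is held.
        IsSysadmin     = ($reader['IsSysadmin'] -eq 1)
    }
    $reader.Close()
}
finally {
    $conn.Close()
}

$info

# Azure AD Connect requires a _CI_ (case-insensitive) collation; _CS_ is unsupported.
if ($info.Collation -notmatch '_CI_') {
    Write-Warning "Collation '$($info.Collation)' is not case-insensitive; Azure AD Connect requires a _CI_ collation."
}
# The installing account needs sysadmin on the instance.
if (-not $info.IsSysadmin) {
    Write-Warning "The current account is not a member of the sysadmin role on $SqlInstance."
}
```

The collation check is on the server default collation, which is what a database created by the Azure AD Connect installer inherits. The sysadmin check reflects whichever Windows account runs the script, which is why it should be executed under the installation account rather than a personal administrative login.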

Installation account requirements

The accounts that you use to install and configure Azure AD Connect have the following requirements:

The account used to configure Azure AD Connect must have the Administrator permission in the Microsoft 365 tenant. If you create a service account in Microsoft 365 to use in place of the account with tenant administrator permissions, ensure that you configure the account with a password that does not expire.

The account used to install and configure Azure AD Connect must have Enterprise Administrator permissions within the on-premises Active Directory forest if you will be using express installation settings. This account is only required during installation and configuration. Once Azure AD Connect is installed and configured, this account no longer needs Enterprise Administrator permissions. Best practice is to create a separate account for Azure AD Connect installation and configuration and to temporarily add this account to the Enterprise Admins group during the installation and configuration process. Once Azure AD Connect is installed and configured, this account can be removed from the Enterprise Admins group. You should not attempt to change the account used after Azure AD Connect is set up and configured, since Azure AD Connect always attempts to run using the original account.

The account used to install and configure Azure AD Connect must be a member of the local Administrators group on the computer on which Azure AD Connect is installed.

Installing Azure AD Connect

Installing Azure AD Connect with express settings is appropriate if your organization has a single Active Directory forest and you wish to use password synchronization for authentication. The Azure AD Connect express settings are appropriate for most organizations. To obtain Azure AD Connect, download it from the following website: https://www.microsoft.com/download/details.aspx?id=47594.

To install Azure AD Connect with Express settings, perform the following steps:

1. Double-click on the AzureADConnect.msi file that you've downloaded from the Microsoft download center and click Run on the security warning shown in Figure 2-3.

Figure 2-3 File security warning

2. Azure AD Connect will be installed on your computer. When the installation is complete, you will be presented with the splash screen. You must agree to the license terms and privacy notice as shown in Figure 2-4 and then click Continue.

Figure 2-4 Welcome to Azure AD Connect

3. If your organization has an internal non-routable domain, it will be necessary for you to use custom settings. Figure 2-5 shows the non-routable domain epistemicus.internal in use. To use custom settings, click Customize.

Figure 2-5 Express settings

4. On the Install Required Components page, shown in Figure 2-6, choose between the following options.

Figure 2-6 Install Required Components

    1. Specify a custom installation location: Choose this option if you want to install Azure AD Connect in a separate location, such as on another volume.

    2. Specify an existing SQL Server: Choose this option if you want to specify an alternate SQL Server instance. By default, Azure AD Connect will install a SQL Server Express instance.

    3. Use an existing service account: You can configure Azure AD Connect to use an existing service account. By default, Azure AD Connect will create a service account. You can configure Azure AD Connect to use a Group Managed Service Account if you are installing Azure AD Connect on a computer running Windows Server 2012 or later. You'll need to use an existing service account if you are using Azure AD Connect with a remote SQL Server instance or if communication with Azure will occur through a proxy server that requires authentication.

    4. Specify custom sync groups: When you deploy Azure AD Connect, it will create four local groups on the server that hosts the Azure AD Connect instance. These groups are the Administrators group, Operators group, Password Reset group, and the Browse group. If you want to use your own set of groups, you can specify them here. These groups must be local to the host server and not a member of the domain.

5. Once you have specified which custom options you require (you can select none if you want, but you have to perform a custom installation because you have a non-routable domain on-premises), click Install.

6. On the User sign-in page, shown in Figure 2-7, specify what type of sign-on you want to allow. You can choose between the following options, the details of which were covered earlier in this chapter, with most organizations choosing password synchronization as this is the most straightforward:

    1. Password Synchronization

    2. Pass-through authentication

    3. Federation with AD FS

    4. Federation with PingFederate

    5. Do not configure

    6. Enable single sign-on

Figure 2-7 User sign-in options

7. On the Connect To Azure AD page, provide the credentials of a global admin account. Microsoft recommends you use an account in the default onmicrosoft.com domain associated with the Azure AD instance you will be connecting to. If you choose the Federation with AD FS option, ensure that you do not sign in using an account in a domain that you will enable for federation. Figure 2-8 shows sign-in with a password synchronization scenario.

Figure 2-8 Connect to Azure AD

8. Once Azure AD Connect has connected to Azure AD, you will be able to specify the directory type to synchronize as well as the forest. Click Add Directory to add a specific forest. When you add a forest by clicking Add Directory, you will need to specify the credentials of an account that will perform periodic synchronization. Unless you are certain that you have applied the minimum necessary privileges to an account, you should provide Enterprise Administrator credentials and allow Azure AD Connect to create the account as shown in Figure 2-9. This will ensure that the account is only assigned the privileges necessary to perform synchronization tasks.

Figure 2-9 AD Forest Account

9. Once the credentials have been verified, as shown in Figure 2-10, click Next.

Figure 2-10 Connect Your Directories

10. On the Azure AD Sign-In configuration page, shown in Figure 2-11, review the UPN suffixes and then inspect the on-premises attribute to use as the Azure AD username. You must ensure that accounts use a routable Azure AD username: the UPN suffix must correspond to a domain that is verified in the tenant.

Figure 2-11 Azure AD Sign-In Configuration

11. On the Domain And OU Filtering page, shown in Figure 2-12, select whether you want to sync all objects, or just objects in specific domains and OUs.

Figure 2-12 Domain And OU Filtering

12. On the Uniquely Identifying Users page, shown in Figure 2-13, specify how users are to be identified. By default, users should have only one representation across all directories. If users exist in multiple directories, you can have matches identified by a specific Active Directory attribute, the default being the mail attribute.

Figure 2-13 Uniquely Identifying Users

13. On the Filter Users And Devices page, specify whether you want to synchronize all users and devices, or only members of a specific group. Figure 2-14 shows members of the Microsoft 365-Pilot-Users group being configured so that their accounts will be synchronized with Azure AD. Group-based filtering is intended for pilot deployments rather than as a long-term filtering mechanism.

Figure 2-14 Filter Users And Devices

14. On the Optional Features page, shown in Figure 2-15, select any optional features that you want to configure. These features include the following.

Figure 2-15 Optional Features

1. Exchange hybrid deployment

2. Exchange Mail Public Folders

3. Azure AD app and attribute filtering

4. Password synchronization

5. Password writeback

6. Group writeback

7. Device writeback

8. Directory extension attribute sync

15. On the Ready To Configure page, shown in Figure 2-16, you can choose to start synchronization or to enable staging mode. In staging mode the server imports and synchronizes but does not export, so no data is written to Azure AD (or back to on-premises Active Directory).

Figure 2-16 Ready To Configure

More Info Azure AD Connect Custom Installation

To install Azure AD Connect with custom settings, consult the following article: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom.

Identifying synchronized attributes

Azure AD Connect synchronizes some, but not all, attributes from the on-premises Active Directory instance to the Azure Active Directory instance that supports a Microsoft 365 tenancy. 143 separate attributes synchronize, depending on whether the object is a user account, a group account, or a mail-enabled contact object. These attributes are listed in Table 2-2.

Table 2-2 List of attributes synchronized by Azure AD Connect

accountEnabled                  msExchArchiveGUID
assistant                       msExchArchiveName
altRecipient                    msExchArchiveStatus
authOrig                        msExchAssistantName
c                               msExchAuditAdmin
cn                              msExchAuditDelegate
co                              msExchAuditDelegateAdmin
company                         msExchAuditOwner
countryCode                     msExchBlockedSendersHash
department                      msExchBypassAudit
description                     msExchBypassModerationFromDLMembersLink
displayName                     msExchBypassModerationLink
dLMemRejectPerms                msExchCoManagedByLink
dLMemSubmitPerms                msExchDelegateListLink
extensionAttribute1             msExchELCExpirySuspensionEnd
extensionAttribute10            msExchELCExpirySuspensionStart
extensionAttribute11            msExchELCMailboxFlags
extensionAttribute12            msExchEnableModeration
extensionAttribute13            msExchExtensionCustomAttribute1
extensionAttribute14            msExchExtensionCustomAttribute2
extensionAttribute15            msExchExtensionCustomAttribute3
extensionAttribute2             msExchExtensionCustomAttribute4
extensionAttribute3             msExchExtensionCustomAttribute5
extensionAttribute4             msExchGroupDepartRestriction
extensionAttribute5             msExchGroupJoinRestriction
extensionAttribute6             msExchHideFromAddressLists
extensionAttribute7             msExchImmutableID
extensionAttribute8             msExchLitigationHoldDate
extensionAttribute9             msExchLitigationHoldOwner
facsimileTelephoneNumber        msExchMailboxGuid
givenName                       msExchMailboxAuditEnable
groupType                       msExchMailboxAuditLogAgeLimit
hideDLMembership                msExchModeratedByLink
homePhone                       msExchModerationFlags
info                            msExchRecipientDisplayType
initials                        msExchRecipientTypeDetails
ipPhone                         msExchRemoteRecipientType
l                               msExchRequireAuthToSendTo
legacyExchangeDN                msExchResourceCapacity
mail                            msExchResourceDisplay
mailNickname                    msExchResourceMetaData
managedBy                       msExchResourceSearchProperties
manager                         msExchRetentionComment
member                          msExchRetentionURL
middleName                      msExchSafeRecipientsHash
mobile                          msExchSafeSendersHash
msDS-HABSeniorityIndex          msExchSenderHintTranslations
msDS-PhoneticDisplayName        msExchTeamMailboxExpiration

More Info Attributes Synchronized by Azure AD Connect

You can learn more about which attributes are synchronized by Azure AD Connect at https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized.

Exam Tip

Remember the Azure AD Connect prerequisites.

SKILL 2.2: PLAN IDENTITY SYNCHRONIZATION BY USING AZURE AD CONNECT

This skill section deals with planning the implementation of identity synchronization using Azure AD Connect as the synchronization solution. To master this skill, you'll need to understand some of the information you learned about in the previous skill as well as how to implement an appropriate Azure AD Connect sign-on option.

This section covers the following topics:

Design directory synchronization

Implement directory synchronization with directory services, federation services, and Azure endpoints

Azure Active Directory Connect

Azure AD Connect is designed to streamline the process of configuring connections between an on-premises deployment and an Azure AD instance. The Azure Active Directory Connect tool is designed to make the process of configuring synchronization between an on-premises Active Directory deployment and Azure Active Directory as frictionless as possible.

Azure Active Directory Connect can automatically configure and install simple password synchronization or Federation / Single Sign-on, depending on your organizational needs. When you choose the Federation with AD FS option, Active Directory Federation Services is installed and configured, as well as a Web Application Proxy server to facilitate communication between the on-premises AD FS deployment and Microsoft Azure Active Directory.

The Azure Active Directory Connect tool supports the following optional features, as shown in Figure 2-17:

Exchange hybrid deployment This option is suitable for organizations that have an Office 365 deployment where there are mailboxes hosted both on-premises and in the cloud.

Exchange mail public folders This feature allows organizations to synchronize mail-enabled public folder objects from an on-premises Active Directory environment to Microsoft 365.

Azure AD app and attribute filtering Selecting this option gives you the ability to be more selective about which attributes are synchronized between the on-premises environment and Azure AD.

Password synchronization Synchronizes a derivative of the user's on-premises password hash to Azure AD: the on-premises NT hash is salted and re-hashed before it is sent, so neither the password nor the original hash leaves the environment. When the user authenticates to Azure AD, the submitted password is processed the same way, and if the results match, the user is authenticated. Each time the user updates their password on-premises, the updated value synchronizes to Azure AD.

Password writeback Password writeback allows users to change their passwords in the cloud and have the changed password written back to the on-premises Active Directory instance.

Group writeback Changes made to groups in Azure AD are written back to the on-premises AD instance.

Device writeback Information about devices registered by the user in Azure AD is written back to the on-premises AD instance.

Directory extension attribute sync Allows you to extend the Azure AD schema based on extensions made to your organization's on-premises Active Directory instance.

Figure 2-17 Azure Active Directory Connect optional features

More Info Azure Active Directory Connect

You can learn more about Azure Active Directory Connect at https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect.

Cleaning up existing Active Directory objects

Before you deploy Azure AD Connect, it is prudent to ensure that your on-premises Active Directory environment is healthy. You should also have an excellent understanding of the current state of the Active Directory environment. This should include performing an audit to determine the following:

Do any Active Directory objects use invalid characters?

Do any Active Directory objects have incorrect User Principal Names (UPNs)?

What are the current domain and forest functional levels?

Are any schema extensions or custom attributes in use?

Prior to deploying Azure AD Connect, you should ensure that you have performed the following tasks.

Remove any duplicate proxyAddresses attributes.

Remove any duplicate userPrincipalName attributes.

Ensure that blank or invalid userPrincipalName attribute settings have been altered so that the setting contains only a valid UPN.

Ensure that for user accounts the sn and sAMAccountName attributes have been assigned values.

Ensure that for group accounts, the member, alias (mailNickname), and displayName (for groups with a valid mail or proxyAddresses attribute) are populated.

Ensure that the following attributes do not contain invalid characters:

givenName

sn

sAMAccountName

displayName

mail

proxyAddresses

mailNickname

UPNs that are used with Office 365 can only contain the following characters:

Letters

Numbers

Periods

Dashes

Underscores

Rather than having to perform this operation manually, Microsoft provides some tools that allow you to automatically remediate problems that might exist with attributes prior to deploying Azure AD Connect.
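The audit above is the sort of check you would want to script rather than eyeball. The following PowerShell, added here as an illustration and not taken from the book or from IdFix, applies the duplicate, blank-attribute, UPN-suffix and invalid-character checks to a set of user objects. The sample objects, the epistemicus.com and epistemicus.onmicrosoft.com suffixes and the Test-SyncReadiness function name are constructed for the example; against a live forest you would replace the sample array with the output of Get-ADUser.

```powershell
# Added example, not from the book or from IdFix: a pre-sync readiness audit.
# Sample objects and suffixes are constructed for illustration; against a live forest,
# replace $Users with:
#   Get-ADUser -Filter * -Properties userPrincipalName, proxyAddresses, sn, givenName,
#       displayName, mail, mailNickname

# UPN suffixes verified in the tenant (assumed values for this example).
$ValidSuffixes = @('epistemicus.com', 'epistemicus.onmicrosoft.com')

# Constructed sample data standing in for Get-ADUser output.
$Users = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   userPrincipalName = 'jdoe@epistemicus.com'
                       sn = 'Doe';   givenName = 'Jane'; proxyAddresses = @('SMTP:jdoe@epistemicus.com') }
    [pscustomobject]@{ sAMAccountName = 'bsmith'; userPrincipalName = 'bsmith@epistemicus.internal'
                       sn = 'Smith'; givenName = 'Bob';  proxyAddresses = @('SMTP:bsmith@epistemicus.com') }
    [pscustomobject]@{ sAMAccountName = 'svc01';  userPrincipalName = ''
                       sn = '';      givenName = 'Svc';  proxyAddresses = @() }
    [pscustomobject]@{ sAMAccountName = 'alee';   userPrincipalName = 'a lee@epistemicus.com'
                       sn = 'Lee';   givenName = 'Ann';  proxyAddresses = @('SMTP:jdoe@epistemicus.com') }
)

function Test-SyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Objects,
        [Parameter(Mandatory)] [string[]] $ValidSuffixes,
        # Microsoft 365 accepts letters, numbers, periods, dashes and underscores in a UPN.
        [string] $LocalPartPattern = '^[A-Za-z0-9._-]+$'
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    $report = {
        param($Obj, $Attr, $Problem)
        $findings.Add([pscustomobject]@{ sAMAccountName = $Obj.sAMAccountName; Attribute = $Attr; Problem = $Problem })
    }

    # Duplicates are detected across the whole set: UPNs and proxy addresses must be unique.
    $dupUpns    = @($Objects | Where-Object { $_.userPrincipalName } |
                    Group-Object userPrincipalName | Where-Object Count -gt 1 | ForEach-Object Name)
    $dupProxies = @($Objects | ForEach-Object { $_.proxyAddresses } |
                    Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)

    foreach ($u in $Objects) {
        if ([string]::IsNullOrWhiteSpace($u.userPrincipalName)) {
            & $report $u 'userPrincipalName' 'blank'
        } else {
            $local, $suffix = $u.userPrincipalName -split '@', 2
            if ($local -notmatch $LocalPartPattern) { & $report $u 'userPrincipalName' 'invalid characters' }
            if ($suffix -notin $ValidSuffixes)      { & $report $u 'userPrincipalName' "non-routable suffix '$suffix'" }
            if ($u.userPrincipalName -in $dupUpns)  { & $report $u 'userPrincipalName' 'duplicate' }
        }

        # sn and sAMAccountName must be populated on user accounts.
        foreach ($attr in 'sn', 'sAMAccountName') {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) { & $report $u $attr 'blank' }
        }

        # A proxy address that appears on more than one object blocks both from syncing.
        foreach ($p in $u.proxyAddresses) {
            if ($p -in $dupProxies) { & $report $u 'proxyAddresses' "duplicate '$p'" }
        }
    }
    return $findings
}

Test-SyncReadiness -Objects $Users -ValidSuffixes $ValidSuffixes | Format-Table -AutoSize
```

On the constructed data the audit flags bsmith for a non-routable suffix, svc01 for a blank UPN and blank sn, alee for a space in the UPN local part, and both jdoe and alee for sharing the same SMTP proxy address. The checks are deliberately read-only; the repairs belong in a separate, reviewed step (IdFix, ADModify.NET, or a Set-ADUser script) run under an account with write access to those objects.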

IdFix
The IdFix tool, which you can download from Microsoft's website, allows you to scan an Active Directory instance to determine if any user accounts, group accounts, or contacts have problems that will cause them not to synchronize between the on-premises instance of Active Directory and the Microsoft 365 instance of Azure Active Directory. IdFix can also perform repairs on objects that would otherwise be unable to sync. IdFix runs in the security context of the currently signed-on user. This means that if you want to use IdFix to repair objects in the forest that have problems, the account you use to run IdFix must have permissions to modify those objects; run the initial scan with a low-privileged account and switch to an account with write access only when you apply the repairs. The IdFix tool is shown in Figure 2-18, displaying an account detected with an incorrectly configured userPrincipalName.

Figure 2-18 IdFix finds user with a problematic UPN

More Info IDFIX

You can download IdFix at the following address: https://www.microsoft.com/download/details.aspx?id=36832.

ADModify.NET
ADModify.NET is a tool that allows you to make changes to specific attributes for multiple objects. If you are using ADSIEdit or the Advanced mode of the Active Directory Users and Computers console, you are only able to modify the attribute of one object at a time. For example, Figure 2-19 shows ADModify.NET used to modify the format of the userPrincipalName attribute for a number of user accounts so that it conforms to a specific format.

Figure 2-19 ADModify.NET

You can also use ADModify.NET to perform other system administration tasks, such as configuring a large number of accounts so that the users have to change their password at next logon, or disabling multiple accounts.

More Info ADMODIFY.NET

You can learn more about ADModify.NET at: https://archive.codeplex.com/?p=admodify.

Using UPN suffixes and non-routable domains

Prior to performing synchronization between an on-premises Active Directory environment and an Azure Active Directory instance used to support a Microsoft 365 tenancy, you must ensure that all user account objects in the on-premises Active Directory environment are configured with a value for the UPN suffix that is able to function for both the on-premises environment and Microsoft 365.

This is not a problem when an organization's internal Active Directory domain suffix is a publicly routable domain. For example, a domain name such as contoso.com or adatum.com that is resolvable by public DNS servers will suffice. Things become more complicated when the organization's internal Active Directory domain suffix is not publicly routable. For example, Figure 2-20 shows the adatum346ER.internal non-routable domain.

Figure 2-20 Non-routable domain

If a domain is non-routable, a domain that is verified in the tenant must be used for the Microsoft 365 UPN suffix; the default routing domain, such as adatum346ER.onmicrosoft.com, works, but a verified custom domain is the usual choice. This requires modifying the UPN suffix of accounts stored in the on-premises Active Directory instance. Changing UPNs after initial synchronization has occurred is disruptive and is not supported in all configurations, so you need to ensure that on-premises Active Directory UPNs are properly configured prior to performing initial synchronization using Azure AD Connect.

Perform the following steps to add a UPN suffix to the on-premises Active Directory in the event that the Active Directory domain uses a non-routable namespace:

1. Open the Active Directory Domains And Trusts console and select Active Directory Domains And Trusts.

2. On the Action menu, click Properties.

3. On the UPN Suffixes tab, enter the UPN suffix to be used with Microsoft 365. Figure 2-21 shows the UPN suffix of epistemicus.com.

Figure 2-21 Routable domain

4. Once the UPN suffix has been added in Active Directory Domains And Trusts, you can assign the UPN suffix to user accounts. You can do this manually, as shown in Figure 2-22, by using the Account tab of the user's properties dialog box in Active Directory Users And Computers.

Figure 2-22 Configure UPN

5. You can use tools like ADModify.NET to reset the UPNs of multiple accounts, as shown in Figure 2-23.

Figure 2-23 ADModify.NET

6. You can also use Microsoft PowerShell scripts to reset the UPNs of multiple user accounts. For example, the following script resets the UPN suffixes of all user accounts in the epistemicus.internal domain to epistemicus.onmicrosoft.com. The same script with the verified custom domain in place of epistemicus.onmicrosoft.com sets a custom routable suffix instead; run Set-ADUser with -WhatIf first to review the changes before applying them to every account.

# Requires the ActiveDirectory module (RSAT) and an account with write access to the user objects.
Import-Module ActiveDirectory

Get-ADUser -Filter {UserPrincipalName -like "*@epistemicus.internal"} `
    -SearchBase "DC=epistemicus,DC=internal" |
    ForEach-Object {
        # Replace only the suffix; the local part of the UPN is preserved.
        $UPN = $_.UserPrincipalName.Replace("epistemicus.internal", "epistemicus.onmicrosoft.com")
        Set-ADUser $_ -UserPrincipalName $UPN
    }

Azure AD Connect sign-on options

Azure AD Connect supports a variety of sign-in options. You configure which one you want to use when setting up Azure AD Connect, as shown in Figure 2-24. The default method, Password Synchronization, is appropriate for the majority of organizations that will use Azure AD Connect to synchronize identities to the cloud.

Figure 2-24 User sign-in

Password synchronization
Hashes of on-premises Active Directory user passwords synchronize to Azure AD, and changed passwords synchronize to Azure AD within minutes (the password sync channel runs independently of the regular sync cycle, typically every two minutes). Actual passwords are never sent to Azure AD and are not stored in Azure AD. When combined with the Enable single sign-on option (Seamless Single Sign-On), this allows single sign-on for users of computers that are joined to an Active Directory domain that synchronizes to Azure AD. Password synchronization also allows you to enable password writeback for self-service password reset functionality through Azure AD.

Pass-through authentication
When authenticating to Azure AD, the user's password is validated against an on-premises Active Directory domain controller. Passwords and password hashes are not present in Azure AD. Pass-through authentication allows on-premises password policies to apply. Pass-through authentication requires that Azure AD Connect have an agent on a computer joined to the domain that hosts the Active Directory instance that contains the relevant user accounts. Pass-through authentication also allows single sign-on for users of domain-joined machines when Seamless Single Sign-On is enabled.

With pass-through authentication, the user's password is validated against the on-premises Active Directory domain controller. The password doesn't need to be present in Azure AD in any form. This allows on-premises policies, such as sign-in hour restrictions, to be evaluated during authentication to cloud services.

Pass-through authentication uses a simple agent on a Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 domain-joined machine in the on-premises environment. This agent listens for password validation requests. It doesn't require any inbound ports to be open to the Internet: the agent makes outbound connections to Azure AD and retrieves validation requests over them. Deploy more than one agent on separate servers so that cloud sign-in does not depend on a single machine.

In addition, you can also enable single sign-on for users on domain-joined machines that are on the corporate network. With single sign-on enabled, users only need to enter a username to securely access cloud resources.

Active Directory Federation
This allows users to authenticate to Azure AD resources using on-premises credentials. It also requires the deployment of an Active Directory Federation Services infrastructure. This is the most complicated identity synchronization configuration for Microsoft 365 and is only likely to be implemented in environments with complicated identity configurations.

More Info Azure AD Connect Sign-In Options

To learn more about sign-in options, consult the following article: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-user-signin.

Exam Tip

Remember the difference between password synchronization and pass-through authentication.

SKILL 2.3: MANAGE IDENTITY SYNCHRONIZATION BY USING AZURE AD CONNECT

This skill section deals with the process of managing identity synchronization with Azure AD Connect once it has been deployed. To master this skill you'll need to understand how to monitor Azure AD Connect Health, manage Azure AD Connect synchronization, configure object filters, and configure password synchronization.

This section covers the following topics:

Monitor Azure AD Connect Health

Manage Azure AD Connect synchronization

Configure object filters

Configure password sync

Implement multi-forest AD Connect scenarios

Monitor Azure AD Connect Health

Azure AD Connect Health is a tool available in the Azure Active Directory Admin Center, shown in Figure 2-25, that allows you to monitor the health of synchronization between your organization's on-premises directory and Azure Active Directory.

Figure 2-25 Azure AD Connect Health

You can use Azure AD Connect Health to view information about:

Synchronization errors This displays errors including duplicate attributes, data mismatch, data validation failure, large attributes, Federated Domain Change, and Existing Admin Role Conflicts.

Synchronization services This provides information about which services are synchronizing with Azure Active Directory.

AD FS services Information about AD FS when Azure AD Connect is configured for federation. Includes information about errors and issues.

AD DS services Information about domains and forests connected to Azure Active Directory.

More Info Azure AD Connect Health

You can learn more about Azure AD Connect Health at: https://docs.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect.

Manage Azure AD Connect synchronization

You can manage synchronization using a variety of tools, including PowerShell cmdlets that are part of the ADSync PowerShell module. This module is automatically installed on a computer when you install Azure AD Connect.

To view the current configuration of the scheduler, you can run the Get-ADSyncScheduler cmdlet. The output of this cmdlet is shown in Figure 2-26.

Figure 2-26 Get-ADSyncScheduler

The output of this cmdlet provides the following information:

AllowedSyncCycleInterval Minimum interval between sync cycles supported by Microsoft. If you sync more often than this interval, your configuration will be deemed unsupported.

CurrentlyEffectiveSyncCycleInterval The schedule that currently applies.

CustomizedSyncCycleInterval Used when you have a custom schedule applied.

NextSyncCyclePolicyType Specifies whether the next sync is a full synchronization or a delta synchronization.

NextSyncCycleStartTimeInUTC The time when the next sync cycle will occur according to the schedule.

PurgeRunHistoryInterval Specifies how long the logs should be kept.

SyncCycleEnabled Specifies whether the scheduler is running an import, sync, or export process as part of its execution.

MaintenanceEnabled Specifies if the maintenance process is enabled.

StagingModeEnabled Lists whether staging mode is enabled.

SyncCycleInProgress Specifies whether synchronization is actually occurring.

You can use the Set-ADSyncScheduler cmdlet to configure the following settings that are displayed when you run the Get-ADSyncScheduler cmdlet:

CustomizedSyncCycleInterval

NextSyncCyclePolicyType

PurgeRunHistoryInterval

SyncCycleEnabled

MaintenanceEnabled

More Info Managing the Scheduler

You can learn more about managing the Azure AD Connect scheduler at: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler.

Forcing synchronization
By default, synchronization occurs between the on-premises directory and Azure AD every 30 minutes. In some cases you'll make a change to a user account or create a collection of user accounts and want to get those changes or new accounts into the Azure Active Directory instance that supports the Office 365 tenancy as fast as possible. You can force synchronization by running the Azure AD Connect wizard again, or you can use the Synchronization Service Manager.

To perform a full synchronization using Synchronization Service Manager, perform the following steps:

1. Open the Synchronization Service Manager, either by clicking Synchronization Service from the Start menu, or by running miisclient.exe located in the C:\Program Files\Microsoft Azure AD Sync\UIShell folder.

2. Click the Connectors tab.

3. On the Connectors tab, click the name of your Active Directory domain service, as shown in Figure 2-27.

Figure 2-27 Synchronization Service Manager

4. On the Actions pane, click Run.

5. On the Run Management Agent dialog box, select Full Synchronization, as shown in Figure 2-28.

Figure 2-28 Full Synchronization

Rather than performing a Full Sync, you can trigger one of the following types of synchronization using the Synchronization Service Manager:

Full Synchronization Performs a full synchronization

Delta Import Imports changed schema and objects

Delta Synchronization Synchronizes only objects changed since the last sync

Export Writes pending changes from the connector space out to the connected directory (to Azure AD for the Azure AD connector; to on-premises Active Directory for the AD connector when writeback features are enabled)

Full Import A full import and full sync is suitable for initiating the first full synchronization or the first full synchronization after you have changed the filtering parameters

Running a single step for one connector in this way does not run the complete cycle; an import followed by a synchronization still needs an export on the Azure AD connector before anything reaches the cloud. You can also use the Synchronization Service Manager to configure extensive filtering options, though for tasks such as configuring OU-based filtering, Microsoft recommends that you first attempt to configure filtering using the Azure AD Connect setup wizard and only rely on a tool such as Synchronization Service Manager if problems arise.

More Info Synchronization Service Manager

You can learn more about Synchronization Service Manager at: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-service-manager-ui.

You can also force synchronization by using the Start-ADSyncSyncCycle cmdlet from the ADSync module. You can use this cmdlet to trigger either a delta or a full synchronization. To force a delta sync cycle, run the following command:

Start-ADSyncSyncCycle -PolicyType Delta

To trigger a full sync cycle, run the command:

Start-ADSyncSyncCycle -PolicyType Initial
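The scheduler settings described under Manage Azure AD Connect synchronization and the forced cycle shown just above are usually combined in operational scripts. The following PowerShell, added here as an example rather than taken from the book, wraps the real ADSync cmdlets (Get-ADSyncScheduler, Set-ADSyncScheduler, Start-ADSyncSyncCycle) in two helper functions; the function names, the one-hour interval and the ten-minute timeout are choices made for this example. It must be run in an elevated session on the Azure AD Connect server, since the ADSync module exists only there.

```powershell
# Added example, not from the book: scheduler management and a guarded forced sync.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Set-SafeSyncInterval {
    # Applies a custom interval, clamped to the minimum Microsoft supports.
    param([Parameter(Mandatory)] [timespan] $Interval)

    $scheduler = Get-ADSyncScheduler
    $minimum   = $scheduler.AllowedSyncCycleInterval
    if ($Interval -lt $minimum) {
        Write-Warning "Requested $Interval is below the supported minimum $minimum; using the minimum."
        $Interval = $minimum
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval
}

function Start-SafeSyncCycle {
    # Starts a delta (default) or initial cycle only when none is running, then waits for it.
    param(
        [ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta',
        [int] $TimeoutSeconds = 600
    )

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish instead of queueing another.'
    }
    if ($scheduler.StagingModeEnabled) {
        # A staging-mode server imports and synchronizes but never exports, so nothing reaches Azure AD.
        Write-Warning 'Server is in staging mode: the cycle will import and sync but not export.'
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType

    # Poll the scheduler so a calling script can act once the cycle has finished.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) { throw "Sync cycle did not complete within $TimeoutSeconds seconds." }
    Get-ADSyncScheduler | Select-Object NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleInProgress
}

# Usage: move to an hourly schedule, then push a batch of user changes with a delta cycle.
Set-SafeSyncInterval -Interval (New-TimeSpan -Hours 1)
Start-SafeSyncCycle -PolicyType Delta
```

The two guards matter in practice: starting a cycle while one is in progress fails, and an Initial cycle on a server that has just had its filtering changed is exactly the run that will delete newly out-of-scope objects from Azure AD, so you want to know the server is the active (non-staging) one before you trigger it.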

Configure object filters

When you use Azure AD Connect to synchronize on-premises Active Directory to an Azure Active Directory instance, the default setting is to have all user accounts, group accounts, and mail-enabled contact objects synchronized up to the cloud. For some organizations, synchronizing everything is exactly what they want. Other organizations want to be more selective about which objects are synchronized from the on-premises Active Directory environment to the Azure Active Directory instance that supports the Office 365 tenancy.

With Azure AD Connect, you can choose to filter based on the following options, as shown in Figure 2-29:

Domain based In a forest with multiple domains, you can configure filtering so that only objects from some domains, and not others, are synchronized.

Organizational unit (OU) based With this filtering type, you choose which objects are synchronized based on their location within specific organizational units.

Figure 2-29 Domain and OU filtering

You can also configure filtering on the basis of group membership, as shown in Figure 2-30. You can configure separate group-based filters for each forest or domain synchronized using Azure AD Connect.

Figure 2-30 Filter Users And Devices

More Info Configure Filtering

You can learn more about Azure AD Sync filtering at: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering.

While Azure AD Connect will address most organizations' synchronization requirements, the most comprehensive tool that you can use to filter synchronization is the Synchronization Rules Editor, shown in Figure 2-31. You can use this tool to modify existing synchronization rules, and also to create new rules. Rather than configuring synchronization on a per-domain or per-OU basis, you can tailor rules for individual objects and specific Active Directory attributes. Changing a filter after objects have already synchronized causes the now-excluded objects to be deleted from Azure AD on the next full synchronization (subject to the export deletion threshold), so review the scope of any filter change before running it.

Figure 2-31 Synchronization Rules Editor

More Info Synchronization Rules Editor

You can learn more about the Synchronization Rules Editor at: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-change-the-configuration.

Configure password sync

Password Sync allows the synchronization of user account passwords from on-premises Active Directory to the Azure Active Directory instance that supports the Office 365 tenancy. The advantage of this is that users can sign on to Microsoft 365 using the same password that they use to sign in to computers in the on-premises environment. Password Sync on its own does not provide single sign-on or federation.

When you enable Password Sync, the on-premises password complexity policies override the password complexity policies configured for the Azure Active Directory instance that supports the Microsoft 365 tenancy. This means that any password that is valid for an on-premises user will be valid within Microsoft 365, even if it would not normally satisfy the cloud policy.

Password expiration works in the following way: the password of the cloud user object is set to never expire. Each time the user account password is changed in the on-premises Active Directory instance, this change replicates to the Azure Active Directory instance that supports the Microsoft 365 tenancy. This means that it is possible for a user account's password to expire in the on-premises Active Directory instance, but that user can still use the same password to sign on to Microsoft 365. The next time they sign on to the on-premises environment, they are forced to change their password, and that change replicates up to the Azure Active Directory instance that supports the Microsoft 365 tenancy.

When Passw or d Sy nc i s enabl ed and y ou di sabl e a user ’s account i n


the on-pr emi ses Acti v e Di r ector y i nstance, the user ’s account i n
the Azur e Acti v e Di r ector y i nstance that suppor ts the Mi cr osof t
365 tenancy i s di sabl ed w i thi n a f ew mi nutes. If Passw or d Sy nc i s
not enabl ed and y ou di sabl e user account i n the on-pr emi ses Acti v e
Di r ector y i nstance, the user ’s account i n the Azur e Acti v e
Di r ector y i nstance that suppor ts the Mi cr osof t 365 tenancy i s not
di sabl ed unti l the nex t f ul l sy nchr oni zati on.

More Info Password Synchronization

You can learn more about password synchronization:


https://docs.microsoft.com/azure/active-directory/hybrid/how-to-
connect-password-hash-synchronization.

Implement multi-forest AD Connect scenarios

The Azure Active Directory Connect tool also supports synchronization from multiple on-premises Active Directory forests to a single Azure Active Directory instance. Multiple forest synchronization to a single Azure AD instance is supported only when a single Azure AD Connect server is in use. Microsoft does not support multiple Azure AD Connect servers synchronizing with a single Azure AD instance, whether there is one forest or multiple forests being synchronized.

By default, Azure AD Connect will assume that:

A user has a single enabled account. Also, the forest where this account is located must host the directory that is used to authenticate the user. This assumption is used in both password sync and federation scenarios. On the basis of this assumption, the UserPrincipalName and sourceAnchor/immutableID are drawn from this forest.

Each user has a single mailbox, and the forest that hosts that mailbox is the best source of attributes visible in the Exchange Global Address List (GAL). In the event that a user doesn't have an associated mailbox, any configured forest can function as the source for the attribute values.

If a user account has a linked mailbox, there will be an account in an alternate forest used for the sign-in process.

The key to synchronizing user accounts from multiple forests is that only one user account from all synchronized forests should represent the user. This means that the synchronization engine should have a way to determine when accounts in separate forests represent the same user. You can configure how the Azure AD Connect sync engine identifies users on the Uniquely Identifying Your Users page, shown in Figure 2-32, using one of the following options.

Figure 2-32 Uniquely identify users

Match users using the mail attribute

Match users using the ObjectSID and msExchangeMasterAccountSID/msRTCSIP-OriginatorSid attributes

Match users using the SAMAccountName and MailNickName attributes

Specify a custom attribute upon which to match names

More Info Multi-Forest Synchronization

You can learn more about multi-forest synchronization and supported topologies for Azure AD Connect at the following address:
https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-topologies.

Exam Tip

Remember what tools you can use to trigger synchronization.

SKILL 2.4: MANAGE AZURE AD IDENTITIES

This skill deals with the management of identities within Azure Active Directory. This is of primary importance when Azure Active Directory functions as the source of authority. To master this skill you'll need to understand how to plan for the use of Azure AD identities, how to deploy self service password reset, manage access reviews, manage Azure AD groups, manage Azure AD passwords, manage product licenses, manage users, and perform bulk user management tasks.

This section covers the following topics:

Plan Azure AD identities

Implement and manage Azure AD self service password reset

Manage access reviews

Manage groups

Manage passwords

Manage product licenses

Manage users

Perform bulk user management

Plan Azure AD identities

In hybrid environments, you'll primarily perform the management of identities using on-premises management tools such as Active Directory Users and Computers. In environments where Azure AD forms the primary source of authority, you can use the Microsoft 365 Admin Center to perform the management of user identities. You can also use the Azure Active Directory admin center as shown in Figure 2-33, or you can use Azure CLI or PowerShell.

Figure 2-33 Azure Active Directory Admin Center

When planning the use of Azure identities, you'll need to consider the following questions:

What UPN will be used with the identity for logon to Microsoft 365 resources? You can change the UPN suffix to any domain that is configured and authorized for use with the directory.

What authentication and authorization options will be required to access Microsoft 365 resources? Will users need to regularly change their passwords? Will users be required to perform multi-factor authentication?

What roles will be assigned to users? Will you need to assign Azure AD roles to specific users? What method will you use to perform this task?

Will Azure AD Groups be used? What strategy will you use to manage collections of users into groups? Will your organization use a group naming convention?

You'll learn more about how to perform user management tasks later in this chapter.

Implement and manage Azure AD self service password reset

Something that is challenging to deploy in an on-premises environment, but which is relatively straightforward to deploy in an environment that uses Azure AD as a source of identity authority, is self service password reset. Self service password reset allows a user to reset their own password when they forget it, rather than having to contact the service desk and have a member of the IT staff perform the task for them. To enable self service password reset, perform the following steps:

1. Open the Azure Active Directory portal at https://aad.portal.azure.com with an account that has tenant administrator permissions.

2. In the Azure Active Directory Admin Center, click the Users node. This will open the Users blade as shown in Figure 2-34.

Figure 2-34 Azure Active Directory Admin Center

3. In the Users blade of the Azure Active Directory admin center, click Password Reset.

4. On the Password reset – Properties page, click All, as shown in Figure 2-35, to enable self service password reset for all Microsoft 365 users.

Figure 2-35 Enable Self Service Password Reset

Once enabled, users will be prompted for additional information the next time that they sign in, which will be used to verify their identity if they use the self-service password reset tool. Users are able to reset their passwords by navigating to the website https://passwordreset.microsoftonline.com, shown in Figure 2-36, and completing the form.

Figure 2-36 Enable Self-service Password Reset

More Info Self Service Password Reset

You can learn more about configuring self service password reset at:
https://docs.microsoft.com/office365/admin/add-users/let-users-reset-passwords.

Manage access reviews

You can review a user's access to Microsoft 365 resources through the Azure Active Directory console. To perform this task, open the user's properties page and select the sign-ins section of the User Management blade. Figure 2-37 shows the sign-in activity of the administrator account used to manage a Microsoft 365 tenancy.

Figure 2-37 View sign-in activity

The audit logs node will allow you to review the actions performed by accounts. Figure 2-38 shows that actions performed by the account used for Microsoft 365 tenancy administration are recorded for review.

Figure 2-38 Audit log

Manage groups

Groups allow you to collect users together and then assign them privileges and access to workloads or services. Rather than assigning privileges and access to workloads or services directly to users, you can assign these rights to a group and then indirectly assign them to users by adding the user accounts to the appropriate group. Using groups in this way is a long-standing administrative practice, because it allows you to determine a user's level of access and rights by looking at the user's group memberships, rather than checking each workload and service to determine if the user account has been assigned rights to that service.

You can use the Azure AD administrative console to manage groups. Azure AD supports two group types: Office 365 groups and Security groups. Figure 2-39 shows the selection of group type when creating the group. Office 365 groups are used for collaboration between users. These users can be inside or external to the organization. Each Office 365 group has an associated email address, shared workspace for conversations, shared location for files, calendar events, and a planner. Security groups are used to grant access to specific Microsoft 365 resources, such as SharePoint sites. Security groups can contain user accounts as well as device accounts. Device related groups are most often used with services such as Intune.

Figure 2-39 Create Azure AD Group

Group membership for both group types can be configured as assigned or dynamic. When the assigned option is selected, membership is managed manually. When the dynamic option is selected, group membership is determined based on the results of a query against user or device attributes. For example, you can have a user located in a specific department or city who may be managed by a specific person. Figure 2-40 shows an Office 365 group with dynamic membership, where users who have the department Marketing will automatically be assigned membership of the group.

Figure 2-40 Office 365 dynamic group membership

Source of authority is important when it comes to making modifications to users and groups. Remember that modifications that occur in the on-premises Active Directory overwrite the current state of the objects within the Azure Active Directory instance that supports the Microsoft 365 tenancy. The only exception to this rule is the assignment of licenses, which only occurs using the Microsoft 365 Admin Center or Microsoft PowerShell tools.

Modifications made to on-premises user and group objects will only be present within the Azure Active Directory instance that supports the Microsoft 365 tenancy after synchronization has occurred. By default, synchronization occurs every 30 minutes. You can force synchronization to occur using the Synchronization Service Manager tool or by using Microsoft PowerShell.

With deletion, the concept of source of authority again is very important. When you want to delete a user or group account created in the on-premises Active Directory instance, you should use tools such as Active Directory Users and Computers or Active Directory Administrative Center to remove that user. When you delete the user or group using this method, the user will be deleted from the on-premises Active Directory instance and then, when synchronization occurs, will be deleted from the Azure Active Directory instance that supports the Microsoft 365 tenancy.

When you delete a user from Microsoft 365, their account remains in the Azure Active Directory Recycle Bin for 30 days. This means that you can recover the account online should it be necessary to do so. If you delete a user from your on-premises Active Directory environment, but have enabled the on-premises Active Directory Recycle Bin, recovering the user from the on-premises Active Directory Recycle Bin will recover the user account in Microsoft 365. If you don't have the Active Directory Recycle Bin enabled, you will need to create another account with a new GUID.

In some cases, synchronization doesn't work properly and objects that are deleted from the on-premises Active Directory instance don't delete from the Azure Active Directory instance that supports the Microsoft 365 tenancy. In this circumstance you can use the Remove-MsolUser, Remove-MsolGroup, or Remove-MsolContact Microsoft PowerShell cmdlets to manually remove the orphaned object.

You can use the following PowerShell commands from the AzureAD module to manage Azure AD Groups:

Get-AzureADGroup: Provides information about Azure AD Groups.

New-AzureADGroup: Creates a new Azure AD Group.

Set-AzureADGroup: Configures the properties of an Azure AD Group.

Remove-AzureADGroup: Removes an Azure AD Group.

Add-AzureADGroupMember: Adds a user to an Azure AD Group.

Remove-AzureADGroupMember: Removes a user from an Azure AD Group.

Add-AzureADGroupOwner: Adds a user as an owner of an Azure AD Group. Gives the user limited group management privileges.

Remove-AzureADGroupOwner: Removes a user as owner of an Azure AD Group.
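The following script is an added example, not code from the book, that uses the AzureAD cmdlets listed above to build an assigned security group with a member and an owner, and then creates the kind of dynamic Office 365 group described for the Marketing department earlier in this section. It assumes Connect-AzureAD has already been run, that the UPNs and group names are placeholders, and that the installed AzureAD module version includes New-AzureADMSGroup (otherwise AzureADPreview provides it).

```powershell
# Added example (not from the book). Assumes Connect-AzureAD has been run.
$memberUpn = 'jane.doe@contoso.example'   # placeholder UPN
$ownerUpn  = 'it.lead@contoso.example'    # placeholder UPN

# 1. Assigned security group: membership is managed manually.
$group = Get-AzureADGroup -Filter "DisplayName eq 'SharePoint Finance Readers'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName 'SharePoint Finance Readers' `
        -Description 'Read access to the Finance SharePoint site' `
        -MailEnabled $false -MailNickName 'NotSet' -SecurityEnabled $true
}

$member = Get-AzureADUser -ObjectId $memberUpn
$owner  = Get-AzureADUser -ObjectId $ownerUpn

# Add-AzureADGroupMember errors if the user is already a member, so check first.
$existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if ($existing.ObjectId -notcontains $member.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $member.ObjectId
}

# Owners receive limited group management rights; keep that list short and reviewed.
$owners = Get-AzureADGroupOwner -ObjectId $group.ObjectId
if ($owners.ObjectId -notcontains $owner.ObjectId) {
    Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId
}

# 2. Dynamic Office 365 group: membership is computed from a query on user attributes.
#    Assumption: New-AzureADMSGroup is available in the installed AzureAD module.
$rule    = '(user.department -eq "Marketing")'
$dynamic = Get-AzureADMSGroup -Filter "DisplayName eq 'Marketing'"
if (-not $dynamic) {
    $dynamic = New-AzureADMSGroup -DisplayName 'Marketing' `
        -Description 'All users whose Department attribute is Marketing' `
        -MailEnabled $true -MailNickname 'marketing' -SecurityEnabled $false `
        -GroupTypes 'Unified','DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

# Review step: list owners and members so group-based access can be audited.
Get-AzureADGroupOwner  -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Select-Object DisplayName, UserPrincipalName
```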

More Info Azure AD Groups

You can learn more about Azure AD Groups at:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal.

Manage passwords

The only thing that people forget more often than where they have put their keys is what their password is. As someone who is supporting Microsoft 365, it's more likely than not that if you haven't enabled self service password reset, or even if you have, you're going to have to reset user passwords on a semi-regular basis.

To reset a Microsoft 365 user password, perform the following steps:

1. In the Microsoft 365 Admin Center, select the user whose password you want to reset in the list of Active users by selecting the check box next to the user's name.

2. On the user's properties page, click the Reset Password button shown in Figure 2-41.

Figure 2-41 Reset Password button

3. On the Reset Password page, shown in Figure 2-42, choose whether to have an automatically generated password or to create a password yourself, and select whether the password needs to be changed when the user next signs in.

Figure 2-42 Password reset

4. It will be necessary to provide either the automatically generated password or the administrator-created password to the user through a secure channel, such as in person or over the phone.

You can reset a user's password through PowerShell using the Set-MsolUserPassword cmdlet with the following syntax:

Set-MsolUserPassword -UserPrincipalName <UPN> -NewPassword <NewPassword> -ForceChangePassword $True

You can configure the password expiration policy for all users by performing the following steps:

1. In the Microsoft 365 Admin Center, select Security & Privacy under Settings, as shown in Figure 2-43.

Figure 2-43 Security and privacy

2. Next to Password Policy, click Edit.

3. On the Password Policy page, shown in Figure 2-44, you can choose to have passwords never expire, or you can configure passwords to expire after a specific number of days. You can also configure the number of days before a user will be informed that their password will expire.

Figure 2-44 Password Policy

More Info Reset User Passwords

You can learn more about resetting Microsoft 365 user passwords at:
https://docs.microsoft.com/office365/admin/add-users/reset-passwords.

Manage product licenses

Users require licenses to use Microsoft 365 services and products. To assign a license to a user, perform the following steps:

1. In the Microsoft 365 console, select the Active Users node under Users as shown in Figure 2-45.

Figure 2-45 Active Users

2. Select the check box next to the user to which you wish to assign a license. This will bring up the user's properties page, as shown in Figure 2-46.

Figure 2-46 User properties page

3. On the user's properties page, click Edit next to Product Licenses. You will be provided with a location drop-down and the ability to assign licenses for Enterprise Mobility and Security, Office 365 Enterprise, and Windows 10 Enterprise, as shown in Figure 2-47.

Figure 2-47 Product licenses page

4. Click Save to assign the licenses to the user.

It's important to remember that user accounts created in Microsoft 365 by the synchronization process will not automatically be assigned Microsoft 365 licenses. This means that when you are creating new user accounts in the on-premises environment after you've initially configured Azure AD Connect, you'll also need to use the Microsoft 365 Admin Center, or PowerShell, to provision those accounts with Microsoft 365 licenses.

One of the simplest methods to assign licenses to a large number of accounts is by using PowerShell. To accomplish this task using Microsoft PowerShell, you need to first ensure that a usage location is set for each unlicensed user, and then assign a license using the proper SKU identifier.

To determine which Microsoft 365 users have not been properly configured with a license, run the following Microsoft PowerShell command:

Get-MsolUser -UnlicensedUsersOnly

To assign all unlicensed users to a specific location, use the following command, where <location> is the location to which you wish to assign the unlicensed users:

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation <location>

You'll need to apply the account SKU ID to each account. The way you can do this is first by assigning SKU information to a variable with the following command:

$Sku = Get-MsolAccountSku

Once you have this information, you can use the following command to apply the appropriate account SKU ID to correctly license each account (Set-MsolUserLicense, not Set-MsolUser, is the MSOnline cmdlet that accepts the -AddLicenses parameter):

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses $Sku.AccountSkuId
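The one-liners above assume a tenant with a single SKU and enough free units; the following added example (not code from the book) carries the same three-step procedure through as a script that selects one SKU explicitly, sets the usage location only where it is missing, and stops before Set-MsolUserLicense can fail on an exhausted SKU. It assumes Connect-MsolService has been run, and the usage location and SKU name pattern are placeholders.

```powershell
# Added example (not from the book). Assumes Connect-MsolService has been run.
$UsageLocation = 'US'                 # placeholder ISO 3166-1 alpha-2 country code
$SkuPattern    = '*:ENTERPRISEPACK'   # placeholder; AccountSkuId has the form tenant:SKUNAME

# Get-MsolAccountSku returns every SKU in the tenant, so $Sku.AccountSkuId can be an
# array; pick exactly one SKU instead of passing the whole list to -AddLicenses.
$Sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like $SkuPattern } |
    Select-Object -First 1
if (-not $Sku) { throw "No SKU matching '$SkuPattern' in this tenant" }

$Available  = $Sku.ActiveUnits - $Sku.ConsumedUnits
$Unlicensed = @(Get-MsolUser -UnlicensedUsersOnly -All)

Write-Host ("{0} unlicensed users, {1} free units of {2}" -f `
    $Unlicensed.Count, $Available, $Sku.AccountSkuId)

foreach ($User in $Unlicensed) {
    if ($Available -le 0) {
        Write-Warning "No $($Sku.AccountSkuId) units left; stopping at $($User.UserPrincipalName)"
        break
    }

    # A usage location must be set before a license can be assigned; only set it where missing.
    if (-not $User.UsageLocation) {
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation
    }

    Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $Sku.AccountSkuId
    $Available--
    Write-Host "Licensed $($User.UserPrincipalName) with $($Sku.AccountSkuId)"
}
```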

More Info Assign Licenses to Users

You can learn more about assigning licenses to users at:
https://docs.microsoft.com/office365/admin/subscriptions-and-billing/assign-licenses-to-users.

Manage users

You can use the Microsoft 365 Admin Center, the Azure AD Admin Center, or Azure PowerShell to manage Azure AD user accounts. The Azure AD Admin Center gives you a greater set of options for managing the properties of user accounts than the Microsoft 365 Admin Center, because you can edit extended user properties as shown in Figure 2-48.

Figure 2-48 User properties page

To create a new Azure AD user, perform the following steps:

1. In the Azure AD console, select Users – All Users and then click New User.

2. In the New User blade, shown in Figure 2-49, provide the following information:

1. Name: The user's actual name.

2. User Name: The user's sign-in name in UPN format.

3. Profile: The user's first name, last name, job title and department.

4. Properties: This specifies the source of authority for the user. By default, if you are creating the user using the Azure AD Admin Center or the Microsoft 365 Admin Center, this will be Azure Active Directory.

5. Groups: This defines which groups the user should be a member of.

6. Directory role: Choose whether the account has the User, Global Administrator, or a Limited Administrator role.

7. Password: This is the automatically generated password. With the Show Password option you can transmit the password to the user through a secure channel.

Figure 2-49 New user properties page

You can also use the Azure AD Admin Center to perform the following user admin tasks:

Update profile information

Assign Directory Roles

Manage group membership

Manage licenses

Manage devices

Manage access to Azure resources

Manage authentication methods

More Info Creating Azure AD Users

You can learn more about Azure AD PowerShell cmdlets for managing users at:
https://docs.microsoft.com/powershell/azure/active-directory/new-user-sample.

Perform bulk user management

The best tool for performing bulk user management is the Azure AD related PowerShell commands. You can use the following commands, some of which are shown in Figure 2-50, to script bulk user management tasks:

New-AzureADUser: Create a new Azure AD user.

Get-AzureADUser: Retrieve information about one or more Azure AD users.

Set-AzureADUser: Configure the properties of an Azure AD user.

Remove-AzureADUser: Remove an Azure AD user account.

Get-AzureADUserMembership: View group membership for a specific Azure AD user.

Set-AzureADUserPassword: Manage Azure AD user passwords.

Figure 2-50 User related PowerShell cmdlets
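As an added example (not code from the book) of scripting the cmdlets above, the following script bulk-creates users from CSV-shaped data, skips accounts that already exist so it can be re-run, and gives each new account its own random initial password that must be changed at first sign-in. The CSV rows are constructed sample data with a placeholder domain (in practice you would use Import-Csv on a real file), and Connect-AzureAD is assumed to have been run.

```powershell
# Added example (not from the book). Assumes Connect-AzureAD has been run.
# Constructed sample input; replace with Import-Csv -Path <file> for real data.
$csv = @'
DisplayName,FirstName,LastName,UserPrincipalName,Department,JobTitle
Ada Lovelace,Ada,Lovelace,ada.lovelace@contoso.example,Engineering,Analyst
Grace Hopper,Grace,Hopper,grace.hopper@contoso.example,Engineering,Engineer
'@
$NewUsers = $csv | ConvertFrom-Csv

# One random initial password per user; never reuse a single password across a batch.
function New-InitialPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
    -join (1..16 | ForEach-Object { $chars | Get-Random })
}

$results = foreach ($u in $NewUsers) {
    # Skip accounts that already exist so the script is safe to re-run.
    if (Get-AzureADUser -Filter "userPrincipalName eq '$($u.UserPrincipalName)'") {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = 'exists'; ObjectId = $null }
        continue
    }

    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = New-InitialPassword
    $pwProfile.ForceChangePasswordNextLogin = $true   # user must change it at first sign-in

    $created = New-AzureADUser -DisplayName $u.DisplayName `
        -GivenName $u.FirstName -Surname $u.LastName `
        -UserPrincipalName $u.UserPrincipalName `
        -MailNickName ($u.UserPrincipalName.Split('@')[0]) `
        -Department $u.Department -JobTitle $u.JobTitle `
        -AccountEnabled $true -PasswordProfile $pwProfile

    # Hand the initial password to the user over a secure channel; do not write it to a log.
    [pscustomobject]@{ UPN = $created.UserPrincipalName; Status = 'created'; ObjectId = $created.ObjectId }
}

$results | Format-Table -AutoSize
```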

More Info User Management PowerShell Cmdlets

You can learn more about Azure AD PowerShell cmdlets for managing users at:
https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#users.

Exam Tip

Remember which PowerShell cmdlets you use to add and remove users from groups.

SKILL 2.5: MANAGE USER ROLES

This skill section deals with managing user roles within Azure Active Directory. To master this skill you'll need to understand how to plan Azure AD roles, allocate roles, configure administrative accounts, configure Azure AD RBAC, delegate admin rights, manage administrator roles, and plan security and compliance roles.

This section covers the following topics:

Plan user roles

Allocate roles in workloads

Configure administrative accounts

Configure RBAC within Azure AD

Delegate admin rights

Manage admin roles

Manage role allocations by using Azure AD

Plan security and compliance roles for Microsoft 365

Plan user roles

Rather than assigning all users who need to perform administrative tasks membership of the Global Administrators role, an organization's approach to planning and assignment of user roles should follow the principle of least privilege. This principle dictates that you should assign an account only the minimum privileges required for the user associated with that account to perform their tasks. When planning user roles, determine precisely what tasks the user needs to perform and then assign them the role that allows them to perform only those tasks. For example, if a support desk technician needs to be able to reset passwords, assign that technician the Password Administrator role rather than a more privileged role such as Security Administrator or Global Administrator.

Allocate roles in workloads

Several Azure AD roles, such as Exchange Administrator, Intune Administrator, and SharePoint Administrator, are specific to certain Microsoft 365 workloads. These roles often provide complete administrative rights for those workloads, but provide no administrative permissions beyond those workloads. In organizations where staff are responsible for one or more Microsoft 365 workloads, but not responsible for tasks such as user management or other workloads, ensure that you follow the principle of least privilege and only assign roles at the workload level.
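The support desk scenario above, as an added example that is not code from the book: the script assigns a technician the Password Administrator role (which the AzureAD module exposes under the directory role name Helpdesk Administrator) instead of Global Administrator, activating the built-in role from its template if it has never been used, and then reports the current Global Administrator membership for review. It assumes Connect-AzureAD has been run and that the technician's UPN is a placeholder.

```powershell
# Added example (not from the book). Assumes Connect-AzureAD has been run.
$TechnicianUpn = 'helpdesk.tech@contoso.example'   # placeholder UPN
$RoleName      = 'Helpdesk Administrator'          # directory role name for Password Administrator

function Get-OrEnableDirectoryRole {
    param([string]$DisplayName)
    # Built-in roles exist as templates and appear in Get-AzureADDirectoryRole only
    # once activated; enable the template on first use.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

$role = Get-OrEnableDirectoryRole -DisplayName $RoleName
$tech = Get-AzureADUser -ObjectId $TechnicianUpn

# Least privilege: grant only the workload-scoped role the task requires, and only once.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $tech.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $tech.ObjectId
    Write-Host "Assigned '$RoleName' to $TechnicianUpn"
} else {
    Write-Host "$TechnicianUpn already holds '$RoleName'"
}

# Review: every Global Administrator is a high-value account, so keep this list minimal.
# 'Company Administrator' is the AzureAD module's directory role name for Global Administrator.
$ga = Get-OrEnableDirectoryRole -DisplayName 'Company Administrator'
Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled |
    Format-Table -AutoSize
```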

Manage admin roles

Azure Active Directory includes a large number of roles that provide a variety of permissions to different aspects of Azure AD and Microsoft 365 workloads. These roles, and the permissions that they grant, are listed in Table 2-3.

Table 2-3 Azure AD Roles

Role: Description

Application Administrator: Can administer enterprise applications, application registrations, and application proxy settings.

Application Developer: Can create application registrations.

Authentication Administrator: Can view current authentication method settings. Can set or reset non-password credentials. Can force MFA on next sign on.

Billing Administrator: Can purchase and manage subscriptions. Can manage support tickets and monitor service health.

Cloud Application Administrator: Can manage all aspects of enterprise applications and registrations, but cannot manage application proxy.

Cloud Device Administrator: Can enable, disable, and remove devices in Azure AD. Can view Windows 10 BitLocker Drive Encryption Keys through the Azure portal.

Compliance Administrator: Manage features in the Microsoft 365 compliance center, Microsoft 365 Admin Center, Azure, and Microsoft 365 Security and Compliance Center.

Conditional Access Administrator: Administrative rights over Azure AD conditional access configuration.

Customer Lockbox access approver: Manages customer lockbox requests. Can also enable and disable the customer lockbox feature.

Device Administrators: Users assigned this role will become local administrators on all computers running Windows 10 that are joined to Azure AD.

Directory Readers: Role for applications that do not support the consent framework. Should not be assigned to users.

Directory Synchronization Accounts: Assigned to the Azure AD Connect service and not used for user accounts.

Directory Writers: A legacy role assigned to applications that do not support the consent framework. Should only be assigned to applications and not user accounts.

Dynamics 365 Administrator / CRM Administrator: Administrative access to Dynamics 365 Online.

Exchange Administrator: Administrative access to Exchange Online.

Global Administrator / Company Administrator: Administrative access to all Azure AD features. This includes administrative access to services that use Azure AD identities, including Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. The account used to sign up for the tenancy becomes the global administrator. Global administrators can reset the passwords of any user, including other global administrators.

Guest Inviter: Can manage Azure AD B2B guest user invitations.

Information Protection Administrator: Has the ability to manage all aspects of Azure Information Protection, including configuring labels, managing protection templates, and activating protection.

Intune Administrator: Has full administrative rights to Microsoft Intune.

License Administrator: Can manage license assignments on users and groups. Cannot purchase or manage subscriptions.

Message Center Reader: Can monitor notifications and Microsoft advisories in the Microsoft 365 Message Center.

Password Administrator / Helpdesk Administrator: Able to perform the following tasks for all users except those that have administrative roles: change passwords, invalidate refresh tokens, manage service requests, and monitor service health.

Power BI Administrator: Has administrator permissions over Power BI.

Privileged Role Administrator: Can manage all aspects of Azure AD Privileged Identity Management. Can manage role assignments in Azure AD.

Reports Reader: Can view reporting data in the Microsoft 365 reports dashboard.

Security Administrator: Has administrator level access to manage security features in the Microsoft 365 security center, Azure AD Identity Protection, Azure Information Protection, and Microsoft 365 Security and Compliance Center.

Security Reader: Has read-only access to Microsoft 365 related security features.

Service Support Administrator: Can open and view support requests with Microsoft for Microsoft 365 related services.

SharePoint Administrator: Has global administrator permissions for SharePoint Online workloads.

Skype for Business / Lync Administrator: Has global administrator permissions for Skype for Business workloads.

Teams Administrator: Can administer all elements of Microsoft Teams.

Teams Communications Administrator: Can manage Teams workloads related to voice & telephony, including telephone number assignment, voice and meeting policies.

Teams Communications Support Engineer: Can troubleshoot communication issues within Teams & Skype for Business. Can view details of call records for all participants in a conversation.

Teams Communications Support Specialist: Can troubleshoot communication issues within Teams & Skype for Business. Can only view user details in the call for a specific user.

User Account Administrator: Can create and manage user accounts. Can create and manage groups. Can manage user views, support tickets and monitor service
heal th.

More Info Azure AD Administrator Roles

You can learn more about Azure AD Administrator roles at: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles.

Configure RBAC within Azure AD

Azure RBAC (Role Based Access Control) allows you to configure fine-grained access control to Azure resources, such as virtual machines and storage accounts. When you configure RBAC, you assign a role and a scope, with the scope being the resource you wish to have managed. Azure RBAC includes more than 70 roles. A full listing of the details of all 70 is beyond the scope of this text, but there are four fundamental roles that those responsible for managing Microsoft 365 should be aware of, which can be assigned to specific Azure subscriptions, resource groups, or resources. These roles are:

Owner: Users that hold this role have full access to all resources within the scope of the assignment and are able to delegate access to others.

Contributor: Users that hold this role can create and manage resources within the scope of the assignment, but cannot grant access to others.

Reader: Users that hold this role are able to view resources within the scope of the assignment, but can't perform other tasks and cannot grant access to others.

User Access Administrator: Can manage user access to Azure resources within the scope of the assignment.
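The role-plus-scope model described above, as an added example that is not from the book: it assigns the built-in Reader role at resource-group scope with the Az PowerShell module, verifies what the principal holds there, and then lists the assignments that can delegate access (Owner and User Access Administrator). The subscription ID, resource group name, and user principal name are placeholders, and the Az module and an existing Connect-AzAccount session are assumed.

```powershell
# Added example (not from the book): assign the built-in Reader role at
# resource-group scope and verify the assignment with the Az PowerShell module.
# Assumptions: the Az module is installed, Connect-AzAccount has already been run,
# and the subscription, resource group and user principal below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-finance-prod"                         # placeholder
$userUpn        = "adele.vance@contoso.example"             # placeholder

# The scope is the resource you want managed. An assignment at resource-group
# level covers every resource in that group and nothing outside it.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Least privilege: Reader can view resources but cannot change them or grant access.
New-AzRoleAssignment -SignInName $userUpn `
    -RoleDefinitionName "Reader" `
    -Scope $scope

# Verify what the principal holds at this scope. Assignments made higher up
# (subscription or management group) are inherited and therefore appear here too.
Get-AzRoleAssignment -SignInName $userUpn -Scope $scope |
    Select-Object RoleDefinitionName, Scope

# Review check: every Owner or User Access Administrator assignment in the
# subscription, because both of those roles can delegate access to others.
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.RoleDefinitionName -in "Owner", "User Access Administrator" } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

Because inherited assignments are returned alongside direct ones, the final query is the quickest way to spot a subscription-wide Owner that also shows up, unexpectedly, on every resource group beneath it.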

More Info Azure RBAC

You can learn more about Azure RBAC at: http://docs.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles.

Delegate admin rights

To view which users are assigned a specific role, perform the following steps:

1. In the Azure AD Admin Center, select Roles and Administrators, as shown in Figure 2-51.

Figure 2-51 Roles and Administrators

2. Click on the role that you wish to learn the membership of. Figure 2-52 shows members of the Password Administrators role.

Figure 2-52 Members of the Password Administrators role

You can use the following Azure PowerShell cmdlets to view roles and role membership:

Get-AzureADDirectoryRole: View a list of Azure AD Directory roles.

Get-AzureADDirectoryRoleMember: View the users assigned membership in an Azure AD Directory role.

More Info Delegating Admin Rights

You can learn more about delegating admin rights at: https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-concept-delegation.

Manage role allocations by using Azure AD

To assign a user to a specific role within Azure AD, perform the following steps:

1. In the Azure AD Admin Center, select Roles And Administrators.

2. Select the role to which you wish to add a user. This will open the role's properties page.

3. In the Role properties page, click Add Member. Figure 2-53 shows adding the user Adele Vance to the Security Administrator role.

Figure 2-53 Members of the Password Administrators role

You can use the following Azure PowerShell cmdlets to manage role membership:

Add-AzureADDirectoryRoleMember: Add a user to an Azure AD Directory role.

Remove-AzureADDirectoryRoleMember: Remove a user from an Azure AD Directory role.
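The four cmdlets named in this section and the preceding one (Get-AzureADDirectoryRole, Get-AzureADDirectoryRoleMember, Add-AzureADDirectoryRoleMember, Remove-AzureADDirectoryRoleMember), worked through as an added example that is not from the book. It reviews current members before adding Adele Vance to Security Administrator, handles the case where a role has never been activated in the tenant, and ends with a tenant-wide membership report. The AzureAD module and an existing Connect-AzureAD session are assumed; the user principal name is a placeholder.

```powershell
# Added example (not from the book): view, grant and revoke Azure AD directory
# role membership with the AzureAD PowerShell module.
# Assumptions: the AzureAD module is installed and Connect-AzureAD has been run;
# the user principal name below is a placeholder.
$userUpn  = "adele.vance@contoso.example"   # placeholder
$roleName = "Security Administrator"

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant. A role nobody has ever held must first be enabled from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Who holds the role today? Review this before adding anyone.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName, ObjectType

# Add the user. The cmdlet takes the member's object id, not the UPN.
$user = Get-AzureADUser -ObjectId $userUpn
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Tenant-wide report: every activated role and its members. The AzureAD module
# shows Global Administrator under its legacy name, Company Administrator.
$report = foreach ($r in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId) {
        [pscustomobject]@{ Role = $r.DisplayName; Member = $m.DisplayName; Type = $m.ObjectType }
    }
}
$report | Sort-Object Role, Member | Format-Table -AutoSize
$globalAdmins = @($report | Where-Object { $_.Role -in "Company Administrator", "Global Administrator" })
"Global Administrators: $($globalAdmins.Count)"

# Revoke when the assignment is no longer needed:
# Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
```

The report loop is the part worth keeping as a scheduled job: a growing Global Administrator count, or a service principal appearing in a role that should only hold users, is exactly the drift that least privilege is meant to catch.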

More Info View and Assign Azure AD Administrator Roles

You can learn more about viewing and assigning administrator roles at: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-manage-roles-portal.

Configure administrative accounts

Azure AD Privileged Identity Management (PIM) allows you to make role assignment temporary and contingent on approval, rather than permanent, as is the case with manually adding a member to the role. PIM requires Azure AD P2 and must be enabled before you can configure it. To configure an Azure AD administrative role for use with PIM, perform the following steps:

1. In the Azure AD Admin Center, select Roles And Administrators.

2. Select the role to which you wish to add a user. This will open the role's properties page.

3. In the Role properties page, click Manage In PIM. The role will open and any members assigned permanently to the role will be listed with the status of permanent, as shown in Figure 2-54.

Figure 2-54 Members of the Password Administrators role

4. Select the user that you wish to convert from permanent to eligible. An eligible user can request access to the role, but will not have its associated rights and privileges until that access is granted. On the user's properties page, click Make Eligible.

You can edit the conditions under which an eligible user can be granted the role by performing the following steps:

1. In the Privileged Identity Management blade, click Azure AD Roles.

2. Under Manage, shown in Figure 2-55, click Settings.

Figure 2-55 Manage PIM

3. Click Roles and then select the role that you wish to configure. Figure 2-56 shows the PIM settings for the Security Administrator role, where role activation can occur for an hour at most, but where MFA and approval are not required.

Figure 2-56 Manage PIM

Users can activate roles that they are eligible for from the Privileged Identity Management area of the Azure AD Administrative console. Administrators with the appropriate permissions can also use the Privileged Identity Management area of the Azure AD Administrative console to approve requests that require approval and review role activations.

More Info Privileged Identity Management

You can learn more about this topic at: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure.

Plan security and compliance roles for Microsoft 365

The Microsoft 365 Security and Compliance center includes default role groups that are appropriate for the most commonly performed security and compliance tasks. To assign users permission to perform these tasks, add them to the appropriate role group in the Microsoft 365 Security and Compliance Center. These Microsoft 365 security and compliance role groups are listed in Table 2-4.

Table 2-4 Security and compliance role groups

Role Group: Description

Compliance Administrator: Can manage device management settings, data loss prevention settings, and data preservation reports.

eDiscovery Manager: Can perform searches and place holds on SharePoint Online sites, OneDrive for Business locations, and Exchange Online mailboxes. Can create and manage eDiscovery cases.

Organization Management: Can control permissions for accessing the Security & Compliance Center. Can also manage settings for data loss prevention, device management, reports, and preservation.

Records Management: Manage and dispose of record content.

Reviewer: View the list of eDiscovery cases in the Security and Compliance center. Unable to create or manage eDiscovery cases.

Security Administrator: All the permissions of the Security Reader role, plus administrative permissions for Azure Information Protection, Identity Protection Center, Privileged Identity Management, the ability to monitor Office 365 Service Health, and the Microsoft 365 Security and Compliance Center.

Security Reader: Provides read-only access to security features of the Identity Protection Center, Privileged Identity Management, Microsoft 365 service health, and the Microsoft 365 Security and Compliance Center.

Service Assurance User: Provides reports and documentation that explain Microsoft's security practices for customer data stored in Microsoft 365.

Supervisory Review: Able to create and manage policies that mediate which communications are subject to review.
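Role-group membership in the Security & Compliance Center can also be reviewed and changed from PowerShell. The following is an added example, not from the book, using the ExchangeOnlineManagement module's Security & Compliance PowerShell cmdlets (Get-RoleGroup, Get-RoleGroupMember, Add-RoleGroupMember, Remove-RoleGroupMember). It assumes the module is installed, that Connect-IPPSSession has been run with an account permitted to manage role groups, and the user principal name is a placeholder.

```powershell
# Added example (not from the book): review and change Security & Compliance
# Center role group membership with Security & Compliance PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, Connect-IPPSSession
# has been run with an account that can manage role groups, and the UPN is a placeholder.
$userUpn = "adele.vance@contoso.example"   # placeholder

# Role groups are the unit of permission here; list them with the roles each bundles.
Get-RoleGroup | Select-Object Name, Roles | Format-Table -AutoSize

# Before adding anyone, see who already holds eDiscovery Manager, which can search
# and place holds across SharePoint Online, OneDrive for Business and Exchange Online.
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name, RecipientType

# Grant the least-privileged group that covers the task. Reviewer can see the list
# of eDiscovery cases but cannot create or manage them.
Add-RoleGroupMember -Identity "Reviewer" -Member $userUpn

# Membership review across the groups that carry the most privilege.
foreach ($group in "Organization Management", "Security Administrator", "eDiscovery Manager") {
    $members = @(Get-RoleGroupMember -Identity $group)
    "{0}: {1} member(s)" -f $group, $members.Count
}

# Revoke once the work is complete:
# Remove-RoleGroupMember -Identity "Reviewer" -Member $userUpn -Confirm:$false
```

Organization Management deserves the closest watch in the review loop, since it controls who can access the Security & Compliance Center at all and so can grant itself any of the other groups.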

More Info Security and Compliance Roles

You can learn more about security and compliance roles at: https://docs.microsoft.com/office365/securitycompliance/permissions-in-the-security-and-compliance-center.

Exam Tip

Remember the functionality of the different security and compliance roles that can be assigned to users.

THOUGHT EXPERIMENT

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find answers to this thought experiment in the next section.

You are in the process of consulting for Adatum about their planned synchronization solution that will allow them to replicate user accounts, group accounts, and mail-enabled contacts from their on-premises Active Directory environment to an Azure Active Directory instance that supports an Office 365 tenancy. The Adatum environment consists of three forests with 21 separate domains. A preliminary assessment using the IdFix tool has found that it is necessary to make bulk changes to certain attributes used with user accounts before synchronization between the on-premises environment and Azure Active Directory can commence. Prior to full-scale deployment of synchronization, it will also be necessary to have robust recovery procedures in the event that one or more accounts are deleted. Finally, all accounts at Adatum are in geography-based OUs. Attributes, such as the Department attribute, denote the departments that the users are associated with.

With this in mind, answer the following questions:

1. How many instances of Azure AD Connect are necessary to sync the Adatum environment to a single Azure AD instance?

2. What tool, besides Microsoft PowerShell, could be used to bulk modify the attributes of selected user accounts at Adatum?

3. How can you ensure that members of the Research department don't have their accounts synchronized to the Azure Active Directory instance that supports the Office 365 tenancy?

4. What feature can you enable on the on-premises Active Directory instance that will allow you to recover an accidentally deleted account without having to recreate it with a new GUID?

5. How long are objects deleted from the Azure Active Directory instance used to support Office 365 recoverable?

THOUGHT EXPERIMENT ANSWERS

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

1. You only need a single instance of Azure AD Connect to synchronize from three separate Active Directory forests.

2. ADModify.NET can be used to bulk modify the attributes of selected user accounts at Adatum.

3. You can configure Azure AD Connect to only replicate specific OUs. You could also use tools such as the Synchronization Rules editor if more complicated synchronization rules are necessary.

4. Enabling Active Directory Recycle Bin allows you to recover an accidentally deleted account without having to recreate it with a new GUID.

5. Objects are recoverable from the Azure Active Directory Recycle Bin for 30 days.

Chapter summary

When determining an appropriate identity strategy, figure out which identities need to be replicated to the cloud, how often that replication should occur, and which aspects of those identities must be replicated.

A hybrid approach is necessary when the on-premises Active Directory instance is still in operation.

Azure AD Connect can be installed on a local member server and will allow synchronization of identities and password hashes to Azure AD.

Prior to deploying Azure AD Connect, the on-premises directory should be cleaned up to remove any current settings that may block successful synchronization. Tools such as the IdFix tool and ADModify.NET can be used to perform this task.

If your on-premises directory uses a non-routable domain, you will need to update on-premises accounts with a UPN suffix that is routable and configured to work with Microsoft 365. This will usually be a registered domain name associated with the tenancy.

Password synchronization with Azure AD Connect synchronizes hashes of passwords from the on-premises environment to Azure AD. It can be configured for password writeback if self-service reset is enabled.

Pass-through authentication has the user's password validated against an on-premises AD instance. This requires an agent be installed on an on-premises domain controller.

Active Directory Federation is appropriate for environments with more sophisticated identity requirements than those catered to by Azure AD Connect password synchronization or pass-through authentication.

The health of Azure AD Connect can be monitored through the Azure Active Directory Admin Center console.

Synchronization can be forced using the Synchronization Service Manager or through PowerShell.

Azure AD identities can be managed through the Azure Active Directory admin center, the Microsoft 365 Admin Center, or Azure PowerShell.

Self-service password resets allow users to reset their passwords after answering questions related to their identity.

Azure AD supports two types of group, Office 365 groups and security groups. Office 365 groups have access to additional O365 resources such as a shared mailbox and calendar. Membership can be directly assigned or dynamically configured through a query of Azure AD attributes.

Users must be assigned licenses to use Microsoft 365 resources. This task can be performed through the Microsoft 365 Admin Center or Azure AD Admin Center.

You can delegate administrative privileges by assigning roles. You should follow the principle of least privilege and only assign users the minimum necessary administrative permissions required to perform their duties.

© 2020 O'Reilly Media, Inc.