Currently Azure AD only receives identity information through AD Connect. While this works and needs to remain in place, it obviously requires the data to be populated into AD first, which can present challenges from a technical and workflow aspect. If the data is only needed in Azure AD and not in on-prem AD then having to send the data through AD first increases the level of effort for adding new data to Azure AD.
Does Azure AD supports sources in addition to AD Connect or Cloud Sync for attribute population? We want to be able to sync certain data to Azure AD without having to ensure the data is present in our on-prem AD first.
If the user (or another identity) is required only in the cloud, you can create it in your Azure AD.
The is that you could only manage that identity in your Azure AD.
Azure AD Connect allows password writeback and groups writeback, you cannot sync anything else beyond that.
I have an on-premises Windows Server 2022, which is running AD DS, NPS and DHCP. I also have an Azure AD subscription, where my users are located. I would like to keep my user database (AD) in the cloud, since currently I do not have any backup solution and it is easier for me to manage. I want to have IEEE 802.1X on premises, as well as a VPN service. Is it possible to force the NPS to authenticate against Azure AD, where all my users are located? If yes, how can this be done?
I know that Azure AD Connect provides hybrid integration, but from what I read, it is only one way, i.e from on-premises AD to cloud synchronization, but not the other way around.
Yes, you are correct that the synchronization is only one-way, and the workarounds currently are to use PowerShell export/import or a third-party tool. In the NPS article you linked, the on-premises users ultimately authenticate against Azure MFA. The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide MFA for the federated or synced users. Your cloud users would just use regular Azure MFA without needing that adapter.
The most common workaround for the user writeback scenario is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in Azure AD.
The regular user writeback feature is on the roadmap and actively being worked on though. I've asked for an update from the PG and will edit this post once it is available.
For cloud VPN options, see: Azure AD Authentication - Open VPN.
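As an added example (not the answer's own script), this is one shape the "scan Azure AD, find cloud-only users, create them on-premises" workaround can take. It assumes the Microsoft Graph PowerShell SDK 2.x and the ActiveDirectory module, a Graph session with `User.Read.All`, and a target OU and domain allow-list that are placeholders for your own. It creates the on-premises account disabled and without a password, skips UPNs outside the domains you own, and never creates a second object for a UPN that already exists, so it is safe to run on a schedule and to dry-run with `-WhatIf` first.

```powershell
#Requires -Modules Microsoft.Graph.Users, ActiveDirectory

function Sync-CloudOnlyUsersToAD {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical OU; replace with one of your own.
        [Parameter(Mandatory)] [string] $TargetOU,           # e.g. 'OU=CloudCreated,DC=corp,DC=example'
        # Only mirror UPNs in domains you own; anything else is ignored.
        [string[]] $AllowedDomains = @('corp.example')       # placeholder domain
    )

    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

    # Pull only the attributes we intend to mirror. Cloud-only members have no
    # onPremisesSyncEnabled flag; guests are deliberately excluded.
    $cloudUsers = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,GivenName,Surname,Mail,OnPremisesSyncEnabled,UserType |
        Where-Object { -not $_.OnPremisesSyncEnabled -and $_.UserType -eq 'Member' }

    foreach ($u in $cloudUsers) {
        $upn    = $u.UserPrincipalName
        $local, $domain = $upn -split '@', 2
        if ($AllowedDomains -notcontains $domain) {
            Write-Verbose "Skipping ${upn}: domain $domain is not in the allow-list"
            continue
        }

        # Idempotency: never create a second account for a UPN that already exists on-prem.
        # Single quotes are doubled so a UPN cannot break out of the filter string.
        $safeUpn  = $upn.Replace("'", "''")
        $existing = Get-ADUser -Filter "UserPrincipalName -eq '$safeUpn'" -ErrorAction SilentlyContinue
        if ($existing) { continue }

        # sAMAccountName is limited to 20 characters; fall back to it when DisplayName is empty.
        $sam  = if ($local.Length -gt 20) { $local.Substring(0, 20) } else { $local }
        $name = if ($u.DisplayName) { $u.DisplayName } else { $sam }
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
            Write-Warning "sAMAccountName '$sam' already in use; skipping $upn for manual review"
            continue
        }

        if ($PSCmdlet.ShouldProcess($upn, 'Create on-premises AD user')) {
            # Created disabled and without a password: the cloud account keeps its own
            # credential until the two objects are matched by AD Connect (soft match on UPN).
            New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName $upn `
                -GivenName $u.GivenName -Surname $u.Surname -EmailAddress $u.Mail `
                -Path $TargetOU -Enabled $false
            [pscustomobject]@{ UserPrincipalName = $upn; SamAccountName = $sam; Created = $true }
        }
    }
}

# Dry run first, then the real run (placeholder OU):
# Sync-CloudOnlyUsersToAD -TargetOU 'OU=CloudCreated,DC=corp,DC=example' -WhatIf -Verbose
# Sync-CloudOnlyUsersToAD -TargetOU 'OU=CloudCreated,DC=corp,DC=example'
```

The output objects are what you would feed to a log or ticket queue so each created account gets reviewed and enabled deliberately rather than silently appearing in AD.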
Creating an SPN in Azure (single AD tenant) works very well; however, due to some compliance reasons, the organization says we have to create every user (including service ones) using on-prem AD, then sync via AD Connect to the Azure AD tenant.
That works very well for all the users (UPN), but can we sync those kinds of objects (SPN) on-prem -> Azure? I know it sounds a bit weird to create an SPN intended for Azure in on-prem AD, wait some time and do the work, but in the end it's all about syncing the objects.
Any help would be appreciated.
Thanks,
Stan
I do not believe it is possible. AAD SP is an AAD-only entity. Has no meaning in AD.
From their docs - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works
As a pre-requisite for Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
Doesn't this defeat the whole point of pass-through? If users need to be provisioned in AAD (using AD Connect), what's the point of pass-through? Or is it just that USERNAMES are provisioned and no passwords?
Very confusing. Please only respond if you have actually implemented this.
We use this at my work. It's better described here: What is Azure Active Directory Pass-through Authentication?
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
To use cloud-based services, the account must exist in Azure AD. To use on-premises services, the account must exist on-premises. So everyone's account is actually duplicated between on-premises and Azure AD.
The only purpose of using pass-through authentication is being able to use both cloud and on-premises applications with the same password. Therefore, the password is not stored in Azure AD and Azure AD defers to the on-premises environment to perform the authentication.
Azure AD has B2B collaboration for inviting external users.
But what if I want to invite an external Azure service that has an MSI?
Is it possible to create an Azure AD group and add an external (another subscription/tenant in Azure) MSI which I can then use to grant access to resources?
Say I want to allow a B2B partner's Data Factory access to a SQL database of ours and I do not want to give them a SQL login.
MSIs are service principals which cannot be invited to other tenants. They are always tenant-specific.
The scenario sounds like you need to give access to something connected to your tenant.
I would suggest creating an App registration (Application), adding a key, and giving those credentials to the other service. You can then give the application access to your Azure subscription etc.
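As an added example (not the answer's own code), the steps above with Az PowerShell (Az.Accounts and Az.Resources): create the app registration, a service principal for it, a short-lived secret to hand to the partner service, and a role assignment on the narrowest scope that covers what it needs. The display name, scope and role below are placeholders. Where the partner service supports it, a certificate credential or workload identity federation avoids handing out a shared secret at all; the secret path is shown because that is what the answer describes.

```powershell
#Requires -Modules Az.Accounts, Az.Resources

function New-PartnerServiceIdentity {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,        # e.g. 'partner-datafactory-reader' (placeholder)
        [Parameter(Mandatory)] [string] $Scope,              # e.g. '/subscriptions/<sub-id>/resourceGroups/rg-data' (placeholder)
        [string] $RoleDefinitionName = 'Reader',             # least privilege; widen only for what the partner actually needs
        [int]    $SecretLifetimeDays = 90                    # short lifetime forces a rotation cadence
    )

    # 1. App registration and its service principal in this tenant (the identity the partner authenticates as).
    $app = New-AzADApplication -DisplayName $DisplayName
    $sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

    # 2. The "key": a client secret with an explicit, short expiry. SecretText is shown only once.
    $cred = New-AzADAppCredential -ApplicationId $app.AppId `
        -StartDate (Get-Date) -EndDate (Get-Date).AddDays($SecretLifetimeDays)

    # 3. Access to the subscription/resource group. The new principal can take a moment to
    #    become visible to RBAC, so retry the assignment briefly instead of failing outright.
    $attempt = 0
    do {
        try {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope -ErrorAction Stop | Out-Null
            $assigned = $true
        } catch {
            $attempt++
            if ($attempt -ge 6) { throw }
            Start-Sleep -Seconds 10
        }
    } until ($assigned)

    # What the partner needs (tenant + client id + secret), plus what you keep for your own records.
    [pscustomobject]@{
        TenantId      = (Get-AzContext).Tenant.Id
        ClientId      = $app.AppId
        ClientSecret  = $cred.SecretText
        SecretExpires = $cred.EndDateTime
        AssignedRole  = $RoleDefinitionName
        Scope         = $Scope
    }
}

# Usage (placeholders):
# Connect-AzAccount
# $identity = New-PartnerServiceIdentity -DisplayName 'partner-datafactory-reader' `
#     -Scope '/subscriptions/<sub-id>/resourceGroups/rg-data'
# Share $identity.ClientSecret out of band, once; do not write it to logs or tickets.
```

Record the expiry and the scope so rotation and review are routine, and revoke the credential with the matching `Remove-AzADAppCredential` when the partner engagement ends.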
I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe@mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe@mycompany.com' to sign into the portal? That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, @outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe@mycompany.com Microsoft account and a joe@mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe@mycompany.com in that tenant), you effectively have two DIFFERENT ACCOUNTS. When you type in joe@mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to set up an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transferring ownership of the subscription, and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant