So I decided to take the plunge and switch to Azure and Intune to test the MDM part and the Co-Management of SCCM.
I am currently testing the Enterprise Mobility + Security E5 subscription which includes ...
Ouch, that price stings… CHF 16.40 (€ 14.60) per user per month!
But hey, some good news has just come out: since I don't need all of it, at the end of my trial period I will instead use the much cheaper version at CHF 5.60 (€ 5.10).
To compare the different subscriptions and their options, I invite you to visit this page on Microsoft's site.
Now that I've taken out my credit card… let's get down to business: synchronizing my on-premises AD with Azure AD.
Adding a custom domain name
By default we only get a subdomain of the form xxxx.onmicrosoft.com, and I want my users to sign in with the domains stevenbart.com and lab.stevenbart.com. To do this, click on Azure Active Directory.
Click on Custom domain names
Click on Add a custom domain
Enter the domain name and click on Add a domain
Validate your domain with your DNS host, or in your internet-facing DNS zone, by creating the TXT or MX record that the portal requests.
If all goes well, your domain status will change to Verified.
We have completed the domain configuration.
Installing Azure AD Connect
Azure AD Connect is an Active Directory synchronization utility that can be downloaded from this page on the Microsoft site.
It allows you to perform the following operations:
- Password hash synchronization: an authentication method that synchronizes a hash of the user's on-premises AD password hash to Azure AD.
- Pass-through authentication: an authentication method that lets users use the same password on-premises and in the cloud, without the additional infrastructure of a federated environment.
- Federation integration: federation is an optional part of Azure AD Connect that can be used to set up a hybrid environment using an on-premises AD FS infrastructure. It also offers AD FS management features such as certificate renewal and additional AD FS server deployments.
- Synchronization: this component is responsible for creating users, groups and other objects, and for ensuring that the identity information for users and groups in your on-premises environment matches that in the cloud. This synchronization also includes password hashes.
- Health monitoring: Azure AD Connect Health provides robust monitoring and a central location in the Azure portal for viewing this activity.
Here is its architecture without AD FS:
And how it works with AD FS:
Launch the Azure AD Connect installation MSI.
For my part I used the Customize option, which lets me connect to my existing SQL instance without having to install yet another SQL Server Express...
I enter the details of my SQL server; I must also enter a service account so that the wizard can connect to it.
This is where everything is decided: I chose the default option, i.e. Password Hash Synchronization, but if you have AD FS, do not hesitate to use Federation with AD FS 😉
If you do not know which scenario to choose, this page can help you.
Enter your Azure credentials
Connect to your AD, select your forest, then click the Add Directory button.
Choose whether the wizard should create a sync account for you or if you prefer to use a current user.
I chose the default option (Create a new AD user).
Then enter the username and password of an Enterprise Admin account.
If all goes well, a small green check mark appears next to your forest; if you have other forests, repeat the same operation for each of them.
We check the UPN suffixes created earlier on the Azure portal and select the attribute to use for Azure user names. I left the default choice (userPrincipalName) because it suits me very well.
For my part, I don't want to push my whole AD into Azure, so I filter the OUs that I want to synchronize.
It is possible to change how users are uniquely identified; I left the default (Users are represented only once across all directories).
It is possible to filter users and devices; I will leave the default choice (Synchronize all users and devices) and synchronize everything.
We can also enable some optional features, such as Exchange hybrid deployment, writing Azure password changes back to on-premises AD (Password writeback), etc.
We are ready to configure synchronization with Azure AD.
The installation and the initial synchronization are complete; let's see what happened on the Azure portal side.
Here is my on-premises AD; normally I should only have this user in Azure...
Bingo! My user is there, and we can see that the source is Windows Server AD.
With synchronization effective and functional, this tutorial is finished.
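As an added example (not part of the original post), here is a PowerShell check I would run on the Azure AD Connect server at this point: it confirms the domain verification TXT record from earlier is published, reads the sync scheduler state, and triggers a delta sync only if one is not already running. It assumes the ADSync module installed by Azure AD Connect is present on this server and that stevenbart.com is the domain being verified.

```powershell
# Added example, not from the original post. Assumes it runs on the Azure AD Connect
# server (ADSync module present) and that stevenbart.com is the verified domain.
Import-Module ADSync

function Test-AadDomainTxtRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # Azure AD domain verification publishes a TXT record of the form "MS=msXXXXXXXX".
    $records = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $found = $records | Where-Object { $_.Strings -match '^MS=ms\d+' }
    return [bool]$found
}

function Get-AadConnectSyncState {
    # Summarise the scheduler: disabled sync or staging mode means nothing reaches Azure AD.
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncEnabled   = $s.SyncCycleEnabled
        StagingMode   = $s.StagingModeEnabled
        Interval      = $s.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc  = $s.NextSyncCycleStartTimeInUTC
        InProgress    = $s.SyncCycleInProgress
    }
}

function Invoke-AadDeltaSyncIfIdle {
    # Only start a delta cycle when the scheduler is idle; overlapping cycles are refused anyway.
    $state = Get-AadConnectSyncState
    if ($state.InProgress) {
        Write-Warning 'A sync cycle is already running; not starting another one.'
        return $false
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    return $true
}

# Usage on the server:
Test-AadDomainTxtRecord -Domain 'stevenbart.com'
Get-AadConnectSyncState | Format-List
Invoke-AadDeltaSyncIfIdle
```

If SyncEnabled is False or StagingMode is True, objects will not appear in the portal no matter how many cycles you start; fix that with Set-ADSyncScheduler before troubleshooting anything else.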
Founder of StevenBart.com - Vevey, Switzerland.
I have been in IT since 2001. I work as a Workplace Architect and mainly take care of the administration of MEMCM (SCCM) and the mass deployment of workstations and applications.