Step by Step Azure Active Directory (Azure AD) Connect Cloud Provisioning

Recently a new option for AD sync went into preview: Azure AD Connect cloud provisioning. It can run in a tenant that is already using Azure AD Connect sync, and it supports synchronizing to an Azure AD tenant from a multi-forest, disconnected Active Directory forest environment. This is currently not possible with Azure AD Connect, and many organizations are struggling with it.

Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.

  • Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.


The common scenarios include merger & acquisition, where the acquired company’s AD forests are isolated from the parent company’s AD forests and companies that have historically had multiple AD forests.


Here I have a sample of three identical user accounts in different domains; with Azure Active Directory (Azure AD) Connect cloud provisioning they are synced into a single Azure AD tenant.

If there is a firewall between your servers and Azure AD, configure the following items:

Ensure that agents can make outbound requests to Azure AD over the following ports:

Port number and how it is used:

  • 80: Downloads the certificate revocation lists (CRLs) while validating the SSL certificate
  • 443: Handles all outbound communication with the service
  • 8080 (optional): Agents report their status every 10 minutes over port 8080 if port 443 is unavailable. This status is displayed in the Azure AD portal.

The following URLs also need to be unblocked.

You can test access using the test portal (msappproxy.net domain Ports Test Tool): https://aadap-portcheck.connectorporttest.msappproxy.net/

Now that I know that all the ports are open we can start with the deployment.

Go to the Azure portal and open the Azure Active Directory blade.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect

When clicking the Provisioning link, a new window opens with the Download agent option in the ribbon.

Now that we have downloaded the agent we can start the installation. Keep in mind that if you don't have the latest .NET version installed, you need to install it first, and that requires a reboot.

A quick setup and our next step is the Configuration.

Use a service account for the sync, and make sure that your domain settings are correct; otherwise all the accounts get synced with the *.onmicrosoft.com domain.

My local Active Directory domain.

In this demo I use the Administrator account, but don't use this account in your production environment. Create a proper account for this.

Now that the AD is connected we can kick off the sync and move on to the next steps.

The agent creates two services on the sync server.

In the Azure portal you can see the sync status. I have already done a couple of installs, so don't panic if your layout is different.

Now we check whether the agent is running. Use Review all agents; by default there is an extra step to take.

In previews you can always give feedback, so by the time the product is GA there is a good chance that the menus will have changed.

As you can see it is active. If it is not active, check the services on the on-premises server where you installed the agent.

You can also see your external public IP here.

You can also check the services state:

  • Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
  • Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)

Our next step is configuring Azure AD Connect cloud provisioning: enabling password hash synchronization and setting up a notification email.

Now that the configuration is complete we are ready for production.

We save this configuration and check the agent health status.

For testing you can use the cloud applications portal: https://myapps.microsoft.com

When logging in you will see the apps that are assigned to that user.

Configuration changes are synced every 2 minutes while the provisioning interval is every 40 minutes.

All agent activities are logged in the Windows event log under Applications and Services Logs\Microsoft\AzureADConnect\ProvisioningAgent\Admin.

Look in AgentUpdater for any agent update activities (you will see there if there has been an update) or in ProvisioningAgent for any provisioning activities.
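The port check, the service check and the event log check described above, combined into one script as an added example; this is not code from the original post or from Microsoft. The event log names used with Get-WinEvent are an assumption derived from the Event Viewer path given in the post (run Get-WinEvent -ListLog '*AzureADConnect*' to confirm them on your server).

```powershell
# Added example (not from the original post): pre-flight and health check for a
# server running the Azure AD Connect cloud provisioning agent.
# Run in an elevated PowerShell session on the server where the agent is installed.

# Test portal host from the post; ports and their purpose as listed in the post.
$TestHost = 'aadap-portcheck.connectorporttest.msappproxy.net'
$Ports    = @{ 80 = 'CRL download'; 443 = 'outbound service traffic'; 8080 = 'optional status fallback' }

Write-Host '== Outbound connectivity =='
foreach ($port in ($Ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $TestHost -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-6} {1,-8} {2}' -f $port, $state, $Ports[$port]
}

Write-Host '== Agent services =='
# Display names of the two services the agent installs, as named in the post.
$ServiceNames = 'Microsoft Azure AD Connect Agent Updater',
                'Microsoft Azure AD Connect Provisioning Agent'
foreach ($name in $ServiceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { "MISSING  $name"; continue }
    '{0,-8} {1} (startup: {2})' -f $svc.Status, $name, $svc.StartType
}

Write-Host '== Agent errors/warnings in the last 24 hours =='
# ASSUMPTION: Get-WinEvent log names matching the Event Viewer path
# Applications and Services Logs\Microsoft\AzureADConnect\<channel>\Admin.
$Logs = 'Microsoft-AzureADConnect-ProvisioningAgent/Admin',
        'Microsoft-AzureADConnect-AgentUpdater/Admin'
foreach ($log in $Logs) {
    try {
        # Level 1-3 = Critical, Error, Warning. Get-WinEvent throws when nothing
        # matches, so an empty result lands in the catch block below.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction Stop
        "$log : $($events.Count) event(s)"
        $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
    }
    catch {
        "$log : no matching events, or log not found ($($_.Exception.Message))"
    }
}
```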


Posted February 12, 2020 by Robert Smit [MVP] in Azure
