Cloud Levels

// Exploring IT one level at a time…

Configuring Microsoft Entra ID tenants in a hybrid identity model with multiple AD DS forests


Overview

An interesting challenge came my way recently from a global firm with locations in 15 different countries, which was going through an exciting period of growth and acquisition.

This article covers the challenge I faced in meeting the business's hybrid identity requirements.

But first I’d like to provide a bit of background to the project.

The first stage of the project was to merge two separate firms, and all of their UK offices, from an IT infrastructure perspective. This included on-premises identity, on-premises servers, cloud resources and networking.

The two firms had different specialities; however, once merged, they would become the global firm's UK division.

The second stage of the project was to bring the UK division into the global business's Microsoft Azure infrastructure and Microsoft Entra ID tenant. This included converting every user into a hybrid identity so they could authenticate to on-premises and cloud resources with one identity, and providing a zero-touch build process for every end-user compute (EUC) device by leveraging Intune (MDM) and Autopilot.

Due to the nature of the global business, my remit covered only the UK division; divisions located outside the UK are managed by their own respective IT teams. Therefore, the solution implemented had to affect only the UK division, whilst allowing other divisions to replicate the same behaviour and functionality during their own onboarding transformation projects in the future.

The challenge

The challenge was how to use a hybrid identity model for a specific on-premises Active Directory Domain Services (AD DS) forest with a Microsoft Entra ID tenant which, in future, will require other independent AD DS forests to also implement a hybrid identity model, all without any trusts or connectivity between these independent AD DS forests.

Over the years the Entra ID Connect sync service, installed on a Windows Server, has generally been the go-to option for hybrid identity sync between AD DS and Entra ID.

However, Entra ID has a limitation whereby a tenant cannot connect to and use multiple Entra ID Connect servers. A single Entra ID Connect server would in turn need line of sight to every forest, which meant this was not a suitable option in this scenario, given the lack of connectivity and trusts between the AD DS forests across the globe.

The solution

Microsoft Entra ID Connect cloud sync.

The primary difference between the Entra ID Connect cloud sync service and an on-premises Entra ID Connect server is that the sync engine is offloaded to the cloud.

This method suited this scenario perfectly, as it supports multiple forests without the need for line-of-sight connectivity or trusts between the individual AD DS forests.

To sync to Entra ID with Entra ID Connect cloud sync, a lightweight Entra ID Connect cloud sync agent is required; it must be installed on a domain member server within each forest.

The Entra ID Connect cloud sync service is more limited when compared to the traditional Entra ID Connect service.

In my opinion, though, the main features you would expect are all there and fully functional. For example, the Entra ID Connect cloud sync service still allows you to have a two-way sync (AD to Entra ID and Entra ID to AD), which provides you with password writeback functionality. Entra ID Connect cloud sync also provides OU filtering, allowing you to control which objects are synced from AD DS.

For reference, if you require users to be able to change their AD DS passwords from the cloud, each user will require a Microsoft Entra ID P2 license so they can change their password via Microsoft's self-service password reset solution.

You can find the Entra ID Connect cloud sync agent installer within the Entra ID portal.

Firstly, log in to the Entra ID portal (entra.microsoft.com).

Secondly, open the 'Entra Connect' blade.

Thirdly, open the 'Cloud sync' blade.

Fourth, select 'New configuration' under the Configurations blade, then select the 'AD to Microsoft Entra ID sync' sync direction.

Finally, select 'click here' next to 'For a list of active agents', which opens a new menu where you can use the download option to get a copy of the agent installer.

Further information on how to install an Entra ID Connect Cloud Sync agent is available here: https://learn.microsoft.com/en-us/entra/identity/hybrid/install
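Before the first sync from each forest, it is worth checking two things on the member server that will host the agent: that the agent service is actually running, and that the users the OU filter brings into scope have UPNs the tenant can accept (a suffix not verified in the tenant is replaced with the tenant's default onmicrosoft.com suffix, which defeats the one-identity goal, and duplicate UPN or mail values cause provisioning errors). The following PowerShell script is an added example written for this post; it is not Microsoft's code or the installer's. It assumes the RSAT ActiveDirectory module is present on the server, assumes the agent registers a Windows service named AADConnectProvisioningAgent (adjust if yours differs), and uses placeholder OU distinguished names and verified-domain values that you replace with your own.

```powershell
# Added example (not from the original post): pre-sync readiness check, run on
# the domain member server hosting the cloud sync agent in each forest.
# Assumptions: RSAT ActiveDirectory module installed; agent service name
# 'AADConnectProvisioningAgent' (assumed, adjust as needed); OU DNs and
# verified domains below are placeholders.
#Requires -Modules ActiveDirectory

param(
    # OUs that the cloud sync OU filter will bring into scope (placeholders)
    [string[]]$ScopedOUs = @(
        'OU=Users,OU=UK,DC=uk,DC=example,DC=com',
        'OU=Service Accounts,OU=UK,DC=uk,DC=example,DC=com'
    ),
    # Domains verified in the Entra ID tenant (placeholders)
    [string[]]$VerifiedDomains = @('example.com', 'uk.example.com'),
    [string]$AgentServiceName = 'AADConnectProvisioningAgent'
)

# 1. Confirm the agent service exists and is running; without it nothing syncs.
$svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$AgentServiceName' not found. Has the agent been installed here?"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$AgentServiceName' is $($svc.Status); expected Running."
} else {
    Write-Host "Agent service '$AgentServiceName' is running."
}

# 2. Collect the user objects the OU filter would sync.
$users = foreach ($ou in $ScopedOUs) {
    Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * `
        -Properties UserPrincipalName, mail
}
Write-Host ("{0} user object(s) in scope across {1} OU(s)." -f @($users).Count, $ScopedOUs.Count)

# 3. Users with no UPN cannot become a usable cloud identity.
foreach ($u in ($users | Where-Object { -not $_.UserPrincipalName })) {
    Write-Warning "No UPN: $($u.DistinguishedName)"
}

# 4. UPN suffixes not verified in the tenant are rewritten to the default
#    onmicrosoft.com suffix after sync, so flag them before the first sync.
$badSuffix = $users | Where-Object {
    $_.UserPrincipalName -and
    ($_.UserPrincipalName.Split('@')[-1] -notin $VerifiedDomains)
}
foreach ($u in $badSuffix) {
    Write-Warning "Unverified UPN suffix: $($u.UserPrincipalName)"
}

# 5. Duplicate UPN or mail values within scope cause provisioning errors.
foreach ($attr in 'UserPrincipalName', 'mail') {
    $users | Where-Object { $_.$attr } |
        Group-Object -Property $attr |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { Write-Warning "Duplicate $attr '$($_.Name)' on $($_.Count) objects." }
}
```

Because the forests have no connectivity or trust between them, this check can only find collisions within one forest; to catch a UPN or mail value that exists in two forests syncing to the same tenant, export the in-scope values from each forest (for example with Export-Csv) and compare the exports centrally before the second forest's configuration is enabled.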

Hope this helps and thanks for reading!
