This post focuses on Entra Connect (Azure AD Connect) and AD FS servers.
How does Entra Connect work?
Entra Connect is by default a one-way sync that synchronizes on-premises AD objects to Azure AD (now Microsoft Entra ID). A few features, such as password writeback and group writeback, can be configured to write changes from Entra ID back to on-premises AD. Because the AD connector account holds directory replication rights (required for password hash sync) and the tenant connector account has write access to the cloud directory, the Entra Connect server should be protected like a domain controller (Tier 0). Before looking at how Entra Connect works, let us understand its components.
Management Agents – a question that can be asked is: what is a Management Agent in AD Connect?
Management agents (called connectors in newer versions) in Azure AD Connect control the data flow between a connected data source and the metadirectory. DirSync and Azure AD Connect use two management agents:
- Active Directory Connector management agent
- Microsoft Azure Active Directory management agent
DirSync or Azure AD Connect stores the information in two places. A question that can be asked is: what are the Connector Space and the Metaverse?
Connector Space: the connector space holds a replica of the managed objects from the connected data source (for example AD DS). Each management agent or connector has its own connector space.
Metaverse: aggregated information about a managed object (that is, a user, group, etc.) from multiple connected data sources, joined into a single metaverse object.
How the initial data flow of an Entra Connect synchronization works:
- The user object is imported from on-premises AD into the Active Directory connector space
- The user object is projected to the metaverse
- The user object is provisioned to the Microsoft Azure Active Directory connector space
- The user object is exported from that connector space to Azure AD (historically referred to as the Office 365 Admin Web Service)
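The four steps above can be followed on a live server with the ADSync PowerShell module that ships with Entra Connect. The block below is an added example, not code from the original post; the connector name, the user DN and the metaverse id placeholder are assumptions to be replaced with your own values. It lists the two connectors, shows the scheduler and write-back state, pulls one object out of the AD connector space, follows its link into the metaverse, and then triggers a delta sync cycle.

```powershell
# Added example (not from the original post): trace one user through the
# Entra Connect pipeline with the ADSync module installed on the Entra Connect
# server. Run in an elevated PowerShell session on that server. The connector
# name, user DN and metaverse id below are assumptions; substitute your own.
Import-Module ADSync

# 1. The two connectors (management agents): on-premises AD and Azure AD.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# 2. Scheduler state: whether the sync cycle runs, how often, and whether the
#    server is in staging mode (a staging server imports and syncs but never exports).
Get-ADSyncScheduler

# 3. Optional tenant features such as password and group writeback. Anything
#    that writes back into on-premises AD widens the blast radius of a
#    compromised tenant, so this list deserves a regular review.
Get-ADSyncAADCompanyFeature | Format-List

# 4. One object in the on-premises AD connector space (step 1 of the data
#    flow). The Lineage property links it to its metaverse object.
$adConnector = 'contoso.com'                               # assumption
$userDn      = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'    # assumption
$csObject = Get-ADSyncCSObject -ConnectorName $adConnector -DistinguishedName $userDn
$csObject | Format-List DistinguishedName, ObjectType, Lineage

# 5. Follow the link into the metaverse (step 2). Take the metaverse object id
#    from the Lineage output above and paste it here.
$mvId = '00000000-0000-0000-0000-000000000000'             # assumption: replace
Get-ADSyncMVObject -Identifier $mvId | Format-List

# 6. Run a delta cycle (import -> sync -> export, steps 1-4) and read back the
#    run status of each connector once it has had time to finish.
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 30
Get-ADSyncConnectorRunStatus
```

The same object will also appear in the Azure AD connector space after provisioning (step 3); query it with `Get-ADSyncCSObject` against the Azure AD connector name shown in step 1 if you want to confirm the export side of the flow.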
What is Azure Active Directory, and what can we do with Azure AD?
Azure AD (now Microsoft Entra ID) is a multi-tenant service that provides enterprise-level identity and access management for the Microsoft cloud. It is built to support global scale, reliability and availability, and the Premium (and former Basic) tiers are backed by a 99.99% SLA.
It is used to manage users and their access to cloud resources; on-premises AD is extended to the cloud through Azure AD. It provides SSO across your cloud applications, and MFA and Conditional Access can be enabled in Azure AD to reduce risk.
What is Active Directory Federation Services?
Active Directory Federation Services provides access control and single sign-on across a wide variety of applications, including Office 365, cloud-based SaaS applications, and applications on the corporate network.
For the IT organization, it lets you provide sign-on and access control to both modern and legacy applications based on the same set of credentials and policies.
For the user, it provides seamless sign-on using the same credentials.
For the developer, it provides an easy way to authenticate users whose identities live in the organizational directory, so that you can focus your efforts on your application rather than on authentication or identity.
What is new in AD FS in Windows Server 2016?
- Eliminate passwords from the extranet – three new options for signing in without passwords, enabling organizations to avoid the risk of network compromise from phished, leaked or stolen passwords
- Sign-in with Azure MFA
- Password-less access from compliant devices
- Moving from AD FS in Windows Server 2012 R2 to AD FS in Windows Server 2016 is easier
- Streamlined auditing for easier administrative management
- Customize the sign-in experience for AD FS applications
- Enable sign-in with non-AD LDAP directories
- Configure access control policies without having to know the claim rules language
What are the requirements to deploy AD FS 2016?
- AD FS requires domain controllers running Windows Server 2008 or later
- The domain functional level has to be Windows Server 2003 or later
- If client certificate authentication is planned, a Windows Server 2008 functional level or higher is required
- A new AD FS 2016 deployment (2016 farm behavior level) requires the Windows Server 2016 AD schema
- Any standard domain account can be used as the service account, but a group Managed Service Account (gMSA) is recommended because its password is rotated automatically
- Group Managed Service Accounts require Windows Server 2012 or higher
- For Kerberos authentication, the service principal name (host/<federation service name>) must be registered on the AD FS service account
- SSL certificate for AD FS and the Web Application Proxy from a 3rd-party (public) certificate provider
- Token-signing and token-encrypting/decrypting certificates can be self-signed, since relying parties trust them through the federation metadata rather than a CA chain; their private keys must be protected accordingly, because anyone holding the token-signing key can issue tokens that every relying party accepts
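The service-account, SPN and certificate requirements above can be prepared and verified from PowerShell. The block below is an added example, not code from the original post or from Microsoft; the domain, federation service name, gMSA name and farm node names are assumptions. It creates a gMSA with the host SPN registered at creation time, checks the SPN is unique, lists the three AD FS certificate roles with their issuer (self-signed shows Subject equal to Issuer), warns if the SSL certificate is self-signed, and confirms automatic rollover for the self-signed token certificates.

```powershell
# Added example (not from the original post): prepare and verify the
# service-account and certificate requirements for an AD FS 2016 farm.
# Needs the ActiveDirectory (RSAT) module for the gMSA steps and the ADFS
# module on a federation server for the certificate checks. A KDS root key
# must already exist in the forest. All names below are assumptions.

$domain    = 'contoso.com'            # assumption
$fsName    = "sts.$domain"            # federation service name (assumption)
$gmsaName  = 'adfsgmsa'               # assumption
$adfsNodes = 'ADFS01$', 'ADFS02$'     # computer accounts of the farm nodes (assumption)

# 1. gMSA (requires Windows Server 2012+). Registering the SPN here satisfies
#    the Kerberos requirement without a separate setspn step, and only the
#    listed farm nodes may retrieve the managed password.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -ServicePrincipalNames "host/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $adfsNodes

# 2. The SPN must exist exactly once in the forest; a duplicate on another
#    account silently breaks Kerberos authentication to the federation service.
setspn -Q "host/$fsName"

# 3. On a federation server: the three certificate roles and who issued them.
Import-Module ADFS
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'Issuer';   e = { $_.Certificate.Issuer } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# Token-signing / token-decrypting may be self-signed (Subject equals Issuer);
# the SSL certificate must chain to a CA the clients already trust.
$ssl     = Get-AdfsSslCertificate | Select-Object -First 1
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $ssl.CertificateHash
if ($sslCert.Subject -eq $sslCert.Issuer) {
    Write-Warning "SSL certificate $($sslCert.Thumbprint) is self-signed; replace it with a public CA certificate."
}

# 4. Automatic rollover regenerates the self-signed token certificates before
#    they expire; relying parties pick the new keys up from federation metadata.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateDuration, CertificateRolloverInterval
```

If `AutoCertificateRollover` is off, a token-signing certificate that expires unnoticed takes every federated application down at once, so treat that property and the `NotAfter` dates above as monitoring targets rather than one-time checks.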
What’s new in AD FS 2019 and 2022?
The new features included in AD FS 2019 are listed below:
- Token replay attacks are mitigated using Key Derivation Function version 2 (KDFv2)
- The user sign-in experience is improved with a centered login UX, paginated sign-in and keep-me-signed-in capabilities
- Simplified Web Application Proxy configuration
- Users can now use a password as an extra factor after using a non-password option as the first factor
Compared with the new features in AD FS 2019, AD FS 2022 has no new features highlighted by Microsoft.